knowledge/technology/linux/PAM.md

2024-09-10 07:34:56 +00:00
---
obj: concept
wiki: https://en.wikipedia.org/wiki/Linux_PAM
arch-wiki: https://wiki.archlinux.org/title/PAM
repo: https://github.com/linux-pam/linux-pam
rev: 2024-09-10
---
# PAM
Linux PAM (Pluggable Authentication Modules) is a flexible system of libraries that enables the integration of various authentication methods into [Linux](./Linux.md) applications. By decoupling authentication from the application itself, PAM provides a mechanism to dynamically determine how authentication, account management, password management, and session management should be performed. This allows administrators to easily configure or modify authentication behavior without altering the application code.
## Features of PAM:
- **Modular Authentication:** PAM is highly modular, allowing administrators to stack and combine multiple authentication methods for a single service. For example, you can configure a system to use password-based authentication, followed by a biometric check, all within the same login process.
- **Configuration Flexibility:** PAM provides configuration files (located in `/etc/pam.d/`) that allow fine-grained control over how authentication and authorization work. Each service can have its own configuration file, specifying how various PAM modules should behave.
- **Security:** PAM supports advanced security policies, such as restricting login access based on user attributes, limiting the use of outdated passwords, or setting account expiration policies.
- **Integration with Many Services:** PAM integrates with various services such as [SSH](../applications/network/SSH.md), `sudo`, `login`, `su`, and more, making it a core component of user management in [Linux](./Linux.md) systems.
## PAM Configuration
Configuring PAM involves editing the module stack files in `/etc/pam.d/` or, on systems without that directory, the single system-wide file `/etc/pam.conf` (when `/etc/pam.d/` exists, Linux-PAM ignores `/etc/pam.conf`). Each file in `pam.d/` is named after the service that calls PAM (e.g., `sshd`, `login`, `sudo`) and lists, per module type, the PAM modules to run for that service and how their results combine. A service without its own file falls back to `/etc/pam.d/other`, which should be configured to deny everything. Proper configuration is essential to system security, as it dictates how users authenticate, how accounts are managed, and how sessions are maintained.
Each configuration file consists of lines that follow this structure:
```
<module-type> <control-flag> <module-path> <module-arguments>
```
- **module-type**: The type of PAM module, which defines what the module does (e.g., authentication, account management).
- **control-flag**: Dictates how PAM should handle the success or failure of the module (e.g., `required`, `optional`, `requisite`, `sufficient`).
- **module-path**: The path to the PAM module or the name of the module (e.g., `pam_unix.so`, `pam_env.so`).
- **module-arguments**: Optional arguments passed to the module, which modify its behavior (e.g., `debug`, `nullok`).
### Types of PAM Module Stacks
PAM modules are organized into different categories based on the type of functionality they provide. Each category is configured separately within the service's PAM file.
- **auth**: Handles user authentication, typically by checking passwords, biometric data, or token-based systems.
- **account**: Manages account access policies, such as checking whether an account is expired or locked.
- **password**: Handles password changes and enforces password policies, such as strength or expiration.
- **session**: Handles actions performed during login or logout, like logging user sessions or mounting directories.
### Control Flags
Each PAM module in the stack is assigned a control flag that defines how its success or failure impacts the overall authentication process.
Common Control Flags:
- **required**: The module must succeed for the stack to succeed. On failure PAM records the failure but still runs the remaining modules and only reports the denial at the end, so the user cannot tell which module rejected them.
- **requisite**: Like `required`, except that a failure returns to the application immediately and the remaining modules are skipped. pam.conf(5) suggests it mainly to avoid prompting for a password once an earlier check has already failed (for example over an unsafe medium); the trade-off is that the early return reveals which stage failed.
- **optional**: The module's result only matters if it is the only module of that type for the service; otherwise both its success and its failure are ignored.
- **sufficient**: If the module succeeds and no earlier `required` module has failed, PAM returns success immediately without consulting the rest of the stack. If it fails, the failure is ignored and PAM continues with the next module.

These four keywords are shorthands for Linux-PAM's bracketed `[value=action ...]` control syntax, which allows finer control, e.g. `[success=1 default=ignore]` skips the next line on success and ignores any other result; distribution-shipped `common-*` files use that form.
### Module Arguments
Modules can be customized using arguments that modify their behavior. Common arguments include:
- **nullok**: Allows accounts whose password field is empty to authenticate with an empty password (`pam_unix` refuses them by default). On a network-facing service this is a hole, so leave it out unless you need it.
- **debug**: Logs additional information to syslog for debugging.
- **try_first_pass**: Before prompting, tries the password already collected by a previous module in the stack; prompts only if there is none or it is rejected.
- **use_first_pass**: Uses only the password collected by a previous module and never prompts; if none is available or it is rejected, the module fails.
### Example
Let's take a look at a minimal, illustrative `/etc/pam.d/common-auth` (the files shipped by distributions are longer and use the bracketed control syntax):
```plaintext
auth required pam_tally2.so deny=5 unlock_time=600
auth requisite pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
```
- **pam_tally2.so**: Counts failed attempts and denies a user who has reached 5 failures (`deny=5`) until 10 minutes have passed (`unlock_time=600`). Because it is `required` rather than `requisite`, a locked-out user is still prompted and the remaining modules still run; the denial only surfaces at the end of the stack. `pam_tally2` was removed in Linux-PAM 1.5.0; current systems use `pam_faillock.so` for the same purpose.
- **pam_unix.so**: Standard Unix authentication against `/etc/shadow`. `try_first_pass` reuses a password collected earlier in the stack, and `nullok` lets accounts with an empty password log in, which is rarely acceptable on a remote service such as `sshd`. Because it is `requisite`, a wrong password ends the stack here.
- **pam_permit.so**: Always succeeds. As an `optional` entry in a stack with other modules its result is ignored, so it is only a placeholder.
- **pam_env.so**: Sets environment variables from `/etc/security/pam_env.conf` for the session.
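To see how the control flags actually decide a login, here is an added example (not code from this page or from the Linux-PAM project) that parses the four-column `pam.d` syntax and replays a stack the way `libpam` walks it. The module names are real, but the outcomes are supplied by hand, the `FALLTHROUGH` stack is constructed for illustration, and the bracketed control syntax is deliberately not handled. It also flags the two weak spots in the example above (`nullok` and `pam_tally2`).

```python
"""Replay a PAM stack under the four classic control flags.

Added example for this page, not Linux-PAM code. Parses the
'<module-type> <control-flag> <module-path> <args...>' syntax and applies
the required / requisite / sufficient / optional rules from pam.conf(5).
Module results are passed in as True/False because no real module is
loaded; the sample stacks below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    mtype: str      # auth | account | password | session
    control: str    # required | requisite | sufficient | optional
    module: str     # e.g. pam_unix.so
    args: tuple     # e.g. ("try_first_pass", "nullok")


def parse_pam_file(text: str) -> list[Rule]:
    """Parse pam.d lines, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules


def run_stack(rules: list[Rule], mtype: str, outcomes: dict[str, bool]):
    """Walk one module type; return (granted, modules actually consulted).

    `outcomes` maps module name -> True (PAM_SUCCESS) / False (any error);
    a module missing from it counts as failing. Rules, as libpam applies them:
      required   failure is remembered, later modules still run
      requisite  failure returns immediately
      sufficient success returns immediately unless a required already failed
      optional   only counts when nothing else has set the verdict
    """
    impression = None   # None = undecided, True = positive, False = negative
    consulted = []
    for r in (r for r in rules if r.mtype == mtype):
        ok = outcomes.get(r.module, False)
        consulted.append(r.module)
        if r.control == "sufficient":
            if ok and impression is not False:
                return True, consulted      # short-circuit success
            continue                        # a failing sufficient is ignored
        if r.control not in ("required", "requisite", "optional"):
            raise ValueError(f"unsupported control flag {r.control!r}")
        if ok:
            if impression is None:
                impression = True           # first positive result
        elif r.control == "optional":
            continue                        # failure ignored
        else:
            impression = False              # required / requisite failure
            if r.control == "requisite":
                return False, consulted     # stop right here
    return impression is True, consulted    # nothing positive => deny


def audit(rules: list[Rule]) -> list[str]:
    """Flag the weak points a reviewer would raise about the page's example."""
    findings = []
    for r in rules:
        if r.mtype == "auth" and "nullok" in r.args:
            findings.append(f"{r.module}: nullok accepts empty passwords")
        if r.module in ("pam_tally.so", "pam_tally2.so"):
            findings.append(f"{r.module}: removed in Linux-PAM 1.5.0, use pam_faillock.so")
    return findings


# Constructed copy of the page's /etc/pam.d/common-auth example.
PAGE_EXAMPLE = """
auth required  pam_tally2.so deny=5 unlock_time=600
auth requisite pam_unix.so try_first_pass nullok
auth optional  pam_permit.so
auth required  pam_env.so
"""

# Constructed stack that falls through from local passwords to LDAP.
FALLTHROUGH = """
auth required   pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_ldap.so
auth required   pam_deny.so
"""

if __name__ == "__main__":
    rules = parse_pam_file(PAGE_EXAMPLE)
    # Locked-out user with the right password: all four modules still run.
    print(run_stack(rules, "auth", {"pam_tally2.so": False, "pam_unix.so": True,
                                    "pam_permit.so": True, "pam_env.so": True}))
    # Wrong password: requisite stops the walk at pam_unix.
    print(run_stack(rules, "auth", {"pam_tally2.so": True, "pam_unix.so": False}))
    print(audit(rules))
```

Replaying the page's example shows that a locked-out user still has the password checked (all four modules are consulted before the denial is reported), whereas a wrong password stops the walk at `pam_unix.so` because it is `requisite`. The fall-through stack shows `sufficient` ending the walk early on success, and that it cannot rescue a login once a `required` module has failed.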
### Commonly Used PAM Modules
1. **pam_unix.so**: Standard Unix authentication module, checking passwords against `/etc/shadow` (through the setuid `unix_chkpwd` helper when the calling process cannot read it).
2. **pam_tally2.so**: Tracks failed login attempts for account lockout. Removed in Linux-PAM 1.5.0; use `pam_faillock.so` instead.
3. **pam_limits.so**: Applies user resource limits from `/etc/security/limits.conf`.
4. **pam_env.so**: Sets environment variables during authentication.
5. **pam_pwquality.so**: Enforces password complexity policies (min length, character types, etc.); provided by the libpwquality project.
6. **pam_ldap.so**: Enables LDAP-based authentication; a third-party module, not part of Linux-PAM itself.