
PAM (Pluggable Authentication Modules)

  • Definition: PAM (Pluggable Authentication Modules) is a flexible mechanism for authenticating users. It provides a way to develop programs that are independent of authentication schemes.
  • Function: Allows system administrators to configure how applications authenticate users by stacking various authentication modules.
  • Components:
     * **PAM Modules**: Shared libraries that perform specific authentication tasks, such as verifying passwords or checking account policies.
     * **PAM Configuration Files**: Text files located in /etc/pam.d/ that define the authentication policies for various applications.
     * **PAM Management Groups**: Categories of management tasks, including `auth`, `account`, `password`, and `session`.
  • Features:
     * **Flexibility**: Administrators can configure and stack multiple authentication methods.
     * **Modularity**: Supports a wide range of authentication methods via modular plugins.
     * **Centralized Control**: Provides centralized authentication management for different services.
     * **Security**: Enhances security by allowing the use of advanced authentication mechanisms like biometrics and multi-factor authentication.
  • Usage: Commonly used to manage authentication for login processes, services, and applications in Unix-like systems.

Examples

  • Sample /etc/pam.d/sshd configuration:
     ```plaintext
     auth       required     pam_env.so
     auth       required     pam_unix.so
     account    required     pam_nologin.so
     account    required     pam_unix.so
     password   required     pam_unix.so
     session    required     pam_limits.so
     session    required     pam_unix.so
     session    optional     pam_motd.so
     ```

     * **auth**: Authentication management, verifying the user's identity.
     * **account**: Account management, checking whether access is allowed.
     * **password**: Password management, handling password changes.
     * **session**: Session management, setting up and tearing down user sessions.
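The stacking described above can be worked through on the sample configuration. The following is an added example (not part of the original page): it parses the page's sample /etc/pam.d/sshd, embedded as a constructed string, and evaluates each management group's stack with the simple control flags. It goes slightly beyond the sample by also handling `requisite` and `sufficient`; the `outcomes` dict and the module names used in it are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed input: this page's sample /etc/pam.d/sshd, plus one comment line.
SAMPLE_SSHD = """\
# sshd PAM stack (sample)
auth       required     pam_env.so
auth       required     pam_unix.so
account    required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_motd.so
"""

def parse_pam(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (control, module) pairs by management type (auth, account, ...).
    Bracketed [value=action] controls and @include lines are not handled."""
    stacks: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].startswith("@"):
            continue
        mtype, control, module = parts[0].lstrip("-"), parts[1].lower(), parts[2]
        stacks.setdefault(mtype, []).append((control, module))
    return stacks

def evaluate_stack(stack, outcomes: Dict[str, bool]) -> bool:
    """Walk one stack using the simple control flags. outcomes maps module name to
    True (PAM_SUCCESS) or False (any failure); modules not listed are assumed OK."""
    if not stack:
        return False                     # an empty stack denies access
    required_failed, optional_hits = False, []
    for control, module in stack:
        ok = outcomes.get(module, True)
        if control == "required":
            required_failed |= not ok    # keep walking so the failing module is not revealed
        elif control == "requisite" and not ok:
            return False                 # stop immediately
        elif control == "sufficient" and ok and not required_failed:
            return True                  # short-circuit; later modules never run
        elif control == "optional":
            optional_hits.append(ok)     # counts only when the whole stack is optional
    if required_failed:
        return False
    return any(optional_hits) if len(optional_hits) == len(stack) else True

def pam_result(config: str, mtype: str, outcomes: Dict[str, bool]) -> bool:
    return evaluate_stack(parse_pam(config).get(mtype, []), outcomes)
```

Running `pam_result(SAMPLE_SSHD, "session", {"pam_motd.so": False})` shows that a failing `optional` pam_motd.so does not break the session, whereas a failing `required` pam_unix.so in the `auth` stack denies the login.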

  • Common PAM modules:
     * **pam_unix.so**: Uses traditional Unix authentication, such as checking /etc/passwd and /etc/shadow.
     * **pam_env.so**: Sets up user environment variables.
     * **pam_tally2.so**: Tracks login attempts and can lock accounts after too many failed attempts (deprecated in current Linux-PAM releases in favour of pam_faillock.so).
     * **pam_motd.so**: Displays the message of the day.
  • Adding a new authentication module:
     * To enable Google Authenticator for SSH:
       1. Install the Google Authenticator PAM module.
       2. Edit /etc/pam.d/sshd and add:
          ```plaintext
          auth required pam_google_authenticator.so
          ```
       3. Configure SSH to use PAM by editing /etc/ssh/sshd_config and setting:
          ```plaintext
          UsePAM yes
          ```

Summary

  • PAM (Pluggable Authentication Modules): A versatile and modular authentication framework used in Unix-like systems, providing flexibility and centralized control over authentication policies through configurable modules and management groups.
pam_pluggable_authentication_modules.txt · Last modified: 2025/02/01 06:37 by 127.0.0.1
