About Pluggable Authentication Modules

The Pluggable Authentication Modules (PAM) feature is an authentication mechanism used by the sssd profile that lets you configure how applications use authentication to verify the identity of a user. The PAM configuration files, in the /etc/pam.d directory, describe the authentication procedure for an application. The name of each configuration file is the same as, or similar to, the name of the application for the module provides authentication for. For example, the configuration files for passwd and sudo are named passwd and sudo.

Each PAM configuration file contains a list or stack of calls to authentication modules. For example, the following listing shows the default content of the login configuration file:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

Comments in the file start with the # character. The remaining lines each define an operation type, a control flag, the name of a module such as pam_rootok.so or the name of an included configuration file such as system-auth, and any arguments to the module. PAM provides authentication modules as shared libraries in /usr/lib64/security.

For a particular operation type, PAM reads the stack from top to bottom and calls the modules listed in the configuration file. Each module generates a success or failure result when called.

The following operation types are available:

auth: The module tests whether a user is authenticated or authorized to use a service or application. For example, the module might request and verify a password. Such modules can also set credentials, such as a group membership or a Kerberos ticket.
account: The module tests whether an authenticated user is allowed access to a service or application. For example, the module might check if a user account has expired or if a user is only allowed to use a service at a specific time.
password: The module handles updates to an authentication token.
session: The module configures and manages user sessions, performing tasks such as mounting or unmounting a user's home directory.

If the operation type is preceded with a dash (-), PAM doesn't create a system log entry if the module is missing.

Except for include, the control flags tell PAM what to do with the result of running a module. The following control flags are defined for use:

optional: The module is required for authentication if it's the only module listed for a service.
required: The module must succeed for access to be granted. PAM continues to process the remaining modules in the stack whether the module succeeds or fails. PAM doesn't immediately inform the user of the failure.
requisite: The module must succeed for access to be granted. If the module succeeds, PAM continues to process the remaining modules in the stack. However, if the module fails, PAM notifies the user immediately and doesn't continue to process the remaining modules in the stack.
sufficient: If the module succeeds, PAM doesn't process any remaining modules of the same operation type. If the module fails, PAM processes the remaining modules of the same operation type to decide overall success or failure.

The control flag field can also define one or more rules that specify the action that PAM takes depending on the value that a module returns. Each rule takes the form value=action, and is surrounded square brackets, for example:

[user_unknown=ignore success=ok ignore=ignore default=bad]

If the result that's returned by a module matches a value, PAM uses the corresponding action, or, if there isn't a match, it uses the default action.

The include flag specifies that PAM must also consult the PAM configuration file specified as the argument.

For more information, see the pam(8) manual page. In addition, each PAM module has its own manual page, for example pam_unix(8), postlogin(5), and system-auth(5).