About Pluggable Authentication Modules
The Pluggable Authentication Modules (PAM) feature is an authentication mechanism used by the sssd profile that lets you configure how applications use authentication to verify the identity of a user. The PAM configuration files, in the /etc/pam.d directory, describe the authentication procedure for an application. The name of each configuration file is the same as, or similar to, the name of the application that the module provides authentication for. For example, the configuration files for passwd and sudo are named passwd and sudo.
Each PAM configuration file contains a list or stack of calls to authentication modules. For example, the following listing shows the default content of the login configuration file:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
Comments in the file start with the # character. The remaining lines each define an operation type, a control flag, the name of a module such as pam_rootok.so or the name of an included configuration file such as system-auth, and any arguments to the module. PAM provides authentication modules as shared libraries in /usr/lib64/security.
For a particular operation type, PAM reads the stack from top to bottom and calls the modules listed in the configuration file. Each module generates a success or failure result when called.
The following operation types are available:
auth - The module tests whether a user is authenticated or authorized to use a service or application. For example, the module might request and verify a password. Such modules can also set credentials, such as a group membership or a Kerberos ticket.
account - The module tests whether an authenticated user is allowed access to a service or application. For example, the module might check if a user account has expired or if a user is only allowed to use a service at a specific time.
password - The module handles updates to an authentication token.
session - The module configures and manages user sessions, performing tasks such as mounting or unmounting a user's home directory.
If the operation type is preceded with a dash (-), PAM doesn't create a system log entry if the module is missing.
Except for include, the control flags tell PAM what to do with the result of running a module. The following control flags are defined for use:
optional - The module is required for authentication if it's the only module listed for a service.
required - The module must succeed for access to be granted. PAM continues to process the remaining modules in the stack whether the module succeeds or fails. PAM doesn't immediately inform the user of the failure.
requisite - The module must succeed for access to be granted. If the module succeeds, PAM continues to process the remaining modules in the stack. However, if the module fails, PAM notifies the user immediately and doesn't continue to process the remaining modules in the stack.
sufficient - If the module succeeds, PAM doesn't process any remaining modules of the same operation type. If the module fails, PAM processes the remaining modules of the same operation type to decide overall success or failure.
The control flag field can also define one or more rules that specify the action that PAM takes depending on the value that a module returns. Each rule takes the form value=action, and the list of rules is surrounded by square brackets, for example:
[user_unknown=ignore success=ok ignore=ignore default=bad]
If the result that's returned by a module matches a value, PAM uses the corresponding action, or, if there isn't a match, it uses the default action.
The include flag specifies that PAM must also consult the PAM configuration file specified as the argument.
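The stack evaluation described above, as an added example that is not from the original page or from the PAM project: a small Python simulator that parses pam.d-style lines, expands the shorthand control flags into the [value=action] rules that pam.conf(5) documents as their equivalents, expands include inline, and walks the auth stack with constructed module results. The configuration files and return values are constructed for the example, and the action handling (ok, done, bad, die, ignore) is a simplified model of libpam's dispatch, not the library's code.

```python
import re
# Shorthand control flags as their [value=action] equivalents, per pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
# Constructed stand-ins for /etc/pam.d/login and /etc/pam.d/system-auth (not the real files).
FILES = {
    "login": "#%PAM-1.0\n"
             "auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so\n"
             "auth include system-auth\n"
             "account required pam_nologin.so\n",
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so nullok\n"
                   "auth sufficient pam_sss.so\n"
                   "auth required pam_deny.so\n",
}

def parse_stack(files, name, op):
    """Return [(rules, module)] for operation type `op`, expanding `include` inline."""
    stack = []
    for line in files[name].splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != op:            # skips comments, blanks, other op types
            continue
        flag, module = m.group(3), m.group(4)    # group(1) holds the optional '-' prefix
        if flag == "include":
            stack.extend(parse_stack(files, module, op))
        elif flag.startswith("["):               # explicit [value=action ...] rules
            stack.append((dict(kv.split("=", 1) for kv in flag[1:-1].split()), module))
        else:
            stack.append((SHORTHAND[flag], module))
    return stack

def run_stack(stack, results):
    """Walk a stack; `results` maps module -> return value (default 'success')."""
    impression, status = None, None              # None: no module has set a result yet
    for rules, module in stack:
        retval = results.get(module, "success")
        action = rules.get(retval, rules.get("default", "bad"))  # unlisted values act as bad
        if action in ("ok", "done") and impression != "neg":
            impression, status = "pos", retval
        elif action in ("bad", "die") and impression != "neg":
            impression, status = "neg", retval   # the first failure decides the result
        if action == "die" or (action == "done" and impression == "pos"):
            break                                # requisite failure, or sufficient success
    return status if impression else "perm_denied"   # nothing decided -> deny
```

Note that a sufficient module's success ends the stack only while no earlier required module has failed; run_stack reproduces that by checking the current impression before stopping.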
For more information, see the pam(8) manual page. In addition, each PAM module has its own manual page, for example pam_unix(8), postlogin(5), and system-auth(5).