How PAM Works: The Basics
The functionality of the PAM system is actually fairly basic. Any service that requires authentication is linked against the PAM libraries included with Linux. For example, try the following:
# ldd /bin/login
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
libpam.so.0 => /lib/libpam.so.0 (0x4004d000)
libdl.so.2 => /lib/libdl.so.2 (0x40055000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x4005a000)
libc.so.6 => /lib/libc.so.6 (0x4005d000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
#
Notice that the login program, used by programs such as getty and in.telnetd to authenticate users and log them in, is linked against the PAM libraries.
When a specific service such as login requires user authentication, it employs the PAM routines to complete this authentication. These routines look at the PAM configuration files for stack entries with a matching service name. They then process these entries in the order in which they are found, one by one.
To help you to understand the way in which PAM works, let's take a closer look at one service's authentication procedure. For the login service, for example, a default configuration might look something like Listing 1.
Listing 1 Section of /etc/pam.conf for login
login auth required pam_securetty.so
login auth required pam_pwdb.so
login auth required pam_nologin.so
login auth optional pam_mail.so
login account required pam_pwdb.so
login session required pam_pwdb.so
login session optional pam_lastlog.so
login password required pam_pwdb.so
NOTE
On many newer systems, the PAM configuration is split among a number of files stored in the /etc/pam.d/ directory. Each file is named after the service it handles, so the service identifier is omitted from each rule inside the file. For example, the equivalent file, /etc/pam.d/login, might contain this:
auth required pam_securetty.so
auth required pam_pwdb.so
auth required pam_nologin.so
auth optional pam_mail.so
account required pam_pwdb.so
session required pam_pwdb.so
session optional pam_lastlog.so
password required pam_pwdb.so
In the end, the result is the same. If the /etc/pam.d/ directory exists, it will be used exclusively, and the /etc/pam.conf file will be ignored.
Because each of these rules belongs to the login service, the entire stack will be processed each time a user attempts to log in. Let's step through the stack rules one by one. Refer to the PAM modules reference guide mentioned earlier for extensive descriptions of each module and its properties. The actions will proceed in this order:
1. The pam_securetty.so module checks to see that the requested user is allowed to log in at the console in question by comparing the user's login location against the /etc/securetty file. This action is required; if it fails, the authentication request will be rejected after all other actions have been completed.
2. The pam_pwdb.so module is called to see whether the user has entered the correct password. This action is also required.
3. The pam_nologin.so module is called to see whether the file /etc/nologin exists. If so, the file is displayed and the action will fail, eventually preventing the user from logging in. This action is also required.
4. The pam_mail.so module is called to see whether the user has any new mail. This action is optional, so the user will be allowed to log in based on the results of other actions whether or not any new mail is present.
5. The pam_pwdb.so module is called again, this time in the account context, which causes it to check for password or account expiration. If the account has expired, or if the user's password has expired and the user refuses to enter a new one, the action will fail. This action is required for login.
6. The pam_pwdb.so module is called yet again, this time in the session context, causing it to enter the login attempt in the system log. This action is required, meaning that if the system is unable to record the login, the user will not be allowed to enter.
7. The pam_lastlog.so module is called to update the user login history in the /var/log/lastlog file.
8. The pam_pwdb.so module is called one last time to replace the user's password in the /etc/shadow file, in case the password has been updated (see step 5) during the login process. This action is also required, meaning that if the system is unable to complete it, the user will not be allowed to log in.
This stack of actions represents the entire authentication process for user logins, from beginning to end. If it seems a bit cloudy at this point, try referring to the PAM System Administrator's Guide for exhaustive detail. However, the best way to learn is to begin working with PAM directly.
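As an added illustration (not code from the original article or from the PAM project), the following Python simulates how PAM walks a stack: it parses rules in both the /etc/pam.conf style (service field first) and the /etc/pam.d/<service> style, then evaluates one management group in order, applying the "required" and "optional" semantics described above. The module verdicts are supplied as a constructed dictionary rather than coming from real modules.

```python
# Constructed sample (not a real system file): the auth/account part of Listing 1.
PAM_CONF = """\
login auth required pam_securetty.so
login auth required pam_pwdb.so
login auth required pam_nologin.so
login auth optional pam_mail.so
login account required pam_pwdb.so
"""

def parse_stack(text, service=None):
    """Return [(type, control, module)] for one service. With `service`
    given, lines are /etc/pam.conf format (service field first); without
    it they are /etc/pam.d/<service> format, where that field is absent."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if service is not None:
            if fields[0] != service:
                continue  # rule belongs to another service
            fields = fields[1:]
        mtype, control, module = fields[:3]
        entries.append((mtype, control, module))
    return entries

def run_stack(entries, mtype, results):
    """Walk one management group (e.g. "auth") in order and return
    (final_ok, modules_called). `results` maps module name -> that module's
    own verdict (default True). required: a failure makes the final result
    a failure, but every later module is still run, as the text says for
    pam_securetty.so. optional: ignored unless no required module is present."""
    ok, called, any_required, optional_failed = True, [], False, False
    for t, control, module in entries:
        if t != mtype:
            continue
        called.append(module)
        verdict = results.get(module, True)
        if control == "required":
            any_required = True
            ok = ok and verdict  # remember the failure, but keep going
        elif control == "optional" and not verdict:
            optional_failed = True
    if not any_required and optional_failed:
        ok = False  # an optional module only decides when it stands alone
    return ok, called
```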