Linux Pluggable Authentication Modules (PAM) provide dynamic authorization for applications and services in a Linux system. Linux PAM is evolved from the  unix Pluggable Authentication modules architecture.

Each file under pam.d has 3 fields

A. First field


 Module authenticate the user,by checking the password


 Module verifies that access is allowed,by checking if users  account is valid,expired,allowed to access in this time of day.

3. passwd  

 Module sets and verify the passwords


 Module configure and manage user sessions. Represents the enviornment of a user.

B. Control Flag

1. required 

 Module result must be successfull for authentication to continue. If result failed returns failure only after remaining modules are invoked.

2. requisite 

 Module result must be successfull for authentication to continue.  But if module result is fail user is noticed immediately with message reflecting failed required or requiste module

3. Sufficient

 If module results fail , it is ignored, but if its successful and  no required modules is failed ,then user is authenticated to  service.

4. Optional

  If module results fail,it is ignored.If module result is successful  it does not play role in overall success/failure for module.


 1. /etc/pam.d/login

A.account     required  pam_nologin.so

Checks for /etc/nologin file, If exists stops normal user from logging in.
If module is commented, allows user to login even if file /etc/nologin exists

B.auth requisite  pam_access.so

Checks for user name, If username is correct only then it prompts for password
if user incorrect,Displays login incorrect.But if this module is commented though
username is wrong it prompts for password

C.session    required    pam_mkhomedir.so

Create user without homedir  --> useradd -M suma
If homedir doesnt exist,this module creates home dir as soon as user is logged in. But if this module is commented if user is created without homedir,it wont create home dir.

D. auth auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so 

Checks if any terminal is commented in the /etc/securetty, if any terminal is commented root cannot login in that terminal,But if this module is commented root can login in a terminal, though that particular terminal is commented in /etc/securetty file.

2. /etc/security/limits.conf

suma   .............   maxlogins     3

Allows this user to login in only 3 terminals, after 3 logins, we cant even
ssh as that particular user. Even ssh not allowed because USEPAM yes in

3. /etc/pam.d/su

auth    required    pam_rootok.so

Change above line from sufficent to required,So even root user needs password
when he tries to do su..  Change  line from sufficent to required.

4. /etc/pam.d/system_auth

passwd    required    pam_passwdqc.so

When  even root tries to set password for normal user, even root is forced
to set complex password for normal user.

5.  /etc/pam.d/vsftpd

1. auth  required  pam_listfile.so  item=user sense=deny  file=/etc/vsftpd/suma

Create file suma under /etc/vsftpd, and add some users to the file /etc/vsftpd/suma So tht users are not allowed to login thru ftp.Default file is /etc/vsftpd/ftpusersSo any users put into tht file are denied to ftp.

If you found this post useful, I would  really love it, if you can Like the Page, or share it with your Facebook/Google+/Twitter Friends... It will keep me motivated. Thank you!

No comments:

Post a Comment