PAM Modules

Creating or modifying a PAM configuration requires at least a basic understanding of the available PAM modules. If you check your existing PAM configuration files, you’re likely to see quite a range of module calls, and modifying them to get the results you expect can be tricky if you don’t understand what the existing modules do.

Tip

Some PAM modules can be called for only some management groups. Others can be called as part of a stack for any management group.

Standard PAM Modules

PAM ships with quite a few different modules. Table A-2 summarizes those that you’re most likely to encounter in your existing configuration files. Note that, although some modules directly relate to password handling, others don’t; they’re used to display information to users, set environment variables, and so on. For these modules, PAM is simply a convenient tool for accomplishing their goals. Such modules may not affect the login process at all.

Table A-2. Common standard PAM modules

Module filename

Management groups

Common arguments

Description

pam_unix.so

auth, account, session, and password

nullok, likeauth, shadow, try_first_pass, use_first_pass, use_authtok

Implements the traditional Unix (and Linux) authentication, based on /etc/passwd and /etc/shadow files.

pam_unix2.so

auth, account, session, and password

nullok, likeauth, shadow, try_first_pass, use_first_pass, use_authtok

A variant on pam_unix.so that implements additional features, such as an ability to authenticate ...

Get Linux in a Windows World now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.