HxHippy

PAM Configuration

Pluggable Authentication Modules configuration and security.

Last updated: 2025-01-15

PAM (Pluggable Authentication Modules)

PAM provides a flexible authentication framework for Linux systems.

Understanding PAM

Module Types

Type       Purpose
auth       Authenticates the user (password check, credential setup)
account    Non-authentication checks on the account (expiry, time/location restrictions)
password   Updates the authentication token (password changes)
session    Setup and teardown at session start and end (limits, logging, mounts)

Control Flags

Flag         Behavior
required     Must pass; the remaining modules still run, so the failure is only reported at the end
requisite    Must pass; a failure returns immediately without running the rest of the stack
sufficient   If it passes (and no earlier required module failed), the rest of the stack is skipped
optional     Result does not affect the overall outcome unless it is the only module in the stack

Common PAM Configuration

/etc/pam.d/common-auth

# Standard auth configuration
auth    required                        pam_env.so
auth    required                        pam_faildelay.so delay=2000000
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Account Lockout

# /etc/pam.d/common-auth - preauth line goes BEFORE pam_unix, authfail line AFTER it
auth    required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth    [default=die] pam_faillock.so authfail deny=5 unlock_time=900
# If pam_unix uses [success=N default=ignore], raise N by one so its jump still clears the authfail line
# /etc/pam.d/common-account - resets the failure counter after a successful login
account required      pam_faillock.so

# Check locked accounts
faillock --user username

# Unlock user
faillock --user username --reset
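
To make the control-flag table and the lockout insertion concrete, here is an added walk-through of an auth stack (an illustration written for this page, not code from the original or from Linux-PAM). It assumes a local user, so pam_deny and pam_sss are treated as failing, omits pam_env and pam_faildelay, and takes the faillock lines as inserted above around the page's pam_unix line.

```python
import re

KEYWORDS = {  # classic keywords, written as the bracket form libpam maps them to
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"}}
ALWAYS_FAIL = {"pam_deny.so", "pam_sss.so"}  # local user: SSSD has no record of them

def parse_auth_stack(text):  # -> [(control dict, module)] for the 'auth' lines
    text = re.sub(r"\\\n\s*", " ", text)              # join '\' continuation lines
    stack = []
    for line in text.splitlines():
        if m := re.match(r"auth\s+(\[[^\]]+\]|\w+)\s+(\S+)", line.split("#")[0].strip()):
            ctl, module = m.groups()
            control = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((control, module))
    return stack

def evaluate(config, failing=()):  # walk the stack like libpam; `failing` modules fail
    stack, verdict, i = parse_auth_stack(config), None, 0
    while i < len(stack):
        control, module = stack[i]
        result = "fail" if module in failing or module in ALWAYS_FAIL else "success"
        action = control.get(result, control.get("default", "bad"))
        if action == "ok" and verdict != "fail":
            verdict = "success"                 # an earlier failure stays sticky
        elif action == "done":                  # sufficient: stop early
            return verdict or "success"
        elif action == "bad":                   # required: remember it, carry on
            verdict = "fail"
        elif action == "die":                   # requisite / [default=die]: stop now
            return "fail"
        elif action.isdigit():                  # [success=N]: skip the next N modules
            i += int(action)
        i += 1
    return verdict or "fail"

# Constructed: the page's common-auth (pam_env/pam_faildelay omitted) with the
# lockout lines added around pam_unix but the original [success=2] jump kept.
NAIVE = """
auth required                   pam_faillock.so preauth silent deny=5 unlock_time=900
auth [success=2 default=ignore] pam_unix.so nullok
auth [default=die]              pam_faillock.so authfail deny=5 unlock_time=900
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite                  pam_deny.so
auth required                   pam_permit.so
"""
FIXED = NAIVE.replace("success=2", "success=3")   # the jump must clear authfail too
```

`evaluate(NAIVE)` returns `'fail'` even for a correct password, because the unadjusted jump lands on pam_deny; `evaluate(FIXED)` returns `'success'`, while `evaluate(FIXED, {"pam_unix.so"})` and `evaluate(FIXED, {"pam_faillock.so"})` (wrong password, locked account) both return `'fail'`.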

Password Quality

# /etc/pam.d/common-password
password    requisite       pam_pwquality.so retry=3 \
                           minlen=14 \
                           dcredit=-1 \
                           ucredit=-1 \
                           ocredit=-1 \
                           lcredit=-1 \
                           difok=3
# use_authtok makes pam_unix take the new password that pam_pwquality already
# checked instead of prompting for a second one that would bypass the check
password    [success=1 default=ignore]    pam_unix.so obscure use_authtok try_first_pass sha512

Session Limits

# /etc/security/limits.conf
*               soft    core            0
*               hard    core            0
*               hard    nproc           256
*               hard    nofile          1024
root            hard    maxlogins       3
@sshusers       hard    maxlogins       2

PAM Modules

pam_access.so

# /etc/security/access.conf
# Allow root from local
+ : root : LOCAL
# Allow admins from specific IPs
+ : @admins : 10.0.0.0/24
# Deny all others
- : ALL : ALL

# Enable in /etc/pam.d/sshd
account    required    pam_access.so

pam_time.so

# /etc/security/time.conf
# Allow sshd login Mon-Fri 08:00-18:00
sshd;*;*;Wk0800-1800

# Enable in /etc/pam.d/sshd
account    required    pam_time.so

Testing PAM

# Test PAM configuration (be careful!)
pamtester sshd username authenticate

# Debug PAM issues
journalctl | grep pam