PAM (Pluggable Authentication Modules)
PAM provides a flexible authentication framework for Linux systems.
Understanding PAM
Module Types
| Type | Purpose |
|------|---------|
| auth | User authentication |
| account | Account verification |
| password | Password changes |
| session | Session setup/teardown |
Control Flags
| Flag | Behavior |
|------|----------|
| required | Must pass, continue checking |
| requisite | Must pass, fail immediately if not |
| sufficient | If passes, skip remaining |
| optional | Result doesn't affect overall |
Common PAM Configuration
/etc/pam.d/common-auth
# Standard auth configuration
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# success=2: a local password match skips pam_sss and pam_deny and lands on pam_permit
auth [success=2 default=ignore] pam_unix.so nullok
# success=1: an SSSD match skips pam_deny; default=ignore lets the next line run on failure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# reached only when every backend above failed
auth requisite pam_deny.so
auth required pam_permit.so
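A toy evaluator for the control-flag rules above and the jump pattern in this common-auth stack, added here as an example and not taken from the page or from Linux-PAM. It reduces real return codes to the strings "success" and "auth_err", takes each module's outcome from a constructed dict instead of calling PAM, and models only the success/default actions of the four simple flags.

```python
import re
FLAGS = {  # pam.conf(5) equivalences of the simple flags (success/default only)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_stack(text):
    """Turn 'type control module [args]' lines into [(actions, module)]."""
    stack = []
    for raw in text.splitlines():
        m = re.match(r"\s*(?!#)\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", raw)
        if not m:                              # blank or comment line
            continue
        ctrl, module = m.groups()
        if ctrl.startswith("["):               # [value=action ...] form
            actions = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            actions = FLAGS[ctrl]
        stack.append((actions, module))
    return stack

def evaluate(stack, results):
    """Walk the stack; `results` maps module -> constructed return code."""
    failed, status, skip = None, "perm_denied", 0
    for actions, module in stack:
        if skip:                               # inside a success=N jump
            skip -= 1
            continue
        code = results[module]
        action = actions.get(code, actions["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failed = failed or code            # first failure is kept
            if action == "die":
                return failed                  # requisite-style abort
            continue
        if failed is None:                     # ok / done / N
            status = code
            if action == "done":
                return status                  # sufficient, no prior failure
        if action.isdigit():
            skip = int(action)                 # success=N skips N modules
    return failed or status

COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
```

Feeding a constructed stack of `auth required pam_faillock.so preauth` followed by `auth sufficient pam_unix.so` shows that a correct password cannot mask a lockout, because the earlier required failure persists.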
Account Lockout
# /etc/pam.d/common-auth
# preauth goes BEFORE pam_unix; authfail goes AFTER it, so it only runs once the
# password backends have failed. Any [success=N] line that jumps over the authfail
# line must have N raised by one so a successful login still skips it.
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
# Check locked accounts
faillock --user username
# Unlock user
faillock --user username --reset
Password Quality
# /etc/pam.d/common-password
# negative credits are minimums: at least one digit, upper, other and lower character
password requisite pam_pwquality.so retry=3 \
minlen=14 \
dcredit=-1 \
ucredit=-1 \
ocredit=-1 \
lcredit=-1 \
difok=3
# use_authtok makes pam_unix reuse the password pam_pwquality already checked;
# without it a second prompt can accept a password that was never checked
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Session Limits
# /etc/security/limits.conf (only enforced if the service's PAM stack has: session required pam_limits.so)
* soft core 0
* hard core 0
* hard nproc 256
* hard nofile 1024
root hard maxlogins 3
@sshusers hard maxlogins 2
PAM Modules
pam_access.so
# /etc/security/access.conf
# Rules are checked top to bottom; the first match decides
# Allow root from local
+ : root : LOCAL
# Allow admins from specific IPs
+ : @admins : 10.0.0.0/24
# Deny all others
- : ALL : ALL
# Enable in /etc/pam.d/sshd
account required pam_access.so
pam_time.so
# /etc/security/time.conf
# Allow sshd login Mon-Fri 08:00-18:00
sshd;*;*;Wk0800-1800
# Enable in /etc/pam.d/sshd
account required pam_time.so
Testing PAM
# Test PAM configuration (be careful!)
pamtester sshd username authenticate
# Debug PAM issues
journalctl | grep pam
advanced | Authentication | Updated 2025-01-15
- pam
- authentication
- linux
- security
- login