pam.conf File

Purpose

Contains service entries for each PAM (Pluggable Authentication Modules) module type.

Description

The /etc/pam.conf configuration file consists of service entries for each PAM module type and serves to route services through a defined module path. Entries in the file are composed of the following whitespace-delimited fields: service_name module_type control_flag module_path module_options
Item Description
service_name Specifies the name of the PAM enabled service. The keyword OTHER is used to define the default module to use for applications not specified in an entry.
module_type Specifies the module type for the service. Valid module types are auth, account, session, or password. A given module will provide support for one or more module types.
control_flag Specifies the stacking behavior for the module. Supported control flags are required, requisite, sufficient, or optional.
required
All required modules in a stack must pass for a successful result. If one or more of the required modules fail, all of the required modules in the stack will be attempted, but the error from the first failed required module is returned.
requisite
Similar to required except that if a requisite module fails, no further modules in the stack are processed and it immediately returns the first failure code from a required or requisite module.
sufficient
If a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the stack are ignored and success is returned.
optional
If none of the modules in the stack are required and no sufficient modules have succeeded, then at least one optional module for the service must succeed. If another module in the stack is successful, a failure in an optional module is ignored.
module_path Specifies the module to load for the service. Valid values for module_path may be specified as either the full path to the module or just the module name. If the full path to the module is not specified, the PAM library prepends /usr/lib/security (for 32-bit services) or /usr/lib/security/64 (for 64-bit services) to the module name.

If the module path is specified as full path, then it directly uses for 32-bit services, for 64-bit services module path derived as module_path/64/module_name.

module_options Specifies a space delimited list of module specific options. Values for this field are dependent on the options supported by the module defined in the module_path field. This field is optional.
Malformed entries, or entries with invalid values for the module_type or control_flag fields are ignored by the PAM library. Entries beginning with a number sign (#) character at the beginning of the line are also ignored as this denotes a comment.

PAM supports a concept typically referred to as stacking, which allows multiple mechanisms to be used for each service. Stacking is implemented in the configuration file by creating multiple entries for a service with the same module_type field. The modules are invoked in the order in which they are listed in the file for a given service name, with the final result determined by the control_flag field specified for each entry.

The following /etc/pam.conf subset is an example of stacking in the auth module type for the login service.
#
# PAM configuration file /etc/pam.conf
#

# Authentication Management
login   auth     required       /usr/lib/security/pam_ckfile    file=/etc/nologin
login   auth     required       /usr/lib/security/pam_aix
login   auth     optional       /usr/lib/security/pam_test      use_first_pass
OTHER   auth     required       /usr/lib/security/pam_prohibit

The example configuration file contains three entries for the login service. Having specified both pam_ckfile and pam_aix as required, both modules will be executed and both must be successful for the overall result to be success. The third entry for the fictitious pam_test module is optional and its success or failure will not affect whether the user is able to login. The option use_first_pass to the pam_test module requires that a previously entered password be used instead of prompting for a new one.

Use of the OTHER keyword as a service name enables a default to be set for any other services that are not explicitly declared in the configuration file. Setting up a default ensures that all cases for a given module type will be covered by at least one module. In the case of this example, all services other than login will always fail since the pam_prohibit module returns a PAM failure for all invocations.

Changing the /etc/pam.conf File

When changing the /etc/pam.conf configuration file, consider the following:
  • The file should always be owned by the root user and group security. Permission on the file should be set to 644 to allow everyone read access, but only allow root to modify it.
  • For greater security, consider explicitly configuring each PAM enabled service and then using the pam_prohibit module for the OTHER service keyword.
  • Read any documentation supplied for a chosen module and service, and determine which control flags, options and module types are supported and what their impact will be.
  • Select the ordering of modules and control flags carefully, keeping in mind the behavior of required, requisite, sufficient, and optional control flags in stacked modules.
Note: Incorrect configuration of the PAM configuration file can result in a system that cannot be logged in to since the configuration applies to all users, including root. After making changes to the file, always test the affected applications before logging out of the system. A system that cannot be logged in to can be recovered by booting the system in maintenance mode and correcting the /etc/pam.conf configuration file.

Files

Item Description
/etc/pam.conf Location of the pam.conf configuration file.