Introduction to Linux PAM
The Linux PAM package contains
Pluggable Authentication Modules used by the local system
administrator to control how application programs authenticate
users.
Note
Development versions of BLFS may not build or run some packages
properly if LFS or dependencies have been updated since the most
recent stable versions of the books.
Package Information
Additional Downloads
Linux PAM Dependencies
Optional
libnsl-2.0.1, libtirpc-1.3.6, rpcsvc-proto-1.4.4, Berkeley
DB (deprecated), libaudit, and
libeconf
Optional (To build the Documentation and Man Pages)
docbook-xml-5.0, docbook-xsl-ns-1.79.2, fop-2.10 (for the PDF
format), libxslt-1.1.42, and Lynx-2.9.2 (for the
plain text format)
Note
Shadow-4.16.0 and
Systemd-256.5 must be reinstalled and
reconfigured after installing and configuring Linux PAM.
With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
installed by default. Use libpwquality-1.4.5 to enforce strong
passwords.
Kernel
Configuration
For the PAM module pam_loginuid.so
(referred by the PAM configuration file system-session
if Systemd-256.5 is rebuilt with PAM
support later) to work, a kernel configuration parameter
need to be set or the module will just do nothing:
General setup --->
[*] Auditing support [AUDIT]
Installation of Linux PAM
If you've installed docbook-xml-5.0, docbook-xsl-ns-1.79.2, libxslt-1.1.42, and Lynx-2.9.2 and you
wish to generate the plain text format of the documentations,
modify meson.build
to use Lynx-2.9.2 instead of W3m or Elinks those BLFS
does not provide:
sed -e "s/'elinks'/'lynx'/" \
-e "s/'-no-numbering', '-no-references'/ \
'-force-html', '-nonumbers', '-stdin'/" \
-i meson.build
Compile and link Linux PAM by
running the following commands:
mkdir build &&
cd build &&
meson setup .. \
--prefix=/usr \
--buildtype=release \
-D docdir=/usr/share/doc/Linux-PAM-1.7.0 &&
ninja
To test the results, a suitable /etc/pam.d/other
configuration file must exist.
Reinstallation or Upgrade of Linux PAM
If you have a system with Linux PAM installed and working, be
careful when modifying the files in /etc/pam.d
, since your system may become
totally unusable. If you want to run the tests, you do not need
to create another /etc/pam.d/other
file. The existing file can be used for the tests.
You should also be aware that make
install overwrites the configuration files in
/etc/security
as well as
/etc/environment
. If you have
modified those files, be sure to back them up.
For a first-time installation, create a configuration file by
issuing the following commands as the root
user:
install -v -m755 -d /etc/pam.d &&
cat > /etc/pam.d/other << "EOF"
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
EOF
Now run the tests by issuing ninja
test. Be sure the tests produced no errors before
continuing the installation.
For a first-time installation, remove the configuration file
created earlier by issuing the following command as the
root
user:
rm -fv /etc/pam.d/other
Now, as the root
user:
ninja install &&
chmod -v 4755 /usr/sbin/unix_chkpwd
If you do not have the optional dependencies installed to build the
documentation and downloaded the optional pre-built documentation,
again as the root
user:
tar -C / -xvf ../../Linux-PAM-1.7.0-docs.tar.xz
Configuring Linux-PAM
Configuration Files
/etc/security/*
and /etc/pam.d/*
Configuration Information
Configuration information is placed in /etc/pam.d/
. Here is a sample file:
# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
Now create some generic configuration files. As the root
user:
install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account
account required pam_unix.so
# End /etc/pam.d/system-account
EOF
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth
EOF
cat > /etc/pam.d/system-session << "EOF" &&
# Begin /etc/pam.d/system-session
session required pam_unix.so
# End /etc/pam.d/system-session
EOF
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password required pam_unix.so yescrypt shadow try_first_pass
# End /etc/pam.d/system-password
EOF
If you wish to enable strong password support, install libpwquality-1.4.5, and follow the
instructions on that page to configure the pam_pwquality PAM
module with strong password support.
Next, add a restrictive /etc/pam.d/other
configuration file. With this
file, programs that are PAM aware will not run unless a
configuration file specifically for that application exists.
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
# End /etc/pam.d/other
EOF
The PAM man page (man pam) provides a good
starting point to learn about the several fields, and allowable
entries. The Linux-PAM System Administrators' Guide at
/usr/share/doc/Linux-PAM-1.7.0/Linux-PAM_SAG.txt
is recommended for additional information.