The Ultimate Gatekeeper: Understanding PAM

How does Linux decide if you are who you say you are? Master 'Pluggable Authentication Modules' (PAM). Understand the modular architecture of Linux identity. Learn to set password complexity rules, implement account lockouts, and customize the login experience.

1. PAM: The Pluggable Authentication Gatekeeper

When you type your password into SSH, sudo, or the login screen, how does the system actually verify it? Does every program have its own "Password Checking" code?

No.

Linux uses PAM (Pluggable Authentication Modules).

PAM is a "Middle-man" that sits between applications (like SSH) and authentication methods (like the /etc/shadow file, or a Fingerprint reader). If you want to change how the system handles passwords, you don't change the applications; you change the PAM modules.

In this lesson, we will understand how to configure the system's "Identity Logic."


2. The Four Pillars of PAM

Every PAM configuration file is divided into four types of checks:

  1. auth: "Are you who you say you are?" (Password/Key check).
  2. account: "Are you allowed to be here right now?" (Has your password expired? Are you logged in at 3 AM from China?).
  3. password: "How do you change your identity?" (Setting complexity rules, like "Must have 1 number").
  4. session: "What do you need while you are here?" (Mounting a home folder, setting environmental variables).

3. The Configuration Hierarchy

PAM configs are found in /etc/pam.d/. Each application has its own file.

For example, /etc/pam.d/sshd controls SSH logins. But usually, they all "Include" a common file called common-auth or system-auth.

The Rule Logic:

type control_flag module_path arguments

Control Flags:

  • required: This check MUST pass. If it fails, the user is rejected, but PAM still runs the remaining checks so an attacker cannot tell which module failed (a locked account, for instance, still gets a password prompt).
  • requisite: MUST pass. If it fails, the user is rejected immediately and no further modules run.
  • sufficient: If this passes, the user is IN and no further checks run, provided no earlier required module has already failed. If it fails, the result is simply ignored and PAM moves on.
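To see how the flags combine, here is a small simulator of the way PAM walks one management group and merges each module's result. It is an added example, not part of the lesson or of Linux-PAM itself; module outcomes are supplied as a dict instead of calling real modules, and the sample stack is constructed for the demo. It also handles the optional flag, which the list above does not cover.

```python
# Added example, not from the lesson: a small simulator of how PAM walks one
# management group (here "auth") and combines each module's result according
# to its control flag. Module outcomes are supplied as a dict so it runs
# offline; real PAM would call into the .so files instead.
from dataclasses import dataclass, field


@dataclass
class Rule:
    type: str                 # auth / account / password / session
    control: str              # required / requisite / sufficient / optional
    module: str               # e.g. pam_unix.so
    args: tuple = field(default_factory=tuple)


def parse_pam_line(line):
    """Parse one 'type control module [args...]' rule; None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed PAM rule: {line!r}")
    return Rule(parts[0], parts[1], parts[2], tuple(parts[3:]))


def parse_pam_file(text):
    return [r for r in map(parse_pam_line, text.splitlines()) if r]


def run_stack(rules, group, outcomes):
    """
    Walk the rules of one group and return (authenticated, trace).

    `outcomes` maps module name -> True/False, standing in for the module's
    real return code. The flag semantics mirror Linux-PAM's dispatcher:
      requisite : failure returns immediately; success counts as a pass
      required  : failure is remembered but the stack keeps running
      sufficient: success ends the stack with OK unless a required/requisite
                  module has already failed; its own failure is ignored
      optional  : only decides the outcome if nothing else has
    A stack that reaches its end with no positive result is denied.
    """
    verdict = None            # None = undecided, True = pass so far, False = failed
    trace = []
    for r in rules:
        if r.type != group:
            continue
        ok = outcomes.get(r.module, False)
        trace.append(f"{r.control:<10} {r.module:<16} {'PASS' if ok else 'FAIL'}")
        if r.control == "requisite":
            if not ok:
                trace.append("requisite failed -> denied immediately")
                return False, trace
            verdict = True if verdict is None else verdict
        elif r.control == "required":
            if not ok:
                verdict = False   # keep going so the caller can't tell which check failed
            elif verdict is None:
                verdict = True
        elif r.control == "sufficient":
            if ok and verdict is not False:
                trace.append("sufficient passed -> authenticated, remaining rules skipped")
                return True, trace
        elif r.control == "optional":
            if ok and verdict is None:
                verdict = True
        else:
            raise ValueError(f"unsupported control flag {r.control!r}")
    return verdict is True, trace


# Constructed sample modelled on a common-auth stack with the lockout rule from
# the lesson in front of the password check.
SAMPLE_AUTH = """
auth required   pam_tally2.so deny=5 unlock_time=900 onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_deny.so
"""


def demo():
    rules = parse_pam_file(SAMPLE_AUTH)
    scenarios = {
        "good password, not locked": {"pam_tally2.so": True, "pam_unix.so": True},
        "good password, but locked": {"pam_tally2.so": False, "pam_unix.so": True},
        "wrong password, not locked": {"pam_tally2.so": True, "pam_unix.so": False},
    }
    results = {}
    for name, outcomes in scenarios.items():
        ok, trace = run_stack(rules, "auth", outcomes)   # pam_deny.so defaults to FAIL
        results[name] = ok
        print(f"{name}: {'ALLOWED' if ok else 'DENIED'}")
        for step in trace:
            print("   ", step)
    return results


if __name__ == "__main__":
    demo()
```

The second scenario is the instructive one: the locked account fails the required tally rule, yet pam_unix.so still runs (and still prompts), and the later sufficient pass is ignored because a required failure is already on record.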

4. Practical: Enforcing Password Complexity

Suppose you want to ensure no one on your server uses the password "123456". You use the pam_pwquality module.

# In /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1

The Translation:

  • retry=3: Prompt up to 3 times before giving up.
  • minlen=12: Minimum 12 characters.
  • difok=3: At least 3 characters must differ from the old password.
  • ucredit=-1: At least one Uppercase.
  • lcredit=-1: At least one Lowercase.
  • dcredit=-1: At least one Digit.
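To make the credit convention concrete, here is a simplified model of the options in the rule above that lets you test candidate passwords against the policy offline. It is an added example, not the lesson's code and not libpwquality: the real module also runs dictionary, palindrome, repeated-character and username checks, and takes defaults from /etc/security/pwquality.conf, whereas options missing from the rule are treated as disabled here (an assumption for this example). The test passwords are constructed.

```python
# Added example, not from the lesson: a simplified model of the pam_pwquality
# options used in the rule above (minlen, difok, ucredit/lcredit/dcredit), so
# candidate passwords can be tested against the policy offline. It is not
# libpwquality: the real module also runs dictionary, palindrome, repeat and
# username checks, and reads defaults from /etc/security/pwquality.conf.
import string

# Character classes behind the four credit options.
CREDIT_CLASSES = {
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "dcredit": str.isdigit,
    "ocredit": lambda c: c in string.punctuation,
}


def parse_pwquality_args(rule_args):
    """Turn 'retry=3 minlen=12 ucredit=-1 ...' into a dict; flags without '=' become True."""
    opts = {}
    for tok in rule_args.split():
        key, sep, val = tok.partition("=")
        opts[key] = int(val) if sep else True
    return opts


def check_password(new, old, opts):
    """
    Return a list of violations (empty list = accepted).

    Credits follow pam_pwquality's convention: a negative value -N means "at
    least N characters of this class"; a positive value N means up to N such
    characters each add one to the effective length compared with minlen.
    Options missing from the rule are treated as 0 / disabled here, which is a
    simplification (assumed for this example) of the real config defaults.
    `retry` is deliberately ignored: it controls how often the user is
    re-prompted, not whether a password is acceptable.
    """
    violations = []
    effective_len = len(new)
    for name, is_in_class in CREDIT_CLASSES.items():
        credit = opts.get(name, 0)
        count = sum(1 for c in new if is_in_class(c))
        if credit < 0 and count < -credit:
            violations.append(f"{name}: need at least {-credit}, found {count}")
        elif credit > 0:
            effective_len += min(count, credit)
    minlen = opts.get("minlen", 0)
    if effective_len < minlen:
        violations.append(f"minlen: effective length {effective_len} is below {minlen}")
    # difok: at least this many characters of the new password must not
    # appear anywhere in the old one. Skipped when there is no old password.
    difok = opts.get("difok", 0)
    if old and difok:
        differing = sum(1 for c in new if c not in old)
        if differing < difok:
            violations.append(f"difok: only {differing} character(s) differ from the old password, need {difok}")
    return violations


# The rule from the lesson, minus the "password requisite pam_pwquality.so" prefix.
PAGE_RULE = "retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1"


def demo():
    opts = parse_pwquality_args(PAGE_RULE)
    # Constructed test cases: (new password, old password)
    cases = [
        ("123456", ""),
        ("Correct-Horse-Battery-9", "Correct-Horse-Battery-8"),
        ("Tr0ub4dor&Complex1", "123456"),
    ]
    results = {}
    for new, old in cases:
        problems = check_password(new, old, opts)
        results[new] = problems
        print(f"{new!r}: {'OK' if not problems else '; '.join(problems)}")
    return results


if __name__ == "__main__":
    demo()
```

The second case shows why difok matters: a strong-looking password that changes only its trailing digit is rejected even though every credit and minlen check passes.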

5. Security: The Account Lockout (pam_tally2)

To stop brute-force attacks at the OS level, you can tell PAM to "Lock the door" for 15 minutes (900 seconds) after 5 failed attempts. Note that pam_tally2 was removed in Linux-PAM 1.4.0; current distributions ship pam_faillock (managed with the faillock command) for the same job.

# In /etc/pam.d/common-auth
auth required pam_tally2.so deny=5 unlock_time=900 onerr=fail

Careful: If you misconfigure this, you could accidentally lock the "root" account, making it impossible to fix the server without a recovery disk!


6. Example: A PAM "Lockout" Auditor (Python)

If a user calls you saying "I can't log in!", it might be because PAM has locked their account due to too many failed attempts. Here is a Python script that checks the "Tally" of failed logins.

import shutil
import subprocess

LOCK_THRESHOLD = 5  # matches deny=5 in the pam_tally2 rule above


def parse_tally_failures(output):
    """
    Parse pam_tally2's table, which looks like:

        Login           Failures Latest failure     From
        sudeep               5    01/02/24 10:00:00  192.168.1.5

    Returns the failure count, or None if the user has no row.
    (The last token of the output is the "From" column, so it must not
    be used as the count.)
    """
    lines = [l for l in output.splitlines() if l.strip()]
    if len(lines) < 2:
        return None
    try:
        return int(lines[1].split()[1])
    except (IndexError, ValueError):
        return None


def check_account_locks(username):
    """
    Checks if a user is currently locked by pam_tally2 or faillock.
    """
    print(f"--- Identity Audit for: {username} ---")

    if shutil.which("pam_tally2"):
        # Older systems: pam_tally2
        res = subprocess.run(["sudo", "pam_tally2", "--user", username],
                             capture_output=True, text=True)
        failures = parse_tally_failures(res.stdout)
        print(f"Login Failure Tally: {failures if failures is not None else 'no record'}")

        if failures is not None and failures >= LOCK_THRESHOLD:
            print("[!!!] ALERT: Account is likely LOCKED due to failed attempts.")
            print(f"      To unlock: sudo pam_tally2 --user {username} --reset")
    else:
        # Modern systems use 'faillock' (pam_faillock); it prints the failure records itself
        res = subprocess.run(["sudo", "faillock", "--user", username],
                             capture_output=True, text=True)
        print(res.stdout)
        print(f"      To unlock: sudo faillock --user {username} --reset")


if __name__ == "__main__":
    check_account_locks("sudeep")

7. Professional Tip: Use 'pam_wheel' for extra security

You can tell PAM: "Only users in the 'wheel' (admin) group are even allowed to ATTEMPT to use the su command." Everyone else gets "Permission Denied" before they even type a password. The use_uid argument makes pam_wheel check the group membership of the real UID running su, rather than the user name attached to the terminal session.

# In /etc/pam.d/su
auth required pam_wheel.so use_uid

8. Summary

PAM is the brain of Linux authentication.

  • The "Pluggable" part means you can add 2FA, Biometrics, or Smartcards without changing your apps.
  • Control Flags (required, sufficient) define the strictness of the gate.
  • /etc/pam.d/ is the library of security policies.
  • Password Complexity and Account Lockouts are the two most common uses for sysadmins.

In the next lesson, we will look at the files PAM actually checks: Password Security and the Shadow File.

Quiz Questions

  1. What is the difference between a required module and a sufficient module in PAM?
  2. Which PAM "Pillar" is responsible for enforcing that a user's password must have at least one capital letter?
  3. Why is it useful to have a "session" type in PAM? (What happens during a session setup?).

Continue to Lesson 4: Identity Files—The Shadow and the Passwd.
