====== Ubuntu - PAM - Configure PAM ======

The main configuration file for PAM is **/etc/pam.conf**, and the **/etc/pam.d/** directory contains the PAM configuration files for each PAM-aware application/service. If the **/etc/pam.d/** directory exists, PAM ignores **/etc/pam.conf**.

----

===== Syntax of Main Configuration File =====

The syntax for the main configuration file is as follows:

<code>
service type control-flag module module-arguments
</code>

where:

  * **service:** the actual application name.
  * **type:** the module type/context/interface.
  * **control-flag:** indicates how the PAM API should behave if the module fails to succeed in its authentication task.
  * **module:** the absolute filename or relative pathname of the PAM module.
  * **module-arguments:** a space-separated list of tokens for controlling module behaviour.

The file is made up of a list of rules, each written on a **single** line. You can extend a rule over multiple lines using the "\" escape character. For example:

<code>
aaa \
bbb
</code>

The format of each rule is a **space**-separated collection of tokens (the first three are case-insensitive). Comments are preceded with "#" and extend to the end of the line.

----

===== Syntax of PAM config files =====

The syntax of each file in **/etc/pam.d/** is similar to that of the main file, except that the service token is omitted (the service is implied by the file name); each line has the following form:

<code>
type control-flag module module-arguments
</code>

This is an example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists:

<code>
account required pam_nologin.so
</code>

----

===== Understanding PAM Management Groups and Control-flags =====

PAM authentication tasks are separated into four independent management groups. These groups manage different aspects of a typical user's request for a restricted service. A module is associated with one of these management group types:

  * **account:** provides services for account verification: has the user's password expired? Is this user permitted access to the requested service?
  * **authentication** (written **auth** in the configuration files): authenticates a user and sets up user credentials.
  * **password:** responsible for updating user passwords; works together with authentication modules.
  * **session:** manages actions performed at the beginning and at the end of a session.

PAM loadable object files (the modules) are located in **/lib/security/** or **/lib64/security/**, depending on the architecture.

The supported control-flags are:

  * **requisite:** failure instantly returns control to the application, indicating the nature of the first module failure.
  * **required:** all such modules are required to succeed for libpam to return success to the application.
  * **sufficient:** given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
  * **optional:** the success or failure of this module is generally not recorded.

In addition to the keywords above, there are two other valid control flags:

  * **include:** include all lines of the given type from the configuration file specified as an argument to this control.
  * **substack:** also include all lines of the given type from the configuration file specified as an argument, but evaluate them as a nested stack: a rule that ends evaluation early (a sufficient success or a requisite failure, for example) skips only the rest of the substack, not the rest of the calling file's module stack.
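As an added example (not part of this page or of the PAM project), the following Python parser applies the syntax rules described above: "\" line continuation, "#" comments, case-insensitive type and control tokens, both the /etc/pam.conf and /etc/pam.d/ forms, and the include/substack controls. It additionally tolerates two things the page does not describe but stock Ubuntu files contain, the bracketed control form of pam.conf(5) and the Debian "@include" directive; the sample input is constructed.

```python
import re
from collections import namedtuple

MANAGEMENT_GROUPS = {"account", "auth", "password", "session"}
CONTROL_FLAGS = {"requisite", "required", "sufficient", "optional", "include", "substack"}
# Token = a bracketed control such as [success=1 default=ignore] (pam.conf(5) form used by
# stock Ubuntu files, not covered above) or any run of non-blank characters.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")
PamRule = namedtuple("PamRule", "type control module args service")

def _logical_lines(text):
    """Join '\\'-continued lines and drop '#' comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # a comment runs to end of line
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf, rule = "", (buf + line).strip()
        if rule:
            yield rule
    if buf.strip():   # file ended inside a continued line
        yield buf.strip()

def parse_pam(text, pam_conf=False):
    """Parse /etc/pam.d/<service> text, or /etc/pam.conf text when pam_conf=True."""
    rules = []
    for line in _logical_lines(text):
        tokens = _TOKEN.findall(line)
        if tokens[0].lower() == "@include":   # Debian/Ubuntu directive, not a rule
            continue
        service = tokens.pop(0).lower() if pam_conf else ""   # "" for pam.d form
        if len(tokens) < 3:
            raise ValueError(f"need type, control and module: {line!r}")
        mtype, control, module, *args = tokens
        mtype, control = mtype.lower(), control.lower()   # module path stays case-sensitive
        if mtype not in MANAGEMENT_GROUPS:
            raise ValueError(f"unknown management group {mtype!r}: {line!r}")
        if control not in CONTROL_FLAGS and not control.startswith("["):
            raise ValueError(f"unknown control flag {control!r}: {line!r}")
        rules.append(PamRule(mtype, control, module, args, service))
    return rules

# Constructed sample: the page's sshd rule, then a continued line ending in a comment.
SAMPLE_SSHD = """\
account  required  pam_nologin.so
auth     Required  pam_unix.so \\
         nullok_secure      # argument carried on the continuation line
"""
```

Running `parse_pam(open("/etc/pam.d/sshd").read())` on a real host lists the effective rules, with a ValueError pointing at any line that does not fit the syntax above.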