Pluggable Authentication Modules

Linux comes with PAM modules that let you harden how users interact with running services and customize each service's security to match your needs.

PAM is an extra set of rules that controls the interface layers (auth, account, session) for applications.

Applications and services must be compiled against libpam.so to use it.

Here is an example for the sshd service.

Each of these interfaces is paired with a control flag (required, optional, include, sufficient) that decides what happens with the result, and each rule takes configuration parameters.

The per-service PAM configuration files are located in /etc/pam.d/*

Example: the sshd service

/etc/pam.d/sshd

 

Let's break this down into parts:

  • interfaces
  • flags
  • modules
  • parameters

 

Let's start with the first part (Interfaces)

  1. auth: this interface is responsible for validating the account, for example by checking the password
  2. account: this interface is responsible for checking whether the account is allowed access, for example account age
  3. password: this interface is responsible for changing passwords
  4. session: this interface is responsible for other actions tied to access, such as mounting

Control Flags

  1. required: this rule must return success for the user to be allowed access to the system, but PAM will keep checking the other rules too
  2. requisite: the result of this rule is reflected in the user's status immediately, and PAM won't check the remaining rules
  3. sufficient: not mandatory to return success, and if it fails the result is ignored; but if it returns success and nothing has failed before it, the user passes the check
  4. optional: this result is ignored during the check; it only determines the interface's result if there is no other rule to refer to
  5. include: this flag reads the configuration file given for this interface and appends its rules to the current stack

PLEASE NOTE: these rules are affected by their order; they are evaluated from the top line to the bottom line.
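A simplified model of how the control flags combine, added here as an example (not code from the original post): it splits each rule into the four parts listed above and walks the rules top to bottom. The stack and the module outcomes are constructed sample data; requisite is modelled as stopping on failure, as pam.conf(5) documents, and include is not modelled.

```python
# Added example: simplified model of PAM control-flag evaluation.
# SAMPLE_STACK is constructed for illustration, not a real /etc/pam.d file.
SAMPLE_STACK = """\
# interface  flag        module          parameters
auth         requisite   pam_nologin.so
auth         sufficient  pam_unix.so     try_first_pass
auth         required    pam_deny.so
auth         optional    pam_echo.so     file=/etc/motd
account      required    pam_unix.so
"""

def parse_stack(text):
    """Split each rule into its four parts: interface, flag, module, parameters."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        interface, flag, module, *params = line.split()
        rules.append({"interface": interface, "flag": flag,
                      "module": module, "params": params})
    return rules

def evaluate(rules, interface, results):
    """Walk one interface's rules top to bottom.

    results maps module name -> True (success) or False (failure); the values
    are hypothetical inputs. Returns (allowed, modules_that_ran).
    """
    failed, succeeded, ran = False, False, []
    for rule in rules:
        if rule["interface"] != interface:
            continue
        ok = results[rule["module"]]
        ran.append(rule["module"])
        flag = rule["flag"]
        if flag == "requisite" and not ok:
            return False, ran             # deny now, remaining rules are skipped
        if flag == "sufficient" and ok and not failed:
            return True, ran              # allow now, remaining rules are skipped
        if flag == "required" and not ok:
            failed = True                 # remembered, but checking continues
        if ok and flag != "sufficient":
            succeeded = True              # required/requisite/optional success counts
    return succeeded and not failed, ran

if __name__ == "__main__":
    rules = parse_stack(SAMPLE_STACK)
    outcome = {"pam_nologin.so": True, "pam_unix.so": True,
               "pam_deny.so": False, "pam_echo.so": True}
    print(evaluate(rules, "auth", outcome))                             # good password
    print(evaluate(rules, "auth", {**outcome, "pam_unix.so": False}))   # bad password
```

Moving the pam_deny.so line above pam_unix.so in this stack makes the same correct password fail, which is why line order matters when reviewing a service's PAM file.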

Modules

On a Linux system the PAM modules are located in /lib/security or /lib64/security, depending on your system.

 

Parameters

Every module comes with its own parameters.

After navigating to a module's manual page, you will see a description of the module and its own parameters:

This module can be plugged into the password stack of a given application to provide some plug-in
strength-checking for passwords.

Changes to the PAM configuration are reflected in the running service instantly.
