Pluggable Authentication Modules

Categories: Linux, Security

Linux comes with Pam Modules to help you to interact with the running services in hardening way and custom the security of the service as you need.

PAM is extra Rules to Control user interfaces ( Auth, Account, Session)  layers for the applications

the applications/services should be compiled with

here is an example for sshd service

and every layer of this interfaces reflected with another action of  different control flags (required, optional, include, sufficient) and every flag  takes parameters of the configuration

PAM modules located in /etc/pam.d/*

example sshd service



lets cut this in slices

  • interfaces
  • flags
  • modules
  • parameters


lets go for the first object (Interfaces)

  1. auth : this interfaces responsible for account validation of password
  2. account : this interface responsible for account allowed access like account age
  3. password: this interface responsible for changing passwords
  4. session: this interface responsible for interactions with another  access  like mounting

Control Flags

  1. required : this flag must reflect with success message to allow a user to access the system but pam will keep checking the other rules too
  2. requisite: this flag result reflect user status immediately and won’t check the else  rules
  3. sufficient: not mandatory to return with  success and if it fails the result will be ignored, but if  the return success and no fails before it, this will allow the user to pass the check
  4. optional: this result be ignored during the check, it only reflects the interface if there is no other reference
  5. include: this flag read the configuration file for this interface and append them to the current statement

PLEASE NOTE: this rules affected by sequence priority from the top to the bottom of line order


pam modules located in Linux system inside /lib/security or /lib64/security depends in your current system



every module come with its own parameters

after navigating through the manual page

u will see description for this module and it own parameters

This module can be plugged into the password stack of a given application to provide some plug-in
strength-checking for passwords.

modifying the pam reflect the running service instant 


Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.