What is PAM (Pluggable Authentication Modules) in Linux?

Solution 1:

In a nutshell, PAM is the Pluggable Authentication Modules.

As its name implies it uses a plug-in style architecture. PAM makes it so that each program does not have to implement its own authentication mechanism. Instead it just checks the PAM stack.

Because PAM is pluggable you can configure the authentication stack however you like. Authenticating against LDAP, NIS, RADIUS, MySQL, Oracle, BerkeleyDB, SQLite, RSA tokens, x509 certificates, flat files, one time passwords, Google two-factor, phases of the moon, etc. can all be configured in any combination.

PAM can also trigger actions such as mounting filesystems, creating directories, logging, or any other action when the stack is activated, fails or succeeds.

PAM is the authentication Swiss Army Knife, giving infinite flexibility to custom tailor authentication in any way necessary, for any application.

Without it every program would have to independently support all of these features, and that would be a sad world indeed.

Solution 2:

Maybe this overview gives you all you want to know, or a good start for even more: http://www.linux-pam.org/Linux-PAM-html/sag-overview.html

Some quotes:

Linux-PAM deals with four separate types of (management) task. These are: authentication management; account management; session management; and password management.

Here is a figure that describes the overall organization of Linux-PAM:

  +----------------+
  | application: X |
  +----------------+       /  +----------+     +================+
  | authentication-[---->--\--] Linux-   |--<--| PAM config file|
  |       +        [----<--/--]   PAM    |     |================|
  |[conversation()][--+    \  |          |     | X auth .. a.so |
  +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
  |                |  |       __|  |           |           _____/
  |  service user  |  A      |     |           |____,-----'
  |                |  |      V     A
  +----------------+  +------|-----|---------+ -----+------+
                         +---u-----u----+    |      |      |
                         |   auth....   |--[ a ]--[ b ]--[ c ]
                         +--------------+
                         |   acct....   |--[ b ]--[ d ]
                         +--------------+
                         |   password   |--[ b ]--[ c ]
                         +--------------+
                         |   session    |--[ e ]--[ c ]
                         +--------------+

Solution 3:

PAM is a framework that assists applications in performing what I'll call "authentication-related activities". The core pieces of PAM are a library (libpam) and a collection of PAM modules, which are dynamically linked library (.so) files in the folder /lib/security.

NOTE

1. Back up all data and PAM configuration files before any modification.

2. Please be careful when performing the configuration. A wrong configuration can lock down all login access, including root access.

3. Read the PAM syntax correctly.

Below are some examples; be careful while trying them.

Allow any user to su to root without a password.

For this, edit the file /etc/pam.d/su and comment out any lines relating to the auth stack, replacing them with the single line:

auth sufficient pam_permit.so

To test this, log in as a normal user and verify that you can now use su - to become root without supplying a password.

[raj@avi ~]$ su -
[root@avi ~]#

Disable direct root login

NOTE: Before doing this, ensure that you have at least one account that can use su to become root, or you will lock yourself out from the machine.

To disable root logins on virtual terminals, edit the file /etc/pam.d/login and add the entry:

auth required pam_securetty.so

This module will prevent root login on terminal devices that aren't listed in /etc/securetty.

tty1
#tty2
#tty3
tty4
tty5

If you comment out tty2 and tty3 as above, then it is not possible to log in directly as root from the virtual terminals tty2 and tty3.

Prevent non-root users from shutting down the system

Taking the PAM configuration of the halt command as an example, edit the file /etc/pam.d/halt like this:

auth sufficient pam_rootok.so
auth required pam_deny.so

To test this, log in as a normal user and try the halt command; you will get the error below.

[test2@avi ~]$ halt
halt: Need to be root
[test2@avi ~]$

These are some examples only.

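An added audit script (mine, not code from the answers above or from Linux-PAM) that parses pam.d stack lines, including the bracketed [value=action] control form, and flags the permissive su edit and a login stack without pam_securetty.so; the two sample files are constructed, and the script assumes one rule per line with no backslash continuations:

```python
"""Parse and audit /etc/pam.d-style stacks for the patterns discussed above."""
import re
from typing import NamedTuple

class PamRule(NamedTuple):
    mtype: str     # auth / account / password / session
    control: str   # required / sufficient / ... or a [value=action ...] block
    module: str    # e.g. pam_permit.so
    args: tuple    # module arguments

# type, control (plain word or bracketed form), module, optional args.
# Assumption: one rule per line (no backslash continuations).
_RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text: str) -> list[PamRule]:
    """Return the rules of one service file; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        # A leading '-' only silences logging when the module file is missing.
        rules.append(PamRule(mtype.lstrip("-"), control, module, tuple(args.split())))
    return rules

def audit_stack(service: str, rules: list[PamRule]) -> list[str]:
    """Flag the two risky states described in the examples above."""
    findings = []
    auth = [r for r in rules if r.mtype == "auth"]
    for r in auth:
        if r.module == "pam_permit.so" and r.control == "sufficient":
            findings.append(f"{service}: 'auth sufficient pam_permit.so' lets any user "
                            "pass the auth stack (e.g. su to root without a password)")
    if service == "login" and not any(r.module == "pam_securetty.so" for r in auth):
        findings.append("login: no pam_securetty.so in auth, root can log in on any tty")
    return findings

# Constructed samples, not real files from any host.
SAMPLE_SU = """# /etc/pam.d/su after the permissive edit shown above
auth    sufficient  pam_permit.so
account required    pam_unix.so
"""
SAMPLE_LOGIN = """auth required pam_securetty.so
auth [success=ok default=die] pam_unix.so nullok
"""
```

Run audit_stack(service, parse_pam_stack(open(f"/etc/pam.d/{service}").read())) over the services you care about; an empty list means neither pattern was found.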