Certain applications are written with PAM in mind - PAM-aware applications -.
All the PAM-aware application settings are done in the PAM configuration file.
We could see that the ssh server was compiled libpam.so library.
Some of the uses of PAM modules include, access based on time, allowing resource usage based on availability, ...
Below is a simple diagram that gives us a brief idea about the interaction between PAM-aware applications and the PAM modules stack:
To check if an application was written with PAM in mind, we could use the below command:
We can see that the ssh server is PAM-aware.
PAM configuration files format:
These files are located in the "/etc/pam.d" directory and have the below format:
All the above PAM modules are "login authentication" modules.
Below are the different kinds of PAM contexts:
auth context : is used for checking accounts passwords, accounts restrictions, ...
account context :validates accounts, it checks "logins" time restrictions, ...
Password context : checks passwords strength, ...
PAM Control flags are the exit status returned to the application. Below are some of the most used control flags:
required : If a "required" modules fails, it returns a failure status, but it doesn't interrupt anything, the rest of the stack is still checked by the application. For example, if a user enters a non-existent username, the module that checks the validity of the usernames doesn't stop the checking process and the user can enter the password too.
requisite :If a module fails, it returns with a failure status and the rest of the PAM stack is ignored. For example, if a user enters a non-existent username, the module that checks the validity of usernames stops the process - the other PAM modules are ignored - and and the user can't enter the password.
sufficient control flag :If a module fails, its status is returned and the PAM module is ignored - the rest of the PAM stack is processed -. If the module succeeds, then success status is returned and the rest of the stack is ignored.
Each PAM-aware application has its PAM configuration file which defines different security policies for it.
The configuration files also list the PAM modules that are used with an application.
We could find the application and their associated PAM modules in the "/etc/pam.conf" file, or in the "/etc/pam.d" if it exists.
Most of the PAM configuration files live in the following directories:
To set system limits on resources - number of processes that a user can start for example - using PAM modules, we use the "/etc/security/limits.d" directory.
We also could set time-restricted logins - allowing logins only at certain times - in the "/etc/security/time.conf" configuration file.