Pluggable Authentication Modules (PAM)




  • The PAM library is organised into 4 PAM stacks
  • The 4 PAM stacks are: auth, account, session, and password
  • They are assembled and configured from modules stored in the /lib64/security directory.



  • auth stack is responsible for authenticating the user (checking login credentials)
  • account stack is used to verify the account itself in some way (whether it may be used at all)
  • session stack gives an application a chance to verify resources as a user logs in
  • password stack is used to update credentials (e.g. changing a password)
Some applications use just one stack, some use all four. It depends on the application!


  • pam_unix - module used in all four stacks. It provides traditional password authentication
  • pam_time - module used for time-of-day access control.
  • pam_deny - module that always fails
  • pam_permit - module that always succeeds
  • pam_tally2 - module used to count login attempts and lock the account out after too many failures.
  • pam_pwquality - module that enforces password strength
  • pam_securetty - module that limits root login to terminals considered secure
  • pam_rootok - module that tests whether the user ID is zero (root's ID is 0)

There are quite a few more of these modules that we can use.



With all these modules we can control how our stacks behave and build our own authentication policies.
All these modules are configured through the PAM config files, shown below.



All these services require authentication, hence we can set a PAM config for each service.
These config files must be written with the proper syntax, explained below.
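To make the per-service config syntax concrete, here is an added example (not part of these notes and not Linux-PAM's own parser) that reads lines in the standard `<type> <control> <module> [args...]` form, rejects malformed ones, and resolves bare module names against /lib64/security as the notes describe. The sample service file embedded in it is constructed for the example; `include`/`substack` handling and the leading `-` are standard Linux-PAM syntax, while the bracketed `[value=action ...]` control form is deliberately not handled here.

```python
"""Parse and validate lines in the /etc/pam.d/<service> syntax.

Illustrative code for these notes, not part of Linux-PAM itself.
Each non-comment line has the form:
    <type>  <control>  <module-path>  [module-arguments...]
Assumed here (standard Linux-PAM syntax): type is one of the four stacks,
control is one of the four keywords (plus include/substack, which pull in
another file), and a bare module name resolves under /lib64/security.
"""
from dataclasses import dataclass, field

STACKS = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
MODULE_DIR = "/lib64/security"   # from the notes; distribution-specific


@dataclass
class PamRule:
    stack: str
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_pam_config(text):
    """Return (rules, errors). Malformed lines are reported, not silently skipped."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            errors.append(f"line {lineno}: expected '<type> <control> <module>'")
            continue
        stack, control, module, *args = fields
        # A leading '-' on the type tells PAM not to log a missing module.
        stack = stack.lstrip("-")
        if stack not in STACKS:
            errors.append(f"line {lineno}: unknown stack type {stack!r}")
            continue
        # The bracketed [value=action ...] form is not handled by this toy parser.
        if control not in CONTROLS:
            errors.append(f"line {lineno}: unknown control flag {control!r}")
            continue
        if control not in ("include", "substack") and not module.startswith("/"):
            module = f"{MODULE_DIR}/{module}"
        rules.append(PamRule(stack, control, module, args))
    return rules, errors


def stack_order(rules, stack):
    """(control, module file) pairs of one stack, in the order PAM would call them."""
    return [(r.control, r.module.rsplit("/", 1)[-1]) for r in rules if r.stack == stack]


# Constructed sample resembling a minimal service file (not copied from any system).
SAMPLE = """\
#%PAM-1.0
auth      required   pam_securetty.so
auth      required   pam_tally2.so deny=5 unlock_time=900
auth      sufficient pam_rootok.so
auth      include    system-auth
account   required   pam_unix.so
password  requisite  pam_pwquality.so retry=3
password  sufficient pam_unix.so sha512 shadow use_authtok
session   optional   pam_time.so
sesion    required   pam_unix.so      # typo in the stack name
auth      always     pam_deny.so      # not a valid control flag
"""

if __name__ == "__main__":
    rules, errors = parse_pam_config(SAMPLE)
    for r in rules:
        print(f"{r.stack:9}{r.control:11}{r.module} {' '.join(r.args)}")
    for e in errors:
        print("ERROR", e)
```

Running it prints the eight valid rules with resolved module paths and flags the two bad lines; a real audit would read each file under /etc/pam.d and check that every referenced module actually exists in the module directory.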




Now, the Control Flags
  • Each module in a PAM stack returns success or failure.
  • When PAM calls a module stack, control proceeds down the stack and each module returns success or failure.
  • The control flags determine how these results combine into the success or failure of the stack as a whole.



  • Sufficient - If the current module succeeds, then the stack returns success and no more modules are called.
  • Requisite - If the current module fails, then the stack returns failure and no more modules are called.
  • Required - If the current module fails, the stack continues to call the remaining modules, even though the stack will fail at the end. This is a good way of not revealing to the user at which step of the authentication process they failed.
  • Optional - It does not matter whether the module fails or succeeds.
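The four flags are easiest to understand by tracing a stack. The following is an added example (not from these notes and not libpam's code) that simulates the documented Linux-PAM combination rules over a constructed auth stack, returning both the outcome and which modules were actually called. It also carries two details a practitioner should know that the bullet list above simplifies: a `sufficient` success does not short-circuit if an earlier `required` module already failed, and an `optional` result only counts when it is the only module in the stack.

```python
"""Simulate how Linux-PAM combines module results within one stack.

Added illustration for these notes; the real logic lives inside libpam.
Rules used (documented Linux-PAM behaviour for the four simple keywords):
  requisite  - failure: return failure immediately.
  required   - failure: remember it, keep calling modules, fail at the end.
  sufficient - success: return success immediately, unless a required
               module failed earlier; failure: ignored.
  optional   - only counts when it is the only module in the stack.
"""


def evaluate_stack(stack, results):
    """stack: list of (control, module); results: dict module -> True/False.
    Returns (outcome, modules_called) so the call trace is visible too."""
    required_failed = False
    called = []
    optional_only = len(stack) == 1 and stack[0][0] == "optional"
    for control, module in stack:
        ok = results[module]
        called.append(module)
        if control == "requisite" and not ok:
            return False, called                  # stop right here
        if control == "required" and not ok:
            required_failed = True                # keep going: don't reveal which step failed
        elif control == "sufficient" and ok and not required_failed:
            return True, called                   # short-circuit success
        elif control == "optional" and optional_only:
            return ok, called
        # otherwise: continue down the stack
    return not required_failed, called


# Constructed auth stack, loosely modelled on the module list in the notes.
AUTH_STACK = [
    ("required",   "pam_securetty"),
    ("requisite",  "pam_tally2"),
    ("sufficient", "pam_unix"),
    ("required",   "pam_deny"),
]


def scenario(**overrides):
    """Every module succeeds unless overridden; pam_deny always fails."""
    res = {m: True for _, m in AUTH_STACK}
    res["pam_deny"] = False
    res.update(overrides)
    return evaluate_stack(AUTH_STACK, res)


if __name__ == "__main__":
    print("good password        ->", scenario())
    print("bad password         ->", scenario(pam_unix=False))
    print("locked out (tally2)  ->", scenario(pam_tally2=False))
    print("root on insecure tty ->", scenario(pam_securetty=False))
```

The "root on insecure tty" scenario is the one the `required` bullet describes: pam_securetty fails first, but pam_unix is still called (so the password prompt still appears) and the stack only fails once pam_deny has run, while the "locked out" scenario shows `requisite` stopping the stack immediately.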

pam_pwquality - enforces password strength. It is installed as “required” at the top of the password stack by default (in system-auth). It is used only when a new password is set. It does not check existing passwords (it cannot, because the system only stores hashed passwords).

It should check for:
  • Dictionary word
  • Palindrome
  • Repeated characters
  • Long monotonic sequence
  • Compared to old passwords
  • Too short or simple
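To show what each of these checks amounts to in practice, here is an added example (not part of these notes and not pam_pwquality's own implementation) with one small function per item in the list above. The thresholds (minimum length 8, more than 3 identical characters in a row, monotonic runs of 4, 50% similarity to the old password, at least 3 character classes) and the tiny word list are assumptions chosen for the example; the real module uses the system's cracklib dictionary and configurable limits in /etc/security/pwquality.conf.

```python
"""Password-quality checks in the spirit of pam_pwquality's list of tests.

Illustrative code added to these notes; not pam_pwquality's implementation.
All thresholds below are assumptions chosen for the example.
"""
import difflib

# Constructed tiny dictionary; a real check uses the system's cracklib wordlist.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "qwerty"}


def contains_dictionary_word(pw):
    low = pw.lower()
    return any(word in low for word in DICTIONARY)


def is_palindrome(pw):
    low = pw.lower()
    return len(low) > 1 and low == low[::-1]


def has_repeated_run(pw, limit=3):
    """More than `limit` identical characters in a row, e.g. 'aaaa'."""
    run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        if run > limit:
            return True
    return False


def has_monotonic_run(pw, limit=4):
    """Sequences like 'abcd' or '4321' (character codes stepping by +1 or -1)."""
    for step in (1, -1):
        run = 1
        for a, b in zip(pw, pw[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run >= limit:
                return True
    return False


def too_similar(pw, old, ratio=0.5):
    """Compare to the old password; only possible while the old one is still in hand,
    which is exactly why this check cannot be run against stored (hashed) passwords."""
    if old is None:
        return False
    return difflib.SequenceMatcher(None, pw.lower(), old.lower()).ratio() >= ratio


def too_short_or_simple(pw, min_len=8, min_classes=3):
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) < min_len or sum(classes) < min_classes


def check_password(pw, old=None):
    """Return the list of failed checks; an empty list means the password is acceptable."""
    problems = []
    if contains_dictionary_word(pw):
        problems.append("dictionary word")
    if is_palindrome(pw):
        problems.append("palindrome")
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_monotonic_run(pw):
        problems.append("monotonic sequence")
    if too_similar(pw, old):
        problems.append("too similar to old password")
    if too_short_or_simple(pw):
        problems.append("too short or simple")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, from obviously weak to acceptable.
    for candidate in ("abcd1234", "Password1!", "Racecar7racecaR", "aaaa1111", "Tr0ub4dor&3"):
        print(f"{candidate:18} -> {check_password(candidate) or 'ok'}")
```

Note that `check_password` reports every failed check rather than stopping at the first one, which is the behaviour you want when giving a user feedback about a rejected password.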