This is a very introductory article about PAM but I hope that this will kindle a bit of curiosity among the readers on how the authentication flow actually works in Linux systems.
Different Programs for Login
In our day-to-day use we rely on a lot of different authentication programs without realizing it. Programs such as login, gdm, sshd, ftpd, and many more all want to know that a user is who they say they are, yet there are many ways to do that. A user can provide a username and password, which can be stored locally or remotely with LDAP or Kerberos. A user can also provide a fingerprint or a certificate as a credential, and the list goes on. So a natural question that should come to our minds is: how does Linux handle all of this in the backend? Do the developers write separate authentication mechanisms for each of these flows?
PAM
So when we think about PAM the first thing that comes to our minds should be...
So from now on when we think about PAM this picture should come popping in our heads.
It would be painful to ask each application developer to rewrite the authentication checks for each new method. PAM libraries leave the checks to authentication experts. PAM is pluggable in that we can have different applications run different tests, and modular in that we can add new methods with new libraries. And PAM handles more than just authentication; it covers four groups of tasks:
- Authentication - authenticate a user and set up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password.
- Accounting (the account group) - provide account verification types of service: has the user's password expired? Is this user permitted access to the requested service?
- Passwords - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.
- Sessions - this group of tasks covers things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory.
Components to PAM
- man PAM - These manual pages describe the overall process, including the types of calls and a list of files involved. The description is really well written!
- man pam.conf - This man page describes the overall format and defines keywords and fields for the pam.d configuration files.
- man -k pam_ - This search of man pages lists pages available for modules installed.
- /usr/lib64/security - A collection of PAM libraries that perform various checks. Most of these modules have man pages to explain the use case and options available.
- /etc/pam.d - A collection of configuration files for applications that call libpam. These files define which modules are checked, with what options, in which order, and how to handle the result. These files may be added to the system when an application is installed and are frequently edited by other utilities. Since there are several checks done by all applications, these files may also include statements to call other configuration files in this directory. Most shared modules are found in the system-auth file for local authentication and the password-auth file for applications listening for remote connections.
- /etc/security - A collection of additional configuration files for specific modules. Some modules, such as pam_access and pam_time, allow additional granularity for checks. When an application configuration file calls these modules, the checks are completed using the additional information from its corresponding supplemental configuration files. Other modules, like pam_pwquality, make it easier for other utilities to modify the configuration by placing all the options in a separate file instead of on the module line in the application configuration file.
- /var/log/secure - Most security and authentication errors are reported to this log file. Permissions are configured on this file to restrict access.
A SMALL DEMO.
Let's create rules for login using PAM. If you have a look at the /etc/pam.d directory you will quickly find a lot of configuration files. One such file is the login file.
When you'll open this file, it will look something like this:
Every rule in your config file looks something like this:
(type) (control keyword) (module name)
- Type - this tells us which management group the rule belongs to: auth, account, password, or session.
- Control Keyword - the control keyword tells libpam what to do with the module's result:
  - Requisite: The module result must be successful for authentication to continue. If a test fails at this point, the user is notified immediately with a message reflecting the first failed required or requisite module test.
  - Required: The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all the module tests that reference that interface are complete.
  - Sufficient: The module result is ignored if it fails. However, if the result of a module flagged sufficient is successful and no previous modules flagged required have failed, then no other results are required and the user is authenticated to the service.
  - Optional: The module result is ignored. A module flagged as optional only becomes necessary for successful authentication when no other modules reference the interface.
  - Include: Unlike the other controls, this does not relate to how the module result is handled. This flag pulls in all lines of the named configuration file that match the rule's type and appends them to the stack at that point.
- Module Name: The module we want to work with, for example pam_unix.so.
So let's add a rule -> auth sufficient pam_permit.so
After adding this rule and saving the file, you will observe that you are no longer asked for a password at the CLI login (you can get to a text console by pressing CTRL + ALT + F4).
With the sufficient permit rule:
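To make the control-keyword rules above and the effect of the pam_permit demo concrete, here is an added Python model of how libpam walks an auth stack. It is illustration code written for this article, not libpam's source or anything from the Linux-PAM project, and it simplifies things: the [value=action] control syntax, include/substack and the many module return codes are left out, and optional is treated as always ignored. The sample stacks (pam_nologin.so, pam_env.so, pam_unix.so) and the per-module outcomes are constructed for the demonstration, not copied from a real /etc/pam.d/login.

```python
"""Added, simplified model of how libpam walks a PAM stack (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    type: str       # management group: auth, account, password, session
    control: str    # required, requisite, sufficient, optional
    module: str     # e.g. pam_unix.so
    args: tuple = ()


def parse_pam_config(text):
    """Parse 'type control module [args...]' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def run_stack(rules, group, module_results):
    """Walk one management group and return (success, modules_called).

    module_results maps a module name to True (PAM_SUCCESS) or False.
    A module missing from the map is treated as failing, i.e. fail closed.
    """
    called = []
    impression = None   # None: nothing decisive yet; True/False: running verdict
    for r in rules:
        if r.type != group:
            continue
        if r.control == "include":
            raise ValueError("resolve 'include' into the referenced file first")
        ok = module_results.get(r.module, False)
        called.append(r.module)
        if r.control == "requisite":
            if not ok:
                return False, called        # fail immediately, nothing below runs
            if impression is None:
                impression = True
        elif r.control == "required":
            if not ok:
                impression = False          # remembered, but the stack keeps running
            elif impression is None:
                impression = True
        elif r.control == "sufficient":
            if ok and impression is not False:
                return True, called         # short-circuit: nobody below is asked
            # a failing 'sufficient' module is simply ignored
        elif r.control == "optional":
            pass                            # simplified: always ignored here
        else:
            raise ValueError(f"unsupported control keyword {r.control!r}")
    return impression is True, called


def permissive_auth_rules(rules):
    """Audit helper: auth-group rules that call pam_permit.so, with their index."""
    return [(i, r) for i, r in enumerate(rules)
            if r.type == "auth" and r.module == "pam_permit.so"]


# Constructed sample stacks (not copied from any real /etc/pam.d/login).
LOGIN_ORIGINAL = """\
auth    requisite   pam_nologin.so
auth    required    pam_env.so
auth    required    pam_unix.so
"""
LOGIN_PERMIT_FIRST = "auth    sufficient  pam_permit.so\n" + LOGIN_ORIGINAL
LOGIN_PERMIT_LAST = LOGIN_ORIGINAL + "auth    sufficient  pam_permit.so\n"

# Constructed module outcomes for a login attempt with a wrong password.
WRONG_PASSWORD = {"pam_nologin.so": True, "pam_env.so": True,
                  "pam_unix.so": False, "pam_permit.so": True}
RIGHT_PASSWORD = {**WRONG_PASSWORD, "pam_unix.so": True}


if __name__ == "__main__":
    for name, text in [("original", LOGIN_ORIGINAL),
                       ("permit first", LOGIN_PERMIT_FIRST),
                       ("permit last", LOGIN_PERMIT_LAST)]:
        rules = parse_pam_config(text)
        ok, called = run_stack(rules, "auth", WRONG_PASSWORD)
        print(f"{name:13s} wrong password -> {ok}; modules consulted: {called}")
        for pos, r in permissive_auth_rules(rules):
            print(f"    audit: rule {pos + 1} uses {r.module} ({r.control}) in the auth group")
```

Running it shows why the demo works: with the sufficient pam_permit.so rule at the top, libpam returns success after the first module and pam_unix.so is never consulted, so no password is checked. Put the same line after the required pam_unix.so rule and a wrong password still fails, because sufficient only short-circuits when no earlier required module has failed. The permissive_auth_rules helper is the kind of check worth running over a production /etc/pam.d tree after any edit.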
Yeah... so that's all for this lesson. And yes, every language has its own modules that work with PAM; for example, Python has the python-pam module, so you can build your own integration with PAM as your authentication backend. Happy Coding!