§ 2023-11-03

2.2) Structure of a PAM configuration file

PAM can be configured in two ways: a single /etc/pam.conf, or one file per service under /etc/pam.d/. This system uses per-service files:

[alexlai@orgpi58G ~]$ ls /etc/pam.d/
chfn      chsh                  groupmems  lightdm-autologin  login     other   polkit-1  runuser-l  su    su-l         systemd-user        system-login         system-services
chpasswd  cinnamon-screensaver  lightdm    lightdm-greeter    newusers  passwd  runuser   sshd       sudo  system-auth  system-local-login  system-remote-login  vlock

$ cat /etc/pam.d/sshd
#%PAM-1.0  -->1

auth      include   system-remote-login  -->2
account   include   system-remote-login
password  include   system-remote-login
session   include   system-remote-login

--> 1, Declares the version of this configuration file for PAM 1.0. This is merely a convention, but could be used in the future to check the version.

--> 2 This line specifies the authentication configuration. It uses the include directive to include the configuration from the system-remote-login file.

[alexlai@orgpi58G ~]$ cat /etc/pam.d/system-remote-login
#%PAM-1.0

auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login
[alexlai@orgpi58G ~]$ cat /etc/pam.d/system-login 
#%PAM-1.0

auth       required   pam_shells.so  --> 1
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
session    optional   pam_umask.so
-session   optional   pam_systemd.so
session    required   pam_env.so

--> 1, This line configures the authentication phase and requires that users' login shells (specified in the /etc/shells file) are valid. If a user's shell is not in the allowed list, authentication will fail.

Run man pam_shells or man pam_nologin for the details of these two modules.

The /etc/pam.d/system-login file is another PAM configuration file that defines authentication, account management, password policies, and session management for the "system-login" service. Just like the previous file (sshd), let's break down each line in this file:

#%PAM-1.0: As in the previous file, this is a comment line and indicates the PAM version being used (1.0). It doesn't affect the PAM configuration itself.

auth required pam_shells.so: This line configures the authentication phase and requires that users' login shells (specified in the /etc/shells file) are valid. If a user's shell is not in the allowed list, authentication will fail.

auth requisite pam_nologin.so: This line configures the authentication phase and uses the pam_nologin.so module, which denies login to non-root users while the file /etc/nologin exists. The requisite control flag means that if this module fails, authentication is immediately denied, and no further authentication checks are performed. It's often used to deny login when a system is in maintenance mode or when login is globally restricted.

auth include system-auth: This line includes the system-auth configuration in the authentication phase. This is a common practice to reuse and share authentication configuration between different services. The system-auth file likely contains additional authentication directives.

account required pam_access.so: This line configures the account management phase and enforces the login access control table in /etc/security/access.conf, which allows or denies access by user or group and by origin (tty, host, or network).

account required pam_nologin.so: Similar to line 3, this enforces login restrictions and denies access if necessary.

account include system-auth: This line includes the system-auth configuration in the account management phase, allowing the reuse of account-related settings.

password include system-auth: This line includes the system-auth configuration in the password management phase, reusing password-related settings.

session optional pam_loginuid.so: This line configures the session management phase and records the authenticated user's UID as the process's audit login UID (/proc/self/loginuid), so that later audit events can be traced back to the original login. It's set to "optional," meaning it's not required for a successful session.

session optional pam_keyinit.so force revoke: This line gives the login session its own kernel session keyring. The force argument replaces any session keyring the process inherited with a fresh one, and revoke revokes that keyring when the session ends, so keys do not leak from one login to the next.

session include system-auth: Just like in previous sections, this includes the system-auth configuration in the session management phase, allowing for shared session-related settings.

session optional pam_motd.so: This module displays the message of the day (MOTD) during session initialization. It's set to "optional," so it won't prevent a session if it fails.

session optional pam_mail.so dir=/var/spool/mail standard quiet: This line configures the handling of mail during session initialization. It checks the user's mailbox in the specified directory; standard selects the short "You have mail" style message, and quiet reports only when there is new mail.

session optional pam_umask.so: This module sets the user's file mode creation mask (umask) during session initialization.

-session optional pam_systemd.so: The hyphen in front of "session" does not comment the line out. It tells PAM not to log an error if the module file cannot be loaded (for example, because pam_systemd.so is not installed); the rule is then skipped instead of failing the session. It is used for modules that may legitimately be absent and are not needed for correct authentication.

session required pam_env.so: This module sets environment variables during session initialization. It's marked as "required," indicating it must succeed for a successful session.

In summary, this PAM configuration file specifies various directives to control authentication, account management, password policies, and session management for the "system-login" service, including the inclusion of settings from the system-auth file to maintain consistency and reuse of configurations.
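As an added example (not code from the original notes), the following script flattens the effective PAM stack of one service by following include directives, exactly as sshd chains into system-remote-login and then system-login above, and marks rules carrying the leading hyphen. The three files are constructed inline copies of the ones shown so it runs offline; on a real host the dictionary would be read from /etc/pam.d.

```python
# Added example (not from the original notes): flatten the effective PAM stack
# of one service by following "include", mirroring sshd -> system-remote-login
# -> system-login above. Files are constructed inline copies so it runs offline.
PAM_D = {
    "sshd": "#%PAM-1.0\nauth     include  system-remote-login\nsession  include  system-remote-login\n",
    "system-remote-login": "#%PAM-1.0\nauth     include  system-login\nsession  include  system-login\n",
    "system-login": """#%PAM-1.0
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
session    optional   pam_keyinit.so       force revoke
-session   optional   pam_systemd.so
session    required   pam_env.so
""",
}

def parse_rules(text):
    """Yield one dict per rule; comments (#%PAM-1.0 included) and blank lines carry none."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        missing_ok = line.startswith("-")   # leading '-': skip quietly if the .so is absent
        mtype, rest = line.lstrip("-").split(None, 1)
        if rest.startswith("["):            # bracketed control, e.g. [success=1 default=ignore]
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        module, args = (rest.strip().split(None, 1) + [""])[:2]
        yield {"type": mtype, "control": control, "module": module,
               "args": args.strip(), "missing_ok": missing_ok}

def effective_stack(service, mtype, files=PAM_D, depth=0):
    """Return the flattened rule list of one management type (auth, account, ...)."""
    if depth > 16:                          # a file including itself would loop forever
        raise RecursionError(f"include loop reaching {service}")
    stack = []
    for rule in parse_rules(files[service]):
        if rule["type"] != mtype:
            continue
        if rule["control"] in ("include", "substack"):   # substack differs only in jump scoping
            stack.extend(effective_stack(rule["module"], mtype, files, depth + 1))
        else:
            stack.append(rule)
    return stack

if __name__ == "__main__":
    for r in effective_stack("sshd", "session"):
        note = "  (skipped if module file is missing)" if r["missing_ok"] else ""
        print(f"{r['control']:9} {r['module']:16} {r['args']}{note}")
```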