
PAM Component

The lcfg-pam man page gives full details of all possible resources, but this is one of the most complex LCFG components available, so it's worth asking others if you need some help!

Creating a new PAM Service

On a fully-managed machine, creating a new PAM service configuration file must be done using the LCFG pam component. It's not possible to simply use the file component, as the pam component is very opinionated about the contents of the /etc/pam.d directory.

Consider the situation where we need to create a PAM config for rstudio (/etc/pam.d/rstudio).

auth      requisite      pam_succeed_if.so uid >= 500 quiet
auth      required       pam_unix.so nodelay
account   required       pam_unix.so

The first step is to add a service with the required name (e.g. rstudio):

!pam.services mADD(rstudio)

This needs to be an LCFG tag. If the required config file name isn't suitable for use as a tag (e.g. it contains a hyphen), you can override the filename using the really resource like this:

!pam.services           mADD(foobar)
pam.really_foobar    foo-bar

The next step is to register all the required modules for the service. There are 4 types, each of which has an associated resource:

  • auth - authmods resource
  • account - acctmods resource
  • password - passmods resource
  • session - sessmods resource

In the case of the rstudio example, resources are required for the auth and account modules:

!pam.services                            mADD(rstudio)
pam.authmods_rstudio              succeedif unix
pam.acctmods_rstudio              unix

Specify the module names in the order in which they need to appear in the service configuration. Note that they must be listed in the pam.modules resource; if you're using a new module, it needs registering first.

Each PAM entry looks something like the following:

type ctrl path args

There are associated resources for the ctrl (control) and args (arguments) elements of each entry, per module and per entry type. These have default values; for example, the unix module has the following:

pam.acct_ctrl_unix required
pam.auth_ctrl_unix required
pam.pass_ctrl_unix required
pam.sess_ctrl_unix required

pam.auth_args_unix nullok_secure
pam.pass_args_unix obscure sha512

These can be overridden for a specific entry in a service by adding extra resources with names based on both the service and module names (in that order). For example:

pam.auth_ctrl_rstudio_succeedif   requisite /* default is required */
pam.auth_args_rstudio_succeedif   uid >= 500 quiet
pam.auth_args_rstudio_unix        nodelay /* default is nullok_secure */

Registering a New Module

Most standard modules are already registered with the PAM component and thus are available for immediate use.

If you need to add another new module, it's fairly straightforward: firstly it needs adding to the pam.modules tag list, and the path to the module needs to be specified:

!pam.modules      mADD(krb5)
!pam.path_krb5      mSET(<%pam.libsec_dir%>pam_krb5.so)

Although it's not essential to specify the absolute path to the module, we consider it good practice, and the directory location is available for reference in the pam.libsec_dir resource.

Each PAM entry in a service file looks something like the following:

type ctrl path args

For any entry type which makes sense for the module, you must provide a default ctrl (control). For example:

pam.auth_ctrl_krb5      required
pam.acct_ctrl_krb5      required
pam.pass_ctrl_krb5      required
pam.sess_ctrl_krb5      optional

These may be overridden on a per-service basis.

Optionally args (arguments) may also be specified for any entry type for the module. For example:

pam.auth_args_krb5       minimum_uid=1000
pam.acct_args_krb5       minimum_uid=1000
pam.pass_args_krb5       minimum_uid=1000 try_first_pass use_authtok
pam.sess_args_krb5       minimum_uid=1000

These may be overridden on a per-service basis.
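To make the resolution rules above concrete (service registration with the really override, the per-type module lists, default ctrl/args per module, and the service-and-module-named overrides, plus the pam.modules/path registration check), here is an added model of how those resources turn into /etc/pam.d lines. It is not the LCFG component's own code; the RESOURCES dictionary is constructed for the rstudio example on this page, with the "pam." prefix dropped from the resource names.

```python
# Added illustration (not the LCFG component's own code): a minimal model of how
# the lcfg-pam resources described above resolve into /etc/pam.d/<service> lines.
# RESOURCES is constructed for this example; keys are resource names minus "pam.".
RESOURCES = {
    "services": ["rstudio", "foobar"],
    "really_foobar": "foo-bar",                # filename override for a non-tag name
    "modules": ["succeedif", "unix"],          # registered modules
    "path_succeedif": "pam_succeed_if.so",     # bare names here; absolute paths are
    "path_unix": "pam_unix.so",                # the recommended practice
    "authmods_rstudio": "succeedif unix",      # order = order in the service file
    "acctmods_rstudio": "unix",
    "auth_ctrl_unix": "required", "acct_ctrl_unix": "required",
    "pass_ctrl_unix": "required", "sess_ctrl_unix": "required",
    "auth_args_unix": "nullok_secure", "pass_args_unix": "obscure sha512",
    "auth_ctrl_rstudio_succeedif": "requisite",        # per-service ctrl override
    "auth_args_rstudio_succeedif": "uid >= 500 quiet",
    "auth_args_rstudio_unix": "nodelay",               # per-service args override
}

# entry type -> (module-list resource, prefix used by the ctrl/args resources)
TYPES = {"auth": ("authmods", "auth"), "account": ("acctmods", "acct"),
         "password": ("passmods", "pass"), "session": ("sessmods", "sess")}

def service_filename(res, service):
    """Name of the file under /etc/pam.d: the tag, unless really_<tag> overrides it."""
    return res.get(f"really_{service}", service)

def render_service(res, service):
    """Return the contents of the pam.d file for one service in the services list."""
    if service not in res["services"]:
        raise KeyError(f"{service!r} is not in pam.services")
    lines = []
    for pam_type, (mods_key, prefix) in TYPES.items():
        for mod in res.get(f"{mods_key}_{service}", "").split():
            if mod not in res["modules"] or f"path_{mod}" not in res:
                raise ValueError(f"module {mod!r} is not registered in pam.modules")
            path = res[f"path_{mod}"]
            # service-specific resource (service then module name) beats the default
            ctrl = res.get(f"{prefix}_ctrl_{service}_{mod}", res.get(f"{prefix}_ctrl_{mod}"))
            if ctrl is None:
                raise ValueError(f"no default {prefix}_ctrl for module {mod!r}")
            args = res.get(f"{prefix}_args_{service}_{mod}", res.get(f"{prefix}_args_{mod}", ""))
            lines.append(f"{pam_type:<9} {ctrl:<14} {path} {args}".rstrip())
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(f"# /etc/pam.d/{service_filename(RESOURCES, 'rstudio')}")
    print(render_service(RESOURCES, "rstudio"), end="")
```

Running it prints the three rstudio lines shown earlier on this page; a module missing from pam.modules, or one with no default ctrl for the entry type, is rejected instead of silently emitting a broken entry.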

-- squinney - 2021-05-27

Topic revision: r2 - 2021-05-27 - squinney