oreilly.comSafari Books Online.Conferences.


PAM Modules

by Jennifer Vesperman

Editor's note: This is the second in a series of article on Pluggable Authentication Modules. In part one, Jennifer introduced PAM and showed how to get started. In this article, she walks us through some of the more useful modules.

Traditional user authentication is programmed directly into applications. Using PAM (Pluggable Authentication Modules), applications can be developed with a PAM interface, and the system administrator can choose any number of PAM modules to do authentication and other tasks.

PAM was designed for authentication, and it remains the most common function of PAM modules. Programmers being programmers, there are now PAM modules to do much more than authentication. A variety of security tasks can be done through modules, and there are utilities for session management.

Highlighted modules should be used in most systems that are connected to a network. is an easily underestimated module that allows the system administrator to adjust the user environment. checks passwords for strength and security.

Use in the password section of a PAM configuration file. The module uses the libcrack code to test whether the password is easily cracked, then runs additional tests against the old password and against system administrator determined parameters. relies on /usr/lib/cracklib_dict, and has only a password component.

As well as the libcrack tests, checks whether the new password is the old password with a change of case, whether it is a palindrome of the old password, whether it satisfies the difok argument, whether it passes the minimum length check, whether it's been recently used, and whether it's a simple rotation of the old password.

Useful arguments

difok = N
The number of characters in the new password which must not also be in the old password. The default is 10. If half the characters in the new password are new, the password passes this test.
minlen = N
Minimum length of the new password, plus one. Length credit is given for each different type of character in the new password (each case, symbols ("other") and digits). If using md5 passwords, a longer password is recommended.
dcredit, ucredit, lcredit and ocredit
The amount of length credit given for each type of character in the password (digits, each case, "other").

Example use

# /etc/pam.d/example

password    required    minlen=15 ocredit=2
password    required        use_authtok md5 allows you to set or unset environment variables using strings, existing variables, or PAM items.

The settings for this module are in /etc/security/pam_env.conf (though the argument conffile can override this). Syntax for this file is:


Comment on this articleWhat is your favorite thing about Pluggable Authentication Modules?
Post your comments

Previously in this series:

Introduction to PAM -- Pluggable Authentication Modules provide a solution to the difficulties of user authentication. Jennifer Vesperman introduces PAM and helps you get started.

The default settings are used if the override settings are not available. Environment variables can be referred to using ${variable}, and PAM items using @{variable}.

Valid PAM items for use with /etc/security/pam_env.conf are: PAM_USER, PAM_USER_PROMPT, PAM_TTY, PAM_RUSER, and PAM_RHOST. If is used on login, the ${USER} environment variable is not yet set. Use @{PAM_USER} instead.

The readenv argument toggles whether reads the environment file, /etc/environment, by default. The envfile argument allows you to use a different environment file. This file uses KEY=VALUE syntax to set the values of environment variables.

The module has only an auth component.

Pages: 1, 2, 3

Next Pagearrow

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: