PAM Configuration Example
Start course

In this course, you'll learn about account security in Linux including pluggable authentication modules (PAM), password security, account access controls, and account types.

Learning Objectives

  • Learn about PAM and how to configure pluggable authentication modules
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn how to make an account's password expire, how to expire an account itself, and how to lock and unlock accounts
  • Understand how to monitor log files and use intrusion detection systems
  • Learn about multi-factor authentication and how it can be implemented in Linux

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


Let's look at a sample PAM configuration. PAM configuration files like most other configuration files, use a hash mark or pound sign to indicate a comment. The first line in this file is a comment. The second line in the file is a directive. Auth is a module interface, required is the control flag, and is the authentication module. The three lines that start with auth are known as a stack. In this case, all three directives are required to succeed in order for authentication to be successful. The auth required pam_securetty line ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists. If the tty is not listed in the file, any attempt to log in as root fails. The next line uses the pam_unix module. This module prompts the user for a password and then checks the password using the information stored in etc password and etc shadow. The nullok argument instructs the pam_unix module to allow blank passwords. The pam_login module is used to prevent non-root users from logging onto this system when either the etc/nologin or /var/run/nologin files are present. As a system administrator, you can use these files to keep people from logging into the system while you perform maintenance for example. When a user logs in, the contents of the nologin file will be displayed to them. Let's move on to the account required line. The account interface of the pam_unix module performs any necessary account verification such as checking to make sure the account hasn't expired. If the password on the account has expired, the next line comes into play. It uses the pam_pwquality module with an argument of retry=3. This module prompts the user to enter a new password and then perform some quality tests on that password including to see if it's a dictionary word. If the password fails the quality test, the retry=3 argument tells the module to give the user two additional chances to create an acceptable password before returning with an error. The next line uses the password interface of the pam_unix module. The arguments are shadow\nullok and use_authtok. The backslash you see here is simply a line continuation character. If you were to place this on one line then you wouldn't need to use that backslash. The shadow argument tells pam_unix to use shadow passwords. The nullok argument allows a user to change their password from a blank password. If this argument isn't used, a null password is treated as a lock to count. The use_authtok argument tells the module not to prompt for a password, but to use any password that was gathered by a previous password module. This allows us to use the pam_pwquality module to enforce strong passwords. This particular example highlights the importance of the order in which PAM directives are listed. Finally, the last line of this configuration uses the session interface of the pam_unix module which logs when a user logs into or out of the system. If you want to understand exactly what a module does, what interfaces it supports, and what arguments it expects refer to its documentation. The simplest way to do this is to drop the .so extension which stands for shared object by the way, and then pass it as an argument to the man command. So if you want to read up on the module documentation, you would run man pam_unix. We'll be coming back to PAM from time to time throughout this course. Now that you understand how PAM works in general, we can get into some specific account security measures and how you can go about creating configurations for those measures.

About the Author
Learning Paths

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.