LinuxPAM

Linux-PAM, short for Linux Pluggable Authentication Modules, is a framework of shared libraries that provides a centralized authentication mechanism for Linux systems. It decouples authentication logic from applications and services, enabling administrators to alter authentication policies without changing program code. Linux-PAM handles tasks in four areas: authentication, account management, session management, and password management.

Configured through files in /etc/pam.d and /etc/security, Linux-PAM determines which modules are invoked by which services. Each PAM configuration defines a stack of modules for a given service and for a given management type (auth, account, password, session). Modules have control flags such as required, requisite, sufficient, or optional that influence the overall outcome.

Modules are platform-specific shared libraries located in /lib/security (or /lib64/security). Typical modules include pam_unix.so (traditional Unix authentication against /etc/passwd and /etc/shadow), pam_ldap.so (LDAP-backed authentication), pam_krb5.so (Kerberos), and pam_sss.so (SSSD). A service can combine modules to implement complex policies, support multiple authentication backends, or enable multi-factor authentication by stacking modules.

Linux-PAM is a core component in most Linux distributions, used by login programs, su, sudo, cron, and many network services. Misconfiguration can prevent logins or lock accounts, so administrators often test PAM stacks with tools and keep backup configurations. PAM configurations are user-modifiable but require careful planning and documentation.

Linux-PAM originated as an implementation of the PAM framework for Linux and is maintained by a community alongside major distributions. It remains the standard method for integrating authentication services across Linux systems and supports a wide range of backends and third-party modules.
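The way the control flags required, requisite, sufficient and optional combine module results within one stack can be traced with a small model. This is an added example, not code from Linux-PAM: the service configuration is a constructed sample, the function names are hypothetical, and the model is simplified (module results are plain pass/fail, and bracketed `[value=action]` controls and `include` lines are rejected rather than evaluated).

```python
SIMPLE_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample for a hypothetical service; not taken from a real system.
SAMPLE_CONFIG = """\
auth     required    pam_unix.so
auth     sufficient  pam_sss.so
auth     requisite   pam_krb5.so
auth     optional    pam_ldap.so
account  required    pam_unix.so
"""


def parse_stack(config_text, mgmt_type):
    """Return [(control, module)] for one management type, in file order."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed line: {raw!r}")
        kind, control, module = fields[:3]
        if control not in SIMPLE_FLAGS:
            # Bracketed [value=action] controls and include are out of scope.
            raise ValueError(f"unsupported control flag: {control!r}")
        if kind == mgmt_type:
            stack.append((control, module))
    return stack


def evaluate(config_text, mgmt_type, results):
    """Return (granted, modules_invoked); results maps module -> True/False."""
    failed = False      # a required module has failed earlier in the stack
    positive = False    # at least one module has voted for success
    invoked = []
    for control, module in parse_stack(config_text, mgmt_type):
        ok = results.get(module, False)   # unlisted module counts as a failure
        invoked.append(module)
        if ok:
            positive = True
            if control == "sufficient" and not failed:
                return True, invoked      # short-circuit: the rest is skipped
        elif control == "required":
            failed = True                 # remember, but keep running modules
        elif control == "requisite":
            return False, invoked         # deny at once, nothing else runs
        # a failed sufficient or optional module does not change the outcome
    return positive and not failed, invoked
```

A stack with no successful module is denied in this model, which is why an empty or all-optional-and-failing stack never grants access.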