PAM(8) — Linux manual page


PAM(8)                      Linux-PAM Manual                      PAM(8)

NAME         top

       PAM, pam - Pluggable Authentication Modules for Linux

DESCRIPTION         top

       This manual is intended to offer a quick introduction to
       Linux-PAM. For more information the reader is directed to the
       Linux-PAM system administrators' guide.

       Linux-PAM is a system of libraries that handle the authentication
       tasks of applications (services) on the system. The library
       provides a stable general interface (Application Programming
       Interface - API) that privilege granting programs (such as
       login(1) and su(1)) defer to to perform standard authentication

       The principal feature of the PAM approach is that the nature of
       the authentication is dynamically configurable. In other words,
       the system administrator is free to choose how individual
       service-providing applications will authenticate users. This
       dynamic configuration is set by the contents of the single
       Linux-PAM configuration file /etc/pam.conf. Alternatively, the
       configuration can be set by individual configuration files
       located in the /etc/pam.d/ directory. The presence of this
       directory will cause Linux-PAM to ignore /etc/pam.conf.

       Vendor-supplied PAM configuration files might be installed in the
       system directory /usr/lib/pam.d/ or a configurable vendor
       specific directory instead of the machine configuration directory
       /etc/pam.d/. If no machine configuration file is found, the
       vendor-supplied file is used. All files in /etc/pam.d/ override
       files with the same name in other directories.

       From the point of view of the system administrator, for whom this
       manual is provided, it is not of primary importance to understand
       the internal behavior of the Linux-PAM library. The important
       point to recognize is that the configuration file(s) define the
       connection between applications (services) and the pluggable
       authentication modules (PAMs) that perform the actual
       authentication tasks.

       Linux-PAM separates the tasks of authentication into four
       independent management groups: account management; authentication
       management; password management; and session management. (We
       highlight the abbreviations used for these groups in the
       configuration file.)

       Simply put, these groups take care of different aspects of a
       typical user's request for a restricted service:

       account - provide account verification types of service: has the
       user's password expired?; is this user permitted access to the
       requested service?

       authentication - authenticate a user and set up user credentials.
       Typically this is via some challenge-response request that the
       user must satisfy: if you are who you claim to be please enter
       your password. Not all authentications are of this type, there
       exist hardware based authentication schemes (such as the use of
       smart-cards and biometric devices), with suitable modules, these
       may be substituted seamlessly for more standard approaches to
       authentication - such is the flexibility of Linux-PAM.

       password - this group's responsibility is the task of updating
       authentication mechanisms. Typically, such services are strongly
       coupled to those of the auth group. Some authentication
       mechanisms lend themselves well to being updated with such a
       function. Standard UN*X password-based access is the obvious
       example: please enter a replacement password.

       session - this group of tasks cover things that should be done
       prior to a service being given and after it is withdrawn. Such
       tasks include the maintenance of audit trails and the mounting of
       the user's home directory. The session management group is
       important as it provides both an opening and closing hook for
       modules to affect the services available to a user.

FILES         top

           the configuration file

           the Linux-PAM configuration directory. Generally, if this
           directory is present, the /etc/pam.conf file is ignored.

           the Linux-PAM vendor configuration directory. Files in
           /etc/pam.d override files with the same name in this

ERRORS         top

       Typically errors generated by the Linux-PAM system of libraries,
       will be written to syslog(3).

CONFORMING TO         top

       DCE-RFC 86.0, October 1995. Contains additional features, but
       remains backwardly compatible with this RFC.

SEE ALSO         top

       pam(3), pam_authenticate(3), pam_sm_setcred(3), pam_strerror(3),

COLOPHON         top

       This page is part of the linux-pam (Pluggable Authentication
       Modules for Linux) project.  Information about the project can be
       found at ⟨⟩.  If you have a bug report
       for this manual page, see ⟨//⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨⟩ on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-12-18.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

Linux-PAM Manual               12/22/2023                         PAM(8)

Pages that refer to this page: runuser(1)su(1)misc_conv(3)pam_acct_mgmt(3)pam_authenticate(3)pam_chauthtok(3)pam_conv(3)pam_error(3)pam_get_authtok(3)pam_getenv(3)pam_getenvlist(3)pam_info(3)pam_misc_drop_env(3)pam_misc_paste_env(3)pam_misc_setenv(3)pam_prompt(3)pam_putenv(3)pam_sm_acct_mgmt(3)pam_sm_authenticate(3)pam_sm_chauthtok(3)pam_sm_close_session(3)pam_sm_open_session(3)pam_sm_setcred(3)pam_strerror(3)pam_syslog(3)access.conf(5)default_contexts(5)faillock.conf(5)failsafe_context(5)group.conf(5)limits.conf(5)login.defs(5)namespace.conf(5)pam.conf(5)pam_env.conf(5)pwhistory.conf(5)selinux_config(5)sepermit.conf(5)service_seusers(5)seusers(5)systemd.exec(5)time.conf(5)user_contexts(5)user@.service(5)environ(7)cron(8)faillock(8)PAM(8)pam_access(8)pam_debug(8)pam_deny(8)pam_echo(8)pam_env(8)pam_exec(8)pam_faildelay(8)pam_faillock(8)pam_filter(8)pam_ftp(8)pam_group(8)pam_issue(8)pam_keyinit(8)pam_lastlog(8)pam_limits(8)pam_listfile(8)pam_localuser(8)pam_loginuid(8)pam_mail(8)pam_mkhomedir(8)pam_motd(8)pam_namespace(8)pam_nologin(8)pam_permit(8)pam_pwhistory(8)pam_rhosts(8)pam_rootok(8)pam_securetty(8)pam_selinux(8)pam_sepermit(8)pam_setquota(8)pam_shells(8)pam_stress(8)pam_succeed_if(8)pam_systemd(8)pam_systemd_home(8)pam_time(8)pam_timestamp(8)pam_timestamp_check(8)pam_tty_audit(8)pam_umask(8)pam_unix(8)pam_userdb(8)pam_usertype(8)pam_warn(8)pam_wheel(8)pam_xauth(8)