Skip to content

PAM - Pluggable Authentication Modules โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

WhiteIntel โ€‹

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

โ›“๏ธ External Link

Basic Information โ€‹

PAM (Pluggable Authentication Modules) acts as a security mechanism that verifies the identity of users attempting to access computer services, controlling their access based on various criteria. It's akin to a digital gatekeeper, ensuring that only authorized users can engage with specific services while potentially limiting their usage to prevent system overloads.

Configuration Files โ€‹

  • Solaris and UNIX-based systems typically utilize a central configuration file located at /etc/pam.conf.
  • Linux systems prefer a directory approach, storing service-specific configurations within /etc/pam.d. For instance, the configuration file for the login service is found at /etc/pam.d/login.

An example of a PAM configuration for the login service might look like this:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so

PAM Management Realms โ€‹

These realms, or management groups, include auth, account, password, and session, each responsible for different aspects of the authentication and session management process:

  • Auth: Validates user identity, often by prompting for a password.
  • Account: Handles account verification, checking for conditions like group membership or time-of-day restrictions.
  • Password: Manages password updates, including complexity checks or dictionary attacks prevention.
  • Session: Manages actions during the start or end of a service session, such as mounting directories or setting resource limits.

PAM Module Controls โ€‹

Controls dictate the module's response to success or failure, influencing the overall authentication process. These include:

  • Required: Failure of a required module results in eventual failure, but only after all subsequent modules are checked.
  • Requisite: Immediate termination of the process upon failure.
  • Sufficient: Success bypasses the rest of the same realm's checks unless a subsequent module fails.
  • Optional: Only causes failure if it's the sole module in the stack.

Example Scenario โ€‹

In a setup with multiple auth modules, the process follows a strict order. If the pam_securetty module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The pam_env sets environment variables, potentially aiding in user experience. The pam_ldap and pam_unix modules work together to authenticate the user, with pam_unix attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods.

References โ€‹

WhiteIntel โ€‹

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

โ›“๏ธ External Link
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: