Linux PAM
Status: Scaffold — content in progress
PAM (Pluggable Authentication Modules) is the authentication framework used on Linux (the Linux-PAM implementation). It sits between applications such as sshd, login and sudo and the actual authentication mechanisms: the application calls libpam, and the per-service stack in /etc/pam.d decides which modules run and how their results combine.
PAM Stack
/etc/pam.d/sshd ← per-service PAM configuration
/etc/pam.d/common-auth ← shared auth stack
Each line in a PAM config has the form: type control module [arguments]. The common control values are required (a failure fails the stack, but the remaining modules still run), requisite (a failure returns immediately), sufficient (success ends the stack with success unless an earlier required module already failed; a failure is ignored), optional (only counts when nothing else in the stack gives a result), and include / substack (pull in another file such as common-auth). The stack is evaluated top to bottom, so order matters.
| Type | Purpose |
|---|---|
| auth | Verify identity |
| account | Access control (is account valid, not expired, locked?) |
| password | Password changing rules |
| session | Session setup/teardown |
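To make the control-flag rules concrete, the following is an added example (not code from the original page or from Linux-PAM): a small simulator that parses /etc/pam.d-style lines and walks one stack the way pam.conf(5) describes. The three stacks and the per-module outcomes are constructed for the demo; no real module is loaded.

```python
"""Simulate Linux-PAM's simple control flags (required / requisite / sufficient /
optional) over a constructed service stack. Added example, not Linux-PAM code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Entry:
    mtype: str                                  # auth / account / password / session
    control: str                                # required / requisite / sufficient / optional
    module: str                                 # e.g. pam_unix.so
    args: List[str] = field(default_factory=list)


def parse_stack(text: str) -> List[Entry]:
    """Parse lines of the form: type control module [args...]. Comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return entries


# Action taken on (module success, module failure) for each simple control flag:
#   ok     -> remember a pass (never overrides an earlier failure)
#   bad    -> remember a failure, keep walking the stack
#   die    -> fail immediately
#   done   -> succeed immediately, unless an earlier required module already failed
#   ignore -> no effect on the result
ACTIONS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}


def evaluate(entries: List[Entry], outcomes: Dict[str, bool],
             mtype: str = "auth") -> Tuple[bool, List[str]]:
    """Walk the stack for one type. Returns (stack_passed, modules_that_ran).
    A module missing from `outcomes` counts as failing, like a module that cannot be loaded."""
    impression = None                           # None = undecided, True = passing, False = failing
    ran: List[str] = []
    for e in entries:
        if e.mtype != mtype:
            continue
        if e.control not in ACTIONS:
            raise ValueError(f"control {e.control!r} not modelled here (include/substack/[...] syntax)")
        ran.append(e.module)
        on_success, on_failure = ACTIONS[e.control]
        action = on_success if outcomes.get(e.module, False) else on_failure
        if action == "ok":
            if impression is None:
                impression = True
        elif action == "bad":
            impression = False
        elif action == "die":
            return False, ran
        elif action == "done":
            if impression is not False:
                return True, ran
        # "ignore": nothing to record
    return impression is True, ran


# Constructed stacks for the demo (not copied from any distribution).
STACK_TWO_FACTOR = """
auth required   pam_unix.so
auth required   pam_google_authenticator.so
"""
STACK_SUFFICIENT_THEN_DENY = """
auth sufficient pam_unix.so
auth required   pam_deny.so
"""
STACK_BACKDOORED = """
auth sufficient pam_permit.so
auth required   pam_unix.so
"""

if __name__ == "__main__":
    # Both required modules run even when the first fails, so a caller cannot
    # tell from timing or prompts which factor was wrong.
    print(evaluate(parse_stack(STACK_TWO_FACTOR),
                   {"pam_unix.so": False, "pam_google_authenticator.so": True}))
    # A sufficient pam_permit.so at the top accepts any password without ever running pam_unix.
    print(evaluate(parse_stack(STACK_BACKDOORED), {"pam_permit.so": True, "pam_unix.so": False}))
```

Note the ordering rule the simulator enforces: a sufficient module that succeeds after a required module has already failed does not rescue the stack, which is why the backdoor line has to sit above pam_unix to be effective.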
Key Modules
| Module | Function |
|---|---|
| pam_unix | Standard Unix password auth (verifies the hash in /etc/shadow); `nullok` accepts empty passwords |
| pam_sss | SSSD integration — AD/LDAP auth |
| pam_krb5 | Kerberos auth |
| pam_tally2 / pam_faillock | Lock the account after repeated failed attempts (pam_tally2 was removed in Linux-PAM 1.5; use pam_faillock) |
| pam_google_authenticator | TOTP second factor |
| pam_exec | Runs an external command at the given stage; with `expose_authtok` the cleartext password is written to the command's stdin. Dangerous if the command or its path is writable by others |
Attack Surface
- Writable /etc/pam.d/ or a writable service file: insert a backdoor line, e.g. pam_exec running a reverse shell, or `auth sufficient pam_permit.so` placed at the top of the stack so every password is accepted
- Writable module directory or writable pam_exec command path: replace the code PAM loads or executes as root
- pam_unix with weak passwords, or `nullok` allowing empty ones
- Module `debug` options raise syslog verbosity and can leak authentication details; pam_exec with `expose_authtok` hands the cleartext password to an external command
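The checks above can be scripted. The following is an added example (not code from the original page): an audit routine that walks a PAM configuration directory and reports the items on this list. To keep it self-contained it builds a constructed copy of /etc/pam.d in a temporary directory; point `audit_pam_dir()` at the real /etc/pam.d to run it on a host. The finding codes and the `hook.sh` command path are this example's own naming.

```python
"""Audit a PAM configuration tree for the attack-surface items above.
Added example; the demo tree is constructed, nothing on the host is read or changed."""
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# pam_exec option tokens that may precede the command (from pam_exec(8)); the first
# argument that is not one of these is treated as the command path.
PAM_EXEC_FLAGS = {"debug", "expose_authtok", "seteuid", "quiet", "quiet_log", "stdout"}

Finding = Tuple[str, int, str]      # (service file, line number or 0 for the file itself, code)


def _others_can_write(path: str) -> bool:
    """True if group or world has write permission on the path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def _pam_exec_command(args: List[str]) -> Optional[str]:
    for a in args:
        if a in PAM_EXEC_FLAGS or a.startswith(("log=", "type=")):
            continue
        return a
    return None


def audit_pam_dir(pam_dir: str) -> List[Finding]:
    findings: List[Finding] = []
    if _others_can_write(pam_dir):
        findings.append((".", 0, "dir-writable"))          # anyone can drop in a new service file
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        if _others_can_write(path):
            findings.append((name, 0, "file-writable"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                parts = raw.split("#", 1)[0].split()
                if len(parts) < 3:
                    continue
                mtype, control, module, args = parts[0].lower(), parts[1].lower(), parts[2], parts[3:]
                if module.startswith("pam_permit") and mtype == "auth" and control == "sufficient":
                    findings.append((name, lineno, "permit-sufficient"))   # accepts any password
                if module.startswith("pam_unix") and "nullok" in args:
                    findings.append((name, lineno, "nullok"))              # empty passwords accepted
                if "debug" in args:
                    findings.append((name, lineno, "debug"))               # verbose syslog output
                if module.startswith("pam_exec"):
                    findings.append((name, lineno, "exec"))                # review the command
                    if "expose_authtok" in args:
                        findings.append((name, lineno, "exec-expose-authtok"))
                    cmd = _pam_exec_command(args)
                    if cmd and os.path.exists(cmd) and _others_can_write(cmd):
                        findings.append((name, lineno, "exec-command-writable"))
    return findings


def build_demo_tree() -> str:
    """Create a constructed pam.d with one deliberately bad sshd stack; returns its path."""
    root = tempfile.mkdtemp(prefix="pamd-demo-")
    hook = os.path.join(root, "hook.sh")                     # hypothetical pam_exec command
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(hook, 0o777)                                    # world-writable: anyone can swap the script
    pam_dir = os.path.join(root, "pam.d")
    os.mkdir(pam_dir, 0o755)
    os.chmod(pam_dir, 0o755)                                 # explicit, so umask does not matter
    sshd = ("# constructed sshd stack\n"
            "auth sufficient pam_permit.so\n"
            "auth required pam_unix.so nullok debug\n"
            "auth optional pam_exec.so expose_authtok " + hook + "\n"
            "account required pam_unix.so\n")
    login = "auth required pam_unix.so\naccount required pam_unix.so\n"
    for fname, body, mode in (("sshd", sshd, 0o666), ("login", login, 0o644)):
        p = os.path.join(pam_dir, fname)
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, mode)                                    # sshd left world-writable on purpose
    return pam_dir


if __name__ == "__main__":
    for service, lineno, code in audit_pam_dir(build_demo_tree()):
        print(f"{service}:{lineno} {code}")
```

The directory and file permission checks only make sense when run as the user you are auditing from (root sees everything as writable in a different sense), and the pam_exec command check deliberately ignores commands that do not exist on the host, since a dangling path is a different finding.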
Cross-Links
| Topic | Link |
|---|---|
| Linux SSSD | linux-sssd |
| Linux Kerberos | linux-kerberos |