Help with PAM changes

I need to add 4 lines of syntax into /etc/pam.d/{password-auth,system-auth}:

Disregard the extra backticks, they are for emphasis only.

`auth        required                 pam_faillock.so       preauth   silent    audit  deny=5  even_deny_root   fail_interval=900     unlock_time=900`

`auth         sufficient             pam_unix.so    try_first_pass`

`auth       [default=die]    pam_faillock.so   authfail  audit   deny=5   even_deny_root   fail_interval=900   unlock_time=900`

`account     required       pam_faillock.so`

My question is related to the relative positioning of these lines of syntax.

I see them in different files I reference located in different places. How do I know what order to place them, in relation to all of the other lines of syntax already present?

I know this is a very sensitive technology and obviously for security purposes.

Any guidance in an authoritative manner would be greatly appreciated.


I have learned, with no input from anyone, that you have to keep all auth lines separate from account lines, separate from password lines, separate from session lines.

What I am concerned about still is the order of precedence of the control which could be one of {required, requisite, sufficient, optional, include and substack} for a given type. Is there any precedence? How do I know where/how to add new lines into an existing stack?

Red Hat documents PAM in: 10.2. About PAM Configuration Files Red Hat Enterprise Linux 7 | Red Hat Customer Portal
Some other details are in man pam.d. Yes, there is some precedence in controls.

The system’s tool to configure authentication is authselect. See man authselect

Ansible has module pamd for managing files in /etc/pam.d/. I presume the other configuration management tools do too.

Thanks jlehtone,
nice to see you over on this site too!

I understand based on my reading of the pam.conf man page, that the line consists of:

service    type     control      module-path   module-arguments

In reality the service has a file named after it within /etc/pam.d like the following services: ssh, sssd, su, sudo, atd, crond, gdm, login, and so on. No questions here.

So when you review a file named after ssh, for example, the syntax is then the remaining fields from left to right:

type     control      module-path   module-arguments

The type field is one of auth, account, password, and session, and they are always added, removed, modified, in the same part of the stack. No questions here.

It is once we get down to the last three fields on the line of syntax:

control      module-path   module-arguments

Once you, I, we, get down to these last 3 fields, is there an order of precedence that I need to understand that would alter the behavior of PAM-enabled services? **It is the last 3 fields that I am concerned about.**

Would using the tool authselect teach me how such things would be forced into proper place?

The Red Hat document writes:

If a module’s control flag uses the sufficient or requisite value, then the order in which the modules are listed is important to the authentication process.

In other words, the modules are evaluated in order. The flags differ on whether all modules have to be evaluated.

Frankly, I’m still clueless about the authselect.
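To make the "evaluated in order, flags decide whether the rest of the stack still runs" rule concrete, here is a small Python model of how Linux-PAM walks one management group. It is an added example, not code from the thread or from Linux-PAM itself. The modules are stubs: pam_faillock's tally, pam_unix's password check and pam_deny are modelled just enough to show why the four lines from the question must sit where they do (preauth before pam_unix, authfail after it). The user name, the deny limit of 5, and the return code assumed for `pam_faillock.so authfail` are assumptions; under `[default=die]` the assumed code does not change the outcome, because that control terminates the stack on every return code.

```python
"""Toy model of Linux-PAM stack evaluation for one management group (auth, session, ...).

Added example, not from the thread. Module bodies are stubs (assumption), the
mapping of control keywords to actions follows pam.conf(5).
"""
from dataclasses import dataclass

SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"
DENY = 5  # assumed deny= limit, matching the question's lines

# Bracket-form equivalents of the simple control keywords, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(text):
    """'required' -> keyword map; '[success=1 default=ignore]' -> {'success': 1, 'default': 'ignore'}."""
    if not text.startswith("["):
        return KEYWORDS[text]
    actions = {}
    for item in text.strip("[]").split():
        code, action = item.split("=", 1)
        actions[code] = int(action) if action.isdigit() else action
    return actions


@dataclass
class Entry:
    control: str
    name: str
    module: object  # callable(ctx) -> return code string


def run_stack(stack, ctx):
    """Walk the stack top to bottom; return (final code, names of the modules that actually ran)."""
    status = None  # None: nothing has failed yet, so the stack would return success
    ran, i = [], 0
    while i < len(stack):
        entry = stack[i]
        rc = entry.module(ctx)
        ran.append(entry.name)
        actions = parse_control(entry.control)
        action = actions.get(rc, actions.get("default", "bad"))
        jump = 0
        if isinstance(action, int):  # an integer action is 'ok' plus "skip the next N entries"
            jump, action = action, "ok"
        if action in ("ok", "done") and status is None and rc != SUCCESS:
            status = rc  # the first failure is the one the stack reports
        elif action in ("bad", "die") and status is None:
            status = rc if rc != SUCCESS else PERM_DENIED
        if action == "done" and status is None:
            return SUCCESS, ran  # sufficient succeeded and nothing before it failed: stop here
        if action == "die":
            return status, ran  # requisite / [default=die]: stop immediately with the failure
        i += 1 + jump
    return (SUCCESS if status is None else status), ran


# --- stub modules (constructed for the example) -----------------------------
def faillock_preauth(ctx):
    return AUTH_ERR if ctx["tally"].get(ctx["user"], 0) >= DENY else SUCCESS


def pam_unix(ctx):
    return SUCCESS if ctx["password_ok"] else AUTH_ERR


def faillock_authfail(ctx):
    ctx["tally"][ctx["user"]] = ctx["tally"].get(ctx["user"], 0) + 1
    return AUTH_ERR  # assumed return code; [default=die] dies on any code anyway


def always(code):
    return lambda ctx: code


# The auth lines from the question, in the documented order.
GOOD_ORDER = [
    Entry("required", "faillock preauth", faillock_preauth),
    Entry("sufficient", "pam_unix", pam_unix),
    Entry("[default=die]", "faillock authfail", faillock_authfail),
]
PREAUTH_TOO_LATE = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]   # preauth after the password check
AUTHFAIL_TOO_EARLY = [GOOD_ORDER[0], GOOD_ORDER[2], GOOD_ORDER[1]]  # authfail before the password check


def attempt(stack, password_ok, tally):
    return run_stack(stack, {"user": "alice", "password_ok": password_ok, "tally": tally})


def demo():
    """Run the scenarios and return their outcomes keyed by name."""
    out, tally = {}, {}
    out["good_pw"] = attempt(GOOD_ORDER, True, tally)    # authfail never runs, tally stays 0
    out["bad_pw"] = attempt(GOOD_ORDER, False, tally)    # authfail tallies the failure, stack dies
    for _ in range(DENY - 1):
        attempt(GOOD_ORDER, False, tally)                # reach the deny limit
    out["locked_good_pw"] = attempt(GOOD_ORDER, True, tally)  # sufficient cannot undo a failed required
    out["tally_after_lock"] = tally["alice"]
    out["bypass"] = attempt(PREAUTH_TOO_LATE, True, dict(tally))  # lockout never consulted
    out["self_dos"] = attempt(AUTHFAIL_TOO_EARLY, True, {})       # every login, good or bad, fails
    # Constructed session-style stack: [success=1 default=ignore] skips the next entry only.
    session = [
        Entry("[success=1 default=ignore]", "succeed_if service=crond", always(SUCCESS)),
        Entry("required", "pam_unix session", always(SUCCESS)),
        Entry("required", "pam_limits", always(SUCCESS)),
    ]
    out["jump"] = run_stack(session, {})
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two misordered variants are the point: with preauth placed after `sufficient pam_unix.so`, a correct password ends the stack before the lockout is ever checked, and with authfail placed before pam_unix every attempt is tallied and `[default=die]` rejects every login. Neither mistake produces a syntax error, which is why the relative position has to be reasoned about rather than pasted from a reference file.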

Thank you sir. Seeing you write that you are clueless about authselect leaves me feeling a little better. :wink:

Please note that since 8.4 the arguments for pam_faillock.so can be centralized in /etc/security/faillock.conf.

A DISA-STIG compliant system-auth file would look like this:

```
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok sha512 shadow
password    required      pam_deny.so
password    required      pam_pwquality.so
password    required      pam_pwhistory.so use_authtok remember=5

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```