Introduction to Linux-PAM

The Linux-PAM package contains Pluggable Authentication Modules. This is useful to enable the local system administrator to choose how applications authenticate users.

Package Information

Additional Downloads

Linux-PAM Dependencies


CrackLib-2.8.9, Prelude, and sgmltools-lite

User Notes:

Installation of Linux-PAM

If you downloaded the documentation, unpack the tarball into the doc directory of the source tree:

tar -xf ../Linux-PAM- -C doc

Install Linux-PAM by running the following commands:

./configure --libdir=/usr/lib \
            --sbindir=/lib/security \
            --enable-securedir=/lib/security \
            --enable-docdir=/usr/share/doc/Linux-PAM- \
            --enable-read-both-confs &&

The test suite will not provide meaningful results until the package has been installed and configured. If, after installing the package and creating a minimum configuration as shown below in the 'other' example, you wish to run the tests, issue make check.



Don't delete the Linux-PAM source tree until after you reinstall the Shadow package. The reinstallation of the Shadow package includes much more stringent security for the PAM configuration, and you can run the Linux-PAM test suite after completing the Shadow instructions to test the new setup. All the tests should pass.

Now, as the root user:

make install &&
chmod -v 4755 /lib/security/unix_chkpwd &&
mv -v /lib/security/pam_tally /sbin &&
mv -v /usr/lib/libpam*.so.0* /lib &&
ln -v -sf ../../lib/ /usr/lib/ &&
ln -v -sf ../../lib/ /usr/lib/ &&
ln -v -sf ../../lib/ /usr/lib/

If you downloaded the documentation, install it using the following command:

for DOCTYPE in html pdf ps txts
    cp -v -R doc/$DOCTYPE /usr/share/doc/Linux-PAM-

Command Explanations

--libdir=/usr/lib: This parameter results in the libraries being installed in /usr/lib.

--sbindir=/lib/security: This parameter results in two executables, one which is not intended to be run from the command line, being installed in the same directory as the PAM modules. One of the executables is later moved to the /sbin directory.

--enable-securedir=/lib/security: This parameter results in the PAM modules being installed in /lib/security.

--enable-docdir=...: This parameter results in the documentation being installed in a versioned directory name.

--enable-read-both-confs: This parameter allows the local administrator to choose which configuration file setup to use.

chmod -v 4755 /lib/security/unix_chkpwd: The unix_chkpwd password-helper program must be setuid so that non-root processes can access the shadow-password file.

mv -v /lib/security/pam_tally /sbin: The pam_tally program is designed to be run by the system administrator, possibly in single-user mode, so it is moved to the appropriate directory.

mv -v /usr/lib/libpam*.so.0* /lib: This command moves the dynamic libraries to /lib as they may be required in single user mode.

ln -v -sf ...: These commands recreate the .so symlinks as the libraries they pointed to were moved to /lib.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/* or /etc/pam.conf

Configuration Information

Configuration information is placed in /etc/pam.d/ or /etc/pam.conf depending on system administrator preference. Below are example files of each type:

# Begin /etc/pam.d/other

auth            required     nullok
account         required
session         required
password        required     nullok

# End /etc/pam.d/other

# Begin /etc/pam.conf

other           auth            required     nullok
other           account         required
other           session         required
other           password        required     nullok

# End /etc/pam.conf

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

Refer to for a list of various modules available.



You should now reinstall the Shadow-4.0.15 package.


Installed Program: pam_tally
Installed Libraries: libpam.{so,a}, libpamc.{so,a}, and libpam_misc.{so,a}
Installed Directories: /etc/pam.d, /etc/security, /lib/security and /usr/include/security

Short Descriptions


is used to view or manipulate the faillog file.


provides the interfaces between applications and the PAM modules.

Last updated on 2007-01-18 13:38:19 -0600