Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used by the local system administrator to control how application programs authenticate users.



Development versions of BLFS may not build or run some packages properly if LFS or dependencies have been updated since the most recent stable versions of the books.

Package Information

Additional Downloads

Optional Documentation

Linux PAM Dependencies


libnsl-2.0.1, libtirpc-1.3.4, rpcsvc-proto-1.4.4, Berkeley DB (deprecated), libaudit, libeconf, and Prelude



Shadow-4.16.0 must be reinstalled and reconfigured after installing and configuring Linux PAM.

Kernel Configuration

For the PAM module (referred to by the PAM configuration file system-session if elogind-255.5 is built later) to work, a kernel configuration parameter needs to be set, or the module will do nothing:

General setup --->
  [*] Auditing support                                                   [AUDIT]

Installation of Linux PAM

First, prevent the installation of an unneeded systemd file:

sed -e /service_DATA/d \
    -i modules/pam_namespace/

The shipped libtool.m4 file has a configuration inconsistent with the LFS /usr hierarchy. This inconsistency would cause linking with an rpath flag, which may sometimes cause trouble or even security issues. Regenerate the build system to fix the inconsistency:

autoreconf -fi

If you downloaded the documentation, unpack the tarball by issuing the following command.

tar -xf ../Linux-PAM-1.6.1-docs.tar.xz --strip-components=1

Compile and link Linux PAM by running the following commands:

./configure --prefix=/usr                        \
            --sbindir=/usr/sbin                  \
            --sysconfdir=/etc                    \
            --libdir=/usr/lib                    \
            --enable-securedir=/usr/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-1.6.1 &&
make

To test the results, a suitable /etc/pam.d/other configuration file must exist.


Reinstallation or Upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The existing file can be used for the tests.

You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. If you have modified those files, be sure to back them up.
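The following is an added example, not part of the BLFS instructions: it snapshots the files that make install overwrites and afterwards lists which local changes were lost, so that hardening kept in /etc/security is not silently reset to shipped defaults. The function names, the snapshot location and the faillock.conf content in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical helpers. ROOT is the filesystem root ("/" on a live system);
# SNAP is an absolute path to a snapshot directory that does not exist yet.

# Before "make install": copy the files it overwrites into SNAP, keeping modes.
pam_conf_snapshot() {
    root=${1%/} snap=$2
    [ ! -e "$snap" ] || { echo "snapshot already exists: $snap" >&2; return 1; }
    mkdir -p "$snap/etc" || return 1
    cp -Rp "$root/etc/security" "$snap/etc/" || return 1
    if [ -f "$root/etc/environment" ]; then
        cp -p "$root/etc/environment" "$snap/etc/" || return 1
    fi
}

# After "make install": list every snapshotted file whose live copy now
# differs or is gone. Each one is a local change that was overwritten.
pam_conf_overwritten() {
    root=${1%/} snap=$2
    ( cd "$snap" && find etc -type f | sort ) | while IFS= read -r f; do
        cmp -s "$snap/$f" "$root/$f" || printf '/%s\n' "$f"
    done
}

# Constructed demo tree standing in for "/" (sample data, not real settings).
demo=$(mktemp -d)
mkdir -p "$demo/root/etc/security"
echo "deny = 3" > "$demo/root/etc/security/faillock.conf"
pam_conf_snapshot "$demo/root" "$demo/snap"
echo "# deny = 3" > "$demo/root/etc/security/faillock.conf"  # simulated overwrite
pam_conf_overwritten "$demo/root" "$demo/snap"
rm -rf "$demo"
```

On a live system the calls would be pam_conf_snapshot / SNAP before the install and pam_conf_overwritten / SNAP after it, both as the root user.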

For a first-time installation, create a configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required
account  required
password required
session  required
EOF

Now run the tests by issuing make check. Be sure the tests produced no errors before continuing the installation. Note that the tests are very long. Redirect the output to a log file, so you can inspect it thoroughly.

For a first-time installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -fv /etc/pam.d/other

Now, as the root user:

make install &&
chmod -v 4755 /usr/sbin/unix_chkpwd

Command Explanations

--enable-securedir=/usr/lib/security: This switch sets the installation location for the PAM modules.

chmod -v 4755 /usr/sbin/unix_chkpwd: The setuid bit for the unix_chkpwd helper program must be turned on, so that non-root processes can access the shadow file.

Configuring Linux-PAM

Configuration Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Here is a sample file:

# Begin /etc/pam.d/other

auth            required     nullok
account         required
session         required
password        required     nullok

# End /etc/pam.d/other

Now create some generic configuration files. As the root user:

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account   required

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      required

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF" &&
# Begin /etc/pam.d/system-session

session   required

# End /etc/pam.d/system-session
EOF

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password  required       yescrypt shadow try_first_pass

# End /etc/pam.d/system-password
EOF

If you wish to enable strong password support, install libpwquality-1.4.5, and follow the instructions on that page to configure the pam_pwquality PAM module with strong password support.

Next, add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application exists.

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required
auth        required
account     required
account     required
password    required
password    required
session     required
session     required

# End /etc/pam.d/other
EOF

The PAM man page (man pam) provides a good starting point to learn about the several fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.
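Because a malformed file in /etc/pam.d can leave the system unusable, a candidate file can be checked for the field layout (type, control, module path, arguments) before it is installed. The checker below is an added example, not part of the BLFS instructions; pam_lint is a hypothetical name, the module names in the sample are constructed, and the test that a module path ends in .so is a heuristic.

```shell
#!/bin/sh
# pam_lint FILE: check every rule in a PAM configuration file.
# Prints one line per finding; returns 1 if any rule is malformed.
pam_lint() {
    awk '
    function err(msg)  { printf "%s:%d: error: %s\n", FILENAME, NR, msg; bad = 1 }
    function note(msg) { printf "%s:%d: note: %s\n", FILENAME, NR, msg }
    {
        # Join rules continued with a trailing backslash.
        while ($0 ~ /\\$/ && (getline nxt) > 0) { sub(/\\$/, " "); $0 = $0 nxt }
        sub(/#.*/, "")                          # comments run to end of line
        if (NF == 0) next
        if ($1 == "@include") { if (NF < 2) err("@include without a file"); next }
        type = $1; sub(/^-/, "", type)          # "-type" is also valid
        if (type !~ /^(auth|account|password|session)$/) { err("unknown type: " $1); next }
        rest = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)
        if (rest == "") { err("missing control field"); next }
        if (substr(rest, 1, 1) == "[") {        # [value=action ...] form
            i = index(rest, "]")
            if (i == 0) { err("unterminated [control]"); next }
            ctl = "["; rest = substr(rest, i + 1)
        } else {
            ctl = rest; sub(/[ \t].*/, "", ctl)
            rest = substr(rest, length(ctl) + 1)
        }
        sub(/^[ \t]+/, "", rest)
        n = split(rest, arg, /[ \t]+/)
        if (n == 0 || arg[1] == "") { err("missing module path"); next }
        # Heuristic (assumption): modules are shared objects named *.so.
        if (ctl !~ /^(include|substack)$/ && arg[1] !~ /\.so$/)
            err("module path does not look like a module: " arg[1])
        for (j = 2; j <= n; j++)
            if (arg[j] == "nullok") note("nullok permits accounts with a blank password")
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: one rule with nullok, one clean, two missing the module.
sample=$(mktemp)
cat > "$sample" << "EOF"
auth      required   pam_unix.so nullok
account   required   pam_unix.so
session   required
password  required   nullok
EOF
pam_lint "$sample" || echo "malformed rules found"
rm -f "$sample"
```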



You should now reinstall the Shadow-4.16.0 package.


Installed Programs: faillock, mkhomedir_helper, pam_namespace_helper, pam_timestamp_check, pwhistory_helper, unix_chkpwd and unix_update
Installed Libraries:, and
Installed Directories: /etc/security, /usr/lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.6.1

Short Descriptions


faillock: displays and modifies the authentication failure record files

mkhomedir_helper: is a helper binary that creates home directories

pam_namespace_helper: is a helper program used to configure a private namespace for a user session

pwhistory_helper: is a helper program that transfers password hashes from passwd or shadow to opasswd

pam_timestamp_check: is used to check if the default timestamp is valid

unix_chkpwd: is a helper binary that verifies the password of the current user

unix_update: is a helper binary that updates the password of a given user

provides the interfaces between applications and the PAM modules