The Linux-PAM System Administrators' Guide
		Next

The Linux-PAM System Administrators' Guide

Andrew G. Morgan

<morgan@kernel.org>

Thorsten Kukuk

<kukuk@thkukuk.de>

Version 1.7.2, January 2026

Abstract

This manual documents what a system-administrator needs to know about the Linux-PAM library. It covers the correct syntax of the PAM configuration file and discusses strategies for maintaining a secure system.

Table of Contents

1. Introduction

2. Some comments on the text

3. Overview

4. The Linux-PAM configuration file

4.1. Configuration file syntax
4.2. Directory based configuration
4.3. Example configuration file entries

5. Security issues

5.1. If something goes wrong
5.2. Avoid having a weak `other' configuration

6. A reference guide for available modules

6.1. pam_access - logdaemon style login access control
6.2. pam_canonicalize_user - get user name and canonicalize it
6.3. pam_debug - debug the PAM stack
6.4. pam_deny - locking-out PAM module
6.5. pam_echo - print text messages
6.6. pam_env - set/unset environment variables
6.7. pam_exec - call an external command
6.8. pam_faildelay - change the delay on failure per-application
6.9. pam_faillock - temporarily locking access based on failed authentication attempts during an interval
6.10. pam_filter - filter module
6.11. pam_ftp - module for anonymous access
6.12. pam_group - module to modify group access
6.13. pam_issue - add issue file to user prompt
6.14. pam_keyinit - display the keyinit file
6.15. pam_lastlog - display date of last login
6.16. pam_limits - limit resources
6.17. pam_listfile - deny or allow services based on an arbitrary file
6.18. pam_localuser - require users to be listed in /etc/passwd
6.19. pam_loginuid - record user's login uid to the process attribute
6.20. pam_mail - inform about available mail
6.21. pam_mkhomedir - create users home directory
6.22. pam_motd - display the motd file
6.23. pam_namespace - setup a private namespace
6.24. pam_nologin - prevent non-root users from login
6.25. pam_permit - the promiscuous module
6.26. pam_pwhistory - grant access using .pwhistory file
6.27. pam_rhosts - grant access using .rhosts file
6.28. pam_rootok - gain only root access
6.29. pam_securetty - limit root login to special devices
6.30. pam_selinux - set the default security context
6.31. pam_sepermit - allow/reject access based on SELinux mode
6.32. pam_setquota - set or modify disk quotas on session start
6.33. pam_shells - check for valid login shell
6.34. pam_succeed_if - test account characteristics
6.35. pam_time - time controlled access
6.36. pam_timestamp - authenticate using cached successful authentication attempts
6.37. pam_tty_audit - enable/disable tty auditing
6.38. pam_umask - set the file mode creation mask
6.39. pam_unix - traditional password authentication
6.40. pam_userdb - authenticate against a db database
6.41. pam_warn - logs all PAM items
6.42. pam_wheel - only permit root access to members of group wheel
6.43. pam_xauth - forward xauth keys between users

7. See also

8. Author/acknowledgments

		Next
		Chapter 1. Introduction