PAM Authentication Basics

PAM (Pluggable Authentication Modules) is the authentication framework that all Ubuntu services use. When you log in via SSH, use sudo, or run su, PAM handles the authentication, account validation, session setup, and password management. Understanding PAM is essential because misconfiguring it can lock you out of the system permanently.

What PAM does

Application (sshd, sudo, login)
         |
         v
    PAM Framework
         |
    reads /etc/pam.d/sshd
         |
    ┌────┴──────────────────────────────────┐
    │  auth   → Who are you? (password/key) │
    │  account → Is your account valid?      │
    │  session → Set up environment          │
    │  password → How to change password     │
    └───────────────────────────────────────┘
         |
    Each step calls one or more modules (pam_unix.so, pam_google_authenticator.so, etc.)
         |
    Result: allow or deny access

PAM configuration files

# Each service has its own PAM config in /etc/pam.d/
ls /etc/pam.d/

# Key files:
# /etc/pam.d/common-auth     — included by most services for auth
# /etc/pam.d/common-account  — account validation
# /etc/pam.d/common-session  — session management
# /etc/pam.d/common-password — password changing
# /etc/pam.d/sshd            — SSH-specific overrides
# /etc/pam.d/sudo            — sudo-specific
# /etc/pam.d/login           — console login

# View a service's PAM config
cat /etc/pam.d/sshd

Example /etc/pam.d/sshd structure

# Standard auth for sshd
@include common-auth

# Account checking (expiry, lockout, access restrictions)
@include common-account

# Session setup (home directory, limits, environment)
@include common-session

# Password changing (rare for SSH, but included)
@include common-password

PAM module types

Module type	Purpose	Example modules
`auth`	Identify the user and verify credentials	pam_unix, pam_google_authenticator, pam_sss
`account`	Check if account is valid (not expired, locked, time-restricted)	pam_unix, pam_time, pam_access, pam_faillock
`session`	Set up and tear down user session (mount home, set limits)	pam_unix, pam_limits, pam_mkhomedir
`password`	Handle password changes	pam_unix, pam_pwquality, pam_cracklib

PAM control flags

Flag	Meaning	On failure
`required`	Must succeed; continues to remaining modules	Final result is failure, but continues
`requisite`	Must succeed; stops immediately on failure	Stops, immediately returns failure
`sufficient`	If it succeeds (and no required failure before), stop and succeed	Continues to next module
`optional`	Result doesn’t matter unless it’s the only module	Continues, failure usually ignored

# Example auth stack from /etc/pam.d/common-auth:
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# Reading this:
# 1. Try pam_unix (password check). If success: skip 1 module (jump to pam_permit).
# 2. If pam_unix fails: run pam_deny (which always fails) → requisite means STOP immediately.
# 3. pam_permit always succeeds (only reached via the skip in step 1).

Common PAM modules

Module	Purpose
`pam_unix.so`	Standard Unix password authentication (/etc/shadow)
`pam_pwquality.so`	Password strength enforcement
`pam_faillock.so`	Account lockout after failed attempts
`pam_limits.so`	Resource limits (open files, processes)
`pam_time.so`	Time-based access restrictions
`pam_access.so`	Host/user/terminal-based access control
`pam_mkhomedir.so`	Create home directory on first login
`pam_google_authenticator.so`	Google Authenticator TOTP MFA
`pam_sss.so`	SSSD integration (LDAP, Active Directory)

Testing PAM changes safely

# CRITICAL: Before editing any PAM file, open a second root session
# If you break PAM, you need that session to undo the change
sudo -i  # Open a root shell in a separate terminal tab first

# Test the PAM configuration without applying it
pamtester sshd testuser authenticate

# If testing authentication from command line:
ssh -v testuser@localhost 2>&1 | grep -E "auth|PAM"

# Check PAM errors in logs
sudo journalctl -u ssh --since "1 minute ago" | grep -i pam
sudo grep "pam" /var/log/auth.log | tail -20

⚠️ WARNING: PAM configuration errors can lock ALL users out of the system, including root. Before editing any PAM file, open a separate root session (sudo -i in a new terminal). Test changes with pamtester before closing the original session. If authentication breaks, use the open root session to revert the change.

Conclusion

PAM is the authentication backbone of Ubuntu. All service authentication flows through it. The most important safety rule: always have a separate root session open when editing PAM configuration files, because a syntax error or wrong module can lock you out instantly. Understand the four module types (auth, account, session, password) and the control flags (required, requisite, sufficient, optional) before making changes. Test with pamtester and verify in logs before considering a change complete.

FAQ

Why should administrators understand PAM Authentication Basics?+

Because this topic affects planning decisions, server lifecycle, compatibility, support expectations, or how you reason about Ubuntu systems before making operational changes.

Do I need a lab for this topic?+

A lab is useful for checking commands and seeing the concept on a real Ubuntu machine, but the main value is understanding the decision, tradeoff, or system behavior clearly.

How should I use this knowledge in production?+

Use it to make better choices, document why those choices were made, and avoid rushed changes that ignore support windows, compatibility, stability, or operational risk.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.

Hire Me for Support