
Shadow modules with PAM

How do I use shadow modules with PAM?

To use shadow passwords with PAM, you must first enable shadow passwords. Most distributions have an option to enable this at installation. If you need to enable it later, then you will need to install the shadow package(s), called "shadow-utils" on Red Hat variations and "shadow" on Debian.

Once you've followed the shadow installation process, you need to enable support for shadow passwords in PAM. In a Red Hat distribution, this means adjusting the system-auth file in the /etc/pam.d directory. The system-auth file contains the default PAM authentication process. This includes the pam_unix.so PAM authentication module. This module is stacked in all contexts: auth, password, account and session. The auth context stack uses the pam_unix.so module and handles authentication like so:

auth sufficient pam_unix.so try_first_pass nullok

It should automatically detect the presence of shadow passwords.

In the password context, the pam_unix.so module is also stacked to handle the changing of user passwords, like so:

password sufficient pam_unix.so nullok try_first_pass use_authtok md5 shadow

The last option on the line, shadow, is used to ensure shadow passwords are created when a password is changed. A good explanation for that can be found here.

Configuration for other distributions, like Debian, is similar and you can find more details on configuring PAM.
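To check both halves of the setup described above, the following added example (not part of the original answer) parses PAM configuration text for pam_unix.so lines, lists password-context lines that lack the shadow option, and lists passwd entries whose second field is not the "x" placeholder that shadowed accounts carry. The sample file contents and the function names are constructed for illustration.

```python
# Added example: audit pam_unix.so lines and passwd entries for shadow use.
# Both samples are constructed; the auth and password lines are the two
# quoted in the answer above.
SAMPLE_PAM = """\
#%PAM-1.0
auth        sufficient    pam_unix.so try_first_pass nullok
account     required      pam_unix.so
password    sufficient    pam_unix.so nullok try_first_pass use_authtok md5 shadow
session     required      pam_unix.so
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
legacy:$1$constructed$notARealHash:1001:1001::/home/legacy:/bin/bash
"""


def pam_unix_lines(text):
    """Yield (context, control, options) for every pam_unix.so line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 3:
            continue
        end = 1  # index of the last token of the control field
        if fields[1].startswith("["):  # bracketed control may contain spaces
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        module = fields[end + 1:]
        if module and module[0].endswith("pam_unix.so"):
            context = fields[0].lstrip("-").lower()
            yield context, " ".join(fields[1:end + 1]), module[1:]


def password_lines_missing_shadow(text):
    """Option lists of password-context pam_unix.so lines without 'shadow'."""
    return [opts for ctx, _, opts in pam_unix_lines(text)
            if ctx == "password" and "shadow" not in opts]


def accounts_not_shadowed(passwd_text):
    """Users whose passwd field 2 holds a hash or is empty instead of 'x'."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] != "x" and parts[1][:1] not in ("*", "!"):
            users.append(parts[0])
    return users


if __name__ == "__main__":
    print("password lines missing shadow:", password_lines_missing_shadow(SAMPLE_PAM))
    print("accounts not shadowed:", accounts_not_shadowed(SAMPLE_PASSWD))
```

On a real system, pass the contents of /etc/pam.d/system-auth and /etc/passwd to the two functions in place of the samples.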

This was first published in October 2006
