18.3 Configuring PAM Using pam-config

The pam-config tool helps you configure the global PAM configuration files under /etc/pam.d/common-*-pc. Use the pam-config command to maintain these files: add new modules to your PAM configuration, delete modules, or modify the options of existing modules. Because the changes affect only the global PAM configuration files, no manual tweaking of the PAM setup for individual applications is required; every service whose file in /etc/pam.d includes the common-* files picks the change up automatically.

A simple real-world use case for pam-config would involve the following:

  1. Auto-generate a fresh Unix-style PAM configuration. Let pam-config create the simplest possible setup, which you can extend later on. The pam-config --create command creates a simple UNIX authentication configuration. Pre-existing configuration files not maintained by pam-config are overwritten, but backup copies are kept as *.pam-config-backup.

  2. Add a new authentication method. Adding a new authentication method (e.g. LDAP) to your stack of PAM modules comes down to a simple pam-config --add --ldap command. LDAP is added wherever appropriate across all common-*-pc PAM configuration files.

  3. Add debugging for test purposes. To make sure the new authentication procedure works as planned, turn on debugging for all PAM-related operations. The pam-config --add --ldap-debug command turns on debugging for LDAP-related PAM operations. Find the debugging output in /var/log/messages (on systems that log only to the systemd journal, use journalctl instead).

  4. Query your setup. Before you finally apply your new PAM setup, check whether it contains all the options you planned to add. The pam-config --query --MODULE command (for example, pam-config --query --ldap) lists both the management types (auth, account, password, session) in which the queried module is used and the options set for it.

  5. Remove the debug options. Finally, remove the debug option from your setup once you are satisfied that the new configuration works as intended. The pam-config --delete --ldap-debug command turns off debugging for LDAP authentication. If you added debugging options for other modules, use the corresponding --delete commands to turn those off as well.

When you create your PAM configuration files from scratch using the pam-config --create command, it creates symbolic links from the common-* files to the common-*-pc files. pam-config modifies only the common-*-pc files, and those files take effect only through the symbolic links, because PAM and the service files in /etc/pam.d read common-*, not common-*-pc. Removing the symbolic links therefore effectively disables pam-config: its subsequent edits no longer reach the configuration that PAM actually evaluates. Check that the links are still in place before trusting a pam-config change.
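The following script is an added example, not part of the SUSE documentation or of pam-config itself. It runs the five-step LDAP workflow from the list above in order and adds the check the preceding paragraph calls for: that each common-auth, common-account, common-password and common-session entry in /etc/pam.d is still a symbolic link to its common-*-pc counterpart, so that pam-config's edits actually reach PAM. The PAM_CONFIG and PAM_DIR variables, the --dry-run, --apply and --finish arguments and the pam_config_stub function are assumptions of this example so that it can be rehearsed without touching a live system; the pam-config options themselves are the ones named in the text.

```shell
#!/bin/sh
# Added example: pam-config LDAP workflow plus a symlink sanity check.
# PAM_CONFIG and PAM_DIR are assumed knobs of this script (not pam-config
# options) so the logic can be exercised against a stub and a scratch directory.
PAM_CONFIG="${PAM_CONFIG:-pam-config}"   # command to invoke for each step
PAM_DIR="${PAM_DIR:-/etc/pam.d}"         # directory holding the common-* files

# pam-config edits only common-*-pc; PAM reads common-*.  Return 0 when all
# four management groups are symlinks to their -pc file, 1 otherwise, naming
# every entry that would silently bypass pam-config.  Accepts an optional
# directory argument so the check can run against a test tree.
check_pam_links() {
    dir="${1:-$PAM_DIR}"
    rc=0
    for t in auth account password session; do
        link="$dir/common-$t"
        target="common-$t-pc"
        # basename tolerates both relative and absolute link targets
        if [ ! -L "$link" ] || [ "$(basename "$(readlink "$link")")" != "$target" ]; then
            echo "pam-config bypassed: $link is not a symlink to $target" >&2
            rc=1
        fi
    done
    return $rc
}

# Steps 1-4 of the procedure.  --create is destructive (it rewrites the
# common-* files, keeping *.pam-config-backup copies), so only run this on a
# system you intend to reconfigure from scratch.
enable_ldap_with_debug() {
    "$PAM_CONFIG" --create           || return 1   # 1. minimal UNIX-only stack
    "$PAM_CONFIG" --add --ldap       || return 1   # 2. add LDAP to every group
    "$PAM_CONFIG" --add --ldap-debug || return 1   # 3. debug output while testing
    "$PAM_CONFIG" --query --ldap                   # 4. show what was written
}

# Step 5: drop the debug option once logins via LDAP are confirmed working.
finish_ldap_setup() {
    "$PAM_CONFIG" --delete --ldap-debug
}

# Stub used by --dry-run: prints the command instead of running it.
pam_config_stub() {
    echo "would run: pam-config $*"
}

case "${1:-}" in
    --dry-run) PAM_CONFIG=pam_config_stub
               enable_ldap_with_debug && finish_ldap_setup ;;
    --apply)   enable_ldap_with_debug && check_pam_links ;;
    --finish)  finish_ldap_setup && check_pam_links ;;
    *)         ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it with --dry-run first to see the exact pam-config invocations, then --apply on the target host, test an LDAP login while watching the log, and only then run --finish. Both --apply and --finish end with the symlink check, so a configuration that was edited by hand (or had its common-* links replaced by plain files) is reported instead of silently ignored.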

For more information on the pam-config command and the options available, refer to the manual page of pam-config, pam-config(8).