PAM in Linux


This module provides traditional Unix authentication, password management, and user account setup. It uses standard system calls to retrieve and set password and account information, and relies on /etc/shadow and /etc/passwd.

This component establishes the validity of the user’s account and password and may offer advice on changing the user’s password, or force a password change. The actions this module performs are controlled by the /etc/passwd and /etc/shadow files.

Arguments: audit, debug.

This component of the module checks the user’s password against the password databases. Configuration for this component is done in /etc/nsswitch.conf. An additional binary, unix_chkpwd, is used to allow the component to read protected databases without requiring the whole module to be setuid root.

Arguments: audit, debug, nodelay, nullok, try_first_pass, use_first_pass.

This component changes the user’s password. The module can be stacked with this component to check password security.

Arguments: audit, bigcrypt, debug, md5, nis, not_set_pass, nullok, remember, try_first_pass, use_authtok, and use_first_pass.

This component logs the user name and session type to syslog, at the start and end of the user’s session. There are no arguments to this component.


  • audit — A more extensive form of debug
  • bigcrypt — Use the DEC “C2” extension to crypt().
  • debug — Log information using syslog
  • md5 — Use md5 encryption instead of crypt().
  • nis — Use NIS (Network Information Service) passwords.
  • nodelay — By default, the module requests a delay-on-failure of a second. This argument overrides the default.
  • not_set_pass — Don’t use the passwords from other stacked modules. Don’t give the new password to other stacked modules.
  • nullok — By default, if the official password is blank, the authentication fails. This argument overrides the default.
  • remember (remember=n) — Save n recent passwords to prevent the user from alternating passwords.
  • try_first_pass — Use the password from the previous stacked auth module, and prompt for a new password if the retrieved password is blank or incorrect.
  • use_authtok — Set the new password to the one provided by a previous module.
  • use_first_pass — Use the result from the previous stacked auth module; never prompt the user for a password, and fail if that result was a failure.
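
The per-component argument lists above can be turned into a configuration check. The following is an added example, not code from the original page or from the PAM project: it reads PAM configuration text, finds lines for this module, and reports arguments that the page does not list for that component, arguments that relax a default (nullok, nodelay) or select MD5, and password lines without remember. It assumes the module file is named pam_unix.so (the page does not give a file name) and uses a constructed sample configuration.

```python
# Arguments the page lists per component. Assumption: installed pam_unix
# releases may accept more (extend the sets to match your man page).
ALLOWED = {
    "account": {"audit", "debug"},
    "auth": {"audit", "debug", "nodelay", "nullok", "try_first_pass", "use_first_pass"},
    "password": {"audit", "bigcrypt", "debug", "md5", "nis", "not_set_pass", "nullok",
                 "remember", "try_first_pass", "use_authtok", "use_first_pass"},
    "session": set(),  # the page: "There are no arguments to this component."
}
# Arguments worth a review, worded after the page's descriptions.
RISKY = {
    "nullok": "blank passwords are accepted",
    "nodelay": "the one-second delay-on-failure is removed",
    "md5": "new passwords use the legacy MD5 scheme",
}

def audit(text, module="pam_unix.so"):  # module file name is an assumption
    """Return (line_no, component, message) findings for PAM config text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        # Locate the module token; this also skips a bracketed control field.
        idx = next((i for i, t in enumerate(tokens)
                    if t.rsplit("/", 1)[-1] == module), None)
        comp = tokens[0].lstrip("-") if tokens else ""
        if idx is None or idx < 2 or comp not in ALLOWED:
            continue
        names = [a.split("=", 1)[0] for a in tokens[idx + 1:]]
        for name in names:
            if name not in ALLOWED[comp]:
                findings.append((n, comp, f"{name}: not listed for this component"))
            elif name in RISKY:
                findings.append((n, comp, f"{name}: {RISKY[name]}"))
        if comp == "password" and "remember" not in names:
            findings.append((n, comp, "remember=n absent: recent passwords not saved"))
    return findings

# Constructed sample in pam.d layout (type, control, module, arguments).
SAMPLE = """\
# constructed example, not taken from a real system
auth      required                    pam_unix.so nullok nodelay
account   required                    pam_unix.so audit
password  [success=1 default=ignore]  pam_unix.so md5 use_authtok
password  required                    pam_unix.so use_authtok remember=5
session   required                    pam_unix.so debug
"""

if __name__ == "__main__":
    for line_no, comp, msg in audit(SAMPLE):
        print(f"line {line_no} [{comp}] {msg}")
```

To check a live system, pass the contents of each file under /etc/pam.d to `audit()` instead of the sample.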