Pluggable Authentication Modules (PAM)
Terminologies
Management Group: auth, account, password, session
Module Controls: required, requisite, sufficient, optional.
Module: /lib/security/pam_ldap.so
Module Argument: try_first_pass
A directive (a complete line) is composed of a mechanism (auth, account, password or session), a success check (include, optional, required, ...), the path to the module and possibly arguments (like revoke, for example).
An example directive:
auth required /lib/security/pam_unix_auth.so try_first_pass
Directives for the same module interface can be stacked, that is, listed one after another. The order in which the modules are listed matters, because PAM calls them in that order and the result of the stack depends on it.
Management Group
Linux-PAM separates the tasks of authentication into four independent management groups:
- account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service.
- authentication modules verify the user's identity, for example by requesting and checking a password or other secret. They may also pass authentication information on to other systems like a keyring.
- password modules are responsible for updating passwords, and are generally coupled to modules employed in the authentication step. They may also be used to enforce strong passwords.
- session modules define actions that are performed at the beginning and end of sessions. A session starts after the user has successfully authenticated.
Code
For example, pam_open_session is the API PAM provides for applications. pam_sm_open_session is the function PAM modules should implement to be called by PAM. We can say pam_sm_open_session is the backend for pam_open_session.
Misc
What does 'stacking' mean?
Note that in our sample config, four separate modules are listed for the ‘auth’ realm. This is referred to as ‘stacking’ in PAM lingo.
If, on the other hand, multiple modules are defined for a service's operation, those modules are said to be stacked, and a PAM stack is said to exist for that service. For example, these entries represent a sample "auth stack" for the login service.
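Added example, not from the original notes or from Linux-PAM itself: a parser for directive lines of the form shown above, and a simulator of how a stack of required/requisite/sufficient/optional modules is walked, run over a constructed sample configuration (the module result values are supplied by hand, standing in for what each module's pam_sm_* entry point would return).

```python
"""Parse pam.conf-style directives and simulate how Linux-PAM walks a stack
for the simple controls. Added example; module results are constructed."""
from collections import namedtuple

GROUPS = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}
# Constructed sample configuration (hypothetical, not a real system's file).
SAMPLE_CONF = """\
auth    sufficient  /lib/security/pam_unix_auth.so  try_first_pass
auth    required    /lib/security/pam_ldap.so       try_first_pass
session required    /lib/security/pam_unix_auth.so
"""

# group = management group, control = module control, args = module arguments
Directive = namedtuple("Directive", "group control module args")

def parse_directive(line: str) -> Directive:
    """Split one directive line: group control module [arguments...]."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed directive: {line!r}")
    group, control, module, *args = fields
    if group not in GROUPS or control not in CONTROLS:
        raise ValueError(f"unknown group or control: {line!r}")
    return Directive(group, control, module, tuple(args))

def load_stack(config: str, group: str) -> list:
    """Directives of one management group, in file order (comments skipped)."""
    lines = [l for l in config.splitlines() if l.strip() and not l.startswith("#")]
    return [d for d in map(parse_directive, lines) if d.group == group]

def evaluate_stack(stack: list, results: dict) -> bool:
    """Walk the stack in order, modelling libpam's 'impression' bookkeeping.
    results maps module path -> True (PAM_SUCCESS) or False (any failure)."""
    impression = None   # None = undecided, True = positive, False = negative
    for d in stack:
        ok = results[d.module]   # KeyError means a module ran that should not have
        if d.control in ("required", "requisite"):
            if ok and impression is None:
                impression = True
            elif not ok:
                impression = False      # remembered; the rest of the stack still runs
                if d.control == "requisite":
                    break               # die: stop the walk here
        elif d.control == "sufficient" and ok and impression is not False:
            return True                 # done: later modules are not called at all
        elif d.control == "optional" and ok and impression is None:
            impression = True           # failing sufficient/optional modules are ignored
    return impression is True           # nothing positive recorded means denial
```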