Introduction to Linux PAM

The Linux PAM package provides Pluggable Authentication Modules. This is a useful facility that lets the local system administrator control, for each application, which users are granted which permissions.

This package is known to build and work properly using an LFS-11.1 platform.




Linux PAM Dependencies


Berkeley DB-5.3.28, libnsl-2.0.0, libtirpc-1.3.2, libaudit, Prelude

Optional (for regenerating the documentation)

docbook-xml-4.5, docbook-xsl-1.79.2, fop-2.6, libxslt-1.1.34 and either Lynx-2.8.9rel.1 or W3m



Shadow-4.9 and Systemd-249 need to be reinstalled after installing and configuring Linux PAM.


Installation of Linux PAM

If you have downloaded the documentation, unpack the tarball by issuing the following command:

tar -xf ../Linux-PAM-1.5.2-docs.tar.xz --strip-components=1

If you instead want to regenerate the documentation, fix the configure script so that it detects lynx if installed:

sed -e 's/dummy elinks/dummy lynx/'                                    \
    -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
    -i configure

Build Linux-PAM by running the following commands:

./configure --prefix=/usr                        \
            --sbindir=/usr/sbin                  \
            --sysconfdir=/etc                    \
            --libdir=/usr/lib                    \
            --enable-securedir=/usr/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-1.5.2 &&
make

To test the results, the configuration file /etc/pam.d/other must exist.


Reinstallation or upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The installed one can be used for that purpose.

You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. In case you have modified those files, be sure to back them up.

For a first installation, create the configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required
account  required
password required
session  required
EOF

Run the tests by issuing make check. Ensure there are no errors produced by the tests before continuing the installation. Note that the checks are quite long. It may be useful to redirect the output to a log file in order to inspect it thoroughly.

Only in case of a first installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -fv /etc/pam.d/other

Now, as the root user:

make install &&
chmod -v 4755 /usr/sbin/unix_chkpwd


--enable-securedir=/usr/lib/security: This switch sets the installation location for the PAM modules.

--disable-regenerate-docu: If the needed dependencies (docbook-xml-4.5, docbook-xsl-1.79.2, libxslt-1.1.34, and Lynx-2.8.9rel.1 or W3m) are installed, the manual pages and the HTML and text documentation are (re)generated and installed. Furthermore, if fop-2.6 is installed, the PDF documentation is generated and installed. Use this switch if you do not want to rebuild the documentation.

chmod -v 4755 /usr/sbin/unix_chkpwd: Sets the setuid bit on the unix_chkpwd password helper program, so that non-root processes can have their password verified against the shadow file without reading it themselves.

Configuring Linux-PAM




Configuration information is placed in /etc/pam.d/. Here is an example file:

# Begin /etc/pam.d/other

auth            required     nullok
account         required
session         required
password        required     nullok

# End /etc/pam.d/other

Now set up some generic files. As the root user:

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account   required

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      required

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session   required

# End /etc/pam.d/system-session
EOF
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required       sha512 shadow try_first_pass

# End /etc/pam.d/system-password
EOF

If you wish to enable strong password support, install libpwquality-1.4.4, and follow the instructions in that page to configure the pam_pwquality PAM module with strong password support.

Now add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application is created.

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required
auth        required
account     required
account     required
password    required
password    required
session     required
session     required

# End /etc/pam.d/other
EOF
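A check a system administrator can run over the files created above, added here as an example that is not part of the BLFS page: using only sh and awk, it flags active lines that name no module, lines carrying nullok (which lets the module accept an empty password), and a fallback file that does not cover all four management groups. The module names in its constructed sample files (pam_deny.so, pam_unix.so) are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example (not from the BLFS page): lint /etc/pam.d style files.
# pam_lint FILE   returns 1 (and prints a finding) for an active line with no
#                 .so module field, or one carrying nullok (empty password accepted).
# pam_covers FILE returns 0 only if auth, account, password and session all appear,
#                 which a fallback "other" file needs to stop programs lacking their own file.
pam_lint() {
    awk '
    /^[ \t]*(#|$)/ { next }                            # skip comments and blank lines
    {
        t = $1; sub(/^-/, "", t)                       # "-auth" is the silent form of auth
        if (t !~ /^(auth|account|password|session)$/) {
            printf "%s:%d: unknown type %s\n", FILENAME, FNR, $1; bad = 1; next }
        if ($2 == "include" || $2 == "substack") {      # these name a file, not a module
            if (NF < 3) { printf "%s:%d: %s needs a file\n", FILENAME, FNR, $2; bad = 1 }
            next }
        mod = ""
        for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
        if (mod == "") { printf "%s:%d: no module on this line\n", FILENAME, FNR; bad = 1 }
        for (i = 3; i <= NF; i++) if ($i == "nullok") {
            printf "%s:%d: nullok lets %s accept empty passwords\n", FILENAME, FNR, mod; bad = 1 }
    }
    END { exit bad ? 1 : 0 }' "$1"
}
pam_covers() {
    awk '
    /^[ \t]*(#|$)/ { next }
    { t = $1; sub(/^-/, "", t); seen[t] = 1 }
    END { exit (seen["auth"] && seen["account"] && seen["password"] && seen["session"]) ? 0 : 1 }' "$1"
}
pam_demo_dir() {   # constructed sample files for a dry run; prints the directory
    d=$(mktemp -d)
    cat > "$d/other" << "EOF"
auth     required pam_deny.so
account  required pam_deny.so
password required pam_deny.so
session  required pam_deny.so
EOF
    cat > "$d/login-weak" << "EOF"
# constructed: a permissive line, a line missing its module, an include
auth     required pam_unix.so nullok
account  required
session  include  system-session
EOF
    echo "$d"
}
```

Run it as `for f in /etc/pam.d/*; do pam_lint "$f"; done` and `pam_covers /etc/pam.d/other` after the files above are in place.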

The man page for PAM (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.



You should now reinstall the Shadow-4.9 and Systemd-249 packages.


Installed Programs: faillock, mkhomedir_helper, pam_namespace_helper, pam_timestamp_check, pwhistory_helper, unix_chkpwd, unix_update
Installed Directories: /etc/security, /usr/lib/security, /usr/include/security, /usr/share/doc/Linux-PAM-1.5.2

faillock: displays and modifies the authentication failure record files

mkhomedir_helper: is a helper binary that creates home directories

pam_namespace_helper: is a helper program used to configure a private namespace for a user session

pwhistory_helper: is a helper program that transfers password hashes from passwd or shadow to opasswd

pam_timestamp_check: is used to check if the default timestamp is valid

unix_chkpwd: is a helper binary that verifies the password of the current user

unix_update: is a helper binary that updates the password of a given user

The PAM library provides an interface between applications and PAM modules.