openSUSE:PAM configuration

These PAM configuration guidelines explain how the PAM setup of the openSUSE distribution works.

Configuration file location

openSUSE uses only pam.d directory style configuration files: each PAM service is configured by a file of the same name in a pam.d directory. The single-file /etc/pam.conf format is not supported.

The pam.d(5) manual page explains the syntax of the configuration files and the meaning of each field in detail.

There are three directories in which PAM looks for the service files, searched in the following order:

  1. /etc/pam.d
  2. /usr/lib/pam.d
  3. /usr/etc/pam.d

This means: if a file is not found in /etc/pam.d, it is searched for in /usr/lib/pam.d and afterwards in /usr/etc/pam.d. /usr/etc/pam.d exists for historical reasons and should no longer be used, as several tools cannot cope with this directory.

Packages should always install their configuration files in /usr/lib/pam.d as normal files, not marked as %config or similar.

pam-config

pam-config is our tool for maintaining the PAM configuration: it adds, removes or updates entries. It does not modify the service files directly; instead it generates nine separate configuration files, which are included by the service files. These nine files are:

  1. /etc/pam.d/common-account-pc
  2. /etc/pam.d/common-auth-pc
  3. /etc/pam.d/common-password-pc
  4. /etc/pam.d/common-session-nonlogin-pc
  5. /etc/pam.d/common-session-pc
  6. /etc/pam.d/postlogin-account-pc
  7. /etc/pam.d/postlogin-auth-pc
  8. /etc/pam.d/postlogin-password-pc
  9. /etc/pam.d/postlogin-session-pc

These files are managed by pam-config; manual changes will be overwritten on the next pam-config call!

In the following, login services are services which perform a real user login, including writing a wtmp entry and opening a systemd-logind session.

common-account-pc

This file is used for non-authentication-based account management, which applies to all services.

common-auth-pc

This file contains the modules for authenticating the user, which are common to all services.

common-password-pc

This file is used for updating the authentication token associated with the user, which applies to all services.

common-session-pc

This file contains all the modules associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

common-session-nonlogin-pc

This is the same as common-session-pc except that it does not contain pam_systemd.so. It should be included by services which do not do a full user login. E.g. the su service should include common-session-nonlogin, while su-l (the service used for su -l) should include common-session.

postlogin-account-pc

This file is used for non-authentication-based account management which applies only to services that do a real "login" process, e.g. login, but not cron or chsh. It is included after common-account.

postlogin-auth-pc

This file contains the modules for authenticating the user which are common to login services like login or sshd, but not to e.g. chsh. It is included after common-auth.

postlogin-password-pc

This file contains the modules for updating the authentication token associated with the user which are common to login services like login or sshd, but not to e.g. chsh. It is included after common-password.

postlogin-session-pc

This file contains all the modules associated with doing things that need to be done for the user before/after they can be given service, which are common to, but limited to, login services like login or sshd. These are e.g. pam_lastlog2.so, which creates the lastlog entry, and pam_wtmpdb.so, which creates the wtmp entry for this session. It is included after common-session.

The pam-config project is hosted on GitHub.

Manual changes

The common-{account,auth,password,session,session-nonlogin} and postlogin-{account,auth,password,session} files are symlinks pointing to the corresponding common-*-pc and postlogin-*-pc files. To disable pam-config, replace the symlinks with real files containing your manual configuration; pam-config will then no longer modify them.

PAM service files

PAM service files like pam.d/login or pam.d/sshd are not touched by pam-config (it is possible in a few special cases, but should not be used). If an admin needs to modify these files, they must be copied into /etc/pam.d. No package will ever touch them again; the admin has to manually merge changes made by package updates.
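The lookup order from the "Configuration file location" section, the symlink rule from "Manual changes" and the override procedure just described, as an added example in shell. These helpers were written for this page; they are not part of pam-config or any openSUSE tool. The optional root prefix argument (a chroot or scratch directory) is an assumption of the example so that it can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the openSUSE wiki page or of pam-config.
# The optional "root" argument (a chroot or scratch-directory prefix) is an
# assumption of this example, not an option of any openSUSE tool.

# Print the service file PAM will use, following the lookup order
# /etc/pam.d -> /usr/lib/pam.d -> /usr/etc/pam.d. Fails if none exists.
pam_service_file() {
    svc=$1; root=${2:-}
    for dir in /etc/pam.d /usr/lib/pam.d /usr/etc/pam.d; do
        if [ -f "$root$dir/$svc" ]; then
            printf '%s\n' "$root$dir/$svc"
            return 0
        fi
    done
    return 1
}

# List services an admin copied into /etc/pam.d that shadow a package copy in
# /usr/lib/pam.d. These no longer receive package updates; the pam-config
# managed common-*/postlogin-* files are not overrides and are skipped.
pam_list_overrides() {
    root=${1:-}
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        svc=${f##*/}
        case $svc in common-*|postlogin-*) continue ;; esac
        [ -f "$root/usr/lib/pam.d/$svc" ] && printf '%s\n' "$svc"
    done
    return 0
}

# For every override, say whether the package copy still matches it
# ("identical") or has changed since the admin copied it ("differs"), i.e.
# whether there is anything to merge after an update.
pam_override_status() {
    root=${1:-}
    for svc in $(pam_list_overrides "$root"); do
        if cmp -s "$root/etc/pam.d/$svc" "$root/usr/lib/pam.d/$svc"; then
            printf '%s: identical\n' "$svc"
        else
            printf '%s: differs\n' "$svc"
        fi
    done
}

# Succeed only if pam-config is still in control: all nine common-*/postlogin-*
# files in /etc/pam.d are symlinks to their *-pc counterparts. Any of them
# replaced by a real file means manual configuration has taken over.
pam_config_in_control() {
    root=${1:-}
    for f in common-account common-auth common-password common-session \
             common-session-nonlogin postlogin-account postlogin-auth \
             postlogin-password postlogin-session; do
        target=$(readlink "$root/etc/pam.d/$f") || return 1
        [ "${target##*/}" = "$f-pc" ] || return 1
    done
    return 0
}
```

Run `pam_override_status` after a system update to see which copied service files need a manual merge, and `pam_config_in_control` before calling pam-config to confirm that it will actually change anything.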

A typical configuration file for the login service would look like:

 #%PAM-1.0
 auth      requisite  pam_nologin.so
 auth      substack   common-auth
 auth      include    postlogin-auth
 account   substack   common-account
 account   include    postlogin-account
 password  substack   common-password
 password  include    postlogin-password
 session   required   pam_loginuid.so
 session   optional   pam_keyinit.so force revoke
 session   substack   common-session
 session   include    postlogin-session
 session   optional   pam_motd.so
 session   optional   pam_mail.so standard


For the sshd service:

 #%PAM-1.0
 auth        requisite   pam_nologin.so
 auth        substack    common-auth
 auth        include     postlogin-auth
 account     requisite   pam_nologin.so
 account     substack    common-account
 account     include     postlogin-account
 password    substack    common-password
 password    include     postlogin-password
 session     required    pam_loginuid.so
 session     substack    common-session
 session     optional    pam_keyinit.so   force revoke
 session     include     postlogin-session
 session     optional    pam_motd.so

For the sudo service:

 #%PAM-1.0
 auth     include        common-auth
 account  include        common-account
 password include        common-password
 session  optional       pam_keyinit.so revoke
 session  include        common-session-nonlogin
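How the substack and include directives in service files like the ones above resolve into the module stack PAM actually runs, and how the login/nonlogin split of common-session versus common-session-nonlogin shows up in the result, as an added example in Python. This is not code from the openSUSE project or from pam-config: the lookup order and include/substack semantics follow pam.d(5), the in-memory tree with its ("->", target) symlink encoding is the example's own convention, and the contents of the *-pc files in the sample tree are assumed, not taken from a real system.

```python
# Added example (not code from the openSUSE wiki page or from pam-config):
# resolve a pam.d service into the module stack PAM will actually run, using
# the /etc/pam.d -> /usr/lib/pam.d -> /usr/etc/pam.d lookup order and the
# pam.d(5) include/substack directives on an in-memory tree, so it runs offline.
import os
import re
from dataclasses import dataclass, field

SEARCH_ORDER = ("/etc/pam.d", "/usr/lib/pam.d", "/usr/etc/pam.d")


@dataclass
class Entry:
    type: str                      # auth | account | password | session
    control: str                   # required, [..], include, substack, ...
    module: str                    # pam_*.so, or the file name for include/substack
    args: list = field(default_factory=list)
    depth: int = 0                 # +1 for every substack the line is nested in
    optional_module: bool = False  # "-session" prefix: a missing .so is not an error


def parse_file(text: str) -> list:
    """Parse one pam.d file; a bracketed [value=action ...] control stays one field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {line!r}")
        ptype, control, module, rest = m.groups()
        entries.append(Entry(ptype.lstrip("-"), control, module, rest.split(),
                             optional_module=ptype.startswith("-")))
    return entries


def read_file(tree: dict, path: str) -> str:
    """Tree values are file contents; ("->", target) models a symlink to follow."""
    value = tree.get(path)
    if value is None:
        raise FileNotFoundError(path)
    if isinstance(value, tuple):
        return read_file(tree, os.path.join(os.path.dirname(path), value[1]))
    return value


def find_service(tree: dict, name: str) -> str:
    """First hit in SEARCH_ORDER wins: a copy in /etc/pam.d shadows the package one."""
    if name.startswith("/"):
        return name
    for d in SEARCH_ORDER:
        if f"{d}/{name}" in tree:
            return f"{d}/{name}"
    raise FileNotFoundError(f"no PAM service file named {name!r}")


def effective_stack(tree: dict, service: str, depth: int = 0, chain: tuple = ()) -> list:
    """Recursively resolve include/substack lines into one flat, ordered stack."""
    path = find_service(tree, service)
    if path in chain:
        raise ValueError("include loop: " + " -> ".join((*chain, path)))
    stack = []
    for e in parse_file(read_file(tree, path)):
        if e.control in ("include", "substack"):
            # Both pull in only lines of the same type; a substack is nested so that
            # done/die actions inside it end the substack, not the whole service.
            sub_depth = depth + 1 if e.control == "substack" else depth
            sub = effective_stack(tree, e.module, sub_depth, (*chain, path))
            stack.extend(s for s in sub if s.type == e.type)
        else:
            e.depth = depth
            stack.append(e)
    return stack


# Constructed sample tree: the page's sshd and sudo files trimmed to a few
# auth/session lines, plus assumed pam-config output for the *-pc files.
SAMPLE_TREE = {
    "/usr/lib/pam.d/sshd": (
        "auth        requisite   pam_nologin.so\n"
        "auth        substack    common-auth\n"
        "session     required    pam_loginuid.so\n"
        "session     substack    common-session\n"
        "session     include     postlogin-session\n"),
    "/usr/lib/pam.d/sudo": (
        "auth     include        common-auth\n"
        "session  optional       pam_keyinit.so revoke\n"
        "session  include        common-session-nonlogin\n"),
    "/etc/pam.d/common-auth": ("->", "common-auth-pc"),
    "/etc/pam.d/common-auth-pc": "auth required pam_env.so\nauth required pam_unix.so try_first_pass\n",
    "/etc/pam.d/common-session": ("->", "common-session-pc"),
    "/etc/pam.d/common-session-pc": "session required pam_limits.so\nsession optional pam_systemd.so\n",
    "/etc/pam.d/common-session-nonlogin": ("->", "common-session-nonlogin-pc"),
    "/etc/pam.d/common-session-nonlogin-pc": "session required pam_limits.so\n",
    "/etc/pam.d/postlogin-session": ("->", "postlogin-session-pc"),
    "/etc/pam.d/postlogin-session-pc": "session optional pam_lastlog2.so\nsession optional pam_wtmpdb.so\n",
}
```

To run it against a real system, build the tree from the three directories with os.readlink() for symlinks and open().read() for regular files, then call effective_stack(tree, "sshd"). Entries at depth 1 came in through a substack; an entry with the same module at depth 0 came in through include and is part of the service's own stack as far as done/die actions are concerned. Adding a file under /etc/pam.d with the same name as a package copy makes find_service return that override, which is exactly what the copy-to-/etc/pam.d procedure relies on.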

Backward compatibility with SLE12/SLE15

These PAM configuration files are NOT compatible with SLE12/SLE15. Therefore, you need to decide at build time which configuration file to include in the binary RPM: the old one or the new one.