hacktricks/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md



<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## WhiteIntel

<figure><img src="/.gitbook/assets/image (1224).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malwares**.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for **free** at:

{% embed url="https://whiteintel.io" %}

---


## Basic Information

**PAM (Pluggable Authentication Modules)** acts as a security mechanism that **verifies the identity of users attempting to access computer services**, controlling their access based on various criteria. It's akin to a digital gatekeeper, ensuring that only authorized users can engage with specific services while potentially limiting their usage to prevent system overloads.

### Configuration Files

- **Solaris and UNIX-based systems** typically utilize a central configuration file located at `/etc/pam.conf`.
- **Linux systems** prefer a directory approach, storing service-specific configurations within `/etc/pam.d`. For instance, the configuration file for the login service is found at `/etc/pam.d/login`.

An example of a PAM configuration for the login service might look like this:

```text
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
```

### **PAM Management Realms**

These realms, or management groups, include **auth**, **account**, **password**, and **session**, each responsible for different aspects of the authentication and session management process:

- **Auth**: Validates user identity, often by prompting for a password.
- **Account**: Handles account verification, checking for conditions like group membership or time-of-day restrictions.
- **Password**: Manages password updates, including complexity checks or dictionary attacks prevention.
- **Session**: Manages actions during the start or end of a service session, such as mounting directories or setting resource limits.

### **PAM Module Controls**

Controls dictate the module's response to success or failure, influencing the overall authentication process. These include:

- **Required**: Failure of a required module results in eventual failure, but only after all subsequent modules are checked.
- **Requisite**: Immediate termination of the process upon failure.
- **Sufficient**: Success bypasses the rest of the same realm's checks unless a subsequent module fails.
- **Optional**: Only causes failure if it's the sole module in the stack.

### Example Scenario

In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods.

## References
* [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)


## WhiteIntel

<figure><img src="/.gitbook/assets/image (1224).png" alt=""><figcaption></figcaption></figure>

[**WhiteIntel**](https://whiteintel.io) is a **dark-web** fueled search engine that offers **free** functionalities to check if a company or its customers have been **compromised** by **stealer malwares**.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for **free** at:

{% embed url="https://whiteintel.io" %}


<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-06 22:58:52 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:58:52 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:58:52 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-06 14:12:47 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).`
arte 2024-01-06 22:58:52 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

wi 2024-04-18 03:10:20 +00:00			`## WhiteIntel`

f 2024-04-18 03:13:38 +00:00			`<figure><img src="/.gitbook/assets/image (1224).png" alt=""><figcaption></figcaption></figure>`
wi 2024-04-18 03:10:20 +00:00
			`[WhiteIntel](https://whiteintel.io) is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.`

			`Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.`

			`You can check their website and try their engine for free at:`

			`{% embed url="https://whiteintel.io" %}`

			`---`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-07 04:06:18 +00:00			`## Basic Information`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`PAM (Pluggable Authentication Modules) acts as a security mechanism that verifies the identity of users attempting to access computer services, controlling their access based on various criteria. It's akin to a digital gatekeeper, ensuring that only authorized users can engage with specific services while potentially limiting their usage to prevent system overloads.`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`### Configuration Files`

			- Solaris and UNIX-based systems typically utilize a central configuration file located at `/etc/pam.conf`.
			- Linux systems prefer a directory approach, storing service-specific configurations within `/etc/pam.d`. For instance, the configuration file for the login service is found at `/etc/pam.d/login`.

			`An example of a PAM configuration for the login service might look like this:`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
			```text
			`auth required /lib/security/pam_securetty.so`
			`auth required /lib/security/pam_nologin.so`
			`auth sufficient /lib/security/pam_ldap.so`
			`auth required /lib/security/pam_unix_auth.so try_first_pass`
			`account sufficient /lib/security/pam_ldap.so`
			`account required /lib/security/pam_unix_acct.so`
			`password required /lib/security/pam_cracklib.so`
			`password required /lib/security/pam_ldap.so`
			`password required /lib/security/pam_pwdb.so use_first_pass`
			`session required /lib/security/pam_unix_session.so`
			```

a 2024-02-07 04:06:18 +00:00			`### PAM Management Realms`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`These realms, or management groups, include auth, account, password, and session, each responsible for different aspects of the authentication and session management process:`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`- Auth: Validates user identity, often by prompting for a password.`
			`- Account: Handles account verification, checking for conditions like group membership or time-of-day restrictions.`
			`- Password: Manages password updates, including complexity checks or dictionary attacks prevention.`
			`- Session: Manages actions during the start or end of a service session, such as mounting directories or setting resource limits.`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`### PAM Module Controls`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`Controls dictate the module's response to success or failure, influencing the overall authentication process. These include:`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`- Required: Failure of a required module results in eventual failure, but only after all subsequent modules are checked.`
			`- Requisite: Immediate termination of the process upon failure.`
			`- Sufficient: Success bypasses the rest of the same realm's checks unless a subsequent module fails.`
			`- Optional: Only causes failure if it's the sole module in the stack.`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			`### Example Scenario`
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-07 04:06:18 +00:00			In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods.
GitBook: [master] 3 pages modified 2021-06-23 17:08:03 +00:00
a 2024-02-08 03:06:37 +00:00			`## References`
a 2024-02-07 04:06:18 +00:00			`* [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

wi 2024-04-18 03:10:20 +00:00			`## WhiteIntel`

f 2024-04-18 03:13:38 +00:00			`<figure><img src="/.gitbook/assets/image (1224).png" alt=""><figcaption></figcaption></figure>`
wi 2024-04-18 03:10:20 +00:00
			`[WhiteIntel](https://whiteintel.io) is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.`

			`Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.`

			`You can check their website and try their engine for free at:`

			`{% embed url="https://whiteintel.io" %}`


Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

arte 2024-01-06 22:58:52 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:58:52 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:58:52 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-06 14:12:47 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).`
arte 2024-01-06 22:58:52 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`