Old 08-01-2014, 04:02 PM   #1
LQ Newbie
Registered: Sep 2011
Posts: 25

/etc/pam.d/system-auth-ac vs. /etc/pam.d/password-auth-ac vs. /etc/pam.d/sshd

I'm trying to get a better understanding of PAM configuration in Red Hat. Our policies are all normally set in /etc/pam.d/system-auth-ac, but I've discovered that account lockouts don't really seem to be getting enforced for incoming ssh connections.

So I did a little research, and found this page. I tested it, and sure enough pam_tally2 works great now. I always thought Linux account lockouts went to /etc/shadow before this, similar to Unix. Now I've learned it tracks it all by the pam_tally2 outside of /etc/shadow and our lockout policies actually haven't been working.

My question is that after reading the pages below I'm finding I now have more questions than I started with.

1. Red Hat PAM documentation
2. Red Hat PAM configuration files
3. serverfault - login vs system-auth
4. More login vs system-auth discussion

My question is that in a lot of my reading I see a lot of conflicting information on when to use the /etc/pam.d/system-auth and/or the /etc/pam.d/password-auth files, and/or /etc/pam.d/sshd. Even Red Hat's documentation doesn't explain it well. What are the true purposes of each of these files in relation to each other?

Inquiring minds want to know...

Old 08-01-2014, 06:26 PM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,063

An application that uses PAM can have a configuration file bearing its name in /etc/pam.d/. If such a file exists, the rules in that file are processed whenever the application calls a PAM authentication function.

If no application-specific file exists, PAM will fall back to the rules in /etc/pam.d/other, if it exists. If neither this file nor an application-specific file exists, the authentication will fail.

Files like /etc/pam.d/system-auth and to a larger extent /etc/pam.d/password-auth are somewhat distribution-specific. Since no applications identify themselves as "system-auth" or "password-auth", these files are actually never called on their own. Instead, the contents of these files are pulled into other PAM configuration files with the "include" directive. That way, common settings for multiple applications can be stored in a single file.
1 members found this post helpful.
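The include behaviour described in the answer above, as an added example that is not part of any post in this thread: a small Python resolver that flattens a service's PAM file through its `include`/`substack` lines and applies the fallback to `other`, so you can check whether a module placed in one shared file reaches a given service. The file contents in `SAMPLE`, including which shared file each service includes, are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample files (not from the thread), laid out like a Red Hat
# /etc/pam.d: the lockout module was added to system-auth only.
SAMPLE = {
    "sshd": "auth required pam_sepermit.so\nauth include password-auth\n",
    "login": "auth include system-auth\n",
    "system-auth": "auth required pam_tally2.so deny=5 unlock_time=900\n"
                   "auth sufficient pam_unix.so try_first_pass\n"
                   "auth required pam_deny.so\n",
    "password-auth": "auth sufficient pam_unix.so try_first_pass\n"
                     "auth required pam_deny.so\n",
    "other": "auth required pam_deny.so\n",
}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def expand(name, mgmt_type, files, seen=()):
    """Flatten one file; substack is treated like include (a simplification)."""
    if name in seen:
        raise ValueError("include loop via " + name)
    if name not in files:
        raise LookupError("included file missing: " + name)
    rules = []
    for raw in files[name].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != mgmt_type:
            continue  # comment, blank line, or a different management type
        control, module, args = m.group(2, 3, 4)
        if control in ("include", "substack"):
            rules += expand(module, mgmt_type, files, seen + (name,))
        else:
            rules.append((name, control, module, args))
    return rules

def effective_stack(service, mgmt_type="auth", files=SAMPLE):
    """Rules an application named `service` actually gets for one type."""
    if service in files:
        return expand(service, mgmt_type, files)
    if "other" in files:  # no per-application file: fall back to 'other'
        return expand("other", mgmt_type, files)
    raise LookupError("no file for %s and no 'other'" % service)

def uses_module(service, module, mgmt_type="auth", files=SAMPLE):
    return any(r[2] == module for r in effective_stack(service, mgmt_type, files))

if __name__ == "__main__":
    for svc in ("login", "sshd", "unknownd"):
        print(svc, uses_module(svc, "pam_tally2.so"),
              [r[0] + ":" + r[2] for r in effective_stack(svc)])
```

To check a real host, pass `files` as a dict built from the directory, for example `{p.name: p.read_text() for p in pathlib.Path("/etc/pam.d").iterdir()}`, and compare the result for each service that accepts logins.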
Old 08-01-2014, 07:08 PM   #3
LQ Newbie
Registered: Sep 2011
Posts: 25

Original Poster
Thank you so much! That was a very helpful answer.

