modify and editing pam.d

What is the correct way to update pam.d? Due to hardening reason, there are some parameters in password-auth and system-auth has been removed and added some others. However in the beginning of the file it stated "Do not modify this file manually."

After the changes, some accounts unable to ssh and some unable to change password. Do we have any util to test the pam.d or generate based on our selection? Also do pam.d changes required restart to take effect?

I tried to understand by reading the man pam.d but still i have no clue. Hope someone can enlighten me here.

There are utilities that modify PAM files, for example authconfig on RHEL and Centos. The PAM files you mention might also be modified when updating the software. I guess it’s for these reasons that you are not supposed to change them manually.

For testing, some PAM modules have debug options that print more information in the log files.

There is no need to restart anything after changing PAM files.

authconfig has been change to authselect, authselect-migration and authselect profile in rhel8. Not sure in rhel7 or centos7. Try to go through the man of those command but not really understand still.

Quote:

Originally Posted by OnionBoy authconfig has been change to authselect, authselect-migration and authselect profile in rhel8. Not sure in rhel7 or centos7. Try to go through the man of those command but not really understand still.

Rhel/Centos 7 the authconfig tool is deprecated. In addition, authconfig on RHEL 7 is _dangerous_! There are settings that *cannot* be changed with authconfig. If you then run authconfig to change other settings, you will most likely loose the non-authconfig changes.

In other words, don't use authconfig!
Boo to RedHat for still having authconfig in some of their official REHL 7 documentation.