PAM – Understanding Required and Sufficient Control Flags

authenticationpam

I'm studying PAM, and I'm a bit clueless about the meaning of some combination of control flags. From the Red Hat documentation we have:

required
failure of such a PAM will ultimately lead to the PAM-API returning failure
but only after the remaining stacked modules (for this service and type)
have been invoked

requisite
like required, however, in the case that such a module returns a failure,
control is directly returned to the application.

sufficient
success of such a module is enough to satisfy the authentication
requirements of the stack of modules (if a prior required module has failed
the success of this one is ignored). A failure of this module is not deemed
as fatal to satisfying the application that this type has succeeded. If the
module succeeds the PAM framework returns success to the application
immediately without trying any other modules.

So, in my understanding, if a module requisite fails, the entire stack of modules will not be parsed, and the control will be back to the application immediately.
If a module sufficient succeeds, the rest of modules stack will not be parsed and the control will be back to the application immediately.
If a module required fails, the entire stack will be parsed.

Now, I cannot understand what will be the behavior when a certain module required fails and another module sufficient succeeds.

Best Answer

PAM proceeds through the items on the stack in sequence. It only keeps the memory of what state it's in (success or denied, with success meaning success so far), not of how it reached that state.

If an item marked sufficient succeeds, the PAM library stops processing that stack. This happens whether there were previous required items or not. At this point, PAM returns the current state: success if no previous required item failed, otherwise denied.

Similarly, if an item marked requisite fails, the PAM library stops processing and returns a failure. At that point, it's irrelevant whether a previous required item failed.

In other words, required doesn't necessarily cause the whole stack to be processed. It only means to keep going.

Related Solutions

Custom PAM modules and security considerations

When you call into Linux-PAM for some authentication procedure, there is always one and only one stack that is run.

The stack definition is looked up in these places; the first successful attempt determines which file is read:

the file in /etc/pam.d named after the application "service name" (e.g., sshd or gdm), or
the file /etc/pam.d/other if no service-specific file exists, or
the file /etc/pam.conf if directory /etc/pam.d does not exist.

See the documentation for function pam_start for details.

The common-* files are a convention followed by many Linux distributions but are not mandated by the PAM software itself. They are usually included by other PAM files by means of @include statements; for instance the /etc/pam.d/other file on Debian has the following content:

# We fall back to the system default in /etc/pam.d/common-*
@include common-auth
@include common-account
@include common-password
@include common-session

The same @include statements may be used by service-specific file as well, and -indeed- they are in the default configuration on Debian. Note that this is a matter of configuration: a sysadmin is free to change the file in /etc/pam.d not to include any common-* files at all!

Therefore: if your PAM module is specific to your application, create an application-specific service file and call the module from there. Do not automatically add a module to other services' PAM file nor to the fall-back others file, as this may break other applications installed on the system. Management of the PAM software stack is a task for the system administrator, not for the application developers.

Linux – Confused about PAM configuration stanza and the roles of the control-flag parameters

The indication sufficient in the control field means that if pam_unix reports a success, then this stack returns a success immediately. If pam_unix fails (e.g. because the user doesn't have a password, or doesn't exist), then the stack proceeds with the pam_succeed_if. That line, in turn, immediately rejects any login from users with UID < 500. Finally, users with UID ≥ 500 who failed to authenticate in the traditional unix method are denied by this stack, but may be authorized by a calling stack (e.g. through .rhosts if the rshd configuration calls this stack). In other words:

if unix authentication ok then success
else if uid < 500 then fail hard
else fail (but allow caller to proceed)

Network-based authentication methods such as NIS and LDAP would typically be added as sufficient lines just before the pam_deny line. This would allow network accounts only when the UID is above 500, and giving local authentication priority. This way, the NIS or LDAP server cannot supply any system user, only “real” users (conventionally, low UIDs are system users); also, if the network is down, users with a local account can still log in.

Best Answer

Related Solutions

Custom PAM modules and security considerations

Linux – Confused about PAM configuration stanza and the roles of the control-flag parameters

Related Question