19.4 Configuring PAM Using pam-config
The pam-config tool helps you configure the global PAM configuration
files under /etc/pam.d/common-*-pc as well as
several selected application configurations. For a list of supported
modules, use the command pam-config --list-modules.
Use the pam-config command to maintain your PAM
configuration files. Add new modules to your PAM configurations, delete
other modules or modify options to these modules. When changing global
PAM configuration files, no manual tweaking of the PAM setup for
individual applications is required.
A simple real-world use case for pam-config would involve the following:
1. Auto-generate a fresh Unix-style PAM configuration.
   Let pam-config create the simplest possible setup which you can extend
   later on. The pam-config --create command creates a
   simple UNIX authentication configuration. Pre-existing configuration
   files not maintained by pam-config are overwritten, but backup copies
   are kept as *.pam-config-backup.
2. Add a new authentication method.
   Adding a new authentication method (for example, LDAP) to your stack
   of PAM modules comes down to a simple pam-config --add
   --ldap command. LDAP is added wherever appropriate across
   all common-*-pc PAM configuration files.
3. Add debugging for test purposes.
   To make sure the new authentication procedure works as planned, turn
   on debugging for all PAM-related operations. The pam-config
   --add --ldap-debug command turns on debugging for LDAP-related PAM
   operations. Find the debugging output in
4. Query your setup.
   Before you finally apply your new PAM setup, check whether it contains
   all the options you planned to add. The pam-config --query
   --module command lists both the type and
   the options for the queried PAM module.
5. Remove the debug options.
   Finally, remove the debug option from your setup when you are entirely
   satisfied with its performance. The pam-config --delete
   --ldap-debug command turns off debugging for LDAP authentication. In
   case you had debugging options added for other modules, use similar
   commands to turn these off.
When you create your PAM configuration files from scratch using the
pam-config --create command, it creates symbolic links
from the common-* to the
common-*-pc files. pam-config only modifies the
common-*-pc configuration files. Removing these
symbolic links effectively disables pam-config, because pam-config only
operates on the common-*-pc files and these files
are not put into effect without the symbolic links.
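The symbolic-link dependency described above can be verified with a short check before relying on pam-config changes. This is an added example, not part of the original documentation; the function name check_pam_links and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every
# pam-config-managed common-*-pc file is reached through a symbolic link
# named common-*. check_pam_links is a hypothetical helper name.
# Usage: check_pam_links [DIR]    (DIR defaults to /etc/pam.d)
check_pam_links() {
    dir=${1:-/etc/pam.d}
    rc=0
    found=0
    for pc in "$dir"/common-*-pc; do
        [ -f "$pc" ] || continue        # glob matched nothing
        found=1
        link=${pc%-pc}                  # common-auth-pc -> common-auth
        name=${link##*/}
        if [ ! -L "$link" ]; then
            # Missing or a regular file: the -pc file is not in effect.
            echo "WARN $name: not a symbolic link, $name-pc is not in effect"
            rc=1
        elif [ ! "$link" -ef "$pc" ]; then
            # Symlink exists but resolves elsewhere (or is dangling).
            echo "WARN $name: links to $(readlink "$link"), not $name-pc"
            rc=1
        else
            echo "OK   $name -> $name-pc"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "WARN no common-*-pc files in $dir"
        rc=1
    fi
    return "$rc"
}
```

A non-zero return value means at least one common-* file bypasses the pam-config-managed configuration, so modules added or removed with pam-config would not apply to it.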
For more information on the pam-config command and the
options available, refer to the manual page of