The pam-config tool helps you configure the global PAM configuration files under /etc/pam.d/common-*-pc. Use the pam-config command to maintain your PAM configuration files. Add new modules to your PAM configurations, delete other modules or modify options to these modules. As these changes concern only the global PAM configuration files, no manual tweaking of the PAM setup for individual applications is required.
A simple real-world use case for pam-config would involve the following:
Auto-generate a fresh Unix-style PAM configuration. Let pam-config create the simplest possible setup, which you can extend later on. The pam-config --create command creates a simple UNIX authentication configuration. Pre-existing configuration files not maintained by pam-config are overwritten, but backup copies are kept as *.pam-config-backup.
Add a new authentication method. Adding a new authentication method (e.g. LDAP) to your stack of PAM modules comes down to a simple pam-config --add --ldap command. LDAP is added wherever appropriate across all common-*-pc PAM configuration files.
Add debugging for test purposes. To make sure the new authentication procedure works as planned, turn on debugging for all PAM-related operations. The pam-config --add --ldap-debug command turns on debugging for LDAP-related PAM operations. Find the debugging output in /var/log/messages.
Query your setup. Before you finally apply your new PAM setup, check whether it contains all the options you planned to add. The pam-config --query --module command lists both the type and the options for the queried PAM module.
Remove the debug options. Finally, remove the debug option from your setup when you are entirely satisfied with its performance. The pam-config --delete --ldap-debug command turns off debugging for LDAP authentication. In case you had debugging options added for other modules, use similar commands to turn these off.
When you create your PAM configuration files from scratch using the pam-config --create command, it creates symbolic links from the common-* to the common-*-pc files. pam-config only modifies the common-*-pc configuration files. Removing these symbolic links effectively disables pam-config, because pam-config only operates on the common-*-pc files and these files are not put into effect without the symbolic links.
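Because a missing or replaced symbolic link silently leaves pam-config changes without effect, it is worth checking the links after any change to the PAM setup. The following check is an added example, not part of pam-config or of the original page; the function name check_pam_links and the list of four stack names (account, auth, password, session) are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: verify that each common-* file is a symbolic link to the
# common-*-pc file that pam-config maintains.
# Assumption: the four stack names below cover the common-* files in use.
PAM_STACKS="account auth password session"

check_pam_links() {
    dir=${1:-/etc/pam.d}
    problems=0
    for stack in $PAM_STACKS; do
        link="$dir/common-$stack"
        want="common-$stack-pc"
        if [ ! -e "$dir/$want" ]; then
            echo "MISSING  $dir/$want not found"
            problems=$((problems + 1))
        elif [ ! -L "$link" ]; then
            # A regular file (or nothing) here means the -pc file is never read.
            echo "NOT-LINK $link is not a symbolic link; $want is not in effect"
            problems=$((problems + 1))
        else
            target=$(readlink "$link")
            # Accept only the relative name or the absolute path in the same directory.
            case "$target" in
                "$want"|"$dir/$want")
                    echo "OK       $link -> $target" ;;
                *)
                    echo "WRONG    $link -> $target (expected $want)"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done
    # Exit status 0 only if every link is in place.
    [ "$problems" -eq 0 ]
}
```

Source the file and call check_pam_links without an argument to check /etc/pam.d, or pass another directory to check a staged copy of the configuration.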
For more information on the pam-config command and the options available, refer to the manual page of pam-config, pam-config(8).