22

I'm studying PAM, and I'm a bit clueless about the meaning of some combination of control flags. From the Red Hat documentation we have:

  • required
    failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked

  • requisite
    like required, however, in the case that such a module returns a failure, control is directly returned to the application.

  • sufficient
    success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.

So, in my understanding, if a module requisite fails, the entire stack of modules will not be parsed, and the control will be back to the application immediately. If a module sufficient succeeds, the rest of modules stack will not be parsed and the control will be back to the application immediately. If a module required fails, the entire stack will be parsed.

Now, I cannot understand what will be the behavior when a certain module required fails and another module sufficient succeeds.

ceving
  • 3,461
  • 5
  • 21
  • 30
ludiegu
  • 1,607
  • 5
  • 21
  • 31

2 Answers2

22

PAM proceeds through the items on the stack in sequence. It only keeps the memory of what state it's in (success or denied, with success meaning success so far), not of how it reached that state.

If an item marked sufficient succeeds, the PAM library stops processing that stack. This happens whether there were previous required items or not. At this point, PAM returns the current state: success if no previous required item failed, otherwise denied.

Similarly, if an item marked requisite fails, the PAM library stops processing and returns a failure. At that point, it's irrelevant whether a previous required item failed.

In other words, required doesn't necessarily cause the whole stack to be processed. It only means to keep going.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • But if any `required` item failed, why does `PAM` need to keep going through the stack? if it will finally fail anyway? – Mohammed Noureldin Aug 21 '17 at 12:31
  • 4
    @MohammedNoureldin Even if a login attempt fails, some things must be done, such as logging, adding a timeout against brute-force attempts, etc. Also usually the system doesn't reveal the exact reason for the failure, e.g. if looking up the username fails then the user is still prompted for a password. – Gilles 'SO- stop being evil' Aug 21 '17 at 18:17
  • The order is the order in which they are listed in the config? – OrangeDog May 29 '19 at 12:27
  • @OrangeDog Yes. The module listed on the first line is executed, then the second line is executed (or skipped depending on the result of the first line), etc. – Gilles 'SO- stop being evil' May 29 '19 at 12:42
1

In my opinion, a required control flag has to be always successful in order for a module to be successful.

A sufficient flagged module is ignored if it fails. If it is successful and no required flagged modules above have failed then, no other modules of the same type have to be checked and the module is considered successful. So basically, the required flag has higher priority than the sufficient flag but the latter one has ability to stop checking the rest of them if the previous required ones succeeded.

Example:

1 auth       required     /lib/security/pam_nologin.so
2 auth       required     /lib/security/pam_securetty.so
3 auth       required     /lib/security/pam_env.so
4 auth       sufficient   /lib/security/pam_rhosts_auth.so
5 auth       required     /lib/security/pam_stack.so service=system-auth

If lines 1, 2, 3 and 4 are successful then, the line 5 can be skipped and the module auth is successful. If the line 4 is not successful it is ignored and the line 5 is checked. If any of the lines 1, 2, 3 has failed then, the line 4 is not taken into account.

dsmsk80
  • 3,038
  • 1
  • 15
  • 20
  • 1
    I think his question is what happens if 1 fails and 2-4 succeed. Does 5 get run? If 1 had succeeded, 5 would not be run. Or in other words, does the "stop after sufficient succeeds" apply if a previous required module failed? – cjm Dec 21 '13 at 19:05
  • No, the auth module would fail with such combination. – dsmsk80 Dec 22 '13 at 18:23
  • 2
    The question isn't whether the authorization will fail. It will. The question is whether module 5 will run before that failure is reported to the application. – cjm Dec 22 '13 at 20:39