BEFORE YOU BEGIN
Make a backup of your existing system-auth-ac file:
mv /etc/pam.d/system-auth-ac{,-orig}
cp /etc/pam.d/system-auth-ac{-orig,}
This will keep the original with its existing time stamp.
Reset the SELinux label for the new file if SELinux is enabled:
restorecon -vvRF /etc/pam.d/system-auth-ac
INSERTING PRINTED LINES
Any section of PAM configuration can include pam_echo.so lines, which simply echo the given text to the console during the process.
A snippet from /etc/pam.d/password-auth-ac to include extra information might be:
auth required pam_env.so
auth optional pam_echo.so "Have passed pam_env"
auth sufficient pam_unix.so nullok try_first_pass
auth optional pam_echo.so "Have passed pam_unix"
ALLOWING MODULES TO LOG
Some modules will log their success or failure to /var/log/secure unless the quiet keyword is given. For example, to check whether the following pam_succeed_if test has passed, remove the quiet keyword from it, changing:
auth requisite pam_succeed_if.so uid >= 500 quiet
to
auth requisite pam_succeed_if.so uid >= 500
This allows more information into your logs.
MODULE DEBUGGING INFORMATION
Most PAM modules will emit extra debugging information to syslog when the debug flag is given. For example, adding the debug flag to the pam_unix module:
auth sufficient pam_unix.so nullok try_first_pass debug
This lets you see more information about progress through the pam_unix module.
LOGGING PAM DEBUGGING TO A SEPARATE FILE
syslog can direct debugging information to a separate file, so as not to clutter existing log files. Note that the *.debug selector used below matches every message of priority debug or higher, that is, all messages, so the file can grow quickly.
Enable debugging log information to a separate file:
On RHEL 4 and RHEL 5
mv /etc/syslog.conf{,-orig}
cp /etc/syslog.conf{-orig,}
echo "*.debug /var/log/debug.log" >> /etc/syslog.conf
service syslogd restart
On RHEL 6 (rsyslog only reads files under /etc/rsyslog.d/ whose names end in .conf, and the service is named rsyslog):
echo "*.debug /var/log/debug.log" >> /etc/rsyslog.d/debugging.conf
service rsyslog reload
On RHEL 7
echo "*.debug /var/log/debug.log" >> /etc/rsyslog.d/debugging.conf
systemctl restart rsyslog.service
Then modify /etc/pam.d/system-auth-ac and add debug to the modules of interest, e.g.:
auth required pam_env.so debug
auth sufficient pam_fprintd.so debug
auth sufficient pam_unix.so nullok try_first_pass debug
auth requisite pam_succeed_if.so uid >= NUMBER quiet debug
auth sufficient pam_sss.so use_first_pass debug
auth required pam_deny.so debug
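A small shell helper, added here as an example and not part of the original article, that makes the edits described above on a copy of the stack: it appends debug to every line of the modules you name (unless it is already there) and strips quiet from pam_succeed_if.so so that its verdict is logged. The stack it runs on is a constructed sample, not a real /etc/pam.d file.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a debugging version of a
# PAM stack by hand, as the article describes: for each module named in the
# second argument it appends "debug" (unless already present) and, for
# pam_succeed_if.so, drops "quiet" so the verdict reaches /var/log/secure.
# Comments, blank lines and modules not named pass through unchanged.
pam_add_debug() {   # usage: pam_add_debug FILE "pam_unix.so pam_succeed_if.so"
    awk -v mods="$2" '
    BEGIN { n = split(mods, m, " "); for (k = 1; k <= n; k++) want[m[k]] = 1 }
    NF == 0 || /^[ \t]*#/ { print; next }
    {
        # The control field is either one keyword (required, sufficient, ...)
        # or a bracketed list such as [success=2 default=ok] spanning fields.
        i = 2
        if ($i ~ /^\[/) { while (i < NF && $i !~ /\]$/) i++ }
        mod = $(i + 1)
        if (!(mod in want)) { print; next }
        out = $1
        for (j = 2; j <= i + 1; j++) out = out " " $j
        seen = 0
        for (j = i + 2; j <= NF; j++) {
            if ($j == "debug") seen = 1
            if ($j == "quiet" && mod == "pam_succeed_if.so") continue
            out = out " " $j
        }
        if (!seen) out = out " debug"
        print out
    }' "$1"
}

# Stand-alone demonstration on a constructed stack (not a real /etc/pam.d
# file): the original is moved aside as the article does, so it keeps its
# timestamp, and the debug copy is written in its place.
demo() {
    d=$(mktemp -d)
    cat > "$d/system-auth-ac" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
auth required pam_deny.so
EOF
    mv "$d/system-auth-ac" "$d/system-auth-ac-orig"
    pam_add_debug "$d/system-auth-ac-orig" "pam_unix.so pam_succeed_if.so pam_debug.so" \
        > "$d/system-auth-ac"
    cat "$d/system-auth-ac"
    rm -rf "$d"
}
demo
```

Run it against a copy of the real file, never in place, and diff the result against the original before putting it into /etc/pam.d.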
MANIPULATING THE PROGRESS OF PAM
It is also possible to cause PAM to change course and give any response in any section using the pam_debug.so module.
For instance, this configuration uses pam_debug.so in several places to return a 'denied' result under various conditions, allowing the sysadmin to test what would happen in a given situation:
auth requisite pam_permit.so
auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
auth [default=reset] pam_debug.so auth=success cred=perm_denied
auth [success=done default=die] pam_debug.so
auth optional pam_debug.so auth=perm_denied cred=perm_denied
auth sufficient pam_debug.so auth=success cred=success
RESTORING THE ORIGINAL CONFIGURATION
To restore the original configuration file with its original modification timestamp, simply use:
mv -f /etc/pam.d/system-auth-ac{-orig,}