Debugging PAM configuration

BEFORE YOU BEGIN

Make a backup of your existing system-auth-ac file:

mv /etc/pam.d/system-auth-ac{,-orig}
cp /etc/pam.d/system-auth-ac{-orig,}

Because the original is moved rather than copied, it keeps its existing time stamp; the working copy is the new file. If SELinux is enabled, reset the label on the new file:

restorecon -vvRF /etc/pam.d/system-auth-ac

INSERTING PRINTED LINES

Any section of the PAM configuration can include pam_echo.so lines, which simply print the given text to the user during the process, showing how far through the stack PAM has got.

A snippet from /etc/pam.d/password-auth-ac to include extra information might be:

auth        required      pam_env.so
auth        optional      pam_echo.so "Have passed pam_env"
auth        sufficient    pam_unix.so nullok try_first_pass
auth        optional      pam_echo.so "Have passed pam_unix"

ALLOWING MODULES TO LOG

Some modules log their success or failure to /var/log/secure unless the quiet keyword is given. For example, to check whether this pam_succeed_if test has passed or not, remove the quiet keyword from it, changing:

auth        requisite     pam_succeed_if.so uid >= 500 quiet

to

auth        requisite     pam_succeed_if.so uid >= 500

This will record the result of that test in your logs.

MODULE DEBUGGING INFORMATION

Most PAM modules emit extra debugging information to syslog when the debug flag is given. For example, adding the debug flag to the pam_unix module, as in:

auth        sufficient    pam_unix.so nullok try_first_pass debug

will let you see more information about progress through the pam_unix module.

LOGGING PAM DEBUGGING TO A SEPARATE FILE

syslog can direct debugging information to a separate file, so as not to clutter existing log files. Note that the *.debug selector used below matches every facility at priority debug and above, so the file grows quickly; remove the rule once you have finished.

Enable debugging log information to a separate file:

On RHEL 4 and RHEL 5

mv /etc/syslog.conf{,-orig}
cp /etc/syslog.conf{-orig,}
echo "*.debug      /var/log/debug.log" >> /etc/syslog.conf
service syslog restart

On RHEL 6 (rsyslog only reads files in /etc/rsyslog.d/ whose names end in .conf, and the service is named rsyslog)

echo "*.debug      /var/log/debug.log" >> /etc/rsyslog.d/debugging.conf
service rsyslog restart

On RHEL 7

echo "*.debug      /var/log/debug.log" >> /etc/rsyslog.d/debugging.conf
systemctl restart rsyslog.service

Then modify /etc/pam.d/system-auth-ac and add debug to the modules of interest, e.g.:

auth        required      pam_env.so debug
auth        sufficient    pam_fprintd.so debug
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= NUMBER quiet debug
auth        sufficient    pam_sss.so use_first_pass debug
auth        required      pam_deny.so debug

MANIPULATING THE PROGRESS OF PAM

It is also possible to make PAM change course and return any chosen result in any section by using the pam_debug.so module, which returns whatever result its arguments specify (for example auth=perm_denied or cred=success).

For instance, this configuration uses pam_debug.so in several places to return a 'denied' result under various conditions, allowing the sysadmin to test what would happen in a given situation:

auth    requisite       pam_permit.so
auth    [success=2 default=ok]  pam_debug.so auth=perm_denied cred=success
auth    [default=reset]         pam_debug.so auth=success cred=perm_denied
auth    [success=done default=die] pam_debug.so
auth    optional        pam_debug.so auth=perm_denied cred=perm_denied
auth    sufficient      pam_debug.so auth=success cred=success
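To reason about a stack like the one above before putting it on a live system, here is an added example (not from the original article or the Linux-PAM project): a simplified Python model of how Linux-PAM walks an auth stack, covering the shorthand keywords and the [success=N default=...] controls. It assumes that pam_debug's auth= argument supplies the module's return code (defaulting to success), that pam_deny fails, and that any other module succeeds.

```python
import re

# Shorthand control keywords, expanded as pam.conf(5) documents them
SHORTHAND = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
LINE_RE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_line(line):
    """Split one pam.d line into (type, {return: action}, module, [args])."""
    mtype, control, module, args = LINE_RE.match(line).groups()
    spec = control[1:-1] if control.startswith("[") else SHORTHAND[control]
    return mtype, dict(kv.split("=", 1) for kv in spec.split()), module, args.split()

def module_return(module, args):
    """Modelled pam_sm_authenticate result: pam_deny fails, pam_debug returns
    its auth= argument (default success), any other module is assumed to
    succeed (an assumption of this model, not real module behaviour)."""
    if module == "pam_deny.so":
        return "perm_denied"
    return next((a[5:] for a in args if a.startswith("auth=")), "success")

def run_auth_stack(lines):
    """Walk an auth stack and return the result PAM would hand the application."""
    entries = [parse_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    impression, status = None, None          # None: no decision made yet
    i = 0
    while i < len(entries):
        _, ctrl, module, args = entries[i]
        ret = module_return(module, args)
        action = ctrl.get(ret, ctrl.get("default", "bad"))
        if action in ("ok", "done") or action.isdigit():
            # ok/done/N only override while the stack is undecided or still passing
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = ("pos" if ret == "success" else "neg"), ret
            if action == "done":
                break
            if action.isdigit():
                i += int(action)                 # skip the next N entries
        elif action in ("bad", "die"):
            if impression != "neg":              # the first failure sets the status
                impression, status = "neg", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        i += 1                                   # "ignore": no effect on the result
    # An undecided stack fails: Linux-PAM returns PAM_MUST_FAIL_CODE (PAM_PERM_DENIED)
    return status if impression is not None else "perm_denied"
```

Feeding it the six lines of the stack above returns "success": the second line's perm_denied is recorded, the [default=reset] line discards it, and the [success=done default=die] line then ends the stack with success.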

RESTORING THE ORIGINAL CONFIGURATION

To restore the original configuration file with its original modification time stamp, move the backup back over the working copy (this also discards any debug flags you added):

mv -f /etc/pam.d/system-auth-ac{-orig,}

References

The System Administrator's Guide to PAM:
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html
