Understanding PAM Configuration: Key Differences Between /etc/pam.d/login and /etc/pam.d/system-auth for Securetty Implementation


28 views

Linux's Pluggable Authentication Modules (PAM) system provides a flexible framework for authentication. The key distinction between /etc/pam.d/login and /etc/pam.d/system-auth lies in their scope and inclusion hierarchy:

# Typical PAM stack inclusion
auth      include     system-auth
account   include     system-auth
password  include     system-auth
session   include     system-auth

login applies specifically to local terminal logins (tty devices), while system-auth serves as a global template included by multiple services:

# /etc/pam.d/login structure
auth       required     pam_securetty.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

# /etc/pam.d/system-auth typical content
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       requisite    pam_succeed_if.so uid >= 1000 quiet

When implementing pam_securetty.so, placement matters significantly:

# This will block all root access (including SSH)
auth       required     pam_securetty.so  # In system-auth

# This only affects local console logins
auth       required     pam_securetty.so  # In login

For implementing securetty restrictions while maintaining SSH access:

  1. Modify /etc/securetty to list only permitted terminals (e.g., console)
  2. Add the securetty module ONLY to /etc/pam.d/login
  3. Verify SSH PAM configuration doesn't include system-auth with higher priority
# Recommended securetty implementation
$ cat /etc/securetty
console

$ grep -A5 securetty /etc/pam.d/login
auth       required     pam_securetty.so

Use pam_tally2 or pam_test to verify your configuration:

# Test authentication flow
$ pam_test auth root

# View active PAM stack for a service
$ grep -r "include system-auth" /etc/pam.d/

When working with PAM (Pluggable Authentication Modules) on Linux systems, two critical configuration files often cause confusion: /etc/pam.d/login and /etc/pam.d/system-auth. The fundamental difference lies in their scope and when they're invoked during the authentication process.

/etc/pam.d/login is specifically processed during local terminal logins (tty devices), while /etc/pam.d/system-auth serves as a central authentication template used by many services including SSH.

Based on your scenario with pam_securetty.so, here's what happens in each configuration:

# When added to system-auth (affects all authentication methods):
auth required pam_securetty.so

# When added to login (affects only local terminal logins):
auth required pam_securetty.so

Many services include system-auth through the @include directive. For example, a typical SSH PAM configuration:

# /etc/pam.d/sshd
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

To properly restrict root access while maintaining SSH functionality:

  1. Place pam_securetty.so in /etc/pam.d/login only
  2. Maintain minimal entries in /etc/securetty
  3. Consider additional SSH-specific restrictions in /etc/ssh/sshd_config:
# Example SSH configuration for root access control
PermitRootLogin prohibit-password

For granular control, you might create a custom PAM stack:

# /etc/pam.d/custom-root-access
auth requisite pam_securetty.so
auth required pam_listfile.so item=user sense=allow file=/etc/secureusers onerr=fail

Then reference it in specific services while keeping system-auth clean for general authentication.