Using PAM to Configure a Common Environment for All Shells

Overview of PAM and User Environments

Pluggable Authentication Modules (PAM) provides a flexible method for authenticating users on a Linux system. Additionally, PAM allows system administrators to configure a common environment that applies across all shells and logins for a given user. This enables central management of environment variables, aliases, default editor, path settings, and more.

When a user logs into a Linux system, the PAM stack of the service handling the login (login, sshd, a display manager) is consulted for authentication, account and session management, and environment settings. Variables that pam_env exports during the session phase are inherited by whatever shell the service starts afterwards, so they can be set once and apply to bash, zsh, and other shells alike. This provides convenience for end users and consistency across user sessions.

PAM Configuration Files and Modules

The main PAM configuration file is /etc/pam.d/login, which handles settings applicable at login time for all users. Additionally, each service or application that uses PAM has its own configuration file under /etc/pam.d/, such as /etc/pam.d/bash for bash and /etc/pam.d/sshd for the SSH daemon. Each line of a PAM configuration is space-delimited and consists of the following four fields, in this order:

  • PAM Module Type – The management group the module belongs to: auth, account, password, or session
  • Control Flag – How the module's result affects the rest of the stack: required, requisite, sufficient, optional, or include
  • PAM Module – The pluggable module (shared object) that will handle the task, such as pam_env.so
  • PAM Module Arguments – Any options or arguments for the module

As an example, here is the line that loads the pam_env module for setting the environment:

session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale

This loads pam_env.so during the session phase, after authentication. readenv=1 tells the module to read the KEY=value file named by envfile (here /etc/default/locale; without envfile the default is /etc/environment), and user_readenv=1 additionally enables the per-user environment file discussed later.

Setting Environment Variables in PAM

PAM provides a few options for setting environment variables across shells for users:

/etc/environment

The system-wide /etc/environment file sets variables that apply to all users. It contains one KEY=value assignment per line:

EDITOR=/usr/bin/nano
PAGER=/usr/bin/less

User Environment Files

If user_readenv=1 is set for pam_env.so as shown above, it will also process the user's ~/.pam_environment file (for example /home/user/.pam_environment). The syntax is identical to /etc/environment, but the file is customized on a per-user basis. The option is off by default and has been deprecated since Linux-PAM 1.5.0, because variables supplied by the user enter the PAM environment and can influence modules that run later in the stack; on current systems the per-user file is only read when the option is set explicitly.
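The following added example (not pam_env's own code) re-implements the KEY=value format that pam_env reads from /etc/environment and ~/.pam_environment, merges a constructed system file with a constructed per-user file the way pam_env does (the per-user file is processed later, so its values win), and then audits the result for the assignments an administrator reviewing a user-supplied file would care about: loader variables such as LD_PRELOAD and relative entries in PATH. The sample file contents and the variable list are constructed for the example.

```python
"""Parse the KEY=value environment files that pam_env reads (/etc/environment
with readenv=1, ~/.pam_environment with user_readenv=1) and flag assignments
a defender would want to review.

Added example: a simplified re-implementation of the file format, not
pam_env's own parser.  Rules applied: blank lines and '#' comments are
ignored, an optional leading 'export ' is accepted, a matching pair of
surrounding quotes is stripped from the value, and malformed lines are
skipped (pam_env logs and ignores them rather than failing the session).
"""
import re
from typing import Dict, List

# Variables that change how every program in the session loads code.  An
# environment file that a user can edit and that sets these deserves review.
SENSITIVE_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "IFS"}

_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Constructed samples, not taken from a real host.
SAMPLE_ENVIRONMENT = """\
# system-wide defaults
EDITOR=/usr/bin/nano
PAGER="/usr/bin/less"
PATH=/usr/local/bin:/usr/bin:/bin
"""

SAMPLE_USER_ENV = """\
# a user's ~/.pam_environment
export EDITOR=vim
LD_PRELOAD=/home/alice/lib/hook.so
PATH=.:/home/alice/bin:/usr/bin
this line is not an assignment and is ignored
"""


def parse_envfile(text: str) -> Dict[str, str]:
    """Return {NAME: value} for every valid assignment in text."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def effective_env(system_text: str, user_text: str) -> Dict[str, str]:
    """Merge as pam_env does: the per-user file is processed after the
    system file, so a user's assignments replace the system values."""
    env = parse_envfile(system_text)
    env.update(parse_envfile(user_text))
    return env


def audit_env(env: Dict[str, str]) -> List[str]:
    """Return findings for assignments that affect code loading or lookup."""
    findings: List[str] = []
    for name, value in env.items():
        if name in SENSITIVE_VARS:
            findings.append(f"{name} is set to {value!r}")
        if name == "PATH":
            for entry in value.split(":"):
                if not entry.startswith("/"):  # '' and '.' mean the current directory
                    findings.append(f"PATH contains relative entry {entry!r}")
    return findings


if __name__ == "__main__":
    merged = effective_env(SAMPLE_ENVIRONMENT, SAMPLE_USER_ENV)
    for finding in audit_env(merged):
        print(finding)
```

Run against a real host by reading /etc/environment and a user's ~/.pam_environment into the two text arguments; the findings list is empty when nothing risky is set.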

pam_env.conf

The /etc/security/pam_env.conf file sets environment variables with lines of the form VARIABLE [DEFAULT=value] [OVERRIDE=value]. OVERRIDE is used when it expands to a non-empty string, otherwise DEFAULT applies, and values may reference @{HOME} and @{SHELL} from the user's passwd entry or ${NAME} from the environment built so far. The file has no per-shell, per-user or per-host conditions; restrictions of that kind belong to modules such as pam_access. For example:

# Export a default pager and a per-user XDG config directory
PAGER            DEFAULT=/usr/bin/less
XDG_CONFIG_HOME  DEFAULT=@{HOME}/.config

This exports PAGER and XDG_CONFIG_HOME into every session of a service that loads pam_env. Note that pam_env only exports environment variables; the process umask is set by the pam_umask module, not by an environment entry.
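As an added example (not pam_env's own code), the evaluator below implements the pam_env.conf line format as documented in pam_env.conf(5): DEFAULT versus OVERRIDE precedence, @{HOME}/@{SHELL} substitution from the passwd entry, ${NAME} substitution from the environment assembled so far, and double-quoted values. The configuration text, user names and paths are constructed for the example.

```python
"""Evaluate /etc/security/pam_env.conf entries following the format that
pam_env.conf(5) documents.  Added example, not pam_env's own code.

Line form:  VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
  - OVERRIDE is used when it expands to a non-empty string, otherwise DEFAULT.
  - @{HOME} and @{SHELL} expand from the user's passwd entry; ${NAME} expands
    from the environment assembled so far, and an unknown ${NAME} becomes "".
  - Values may be double-quoted so they can contain spaces.
  - If both values expand to "", the variable is removed from the environment.
"""
import re
import shlex
from typing import Dict

_AT_VAR = re.compile(r"@\{(HOME|SHELL)\}")
_ENV_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample configuration, not copied from a real host.
SAMPLE_PAM_ENV_CONF = """\
# pager and editor; a VISUAL value set earlier in the stack wins for EDITOR
PAGER            DEFAULT=/usr/bin/less
EDITOR           DEFAULT=/usr/bin/nano      OVERRIDE=${VISUAL}
# per-user paths built from the passwd entry
XDG_CONFIG_HOME  DEFAULT=@{HOME}/.config
LOGIN_SHELL      DEFAULT=@{SHELL}
TMPDIR           DEFAULT="/var/tmp/user space"
"""


def expand(value: str, env: Dict[str, str], home: str, shell: str) -> str:
    """Expand @{HOME}, @{SHELL} and ${NAME} references in one value."""
    value = _AT_VAR.sub(lambda m: home if m.group(1) == "HOME" else shell, value)
    return _ENV_VAR.sub(lambda m: env.get(m.group(1), ""), value)


def apply_pam_env_conf(text: str, env: Dict[str, str], home: str, shell: str) -> Dict[str, str]:
    """Return a copy of env with every entry of the config text applied."""
    env = dict(env)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the double quotes around values
        name, default, override = tokens[0], "", ""
        for token in tokens[1:]:
            if token.startswith("DEFAULT="):
                default = token[len("DEFAULT="):]
            elif token.startswith("OVERRIDE="):
                override = token[len("OVERRIDE="):]
            else:
                raise ValueError(f"unexpected token {token!r} in line {line!r}")
        chosen = expand(override, env, home, shell) or expand(default, env, home, shell)
        if chosen:
            env[name] = chosen
        else:
            env.pop(name, None)
    return env


if __name__ == "__main__":
    result = apply_pam_env_conf(SAMPLE_PAM_ENV_CONF, {"VISUAL": "/usr/bin/vim"},
                                home="/home/alice", shell="/bin/zsh")
    for name, value in sorted(result.items()):
        print(f"{name}={value}")
```

Passing the starting environment explicitly makes it easy to see why an OVERRIDE that references an unset variable falls through to DEFAULT, which is the case most often behind "the variable has the wrong value" reports.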

Example PAM Configuration for Bash and Zsh

To provide a consistent environment across both bash and zsh shells, you can use the following PAM configuration files. Each stacks pam_env.so twice, because one line can read only one envfile and both /etc/environment and /etc/default/locale are wanted.

/etc/pam.d/bash

# Read /etc/environment (readenv=1) and evaluate the default conffile,
# /etc/security/pam_env.conf
session required pam_env.so readenv=1
# Read the locale definitions and, when enabled, the user's ~/.pam_environment
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale

/etc/pam.d/zsh

# Read /etc/environment (readenv=1) and evaluate the default conffile,
# /etc/security/pam_env.conf
session required pam_env.so readenv=1
# Read the locale definitions and, when enabled, the user's ~/.pam_environment
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale

With this configuration, both bash and zsh will share the locale definitions from /etc/default/locale, a default PATH from /etc/environment, user-specific settings from ~/.pam_environment (when user_readenv is enabled), and the variables defined in /etc/security/pam_env.conf.

Additional PAM Modules for User Environments

In addition to pam_env, there are some other handy PAM modules that can help configure user environments:

pam_exec

Runs an external command during the PAM session phase, for example a script that prepares per-user directories. The command receives details of the login in variables such as PAM_USER and PAM_SERVICE, but variables the command itself exports do not flow back into the PAM session, so it is not a substitute for pam_env.

session optional pam_exec.so seteuid /usr/local/bin/setup_environment.sh

pam_mkhomedir

Automatically creates a user's home directory if it does not exist yet. Saves administrators from having to manually create directories.

session required pam_mkhomedir.so umask=0022 skel=/etc/skel/

pam_namespace

Gives each session private instances of directories such as /tmp and /var/tmp (polyinstantiation) by running it in its own mount namespace; which directories are instanced, and whether per user or per session, is configured in /etc/security/namespace.conf. Useful for keeping users' temporary files isolated from one another.

session required pam_namespace.so

pam_systemd

Integrates PAM sessions with systemd user instances for management of system services and devices.

session optional pam_systemd.so

Troubleshooting Issues with PAM and User Environments

If there are issues with inconsistent environments across user sessions, here are some things to check in the PAM and environment configuration:

  • Check how many times pam_env.so is stacked in a service's configuration; keep it to the minimum needed (a second line is only required to read an additional envfile such as /etc/default/locale) and remember that later lines replace values set by earlier ones.
  • Test that /etc/environment and any per-user environment files have correct ownership and permissions (root-owned or owned by that user, never group- or world-writable) and contain only KEY=value lines; pam_env does not run the files through a shell, so command substitution, sourcing other files and similar bash syntax are not honoured.
  • Check each entry in pam_env.conf to see whether its DEFAULT and OVERRIDE values, and any @{HOME} or ${NAME} references, expand as expected.
  • Add the debug argument to the pam_env.so line and review the messages it logs to the system log to see which variables are being set.
  • In a test service's configuration, temporarily comment out other session modules to see whether one of them is altering the environment; do not remove pam_unix or other modules from the auth and account stacks of a production service, as that disables authentication.

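The checklist above is mechanical enough to script. The added example below (not part of Linux-PAM) parses a PAM service file in the four-field format described earlier, reports how often pam_env.so is stacked and which files each line will read using the defaults from pam_env(8), and checks the ownership and write permissions of those files. The sample service file is constructed; on a real host, pass the contents of one of the /etc/pam.d/* files.

```python
"""Lint a PAM service file (one of the /etc/pam.d/* files) for the points in
the checklist above: how often pam_env.so is stacked, which environment files
it will read, and whether those files are safe to trust.

Added example, not part of Linux-PAM.  The parser implements the four-field
line format (type, control, module, arguments), accepts bracketed control
values such as [success=1 default=ignore], and skips @include lines rather
than following them.
"""
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List

VALID_TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# Constructed sample service file, not copied from a real host.
SAMPLE_SERVICE = """\
auth     required   pam_unix.so
account  required   pam_unix.so
session  [success=1 default=ignore] pam_succeed_if.so service in cron quiet
session  required   pam_env.so readenv=1
session  required   pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
session  optional   pam_systemd.so
"""


@dataclass
class PamLine:
    type: str
    control: str
    module: str
    args: List[str] = field(default_factory=list)


def parse_pam_service(text: str) -> List[PamLine]:
    """Split a service file into PamLine records, validating type and control."""
    lines: List[PamLine] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype = fields[0].lstrip("-")  # a leading '-' marks a module that may be absent
        if mtype not in VALID_TYPES:
            raise ValueError(f"unknown module type {fields[0]!r}")
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
            if control not in SIMPLE_CONTROLS:
                raise ValueError(f"unknown control flag {control!r}")
        if not rest:
            raise ValueError(f"missing module path: {raw!r}")
        lines.append(PamLine(mtype, control, rest[0], rest[1:]))
    return lines


def env_files_read(lines: List[PamLine]) -> List[str]:
    """Files each pam_env.so line will read, using the defaults from pam_env(8)."""
    paths: List[str] = []
    for entry in lines:
        if entry.module != "pam_env.so":
            continue
        opts: Dict[str, str] = dict(a.split("=", 1) for a in entry.args if "=" in a)
        paths.append(opts.get("conffile", "/etc/security/pam_env.conf"))
        if opts.get("readenv", "1") == "1":
            paths.append(opts.get("envfile", "/etc/environment"))
    return paths


def lint_pam_env(lines: List[PamLine]) -> List[str]:
    """Findings about how pam_env.so is stacked in this service."""
    findings: List[str] = []
    env_lines = [entry for entry in lines if entry.module == "pam_env.so"]
    if len(env_lines) > 1:
        findings.append(f"pam_env.so is stacked {len(env_lines)} times; later lines replace earlier values")
    for entry in env_lines:
        if entry.type not in ("session", "auth"):
            findings.append(f"pam_env.so in the {entry.type} stack has no effect")
        if "user_readenv=1" in entry.args:
            findings.append("user_readenv=1 reads ~/.pam_environment; deprecated since Linux-PAM 1.5.0")
    return findings


def check_env_file_mode(path: str, st_mode: int, st_uid: int, expected_uid: int = 0) -> List[str]:
    """Ownership and write-permission findings for one environment file."""
    findings: List[str] = []
    if st_uid != expected_uid:
        findings.append(f"{path} is owned by uid {st_uid}, expected {expected_uid}")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group- or world-writable (mode {stat.S_IMODE(st_mode):04o})")
    return findings


def check_env_file(path: str, expected_uid: int = 0) -> List[str]:
    """Stat a real file and apply check_env_file_mode to it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    return check_env_file_mode(path, st.st_mode, st.st_uid, expected_uid)


if __name__ == "__main__":
    parsed = parse_pam_service(SAMPLE_SERVICE)
    for finding in lint_pam_env(parsed):
        print(finding)
    for path in env_files_read(parsed):
        for finding in check_env_file(path):
            print(finding)
```

The permission check is split into a pure function taking the stat results so it can be exercised without touching the filesystem; check_env_file is the thin wrapper for real use.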
Inconsistent environments can also result from mixing interactive shells and cron jobs: cron and at do not go through the same login service, so their jobs may not see the same variables. Be sure to configure cron and at jobs separately.

Best Practices for PAM Environment Configurations

Some tips for smoothly incorporating PAM environment handling:

  • Centrally set variables like PATH, EDITOR and PAGER rather than managing them for each user.
  • Let users customize their own settings through ~/.pam_environment (where user_readenv is enabled); keep /etc/security/pam_env.conf owned by root and writable only by root, since everything in it is exported into every login session.
  • Load pam_env in the session stack, after authentication, so the user is known and @{HOME} and @{SHELL} can be resolved from the user's attributes.
  • Monitor for issues reported in the system logs by adding "debug" to the module arguments while troubleshooting.
  • Test PAM changes in a second session, keeping the current one open, before relying on them in production. Running shells do not pick up new values; the user must log in again to inherit them.

Using PAM for a unified and consistent environment takes some planning but pays dividends in usability and manageability. Refer to the pam_env and pam documentation for more examples and capabilities.
