Suggest methods for testing changes to “pam.d/common-*” files

https://serverfault.com/questions/134448/suggest-methods-for-testing-changes-to-pam-d-common-files

Asked 15 years, 8 months ago. Modified 9 years, 5 months ago. Viewed 17k times. Score: 8

How do I test the changes to the pam.d configuration files:

Do I need to restart the PAM service to test the changes? Should I go through every service listed in the /etc/pam.d/ directory? I’m about to make changes to the pam.d/common-* files in an effort to put an Ubuntu box into an Active Directory controlled network.

I’m just learning what to do, so I’m preparing the configuration in a VM, which I plan to deploy on metal in the coming week.

It is a clean install of Ubuntu 10.04 Beta 2 server, so other than the SSH daemon, all other services are stock.

Tags: linux, ubuntu, pam, ubuntu-10.04

asked Apr 21, 2010 at 14:36 by Jamie

3 Answers

Answer (score: 6)

PAM configuration files are read dynamically. To test, you can authenticate to the appropriate software and view the logs.

It is often wise to understand all the configuration files in question if you are attempting to make expansive configuration changes.

PAM man page

answered Apr 21, 2010 at 14:40 by Warner

Comments:

‘… often wise …’ No arguments there. But unfortunately I haven’t the luxury of becoming a subject matter expert (I do this type of thing once every couple of years) and must rely on best practices for testing. – Jamie, Apr 21, 2010 at 15:03

I’m not sure why knowing how the config files work and testing your configuration should be mutually exclusive. Hopefully you get it right first time but it’s still a good idea to test it. – Adam Luchjenbroers, Feb 12, 2018 at 11:47

Answer (score: 3)

I usually use pamtester for checking the PAM configuration; this way I can check whether all restrictions are working correctly on all services that have specific config files without using specific clients for each and every service.

answered Sep 29, 2010 at 18:57 by Alicja Kario

Comments:

Is the animal you speak of? pamtester.sourceforge.net – Jamie, Oct 1, 2010 at 17:03

Answer (score: -1)

Try using OSSEC (http://ossec-docs.readthedocs.io/en/latest/index.html). It notifies you about the changes to pam.d/common

answered Jul 18, 2016 at 23:16
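The pamtester approach from the second answer, as an added example that is not part of any of the posts above: it finds which service files pull in a changed common-* file and runs pamtester against each one, which also answers the question of which services need checking. It assumes Ubuntu's `@include common-…` lines and the `pamtester service user operation` invocation; `PAM_DIR`, `PAMTESTER` and the function names are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: list the services that @include a changed common-* file and
# run pamtester against each. PAM_DIR, PAMTESTER and the function names are
# hypothetical; "@include" lines are assumed (Debian/Ubuntu layout).
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
PAMTESTER="${PAMTESTER:-pamtester}"

# Print the service files in $PAM_DIR that @include the given common-* file.
services_including() {
    common="$1"
    for f in "$PAM_DIR"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in common-*) continue ;; esac
        # Anchored at line start, so commented-out includes are ignored.
        if grep -Eq "^[[:space:]]*@include[[:space:]]+$common([[:space:]]|\$)" "$f"; then
            echo "$name"
        fi
    done
}

# Map a common-* file to the pamtester operation that exercises its stack.
# chauthtok really changes the password: run it with a throwaway account.
operation_for() {
    case "$1" in
        common-auth)     echo authenticate ;;
        common-account)  echo acct_mgmt ;;
        common-session*) echo open_session ;;
        common-password) echo chauthtok ;;
        *) return 1 ;;
    esac
}

# Usage: test_common_change common-auth someuser
# Returns 0 if every affected service passes, 1 if any fails, 2 on bad input.
test_common_change() {
    common="$1"; user="$2"; failed=0
    op=$(operation_for "$common") || { echo "unknown file: $common" >&2; return 2; }
    for svc in $(services_including "$common"); do
        if "$PAMTESTER" "$svc" "$user" "$op"; then
            echo "PASS $svc $op"
        else
            echo "FAIL $svc $op"; failed=1
        fi
    done
    return "$failed"
}
```

Run it as root with a test account while a second root shell stays open, and read the PASS/FAIL lines alongside the authentication log, as the first answer suggests.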
