PAM is a suite of shared libraries that provide an alternate way of providing user authentication in programs. The
pam USE flag is enabled by default in Gentoo. Although the default PAM settings in Gentoo are reasonable, there is always room for improvement.
First install sys-libs/cracklib to allow password policies to be set:
emerge --ask sys-libs/cracklib
auth required pam_unix.so shadow nullok account required pam_unix.so password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 password required pam_unix.so md5 use_authtok session required pam_unix.so
This will add the cracklib which will ensure that the user passwords are at least 8 characters and contain a minimum of 2 digits, 2 other characters, and are more than 3 characters different from the last password. The PAM cracklib documentation can be reviewed for more available options.
auth required pam_unix.so nullok auth required pam_shells.so auth required pam_nologin.so auth required pam_env.so account required pam_unix.so password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 use_authtok password required pam_unix.so shadow md5 session required pam_unix.so session required pam_limits.so
Every service not configured with a PAM file in /etc/pam.d will use the rules in /etc/pam.d/other. The defaults are set to deny, as they should be.
Also, pam_warn.so can be added to generate more elaborate logging. And pam_limits can be used, which is controlled by /etc/security/limits.conf. See the /etc/security/limits.conf section for more on these settings.
auth required pam_deny.so auth required pam_warn.so account required pam_deny.so account required pam_warn.so password required pam_deny.so password required pam_warn.so session required pam_deny.so session required pam_warn.so
- PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.