What is the proper way to configure PAM?

asked 2019-03-20

updated 2019-03-20

I need to make an encrypted home directory for myself (the owner and administrator of the system). I decided to do it using the pam_exec module to mount an encrypted partition on my login. Then I started to look into the PAM docs in Fedora and quickly spotted that the current PAM config files are generated by another tool, authselect, and the files carry a warning not to modify them manually:

$ cat /etc/pam.d/postlogin
#Generated by authselect on Tue Mar 12 08:04:20 2019
#Do not modify this file manually.

So I started to look into the authselect docs, tried the command sudo authselect check to check whether my current authselect profile's config is correct, and it reported an error:

[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
Current configuration is not valid. It was probably modified outside authselect.

The file nsswitch.conf has not been changed since I installed the system, so I'm sure it's Fedora's default (it also has the same header warning as the PAM config files and the same date of creation). So it looks like Fedora itself pays no heed to the warning not to modify those files manually.

So my questions are:

  • what is the proper way to modify PAM config files?
  • am I supposed to use authselect?
  • may I change the config files manually?

If someone has a better way to make an encrypted home directory, I would appreciate learning about it.

I found a couple of reported bugs related to various files' modifications made by other tools, while the files are supposed to be modified only by authselect:

So currently I've decided to disregard the authselect warning and just edit PAM config manually (I might need to make the same changes after a system upgrade).

Thank you in advance
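The two errors quoted in the question (file is not a symbolic link; file was not created by authselect) are easy to reproduce on your own, which is useful before deciding to edit a file by hand and again after a system upgrade, to see which files authselect still owns and will overwrite. The script below is an added example, not code from the question, from Fedora or from authselect itself; the paths it mentions (/etc/authselect as the owned tree, /etc/nsswitch.conf and /etc/pam.d/* as the managed files, absolute symlink targets) are assumptions about a Fedora layout.

```shell
# Added example (not the question's or authselect's own code): a small
# POSIX-sh audit that re-implements the two conditions behind the errors
# shown in the question. A managed file must be a symbolic link into the
# authselect-owned tree, and its first line must be the
# "#Generated by authselect" header. Paths are assumptions: on Fedora the
# managed files are /etc/nsswitch.conf and the files under /etc/pam.d,
# and the links point (absolutely) into /etc/authselect.

# audit_authselect_file FILE OWNED_DIR
# Prints one line per problem. Returns 0 if FILE still looks
# authselect-managed, 1 if it has drifted (edited or replaced by hand or
# by another package, as happened to nsswitch.conf in the question).
audit_authselect_file() {
    f=$1
    owned=$2
    rc=0
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        case $target in
            "$owned"/*) ;;  # link points into the authselect tree: expected
            *) echo "[error] [$f] links outside $owned ($target)"; rc=1 ;;
        esac
    else
        echo "[error] [$f] is not a symbolic link!"
        rc=1
    fi
    # authselect writes this header as the first line of every generated file
    if ! head -n 1 "$f" 2>/dev/null | grep -q '^#Generated by authselect'; then
        echo "[error] [$f] was not created by authselect!"
        rc=1
    fi
    return $rc
}

# audit_authselect_files OWNED_DIR FILE...
# Runs the check on every file given and returns the number of drifted
# files (capped at 255, the largest status a shell function can carry).
# 0 means authselect still owns everything listed, so a later
# `authselect select` or `authselect apply-changes` will overwrite any
# manual edits; a non-zero count names the files that are already yours.
audit_authselect_files() {
    owned=$1
    shift
    bad=0
    for file in "$@"; do
        audit_authselect_file "$file" "$owned" || bad=$((bad + 1))
    done
    if [ "$bad" -gt 255 ]; then
        bad=255
    fi
    return $bad
}

# Typical invocation on a Fedora host (paths assumed as stated above):
#   audit_authselect_files /etc/authselect /etc/nsswitch.conf /etc/pam.d/*
```

The header check is deliberately separate from the symlink check: a file can be a regular copy of authselect output (header present, not a link) or a link to something authselect never generated, and the two cases call for different fixes.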

answered 2019-03-21

You may want to run authselect if you want to use LDAP or Windows Active Directory instead of, or in addition to, /etc/passwd for logging in. For a single-user system you normally don't need to run it.

It is correct that some packages modify /etc/nsswitch.conf on initial installation; they have just not gotten around to making this compatible with authselect, and also compatible when authselect is not used -- or not even installed.

Modifying the pam configuration with your favourite editor is certainly possible, but if something goes wrong when doing so, it can be difficult to get help fixing it.

As for setting up an encrypted file system, this is normally done during initial installation using LUKS. This could be a subject for a new question you may want to ask.

Thank you for the suggestion to disable authselect. This can be considered an appropriate answer in my situation. As for the encrypted directory and pam_exec, I found that cryptsetup and pam_exec are a bit buggy working with each other; at least I gave up on attempts to make pam_exec use cryptsetup. Instead I resorted to the crypttab/fstab files. It won't work on a system with several users, since each of them will be required to know the passwords for each mounted encrypted volume, but on a system with a single user it's an acceptable temporary approach.
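The crypttab/fstab arrangement the comment settles on, as an added example that is not the commenter's own configuration. The mapping name, the UUID and the mount point are placeholders; the `none` in the key-file field is what causes the passphrase prompt at boot, which is exactly why this only suits a single-user machine.

```text
# /etc/crypttab   (fields: name  device  keyfile  options; UUID is a placeholder)
home_crypt  UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  none  luks

# /etc/fstab      (mounts the opened mapping; mount point is a placeholder)
/dev/mapper/home_crypt  /home/user  ext4  defaults  0  2
```

Because the entry is opened by the boot process rather than at login, the volume is unlocked before any PAM module runs, and PAM configuration is left untouched, which sidesteps the authselect question entirely for this use case.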