8

How do I test the changes to the pam.d configuration files:

  • Do I need to restart the PAM service to test the changes?
  • Should I go through every service listed in the /etc/pam.d/ directory?

I'm about to make changes to the pam.d/common-* files in an effort to put an Ubuntu box into an Active Directory-controlled network.

I'm just learning what to do, so I'm preparing the configuration in a VM, which I plan to deploy on metal in the coming week.

It is a clean install of Ubuntu 10.04 Beta 2 server, so other than the SSH daemon, all other services are stock.

Jamie

3 Answers

6

PAM configuration files are read dynamically. To test, you can authenticate to the appropriate software and view the logs.

It is often wise to understand all the configuration files in question if you are attempting to make expansive configuration changes.

PAM man page

Warner
  • '... often wise ...' No arguments there. But unfortunately I haven't the luxury of becoming a subject matter expert (I do this type of thing once every couple of years) and must rely on best practices for testing. – Jamie Apr 21 '10 at 15:03
  • I'm not sure why knowing how the config files work and testing your configuration should be mutually exclusive. Hopefully you get it right first time but it's still a good idea to test it. – Adam Luchjenbroers Feb 12 '18 at 11:47
3

I usually use pamtester for checking the PAM configuration; this way I can check whether all restrictions are working correctly on all services that have specific config files, without using specific clients for each and every service.

Hubert Kario
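
An added example, not part of the answers above: a shell sketch that finds which services in /etc/pam.d actually pull in the common-* files and runs pamtester against each of them. It assumes the Debian/Ubuntu `@include common-*` convention (plus `include`/`substack` lines); the function names and the user name `someuser` are hypothetical.

```shell
#!/bin/sh
# Added example: find the PAM services affected by edits to common-* files
# and exercise each one with pamtester. Function names are hypothetical.

# Print the service files in a pam.d directory that reference a common-* file
# through "@include common-x" or "<type> include|substack common-x".
# Commented-out lines do not count.
affected_services() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case $name in
            common-*|*.dpkg-*|*~|*.bak) continue ;;  # shared files, backups
        esac
        if grep -Eq '^[[:space:]]*(@include|-?[a-z]+[[:space:]]+(include|substack))[[:space:]]+common-' "$f"; then
            printf '%s\n' "$name"
        fi
    done
}

# Run pamtester for every affected service in /etc/pam.d.
# "authenticate" prompts for the user's password; "acct_mgmt" checks
# account restrictions. Returns 1 if any service fails, 2 if pamtester
# is not installed.
test_services() {
    user=$1
    failed=0
    command -v pamtester >/dev/null 2>&1 || {
        echo "pamtester not installed" >&2
        return 2
    }
    for svc in $(affected_services /etc/pam.d); do
        if pamtester -v "$svc" "$user" authenticate acct_mgmt; then
            echo "PASS $svc"
        else
            echo "FAIL $svc"
            failed=1
        fi
    done
    return $failed
}

# Usage, after sourcing this file ("someuser" is a placeholder account):
#   test_services someuser
```

Run it from a root shell that stays open while the common-* files are being edited, so a broken stack does not lock out the only session.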
-1

Try using OSSEC (http://ossec-docs.readthedocs.io/en/latest/index.html); it notifies you about changes to pam.d/common.