Pluggable Authentication Module configuration

This module provides parsing for PAM configuration files. PamConf is a parser for /etc/pam.conf files. Sample input is provided in the examples.

PamConf - file /etc/pam.conf

Sample file data:

vsftpd      auth        required
vsftpd      auth        requisite nullok
vsftpd      auth        sufficient
vsftpd      account     optional
other       password    include retry=3 logging=verbose
other       password    required shadow nullok use_authtok
other       session     required


>>> type(pam_conf)
<class 'insights.parsers.pam.PamConf'>
>>> len(pam_conf)
>>> pam_conf[0].service
>>> pam_conf[0].interface
>>> pam_conf[0].control_flags
[ControlFlag(flag='required', value=None)]
>>> pam_conf[0].module_name
>>> pam_conf[0].module_args is None
>>> pam_conf.file_path

PamDConf - used for specific PAM configuration files

PamDConf is a base class for the creation of parsers for /etc/pam.d service specific configuration files.

Sample file from /etc/pam.d/sshd:

auth       required
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional prepare
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required
# open should only be followed by sessions to be executed in the user context
session    required open env_params
session    required
session    optional force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional prepare


>>> type(pamd_conf)
<class 'insights.parsers.pam.PamDConf'>
>>> len(pamd_conf)
>>> pamd_conf[0]._errors == [] # No errors in parsing
>>> pamd_conf[0].service
>>> pamd_conf[0].interface
>>> pamd_conf[0].control_flags
[ControlFlag(flag='required', value=None)]
>>> pamd_conf[0].module_name
>>> pamd_conf[0].module_args is None
>>> pamd_conf.file_path
>>> pamd_conf[3].module_name
>>> pamd_conf[3].ignored_if_module_not_found

Normal use of the PamDConf class is to subclass it for a parser. In insights/specs/

pam_sshd = simple_file("etc/pam.d/sshd")

In the parser module (e.g. insights/parsers/

from insights import parser
from insights.parsers.pam import PamDConf
from insights.specs import Specs

# Register the subclass as the parser for the pam_sshd spec.
@parser(Specs.pam_sshd)
class PamSSHD(PamDConf):
    pass


class insights.parsers.pam.PamConf(context)[source]

Bases: insights.parsers.pam.PamDConf

Base class for parsing pam config file /etc/pam.conf.

Based on the PamDConf parser class, but the service must be given as the first element of the line, rather than assumed from the file name.


This method must be implemented by classes based on this class.

class insights.parsers.pam.PamConfEntry(line, pamd_conf=False, service=None)[source]

Bases: object

Contains information from one PAM configuration line.

Parses a single line of either a /etc/pam.conf file or a service specific /etc/pam.d conf file. The difference is that for /etc/pam.conf, the service name is the first column of the input line. For a service specific conf file, the service name is not present in the line, so it must be provided as the service parameter and pamd_conf must be set to True.

  • line (str) -- One line of the pam conf info.
  • pamd_conf (boolean) -- If this is set to False then line will be parsed as a line from the /etc/pam.conf file, if True then the line will be parsed as a line from a service specific /etc/pam.d/ conf file. Default is True.
  • service (str) -- If pamd_conf is True then the name of the service file must be provided since it is not present in line.

The service name (taken from the line or from the file name if not parsing pam.conf)


The type clause - should be one of 'account', 'auth', 'password' or 'session'. If the line was invalid this is set to None.


If the type clause is preceded by '-', then this is set to True and it indicates that PAM would skip this line rather than reporting an error if the given module is not found.


A list of ControlFlag named tuples. If the control flag was one of 'required', 'requisite', 'sufficient', 'optional', 'include', or 'substack', then this is the only flag in the list and its value is set to True. If the control flag started with [, then the list inside the square brackets is interpreted as a list of key=value tuples.


The raw control flag string before parsing, for reference.


The PAM module name (including the ‘.so’).


The PAM module arguments, if any. This is not parsed.


The original line in the PAM configuration.


A list of parsing errors detected in this line.



>>> pam_conf_line = 'vsftpd      auth        requisite nullok'
>>> entry = PamConfEntry(pam_conf_line)
>>> entry.service
>>> entry.control_flags[0].flag
>>> entry.module_args
>>> pamd_conf_line = '''
... auth        [success=2 default=ok] auth=perm_denied cred=success
... '''.strip()
>>> entry = PamConfEntry(pamd_conf_line, pamd_conf=True, service='vsftpd')
>>> entry.service
>>> entry.control_flags
[ControlFlag(flag='success', value='2'), ControlFlag(flag='default', value='ok')]
>>> entry.module_args
'auth=perm_denied cred=success'
Raises: ValueError -- If pamd_conf is True and service name is not provided, or if the line doesn’t contain any module information.

A named tuple with the ‘flag’ and ‘value’ properties, used to store information about the control flags in a PAM configuration line.

class ControlFlag(flag, value)

Bases: tuple
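
The line format described above, as an added stand-alone sketch (not the insights-core implementation): it parses pam.d-style lines into entries and lists the auth/password modules configured with nullok, which permits empty passwords. The names Flag, Entry, parse_line, parse_conf and nullok_auth_modules and the module pam_example.so are hypothetical, and the sample file is constructed.

```python
import re
from collections import namedtuple

# Hypothetical names for this sketch; these are not the insights-core classes.
Flag = namedtuple("Flag", "flag value")
Entry = namedtuple("Entry", "service interface optional_module flags module args")

SIMPLE = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# [-]interface  control_flag | [key=value ...]  module_name  [module_arguments]
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_line(line, service):
    """Parse one /etc/pam.d-style line; the service comes from the file name."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("no module information in line: %r" % line)
    dash, interface, control, module, args = m.groups()
    if interface not in ("account", "auth", "password", "session"):
        raise ValueError("unknown interface: %r" % interface)
    if control.startswith("["):
        # Bracket form: whitespace-separated key=value pairs.
        flags = [Flag(*kv.partition("=")[::2]) for kv in control[1:-1].split()]
    elif control in SIMPLE:
        flags = [Flag(control, None)]
    else:
        raise ValueError("unknown control flag: %r" % control)
    return Entry(service, interface, dash == "-", flags, module, args or None)

def parse_conf(text, service):
    """Skip blank and comment lines, parse the rest in file order."""
    lines = (l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return [parse_line(l, service) for l in lines]

def nullok_auth_modules(entries):
    """Modules on auth/password lines whose arguments include nullok."""
    return [e.module for e in entries
            if e.interface in ("auth", "password")
            and "nullok" in (e.args or "").split()]

# Constructed sample, not taken from a real host; pam_example.so is made up.
SAMPLE = """\
# constructed example
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok try_first_pass
-auth      optional     pam_example.so
password   required     pam_unix.so shadow use_authtok
"""
ENTRIES = parse_conf(SAMPLE, "sshd")
```
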

class insights.parsers.pam.PamDConf(context)[source]

Bases: insights.core.Parser

Base class for parsing files in /etc/pam.d

Derive from this class for parsers of files in the /etc/pam.d directory. Parses each line of the conf file into a list of PamConfEntry. Configuration file format is:

module_interface    control_flag    module_name module_arguments

Sample input:

>>> pam_sshd = '''
... auth        required
... auth        requisite nullok
... auth        sufficient
... auth        [success=2 default=ok] auth=perm_denied cred=success
... account     optional
... password    include retry=3 logging=verbose
... password    required shadow nullok use_authtok
... '''
>>> from insights.tests import context_wrap
>>> class YourPamDConf(PamDConf):  # A trivial example
...     pass
>>> conf = YourPamDConf(context_wrap(pam_sshd, path='/etc/pam.d/sshd'))

The service property of each PamConfEntry is set to the complete path name of the PAM config file.


List containing a PamConfEntry object for each line of the conf file in the same order as lines appear in the file.



>>> conf[0].module_name  # Can be used like a list of objects
>>> account_rows = list(conf.search(interface='account'))
>>> len(account_rows)
>>> account_rows[0].interface
>>> account_rows[0].module_name
>>> account_rows[0].control_flags
[ControlFlag(flag='optional', value=None)]

This method must be implemented by classes based on this class.


Search the pam.d configuration file by keyword. This is provided by the insights.parsers.keyword_search() function - see its documentation for more information.

Searching the list of PAM configuration entries works exactly as if they were dictionaries instead of objects with properties. In addition, the ‘control_flags’ property becomes a dictionary of keywords and values, so that ‘control_flags__contains’ allows searching for a particular control flag.

Returns: A list of PamConfEntry objects that match the given search criteria.
Return type: (list)