Debugging PAM Issues

Overview of PAM#

Overview of Pluggable Authentication Modules

Enable Debugging for PAM#

Although this procedure is written for Solaris, it is similar on other Unix platforms. To turn debugging on for PAM, do the following:
  • First make a copy of /etc/pam.conf as /etc/pam.debug.conf.
  • Make a second copy as /etc/pam.nodebug.conf. This gives you a backup and a non-debug pam.conf.
  • Edit the /etc/pam.debug.conf file: find the lines you added to the file and append the word 'debug' to the end of each line. Make sure there is a space before the word debug, and that it is lowercase. Adding the word debug causes the PAM module to write debugging records to syslog. (See Debug Example for /etc/pam.conf below.)
  • Syslog should now record entries from the modules listed in /etc/pam.conf. Normally these are written under /var/adm/messages. /var/adm/messages is typically set up for log rotation, so the file will be called syslog with a numeric extension.
  • The /etc/syslog.conf file can be edited to set the level of debugging.

Debug Example for /etc/pam.conf#

For each PAM module you need debugging information from, add "debug" to the PAM module arguments at the end of the line:
sshd    auth    sufficient      /usr/lib/security/pam_ascauth.so stats debug 
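
The copy-and-edit steps above can be scripted. The following is an added example, not part of the original page: it works on constructed sample files in a temporary directory, and the function names and the assumption that PAM debug records arrive on the auth syslog facility are the example's own.

```sh
#!/bin/sh
# Added example: build a debug copy of a pam.conf-format file and check that
# syslog.conf captures debug priority. It never touches the real /etc files.

# add_pam_debug MODULE_PATH SRC DST
# Copy SRC to DST, appending " debug" to every entry whose module path
# (field 4) is MODULE_PATH and that does not already carry the argument.
add_pam_debug() {
    awk -v mod="$1" '
        /^[ \t]*#/ || NF < 4 { print; next }   # comments and blank lines unchanged
        $4 == mod {
            for (i = 5; i <= NF; i++) if ($i == "debug") { print; next }
            sub(/[ \t]+$/, "")                 # exactly one space before "debug"
            print $0 " debug"; next
        }
        { print }
    ' "$2" > "$3"
}

# syslog_logs_debug SYSLOG_CONF
# Succeed if an active selector logs debug priority for all facilities or
# for auth (assumption: PAM modules log through the auth facility).
syslog_logs_debug() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(^|[;,[:space:]])(\*|auth)\.debug([;[:space:]]|$)'
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample input in pam.conf format.
    cat > "$dir/pam.conf" <<'EOF'
# service  type  control     module path                        arguments
sshd    auth    sufficient      /usr/lib/security/pam_ascauth.so stats
sshd    auth    required        /usr/lib/security/pam_unix_auth.so.1
login   auth    sufficient      /usr/lib/security/pam_ascauth.so debug
EOF
    # Constructed syslog.conf that does not capture debug priority.
    printf '*.err;auth.notice\t/var/adm/messages\n' > "$dir/syslog.conf"
    cp "$dir/pam.conf" "$dir/pam.nodebug.conf"
    add_pam_debug /usr/lib/security/pam_ascauth.so \
        "$dir/pam.conf" "$dir/pam.debug.conf"
    diff "$dir/pam.nodebug.conf" "$dir/pam.debug.conf" || true
    syslog_logs_debug "$dir/syslog.conf" ||
        echo "syslog.conf: no selector captures debug priority"
    rm -rf "$dir"
}
demo
```

Only the first sshd line changes in the diff: the entry for the other module is left alone, and the login entry that already has debug is not given a second one.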

Debugging PAM on AIX#

Syslog Facility#

Make sure "debug" priority messages are logged somewhere by /etc/syslog.conf.
