DOKK / manpages / debian 12 / libpam-runtime / pam-auth-update.8.en
PAM-AUTH-UPDATE(8) System Manager's Manual PAM-AUTH-UPDATE(8)

pam-auth-update - manage PAM configuration using packaged profiles

pam-auth-update [--package [--remove profile [profile...]]] [--force] [--enable profile [profile...]] [--disable profile [profile...]]

pam-auth-update is a utility that permits configuring the central authentication policy for the system using pre-defined profiles as supplied by PAM module packages. Profiles shipped in the /usr/share/pam-configs/ directory specify the modules, with options, to enable; the preferred ordering with respect to other profiles; and whether a profile should be enabled by default. Packages providing PAM modules register their profiles at install time by calling pam-auth-update --package. Selection of profiles is done using the standard debconf interface. The profile selection question will be asked at `medium' priority when packages are added or removed, so no user interaction is required by default. Users may invoke pam-auth-update directly to change their authentication configuration.

The script makes every effort to respect local changes to /etc/pam.d/common-*. Local modifications to the list of module options will be preserved, and additions of modules within the managed portion of the stack will cause pam-auth-update to treat the config files as locally modified and not make further changes to the config files unless given the --force option.

If the user specifies that pam-auth-update should override local configuration changes, the locally-modified files will be saved in /etc/pam.d/ with a suffix of .pam-old.

Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to `medium' so that the user is not prompted by default.
Disable the specified profiles in system configuration. This can be used from system administration scripts to disable profiles.
Enable the specified profiles in system configuration. This is used to enable profiles that are not on by default.
Remove the specified profiles from the system configuration. pam-auth-update --remove should be used to remove profiles from the configuration before the modules they reference are removed from disk, to ensure that PAM is in a consistent and usable state at all times during package upgrades or removals.
Overwrite the current PAM configuration, without prompting. This option must not be used by package maintainer scripts; it is intended for use by administrators only.

/etc/pam.d/common-*

Global configuration of PAM, affecting all installed services.

/usr/share/pam-configs/

Package-supplied authentication profiles.

Steve Langasek <steve.langasek@canonical.com>

Copyright (C) 2008 Canonical Ltd.

PAM(7), pam.d(5), debconf(7)

08/23/2008 Debian