Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

From Axel <none@not.here>
Newsgroups alt.os.linux.mint, alt.os.linux.ubuntu
Subject Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
Date 2026-05-12 08:56 +1000
Message-ID <n6f541Fkqh4U3@mid.individual.net> (permalink)
References <n6a6hvFrlkkU1@mid.individual.net> <10tp11m$4q6j$1@dont-email.me> <18ae2eb6ecff44b9$15390$2895151$4296dcc3@news.newsgroupdirect.com> <10tqqqc$l25d$2@dont-email.me>

Cross-posted to 2 groups.


CtrlAltDel wrote:
> On Sun, 10 May 2026 11:51:04 +0100, PC-3FingerSalute wrote:
>
>> If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
>> joke.
>>
>> If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
>> at 32px, the headline font size on that web page, then a visit to the
>> optician is needed.
> What's the difference between PAM and RAM, Mr. Genius?
>
>

Google AI says..

PAM stands for Pluggable Authentication Modules.

In simple terms, it is a flexible framework that Linux uses to handle 
how you log in and prove who you are to the system. Instead of every 
single app (like SSH, your desktop login, or sudo) having its own code 
to check passwords, they all talk to PAM.

Think of PAM like a universal wall socket: different "plugs" (modules) 
can be swapped in or out without changing the appliance (the 
application) itself.

Why does it matter?
     • Decoupling: Developers don't have to write custom code for every 
authentication method (fingerprints, passwords, LDAP, etc.). They just 
ask PAM, "Is this person who they say they are?"
     • Flexibility: As an admin, you can change your system from using 
standard passwords to using YubiKeys or Google Authenticator just by 
editing a text file, without ever touching the source code of your apps.

How it works
PAM organizes its work into four main "management groups," often seen in 
configuration files:
     • auth (Authentication): Verifies the user's identity (e.g., "Enter 
your password").
     • account (Account Management): Checks if the account is actually 
allowed to log in right now (e.g., has the password expired? Is it after 
work hours?).
     • password (Password Management): Handles the process of updating 
the authentication token (e.g., when you run the passwd command).
     • session (Session Management): Handles tasks that happen at the 
start and end of a session (e.g., mounting a home directory or logging 
the login time).

Key Files and Directories
If you want to see PAM in action on your own system, look at these 
locations:
     • /etc/pam.d/: This directory contains the configuration files for 
every PAM-aware application (e.g., sshd, sudo, login).
     • /usr/lib/security/: This is usually where the actual module files 
(ending in .so) are stored. These are the "plugins" that do the heavy 
lifting.

A Practical Example
If you look at the Arch Linux Wiki on PAM, you'll see that when you run 
sudo, it checks its configuration in /etc/pam.d/sudo. That file might 
tell PAM to first check your password using pam_unix.so and then check 
if you're in the right group using pam_wheel.so.

Warning: Be very careful when editing these files! One typo can lock 
everyone (including the root user) out of the system entirely. It is 
always a good idea to keep a root terminal open while testing changes so 
you can undo them if things break.

-- 
Linux Mint 22.3
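
A defensive check built on the file layout described in the post above, as an added example that is not part of the original post or of the quoted answer: it parses `/etc/pam.d/`-style lines and reports modules loaded from outside the standard module directories or missing from a host baseline. The baseline set, the multiarch directory, the names `parse_pam` and `audit`, and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: trusted module directories. /usr/lib/security is the one named in
# the post; the multiarch path is where Debian/Ubuntu/Mint keep their modules.
TRUSTED_DIRS = ("/usr/lib/security/", "/usr/lib/x86_64-linux-gnu/security/")
# Constructed baseline of modules expected on this host; build yours from a clean install.
BASELINE = {"pam_unix.so", "pam_wheel.so", "pam_env.so", "pam_deny.so", "pam_permit.so"}
TYPES = {"auth", "account", "password", "session"}
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (type, control, module, args) for each module line of a pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):  # Debian-style file include
            continue
        m = LINE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        if mtype.lstrip("-") in TYPES and control not in ("include", "substack"):
            yield mtype.lstrip("-"), control, module, args

def audit(service, text):
    """Return (service, type, module, reason) for every line worth a closer look."""
    findings = []
    for mtype, _control, module, _args in parse_pam(text):
        name = module.rsplit("/", 1)[-1]
        if module.startswith("/") and not module.startswith(TRUSTED_DIRS):
            findings.append((service, mtype, module, "loaded from non-standard path"))
        elif name not in BASELINE:
            findings.append((service, mtype, module, "not in baseline"))
    return findings

# Constructed sample of /etc/pam.d/sudo (not taken from a real system).
SAMPLE_SUDO = """\
#%PAM-1.0
auth       required   pam_unix.so
auth       required   pam_wheel.so use_uid
auth       [success=1 default=ignore]  /opt/example/pam_example.so
-session   optional   pam_systemd.so
session    include    system-auth
"""

if __name__ == "__main__":
    for finding in audit("sudo", SAMPLE_SUDO):
        print(*finding, sep=" | ")
```

To audit a real host, call `audit()` on each file under `/etc/pam.d/` and follow up by checking that every flagged `.so` belongs to an installed package.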
