Linux Commands Examples

A great documentation place for Linux commands


manage PAM configuration using packaged profiles

see also : debconf


pam-auth-update [--package [--remove profile [profile...]]] [--force]

add an example, a script, a trick and tips

: email address (won't be displayed)
: name

Step 2

Thanks for this example ! - It will be moderated and published shortly.

Feel free to post other examples
Oops ! There is a tiny cockup. A damn 404 cockup. Please contact the loosy team who maintains and develops this wonderful site by clicking in the mighty feedback button on the side of the page. Say what happened. Thanks!


if [ "$(omv_config_get "//services/ldap/enable")" = "1" ]; then
pam-auth-update --force --package ldap
pam-auth-update --force --package --remove ldap


pam-auth-update is a utility that permits configuring the central authentication policy for the system using pre-defined profiles as supplied by PAM module packages. Profiles shipped in the /usr/share/pam-configs/ directory specify the modules, with options, to enable; the preferred ordering with respect to other profiles; and whether a profile should be enabled by default. Packages providing PAM modules register their profiles at install time by calling pam-auth-update --package. Selection of profiles is done using the standard debconf interface. The profile selection question will be asked at ’medium’ priority when packages are added or removed, so no user interaction is required by default. Users may invoke pam-auth-update directly to change their authentication configuration.

The script makes every effort to respect local changes to /etc/pam.d/common-*. Local modifications to the list of module options will be preserved, and additions of modules within the managed portion of the stack will cause pam-auth-update to treat the config files as locally modified and not make further changes to the config files unless given the --force option.

If the user specifies that pam-auth-update should override local configuration changes, the locally-modified files will be saved in /etc/pam.d/ with a suffix of .pam-old.



Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to ’medium’ so that the user is not prompted by default.

--remove profile [profile...]

Remove the specified profiles from the system configuration. pam-auth-update --remove should be used to remove profiles from the configuration before the modules they reference are removed from disk, to ensure that PAM is in a consistent and usable state at all times during package upgrades or removals.


Overwrite the current PAM configuration, without prompting. This option must not be used by package maintainer scripts; it is intended for use by administrators only.


Copyright (C) 2008 Canonical Ltd.



Global configuration of PAM, affecting all installed services.


Package-supplied authentication profiles.

see also

PAM, pam.d, debconf


Steve Langasek <steve.langasek[:at:]canonical[:dot:]com>

How can this site be more helpful to YOU ?

give  feedback