Title: Overview of PAM and PAM modules

KBTAG: kben10000018
URL: http://www.securityportal.com/lskb/10000000/kben10000018.html
Date created: 17/04/2000
Date modified: 30/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: General overview of PAM and some modules
Keywords: PAM

Summary:

"Pluggable Authentication Modules for Linux is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users." That is straight from the PAM documentation, and I don't think I could have said it any better. But what does this actually mean? Take the program "login" as an example. When a user connects to a tty (via a serial port or over the network) a program answers the call (getty for serial lines, usually telnetd or sshd for network connections) and starts up the "login" program. "login" then typically requests a username, followed by a password, which it checks against the /etc/passwd file. This is all fine and dandy until you have a spiffy new digital card authentication system and want to use it. Without PAM you would have to recompile login (and any other application that authenticates users) so that it supports the new system. As you can imagine this is quite laborious and prone to errors.

More information:

PAM introduces a layer of middleware between the application and the actual authentication mechanism. Once a program is PAM'ified, any authentication method PAM supports is usable by that program without recompiling it. In addition to authentication, PAM handles account and session management, which is something traditional authentication mechanisms do not do well. For example, using PAM you can easily disallow login access by normal users between 6pm and 6am, and when they do log in you can have them authenticate via a retinal scanner, simply by stacking the appropriate modules in the service's configuration.

By default Red Hat systems are PAM aware, and newer versions of Debian are as well (see below for a table of PAM'ified systems). Thus on a system with PAM support all I have to do to implement shadow passwords is convert the password and group files, and possibly add one or two lines to some PAM config files (if they weren't already there). Essentially, PAM gives you a great deal of flexibility when handling user authentication, and it will support other features in the future, such as digital signatures, with the only requirement being a PAM module or two to handle them. This kind of flexibility will be required if Linux is to be an enterprise-class operating system.

Distributions that do not ship as "PAM-aware" can be made so, but it requires a lot of effort (you must install PAM, recompile all your authenticating programs with PAM support, and so on); it is probably easier to switch straight to a PAM'ified distribution if this will be a requirement. PAM usually comes with complete documentation, and if you are looking for a good overview you should visit: http://www.sun.com/software/solaris/pam/
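The following is an added example, not code from the original article or from the Linux-PAM project. It models how a PAM-aware "login" walks its auth and account stacks: it parses a constructed /etc/pam.d/login-style file and applies the control-flag semantics Linux-PAM documents (requisite, required, sufficient, optional). The module names mirror real ones (pam_securetty.so, pam_unix.so, pam_time.so) but the functions behind them here are stand-ins, and the user database, passwords and tty names are constructed for the example. The pam_time stand-in enforces the "no normal users between 6pm and 6am" rule from the text.

```python
"""Toy model of PAM stack evaluation for a login-style service.

Added example, not libpam code. Stand-in modules imitate the behaviour of
pam_securetty, pam_unix and pam_time so the stacking rules can be seen
without a real PAM installation.
"""
from datetime import time

# Constructed sample /etc/pam.d/login: "type control module [args]" per line.
LOGIN_CONFIG = """
# /etc/pam.d/login (constructed for this example)
auth      requisite  pam_securetty.so
auth      required   pam_unix.so
account   required   pam_time.so
account   required   pam_unix.so
session   required   pam_unix.so
"""

# Constructed variant showing why module order matters: a "sufficient" entry
# that succeeds before pam_unix runs lets anyone in without a password check.
SLOPPY_CONFIG = """
auth      sufficient pam_securetty.so
auth      required   pam_unix.so
account   required   pam_unix.so
"""

# Constructed stand-in for /etc/passwd + /etc/shadow lookups.
USERS = {"root": {"uid": 0, "password": "r00t-pw"},
         "alice": {"uid": 1000, "password": "alice-pw"}}


def parse_config(text):
    """Return (type, control, module) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *_args = line.split()
        entries.append((mtype, control, module))
    return entries


def mod_securetty(ctx):
    # Real pam_securetty only lets root in on ttys listed in /etc/securetty;
    # here the allowed list is constructed.
    return not (ctx["user"] == "root" and ctx["tty"] not in ("tty1", "tty2"))


def mod_unix(ctx):
    # auth stage: check the password; account/session: accept if the user exists.
    user = USERS.get(ctx["user"])
    if user is None:
        return False
    if ctx["stage"] == "auth":
        return ctx["password"] == user["password"]
    return True


def mod_time(ctx):
    # Deny normal users (uid >= 1000) between 18:00 and 06:00, as in the text.
    user = USERS.get(ctx["user"])
    if user is None or user["uid"] < 1000:
        return True
    now = ctx["now"]
    return not (now >= time(18, 0) or now < time(6, 0))


MODULES = {"pam_securetty.so": mod_securetty,
           "pam_unix.so": mod_unix,
           "pam_time.so": mod_time}


def run_stack(entries, stage, ctx):
    """Evaluate one module type's stack with Linux-PAM control semantics."""
    ctx = dict(ctx, stage=stage)
    stack = [(c, m) for t, c, m in entries if t == stage]
    failed = False
    last_optional = True
    for control, module in stack:
        ok = MODULES[module](ctx)
        if control == "requisite" and not ok:
            return False                 # fail and stop at once
        if control == "required" and not ok:
            failed = True                # remember, but keep running the stack
        if control == "sufficient" and ok and not failed:
            return True                  # enough; skip the rest of the stack
        if control == "optional":
            last_optional = ok           # only decisive if nothing else is
    if failed:
        return False
    if stack and all(c == "optional" for c, _ in stack):
        return last_optional
    return True


def login(user, password, tty, now, config=LOGIN_CONFIG):
    """Simulate login: run the auth stack, then the account stack."""
    entries = parse_config(config)
    ctx = {"user": user, "password": password, "tty": tty, "now": now}
    return run_stack(entries, "auth", ctx) and run_stack(entries, "account", ctx)


if __name__ == "__main__":
    print(login("alice", "alice-pw", "pts/0", time(12, 0)))   # daytime: allowed
    print(login("alice", "alice-pw", "pts/0", time(22, 0)))   # night: pam_time denies
    print(login("alice", "wrong", "pts/0", time(12, 0), SLOPPY_CONFIG))  # misordered sufficient
```

Note the difference between the two configurations: in LOGIN_CONFIG the password check (pam_unix) is "required", so a failure is always recorded, while in SLOPPY_CONFIG a "sufficient" module that passes for ordinary users short-circuits the stack before the password is ever examined. When auditing a PAM-aware system, check the order and control flag of every entry, not just which modules are present.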

Downloads:

PAM chroot module

ftp://ferret.lmh.ox.ac.uk/users/weejock/

PAM Cryptocard module

http://www.jdimedia.nl/igmar/pam/

PAM Smartcard module

http://www.linuxnet.com/applications/applications.html

PAM module for SMB (Windows authentication)

http://rpmfind.net/linux/RPM/pam_smb.html

http://www.csn.ul.ie/~airlied/pam_smb/