PAM [Pluggable Authentication Modules] for Linux is used by Admins to choose how applications authenticate users.
To accomplish this PAM provides a library of functions that Admins can use for user authentication with an application.
It can be said that PAM is the glue between authentication methods [eg one-time pwds, Kerberos, smart cards] and applications requiring authentication services [eg ftpd, sshd, imapd]. It is another layer of first-line defence in Linux.
PAM Basics for Fedora 14
PAM Manual :- /usr/share/doc/pam-1.1.1/html/Linux-PAM_SAG.html
Files in 4 dirs concern us :-
/lib/libpam* -> PAM System Libs
/lib/security/*.so -> PAM Loadable Modules [PLM]
/etc/pam.d/ -> per-application PAM config files [eg login]
/etc/security/ -> 6 .conf files and some other files/dirs
PAM Config File :- /etc/pam.d/login
Each line has 4 fields :-
module-type control-flag module-path [args]
========= =========== ========== ======
Values for each field :-
module-type  : auth | account | password | session
control-flag : required | requisite | sufficient | optional
module-path  : defaults to /lib/security/*.so
[args]       : debug, no_warn, use_first_pass, try_first_pass, expose_account
Module Types
============
1. auth : Serves 2 functions - first authenticating users to be who they claim to be, and second allowing other privileges to be granted to the users
2. account : Provides account-mgmt options not related to authentication. Typically used to restrict access based on factors such as origin [eg allowing only non-root users to log in remotely] or time of day
3. password: Called only when updating the auth token associated with the user
4. session : Tasks to be performed before/after the user is allowed access.
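The config-file layout and the four control-flags above decide, line by line, whether a stack of modules lets a user in. The following Python model is an added illustration, not Linux-PAM's own code: it parses pam.d-style lines into the 4 fields and walks one module-type's stack with the documented meaning of required/requisite/sufficient/optional (it does not model the bracketed [value=action] syntax). SAMPLE_CONFIG is a constructed file in /etc/pam.d/login style, and the results dict stands in for what each module would actually return.

```python
"""Model of how Linux-PAM walks a module stack and combines control flags.
Added illustration only (not Linux-PAM source); it covers the four simple
control-flag keywords and ignores the bracketed [value=action] syntax."""

from dataclasses import dataclass, field

# Constructed sample in /etc/pam.d/login style. The module names are real PAM
# modules, but the file itself is made up for this example, not Fedora's default.
SAMPLE_CONFIG = """\
# module-type  control-flag  module-path        args
auth     required    pam_env.so
auth     sufficient  pam_unix.so        try_first_pass
auth     requisite   pam_succeed_if.so  uid >= 500 quiet
auth     required    pam_deny.so
account  required    pam_unix.so
session  optional    pam_keyinit.so     revoke
"""


@dataclass
class Entry:
    mtype: str                          # auth | account | password | session
    flag: str                           # required | requisite | sufficient | optional
    path: str                           # module file, relative to /lib/security
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse pam.d-style lines: '#' starts a comment, blank lines are skipped,
    and the first three whitespace-separated fields are mandatory."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def evaluate_stack(entries, mtype, results):
    """Walk the stack for one module-type.

    results maps module-path -> True (PAM_SUCCESS) or False (any failure);
    a module missing from results is treated as failing.
    Returns (verdict, consulted): the overall result and the modules that
    were actually called, in order, so short-circuits are visible.
    """
    impression = None          # None = undecided, True = positive, False = negative
    consulted = []
    for e in (x for x in entries if x.mtype == mtype):
        if e.flag not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"control flag {e.flag!r} not covered by this model")
        ok = results.get(e.path, False)
        consulted.append(e.path)
        if ok:
            if e.flag == "sufficient" and impression is not False:
                # 'done': succeed at once unless a required module already failed
                return True, consulted
            if impression is None:
                impression = True           # 'ok': first positive result
        else:
            if e.flag == "requisite":
                return False, consulted     # 'die': stop now, later modules never run
            if e.flag == "required":
                impression = False          # 'bad': remember failure but keep walking
            # failures of sufficient/optional modules are ignored
    # Still undecided (e.g. only sufficient/optional modules, none succeeded) = denied.
    return impression is True, consulted


if __name__ == "__main__":
    entries = parse_pam(SAMPLE_CONFIG)
    good = {"pam_env.so": True, "pam_unix.so": True, "pam_succeed_if.so": True}
    bad_pw = {"pam_env.so": True, "pam_unix.so": False, "pam_succeed_if.so": True}
    for label, res in (("good password", good), ("bad password", bad_pw)):
        print(label, "->", evaluate_stack(entries, "auth", res))
```

Two points worth seeing in the trace: a successful sufficient pam_unix.so returns before pam_succeed_if.so and pam_deny.so are consulted, whereas a failed required module is remembered but the walk continues to the end, so the user cannot tell which module rejected them. A failing requisite module stops the walk immediately.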