Monday, 15 August 2011

PAM Basics for Linux

PAM [Pluggable Authentication Modules] for Linux is used by Admins to choose how applications authenticate users.

To accomplish this, PAM provides a library of functions that Admins can use for user authentication with an application.

It can be said that PAM is the glue between authentication methods [eg one-time passwords, Kerberos, smart cards] and applications requiring authentication services [eg ftpd, sshd, imapd]. It is another layer of 1st-level defence in Linux.

PAM Basics for Fedora 14


PAM Manual :- /usr/share/doc/pam-1.1.1/html/Linux-PAM_SAG.html

Files in 4 dirs concern us :-

    /lib/libpam*         ->    PAM System Libs
    /lib/security/*.so   ->    PAM Loadable Modules [PLM]
    /etc/pam.d/
    /etc/security/       ->    6 .conf files and some other files/dirs

PAM Config File :- /etc/pam.d/login

module-type    control-flag    module-path                       [args]
===========    ============    ==============================    ==============
auth           required        defaults to /lib/security/*.so    debug
account        requisite                                         no_warn
password       sufficient                                        use_first_pass
session        optional                                          try_first_pass
                                                                 expose_account

                Module Types
              ============

  1. auth :    Serves 2 functions - first, verifying that users are who they claim to be, and second, allowing other privileges to be granted to the users

  2. account : Provides account-mgmt options not related to authentication. Typically used to restrict access based on factors such as origin [eg allowing remote login only for non-root users] or time of day

  3. password: Called only when updating the auth token associated with the user

  4. session : Tasks to be performed before/after the user is allowed access.
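
An added example, not from the original post: a small Python checker for the four-field rule format and the four module types described above, run over a constructed sample file. The names parse_rule, lint and SAMPLE are hypothetical, /lib/security is the default module directory given on this page, and the bracketed [value=action] control form is accepted in addition to the four flags listed here.

```python
import re

MODULE_TYPES = ("auth", "account", "password", "session")
SIMPLE_FLAGS = ("required", "requisite", "sufficient", "optional")
DEFAULT_MODULE_DIR = "/lib/security"   # default module dir given on this page
# Fields: module-type  control-flag (keyword or [value=action ...])  module-path  [args]
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample in the style of /etc/pam.d/login (not taken from a real host).
SAMPLE = """\
#%PAM-1.0
auth      required    pam_securetty.so
auth      sufficient  pam_unix.so try_first_pass debug
account   requisite   pam_nologin.so
password  required    /opt/site/pam_site.so use_first_pass
session   [success=ok default=ignore] pam_limits.so
sesion    optional    pam_unix.so
auth      mandatory   pam_unix.so
account   required
"""

def parse_rule(line):
    """Return a dict for one rule line, or None for a blank or comment line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = RULE.match(line)
    if not m:
        raise ValueError("expected: module-type control-flag module-path [args]")
    mtype, flag, path, args = m.groups()
    if mtype not in MODULE_TYPES:
        raise ValueError("unknown module-type %r" % mtype)
    if not (flag in SIMPLE_FLAGS or flag.startswith("[")):
        raise ValueError("unknown control-flag %r" % flag)
    if not path.startswith("/"):       # bare module names resolve to the default dir
        path = DEFAULT_MODULE_DIR + "/" + path
    return {"type": mtype, "flag": flag, "path": path, "args": args.split()}

def lint(text):
    """Parse a whole config file; return (rules, [(line_no, message), ...])."""
    rules, errors = [], []
    for no, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
            if rule:
                rules.append(rule)
        except ValueError as exc:
            errors.append((no, str(exc)))
    return rules, errors
```

On the sample, lint(SAMPLE) returns five parsed rules and reports lines 7, 8 and 9 (misspelt module type, unknown control flag, missing module path). Control keywords outside the four listed on this page, such as include, are reported as unknown by this checker.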