Chapter 9: Pluggable Authentication Modules

Overview

The Pluggable Authentication Modules (PAM) system is a generalized API for system authentication. It was originally developed by Sun Microsystems, and a version of this system was developed for Linux systems. This chapter presents a brief overview of PAM and describes how to work with it.

The term authentication refers to the task of confirming that a given user is who he claims to be (i.e., whether the user's claim is "authentic"). This is generally a fancy-pants word for the notion of a username and password combination with which almost all computer users are acquainted. However, there are additional forms of credentials besides passwords that can be used for authentication, such as cryptographic keys or hardware devices such as smart cards or key tokens. Additionally, even the traditional username/password method of authentication has more sophisticated forms, such as the Network Information Services (NIS) or Kerberos systems.

Any program that needs to use a particular authentication mechanism needs to be written to support it. For example, in order to support Kerberos, a program would need to be coded to the Kerberos API. Similarly, any system on which such a program is to be installed needs to have Kerberos installed correctly. Since there are many different authentication schemes in common use, this quickly becomes a problem for both software developers and system administrators.

The purpose of PAM is to make the use and management of authentication schemes easier. PAM provides a software API that developers use when writing their applications. This API is generic and has no knowledge of the details of any particular authentication scheme. Additionally, PAM provides a mechanism for installing modules (called, intuitively enough, PAMs) that support a given scheme.

For example, there would be one PAM for the Kerberos system mentioned earlier and another for the traditional Unix username/password scheme. A program such as login that needs to perform authentication, however, is not written to use either system, but is instead written to use PAM. The same login program can then make use of either Kerberos or the basic username/password scheme, depending on which PAM or PAMs the system administrator has installed.

PAM is fairly straightforward in concept. The following sections discuss the nuances of the installation and configuration of PAM. There are essentially three such tasks: installing the PAM system itself, configuring the PAM system with specific PAM modules, and configuring user applications to make use of the installed PAM modules.

Purpose: The Linux Pluggable Authentication Modules (PAM) architecture provides for a modular, easily configurable solution for flexible system authentication.

Authors: Andrew Morgan, et al

Web site: http://www.kernel.org/pub/linux/libs/pam

Description: The PAM architecture provides two services. First, it allows software applications to be written with support for generic authentication. This allows client software to transparently make use of any authentication mechanism installed on the system without needing to know any details about the mechanism, which makes client software more flexible. Second, PAM allows system administrators to easily install modules for specific authentication mechanisms without having to recompile or reconfigure other applications. Example authentication back-ends supported by PAM include simple Unix username/password pairs, Kerberos, user credentials stored in LDAP, and many others.