The PAM framework, includes the PAM library ( libpam.so.1 ), which consists of an interface library and multiple authentication service modules that are the layer implementing the PAM API.
It is outside the scope of this section to detail every single API and function. However, the most commonly used and well-known APIs are presented here. The PAM API can be grouped into five functional categories:
These functions enable an application to invoke the PAM service modules and to communicate information to these modules. The functions are described in the following sections.
PAM Framework Functions
These framework functions are PAM transaction routines for establishing and terminating a PAM session.
PAM Authentication Functions
These authentication functions are used to authenticate the user and the current process. The term credentials, means whatever the PAM service module stack defines it to mean. That is each of the PAM service modules defines whatcredentials mean to them. In the case of pam_unix_cred(5) , it provides functions that establish user credential information. Among other things, pam_sm_setcred() initializes the user's privilege sets and initializes or updates the user's audit context if it hasn't already been initialized . And in the case of pam_krb5(5):
pam_sm_setcred() creates and modifies the user's credential cache. This function will initialize the user's credential cache, if it doesn't already exist, and store the initial credentials for later use by Kerberized network applications. It is important to understand that the authentication and credential setup are distinct actions. In the case of pam_krb5 , pam_sm_authenticate() performs a Kerberos authentication. pam_sm_setcred() sets up the local Kerberos ticket cache as described in kinit(1). The Kerberos credential db is later used by the GSS/Kerberos applications such as telnet and Kerberized NFS to enable single sign-on.
The following flags may be set in the flags field. They are best described by their effect on the user's credential cache.
Typically, this process is done after the user has been authenticated (after the p am_authenticate() function succeeds).
Account Management Function
This account management function is used to validate the users account information. It typically includes checking for password and account expiration, valid login times, and etc.
Session Management Functions
These session management functions are called on the initiation and termination of a login session.
The pam_unix_session module implements these calls to update the /var/adm/lastlog information. These functions can also support session auditing.
Password Management Function
This password management function is called to change the authentication token (password) associated with the user.