Chapter 25: Pluggable Authentication Modules (PAM)

Programs that give privileges to users must properly authenticate each user. For instance, when you log in to a system, you provide your username and password, and the login process uses this information to verify your identity. Pluggable Authentication Modules (PAM) allows the system administrator to set authentication policies for PAM-aware applications without having to recompile authentication programs. PAM does this by utilizing a pluggable, modular architecture. Which modules PAM calls for a particular application is determined by that application’s PAM configuration file in the /etc/pam.d/ directory.

In most situations, you will never need to alter the default PAM configuration files for a PAM-aware application. Whenever you use RPM to install programs that require authentication, they automatically make the changes necessary to do normal password authentication using PAM. However, if you need to customize the PAM configuration file, you must understand the structure of this file (see the section “PAM Configuration Files” for more information).

Advantages of PAM

When used correctly, PAM provides the following advantages for a system administrator:

• It provides a common authentication scheme that can be used with a wide variety of applications.

• It allows great flexibility and control over authentication for both the system administrator and application developer.

• It allows application developers to develop their program without implementing a particular authentication scheme. Instead, they can focus purely on the details of their program.