Overview#
Pluggable Authentication Modules (PAM) is an Authentication Method that integrates multiple low-level authentication schemes into a high-level API, so that programs that rely on authentication can be written independently of the underlying authentication scheme.
The Pluggable Authentication Modules framework provides a uniform way for authentication-related activities to take place. This approach enables application developers to use PAM services without having to know the semantics of the policy. Algorithms are centrally supplied and can be modified independently of the individual applications. With PAM, administrators can tailor the authentication process to the needs of a particular system without having to change any applications. Adjustments are made through pam.conf, the PAM configuration file.
The following figure illustrates the PAM architecture. Applications communicate with the PAM library through the PAM application programming interface (API). PAM modules communicate with the PAM library through the PAM service provider interface (SPI). Thus, the PAM library enables applications and modules to communicate with each other.
PAM Configuration file syntax#
PAM Service Types#
There are four PAM Service Types
PAM Control Flags#
All PAM modules generate a success or failure result when checked. PAM Control Flags tell PAM what to do with the result.
PAM module-arguments#
Pluggable Authentication Modules utilizes PAM module-arguments to pass information to a pluggable module during authentication for a particular PAM Service Type.
PAM module#
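The fields named above (service type, control flag, module, module-arguments) appear together on each line of pam.conf. As an added example, not code from this page or from any PAM implementation, the following Python parses that layout and flags two settings that weaken an auth stack; the sample lines are constructed, and the keyword sets assumed are those of Linux-PAM.

```python
import re

# Constructed sample, pam.conf layout: service type control module-path [module-arguments]
SAMPLE = """\
# constructed sample, not taken from a real system
login  auth     required    pam_unix.so nullok try_first_pass
login  account  required    pam_unix.so
sshd   auth     sufficient  pam_permit.so
sshd   auth     [success=1 default=ignore]  pam_ldap.so use_first_pass
sshd   authz    required    pam_unix.so
"""

SERVICE_TYPES = {"auth", "account", "password", "session"}
SIMPLE_FLAGS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
LINE_RE = re.compile(r"^(?P<service>\S+)\s+(?P<type>-?\w+)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_pam_conf(text):
    """Return (entries, errors); continuation lines are not handled."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((n, "cannot parse line"))
            continue
        e = dict(m.groupdict(), line=n)
        e["type"] = e["type"].lstrip("-")     # "-auth": no log entry if module is missing
        e["args"] = e["args"].split()
        if e["type"] not in SERVICE_TYPES:
            errors.append((n, f"unknown service type {e['type']!r}"))
        elif e["control"][0] != "[" and e["control"] not in SIMPLE_FLAGS:
            errors.append((n, f"unknown control flag {e['control']!r}"))
        else:
            entries.append(e)
    return entries, errors

def audit(entries):
    """Flag two settings that weaken an auth stack."""
    findings = []
    for e in entries:
        module = e["module"].rsplit("/", 1)[-1]
        if e["type"] == "auth" and module == "pam_permit.so" and e["control"] == "sufficient":
            findings.append((e["line"], e["service"], "pam_permit.so succeeds for any user"))
        if e["type"] == "auth" and "nullok" in e["args"]:
            findings.append((e["line"], e["service"], "nullok permits blank passwords"))
    return findings
```

Calling `parse_pam_conf(SAMPLE)` and passing the returned entries to `audit` reports the `nullok` line, the `sufficient pam_permit.so` line, and the misspelled service type.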
History#
Pluggable authentication modules or PAM
Our interest in Pluggable Authentication Modules is for the setup of LDAP for Linux and Unix Clients.
PAM Documentation#
PAM Implementations#
This information is *OLD*. It is of course not current, but is provided to show the many differences.

| Distribution | Version | PAM-Version | Features | Release Date |
|---|---|---|---|---|
| SuSE Linux Enterprise Server | 8 | 0.76 | | July 2002 |
| SuSE Linux Enterprise Server | 9 | .077 | Some third party modules | September 2002 |
| SuSE Linux Enterprise Server | 9.3 | 0.77 | Some third party modules | December 2005 |
| SuSE Linux Enterprise Server | 10 | 0.99.3 | | January 2006 |
| Red Hat Enterprise Linux | 3.6 | 0.75 | | April 2001 |
| Red Hat Enterprise Linux | 4 | 0.77 | | September 2002 |
| Red Hat Enterprise Linux | 4.4 | 0.77 | newer build | April 2006 |
| Fedora Core | 5 | 0.78 | | November 2004 |
| Fedora Core | 6 | 0.99.6.2 | | November 2006 |
| Debian GNU/Linux | 3.1.2 | 0.76 | Many Third Party Modules | July 2002 |
| Debian GNU/Linux | 4.0 | 0.79 | Many Third Party Modules | December 2006 |
| Ubuntu Linux | 5.10 | 0.75 | Many Third Party Modules | October 2005 |
| Ubuntu Linux | 6.06 | 0.77 | Many Third Party Modules | July 2006 |
| Ubuntu Linux | 6.10 | 0.79 | Many Third Party Modules | November 2006 |
| Arch Linux | 0.7.1 | 0.81 | | November 2005 |
More Information#
There might be more information for this subject on one of the following:
- Authentication Agent
- Debugging PAM Issues
- DirXML Fan-Out System Intercept
- Glossary Of LDAP And Directory Terminology
- Java Authentication and Authorization Service
- Kerberos
- LDAP for Linux and Unix Clients
- LinixUnixLDAPClientSoftware
- Name Service Switch
- PAM
- PAM Control
- PAM module-arguments
- PAM_LDAP
- Samba
- UnixLinux