Pluggable Authentication Modules (PAM)

Programs which give privileges to users must properly authenticate each user. For instance, when you log into a system, you provide your username and password, and the login process uses this username and password to verify your identity.
Pluggable Authentication Modules (PAM) allows the system administrator to set authentication policies for PAM-aware applications without having to recompile authentication programs. PAM does this by utilizing a pluggable, modular architecture. Which modules PAM calls for a particular application is determined by looking at that application's PAM configuration file in the /etc/pam.d/ directory.
In most situations, you will never need to alter the default PAM configuration files for a PAM-aware application. Whenever you use RPM to install programs that require authentication, they automatically make the changes necessary to do normal password authentication using PAM. However, if you need to customize the PAM configuration file, you must understand the structure of this

Advantages of PAM
When used correctly, PAM provides the following advantages for a system administrator:
• It provides a common authentication scheme that can be used with a wide variety of applications.
• It allows great flexibility and control over authentication for both the system administrator and application developer.
• It allows application developers to develop their program without implementing a particular authentication scheme. Instead, they can focus purely on the details of their program.

PAM Configuration Files
The directory /etc/pam.d/ contains the PAM configuration files for PAM-aware applications. In earlier versions of PAM, the file /etc/pam.conf was used, but this file is now deprecated. The pam.conf file is only read if the /etc/pam.d/ directory does not exist.
Each PAM-aware application or service (as applications designed to be used by many users are commonly known) has its own file within the /etc/pam.d/ directory.
These files have a specific layout containing calls to modules usually located in the /lib/security/ directory. Additionally, each line within a PAM configuration file specifies a module type, a control flag, a path to the module, and, sometimes, module arguments.

PAM Service Names
Each PAM configuration file in the /etc/pam.d/ directory is named after the service for which it controls access. It is up to the PAM-aware program to define its service name and install its PAM configuration file in the pam.d directory. For example, the login program defines its service name as /etc/pam.d/login.
In general, the service name is the name of the program used to access the service, not the program used to provide the service. This is why the service wu-ftpd defines its service name as /etc/pam.d/ftp.
The next four sections will describe the basic format of PAM configuration files and how they use PAM modules to perform authentication for PAM-aware applications.

PAM Modules
There are four types of PAM modules used to control access to services. These types correlate to different aspects of the authorization process:
• auth: These modules are used to authenticate the user by, for example, asking for and checking a password. They can also set credentials, such as group membership or Kerberos tickets.
• account: These modules are used to make sure access is allowed. For example, they can check if the account is expired, or they can check if the user is allowed to log in at a particular time of day.
• password: These modules are used to set passwords.
• session: These modules are used after a user has been authenticated to manage the user's session. This module type can also perform additional tasks which are needed to allow access, like mounting a user's home directory or making his mailbox available.
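
The line layout described under "PAM Configuration Files" (module type, control flag, module path, optional arguments) and the four module types above can be checked mechanically when reviewing a service file. The following Python parser is an added example, not part of the original page or of PAM itself; the sample service file, the /opt/vendor path and the function names are constructed for illustration, and the trusted module directory defaults to the /lib/security/ location named on this page.

```python
import os
from collections import namedtuple
MODULE_TYPES = ("auth", "account", "password", "session")  # the four types listed above
PamRule = namedtuple("PamRule", "lineno type control module args")

def parse_pam_config(text):
    """Return (rules, problems) for the text of one /etc/pam.d/<service> file."""
    rules, problems, pending = [], [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.split("#", 1)[0].strip()             # drop comments
        pending = line[:-1] + " " if line.endswith("\\") else ""  # trailing "\" continues the rule
        if pending or not line or line.startswith("@include"):    # Debian include: not a module call
            continue
        mtype, rest = (line.split(None, 1) + ["", ""])[:2]
        if rest.startswith("["):                 # bracketed control flag may contain spaces
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            control, rest = (rest.split(None, 1) + ["", ""])[:2]
        fields = rest.split()
        kind = mtype.lstrip("-")   # a leading "-" only silences the log entry for a missing module
        if kind not in MODULE_TYPES:
            problems.append((lineno, "unknown module type %r" % mtype))
        elif not control or not fields:
            problems.append((lineno, "missing control flag or module path"))
        else:
            rules.append(PamRule(lineno, kind, control, fields[0], fields[1:]))
    return rules, problems   # lineno is the line on which a (possibly continued) rule ends

def modules_outside(rules, trusted_dirs=("/lib/security/",)):
    """Rules whose absolute module path is not under trusted_dirs (bare names use the default dir)."""
    return [r for r in rules if r.module.startswith("/")
            and not os.path.normpath(r.module).startswith(tuple(trusted_dirs))]

# Constructed sample service file (not from the page); the /opt path and "sesion" typo are deliberate.
SAMPLE = r"""#%PAM-1.0
auth       required     pam_unix.so nullok
account    required     pam_unix.so
password   required     pam_unix.so shadow nullok \
                        use_authtok
session    optional     /opt/vendor/pam_custom.so
sesion     required     pam_unix.so
"""

if __name__ == "__main__":
    rules, problems = parse_pam_config(SAMPLE)
    print(*rules, sep="\n")
    print("malformed:", problems)
    print("review module paths:", [r.module for r in modules_outside(rules)])
```

On systems that keep modules in a different directory, pass that directory in trusted_dirs.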
