Abstract
Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
System administrators and programmers often want to restrict access to certain parts of the system or to limit the use of certain functions of an application. Without PAM, applications must be adapted every time a new authentication mechanism, such as LDAP, Samba, or Kerberos, is introduced. This process, however, is rather time-consuming and error-prone. One way to avoid these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules. Whenever a new authentication scheme is required, it is sufficient to adapt or write a suitable PAM module for use by the program in question.
The PAM concept consists of:
- PAM modules are a set of shared libraries for a specific authentication mechanism.
- A module stack consists of one or more PAM modules.
- A PAM-aware service is an application which needs authentication by using a module stack or PAM modules. Usually a service is the familiar name of the corresponding application, like login or su. The service name other is a reserved word for default rules.
- The execution of a single PAM module can be influenced by several module arguments.
- Each result of a single PAM module execution is evaluated. A positive result means the next PAM module is executed; how a negative result is handled depends on the configuration, which can range from “no influence, proceed” to “terminate immediately” and anything in between.
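As an added example (not code from this manual or from Linux-PAM), the following toy model shows how a module stack is evaluated, using the standard Linux-PAM control flags required, requisite, sufficient and optional as the spectrum from “no influence, proceed” to “terminate immediately”; the control flags are not introduced on this page, and the module stand-ins, the user table and the `run_stack` function are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7      # return codes as defined by Linux-PAM

# Constructed stand-ins for real modules (not the actual pam_unix/pam_permit/pam_deny).
USERS = {"alice": "s3cret", "guest": ""}   # constructed user table

def unix_like(ctx: dict, *args: str) -> int:
    """Toy pam_unix: check the password; the 'nullok' argument allows empty ones."""
    pw = USERS.get(ctx["user"])
    if pw is None or (pw == "" and "nullok" not in args):
        return PAM_AUTH_ERR
    return PAM_SUCCESS if ctx["password"] == pw else PAM_AUTH_ERR

permit = lambda ctx, *args: PAM_SUCCESS   # toy pam_permit: always succeeds
deny = lambda ctx, *args: PAM_AUTH_ERR    # toy pam_deny: always fails

@dataclass
class Entry:
    control: str                 # required | requisite | sufficient | optional
    module: Callable[..., int]
    args: Tuple[str, ...] = ()   # module arguments, e.g. ("nullok",)

def run_stack(stack: List[Entry], ctx: dict) -> int:
    """Evaluate one module stack with Linux-PAM's simple control-flag rules."""
    failure = None               # first required/requisite failure, if any
    for entry in stack:
        rc = entry.module(ctx, *entry.args)
        ok = rc == PAM_SUCCESS
        if entry.control == "required":
            if not ok and failure is None:
                failure = rc     # remember it, but keep running the stack
        elif entry.control == "requisite":
            if not ok:           # terminate immediately
                return failure if failure is not None else rc
        elif entry.control == "sufficient":
            if ok and failure is None:
                return PAM_SUCCESS   # enough; remaining modules are skipped
            # a failing sufficient module has no influence on the result
        elif entry.control == "optional":
            if len(stack) == 1:  # only decisive when it is the sole module
                return rc
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if failure is not None:
        return failure
    return PAM_SUCCESS if stack else PAM_AUTH_ERR   # empty stack: deny (assumed)
```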