PAM Authentication
Posted 06-25-2009 at 12:55 AM by vap16oct1984
PAM - Pluggable Authentication Modules for Linux
Linux-PAM is a system of libraries that handle the authentication tasks
of applications (services) on the system. The library provides a stable
general interface (Application Programming Interface - API) that
privilege-granting programs (such as login(1) and su(1)) defer to in
order to perform standard authentication tasks.
Linux-PAM separates the tasks of authentication into four independent
management groups: account management; authentication management;
password management; and session management. (We highlight the
abbreviations used for these groups in the configuration file.)
Simply put, these groups take care of different aspects of a typical
user's request for a restricted service:
account - provide account verification types of service: has the user's
password expired?; is this user permitted access to the requested
service?
authentication - establish the user is who they claim to be. Typically
this is via some challenge-response request that the user must satisfy:
if you are who you claim to be please enter your password. Not all
authentications are of this type: there exist hardware-based
authentication schemes (such as the use of smart-cards and biometric
devices); with suitable modules, these may be substituted seamlessly for
more standard approaches to authentication - such is the flexibility of
Linux-PAM.
password - this group's responsibility is the task of updating
authentication mechanisms. Typically, such services are strongly coupled
to those of the auth group. Some authentication mechanisms lend
themselves well to being updated with such a function. Standard UN*X
password-based access is the obvious example: please enter a replacement
password.
session - this group of tasks covers things that should be done prior to
a service being given and after it is withdrawn. Such tasks include the
maintenance of audit trails and the mounting of the user's home
directory. The session management group is important as it provides both
an opening and closing hook for modules to affect the services available
to a user.
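As an added example (not part of the original post or of Linux-PAM itself), the Python below parses a service file in /etc/pam.d syntax, sorts its rules into the four management groups by their configuration keywords (account, auth, password, session), and reports groups with no rules plus one risky option. The sample file contents and the names parse_stack and review are constructed for illustration.

```python
import re

GROUPS = ("account", "auth", "password", "session")

# Constructed sample in /etc/pam.d/<service> syntax; not from a real system.
SAMPLE = """\
# type    control                      module           arguments
auth      required                     pam_env.so
auth      [success=1 default=ignore]   pam_unix.so      nullok
auth      requisite                    pam_deny.so
auth      required                     pam_permit.so
account   required                     pam_nologin.so
account   required                     pam_unix.so
-session  optional                     pam_systemd.so
session   required                     pam_loginuid.so
session   required                     pam_unix.so
"""

# [-]type  control (word or [value=action ...])  module  [arguments]
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return {group: [(control, module, args), ...]} for one service file."""
    stacks = {g: [] for g in GROUPS}
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line or line.startswith("@include"):
            continue  # Debian-style includes are skipped, not followed
        m = RULE.match(line)
        if not m or m.group(2) not in GROUPS:
            raise ValueError(f"unrecognised rule: {raw!r}")
        _, group, control, module, args = m.groups()
        stacks[group].append((control, module, args.split()))
    return stacks

def review(stacks):
    """List groups this file leaves unconfigured and flag empty-password logins."""
    findings = [f"no '{g}' rules in this file" for g in GROUPS if not stacks[g]]
    for control, module, args in stacks["auth"]:
        if module == "pam_unix.so" and "nullok" in args:
            findings.append("auth: pam_unix.so nullok accepts empty passwords")
    return findings

if __name__ == "__main__":
    for finding in review(parse_stack(SAMPLE)):
        print(finding)
```

Because @include lines are skipped, a group reported as missing may still be supplied by an included file.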