PAM

Features

Independent authentication protocols/mechanisms.

  • Linux password, S/Key, smartcards, biometrics, etc.

  • One module per protocol/mechanism.

Orchestration of protocols/mechanisms.

  • Alone or combined.

  • AND and OR combinations.

  • Application-independent.

Several interface approaches.

  • Input from text consoles or graphical windows.

  • Access to special devices (smart-cards, biometric readers, etc.).

Modular and extensible architecture.

  • Dynamic loading of required modules.

  • Handling of several actions besides authentication.

    • Password management.

    • Accounting management.

    • Session management.

Default orchestration per host.

  • Defined by the administrator.

    • Username/password, biometrics, smart-cards, etc.

Application-specific orchestrations.

  • Each application can use a unique orchestration.

Classic Unix authentication

Requested input: username + password.

Validation

  • An active account for username.

    • Entry with the username in the /etc/passwd file.

  • Transformed password for that username.

    • Entry with the username in the /etc/shadow file.

  • Transformation of the provided password with the function and the salt used for that username.

  • Comparison with the stored transformation.

Obtained credentials

  • UID + GID [+ list of secondary GIDs]

  • New process descriptor (login shell)

Architecture

Actions

  • Authentication (auth).

    • Identity verification.

  • Account Management (account).

    • Enforcement of access policies based on account properties.

  • Password Management (password).

    • Management of authentication credentials.

  • Session Management (session).

    • Verification of operational parameters.

    • Setup of session parameters.

      • max memory, max file descriptors, graphical interface configuration, ...

Modules

Dynamically loaded (shared libraries).

  • /lib/security/pam_*.so

  • /lib/x86_64-linux-gnu/security/pam_*.so

Standard API.

  • Functions provided by each module in use.

    • C interfaces.

    • Python wrapper exists.

  • The decision is conveyed by the return code.

    • PAM_SUCCESS

    • PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL, etc…

  • Not all functions need to be implemented.

    • A module does not need to implement all 4 actions.

Orchestration files

Typically, one per PAM client application.

  • e.g. /etc/pam.d/ftp or /etc/pam.d/ssh

  • Can use shared files: /etc/pam.d/common-auth

Specify how the actions should be applied.

  • Their mechanisms (modules).

  • Their parameters.

  • Their termination, with or without success.
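As an added illustration (not code from the slides or from Linux-PAM itself), the following Python evaluates one orchestration stack the way the AND/OR combinations above describe: it parses a constructed /etc/pam.d-style fragment, then combines simulated per-module return codes under the pam.conf(5) control keywords required, requisite, sufficient and optional. Module names ending in _placeholder.so and all verdicts are constructed; no real module is loaded.

```python
"""PAM-style stack evaluator: added example, not code from the slides or from
Linux-PAM. The config text, module names (pam_*_placeholder.so) and verdicts
are constructed; no real module is loaded. Control-flag semantics follow
pam.conf(5) for required / requisite / sufficient / optional (simplified)."""

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7          # numeric value as defined in Linux-PAM's headers

# Constructed /etc/pam.d/<service> fragment: "action control module [args]".
# Smart card alone suffices (OR); otherwise the password module is required (AND).
CONFIG = """
# stop at once if logins are disabled
auth  requisite   pam_nologin_placeholder.so
auth  sufficient  pam_smartcard_placeholder.so
auth  required    pam_unix_placeholder.so  try_first_pass
auth  optional    pam_audit_placeholder.so
"""

def parse_stack(text, action):
    """Return [(control, module, args)] for one action type (auth, account, ...)."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # strip comments, tokenize
        if fields and fields[0] == action:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, verdicts):
    """Combine per-module return codes; verdicts maps module -> code it returned."""
    pending = None                     # first failure of a 'required' module, if any
    for control, module, _args in stack:
        rc = verdicts.get(module, PAM_AUTH_ERR)   # unlisted module counts as failing
        ok = rc == PAM_SUCCESS
        if control == "requisite" and not ok:
            return rc                               # terminate at once, without success
        if control == "required" and not ok and pending is None:
            pending = rc                            # AND: remember, but run the rest
        if control == "sufficient" and ok and pending is None:
            return PAM_SUCCESS                      # OR: terminate at once, with success
        if control == "optional" and len(stack) == 1:
            pending = None if ok else rc            # only decisive when it stands alone
    return PAM_SUCCESS if pending is None else pending

def demo():
    """Four constructed scenarios against the stack above."""
    stack = parse_stack(CONFIG, "auth")
    nologin_ok = {"pam_nologin_placeholder.so": PAM_SUCCESS}
    card = dict(nologin_ok, **{"pam_smartcard_placeholder.so": PAM_SUCCESS})
    password = dict(nologin_ok, **{"pam_unix_placeholder.so": PAM_SUCCESS})
    wrong_pw = nologin_ok                           # neither card nor valid password
    disabled = {"pam_nologin_placeholder.so": PAM_AUTH_ERR,
                "pam_smartcard_placeholder.so": PAM_SUCCESS}
    return [evaluate(stack, v) for v in (card, password, wrong_pw, disabled)]
```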

Each module uses a particular set of resources.

  • Local files.

    • /etc/passwd, /etc/shadow, /etc/group, etc.

  • Information distributed or located on remote servers.

    • NIS, Kerberos, LDAP, etc.

Detailed Architecture
