PAM
Features
Independent authentication protocols/mechanisms.
Linux password, S/Key, smartcards, biometrics, etc.
One module per protocol/mechanism.
Orchestration of protocols/mechanisms.
Alone or combined.
AND and OR combinations.
Application-independent.
Several interface approaches.
Input from text consoles or graphical windows.
Access to special devices (smart-cards, biometric readers, etc.).
Modular and extensible architecture.
Dynamic loading of required modules.
Handling of several actions besides authentication.
Password management.
Accounting management.
Session management.
Default orchestration per host.
Defined by the administrator.
Username/password, biometrics, smart-cards, etc.
Application-specific orchestrations.
Each application can use a unique orchestration.
Classic Unix authentication
Requested input: username + password.
Validation
An active account for username.
Entry with the username in the /etc/passwd file.
Transformed password for that username.
Entry with the username in the /etc/shadow file.
Transformation of the provided password with the function and the salt used for that username.
Comparison with the stored transformation.
Obtained credentials
UID + GID [+ list of secondary GIDs]
New process descriptor (login shell)
Architecture
Actions
Authentication (auth).
Identity verification.
Account Management (account).
Enforcement of access policies based on account properties.
Password Management (password).
Management of authentication credentials.
Session Management (session).
Verification of operational parameters.
Setup of session parameters.
max memory, max file descriptors, graphical interface configuration, ...
Modules
Dynamically loaded (shared libraries).
/lib/security/pam_*.so
/lib/x86_64-linux-gnu/security/pam_*.so
Standard API.
The functions a module provides are the ones the framework calls.
C interfaces.
A Python wrapper exists.
The decision is conveyed by the return code.
PAM_SUCCESS
PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL, etc.
Not all functions need to be implemented.
A module does not need to implement all 4 actions.
Orchestration files
Typically, one per PAM client application.
e.g. /etc/pam.d/ftp or /etc/pam.d/ssh
Can use shared files:
/etc/pam.d/common-auth
Specify how the actions should be applied.
Their mechanisms (modules).
Their parameters.
Their termination, with or without success.
Each module uses a particular set of resources.
Local files.
/etc/passwd, /etc/shadow, /etc/group, etc.
Distributed information or located in remote servers.
NIS, Kerberos, LDAP, etc.
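Added example (not part of the original slides): a small simulator of how libpam walks one orchestration file and combines the return codes of the dynamically loaded modules, so the AND/OR combinations above become concrete. The "sufficient" flag gives the OR (smart card alone is enough), "required"/"requisite" give the AND, and "optional" only counts when nothing else decides. The stack is a constructed /etc/pam.d-style fragment; pam_smartcard.so is a hypothetical module name, the other module names are real ones.

```python
"""Simulate how libpam combines module results in an orchestration file."""
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7   # Linux-PAM return codes

# Constructed /etc/pam.d-style stack for the "auth" action: smart card OR
# Unix password, i.e. a sufficient (OR) module followed by required (AND) ones.
# pam_smartcard.so is a hypothetical module name; the others are real modules.
ORCHESTRATION = """\
# type   control     module            arguments
auth     sufficient  pam_smartcard.so
auth     requisite   pam_nologin.so
auth     required    pam_unix.so       nullok
auth     optional    pam_faildelay.so  delay=2000000
"""

def parse_stack(text, action):
    """Return [(control, module, args)] for one action type, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == action:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_stack(stack, results):
    """Walk the stack; `results` maps module name -> code its pam_sm_* returns.
    Returns (final code, list of modules actually called)."""
    failure = None      # first required/requisite failure, reported at the end
    decided = None      # PAM_SUCCESS once a required/requisite/optional module passed
    called = []
    for control, module, _args in stack:
        code = results.get(module, PAM_AUTH_ERR)   # no entry: the module fails
        called.append(module)
        ok = code == PAM_SUCCESS
        if control == "requisite" and not ok:
            return code, called                    # abort the stack immediately
        if control in ("required", "requisite"):
            if ok:
                decided = PAM_SUCCESS
            elif failure is None:
                failure = code                     # remember it, but keep calling modules
        elif control == "sufficient":
            if ok and failure is None:
                return PAM_SUCCESS, called         # OR: nothing further is needed
        elif control == "optional":
            if ok:
                decided = PAM_SUCCESS              # only matters if nothing else decides
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if failure is not None:
        return failure, called
    return (decided if decided is not None else PAM_PERM_DENIED), called

def authenticate(results, action="auth"):
    return run_stack(parse_stack(ORCHESTRATION, action), results)
```

Note that a "required" failure does not stop the walk: the remaining modules still run, so a caller cannot tell from timing which module rejected the request.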
Detailed Architecture