Table of Contents
Advertisement
24
Authentication with PAM
Linux uses PAM (pluggable authentication modules) in the authentication process as
a layer that mediates between user and application. PAM modules are available on a
systemwide basis, so they can be requested by any application. This chapter describes
how the modular authentication mechanism works and how it is configured.
System administrators and programmers often want to restrict access to certain parts
of the system or to limit the use of certain functions of an application. Without PAM,
applications must be adapted every time a new authentication mechanism, such as
LDAP, Samba or, Kerberos, is introduced. This process, however, is rather time-con-
suming and error-prone. One way to avoid these drawbacks is to separate applications
from the authentication mechanism and delegate authentication to centrally managed
modules. Whenever a newly required authentication scheme is needed, it is sufficient
to adapt or write a suitable PAM module for use by the program in question.
Every program that relies on the PAM mechanism has its own configuration file in the
directory /etc/pam.d/programname. These files define the PAM modules used
for authentication. In addition, there are global configuration files for PAM modules
under /etc/security, which define the exact behavior of these modules (examples
include pam_env.conf, pam_pwcheck.conf, pam_unix2.conf, and time
.conf). Every application that uses a PAM module actually calls a set of PAM func-
tions, which then process the information in the various configuration files and return
the result to the calling application.
Authentication with PAM
495
Advertisement
Table of Contents
Troubleshooting
