PAM Documentation

Pluggable Authentication Modules (PAM) enables the implementation of authentication mechanisms separate from the invocation of those mechanisms in programs.

With PAM, authentication mechanisms are implemented by dynamically linked shared libraries called PAM modules. Many PAM modules are publicly available, covering a range of authentication schemes including standard UNIX System username/password authentication, Kerberos, and .rhosts-based authentication.

UnixWare PAM is based on an open-source version of PAM known as Linux-PAM. This document describes the UnixWare-specific details of the PAM implementation, and points to the Linux-PAM documentation for the generic descriptions of PAM features.

PAM Concepts

In many UNIX System programs and utilities, such as login, much of the code used to authenticate the identity of the person calling the program is specific to the authentication method, and may require detailed knowledge of other subsystems as well that are related to authentication management. The main goal of PAM is to allow use of the following groups of authentication and authentication-related management functions from an application without detailed knowledge of the underlying authentication scheme:

Authentication management
authenticates users and also provides information about users to the application
Account management
establishes whether an authenticated user is permitted to gain access, e.g., by checking that the user name and/or password have not expired
Session management
performs any tasks required at initialization and termination of a session
Password management
sets or changes the user's authentication data

With PAM, these management functions are performed from PAM modules. This allows an administrator to dyamically configure authentication schemes for all PAM-enabled system utilities and applications by adding and removing PAM modules on the running system.

The four management groups shown above also provide the basis for configuring PAM. Each PAM-enabled program requires authentication tasks from one or more of these groups. The PAM configuration files specify which groups are required by each PAM-enabled application, and which PAM modules are to be invoked for each group within each application. The administrator can easily customize system authentication schemes by specifying alternate PAM module(s) to be invoked for particular applications.

Programs that use PAM to perform authentication are said to be PAM-enabled. PAM-enabled programs can be third party applications such as samba, as well as standard system utilities and services such as login, passwd, and rlogind.

PAM-enabled programs perform authentication-related tasks not by calling PAM modules directly, but rather by calling routines provided by the PAM libraries. Note that this separation of PAM modules from PAM-enabled commands means that once an application is coded to use PAM, it can be configured to use different authentication mechanisms without any changes being made to it.

Configuration and management of PAM modules is described in the PAM System Administrator's Guide. See Default PAM Configuration for the list of PAM modules implemented in the PAM libraries on UnixWare.

PAM Libraries

The PAM libraries provide entry points used by both PAM-enabled applications as well as PAM modules. Many library routines, in turn, invoke PAM modules to perform the tasks requested by calling applications. The library determines which PAM module(s) to invoke by reading the PAM configuration file for the calling application.

The primary PAM library is libpam. Two smaller libraries, libpam_misc and libpamc, contain a few infrequently used routines required by some applications and modules.

The PAM libraries and functions are described in the PAM Module Writer's Guide and the PAM Application Developer's Guide.

Stacking PAM Modules

Part of the power of PAM lies in the ability to combine, or, in PAM terminology, stack, PAM authentication modules for a given task. For example, on a system in which rlogind has been PAM-enabled, the administrator can stack the standard UNIX authentication module with an rhosts-based authentication module to implement traditional rlogin-style authentication. The administrator can also choose to remove the rhosts-style authentication module from the stack, disallowing rhosts authentication, or can combine the first two modules with a third module to allow rhosts authentication only for non-root users.

Stacking also allows PAM modules to become highly modular and reusable. For example, the module cracklib performs a variety of checks on a user's requested password, such as ensuring that the new password differs sufficiently from his/her previous password. An administrator can enforce these checks by stacking cracklib with any password-based authentication module, such as standard UNIX authentication or NIS authentication. The password-based authentication modules, in turn, need not include the checks implemented by cracklib. Furthermore, to implement additional password checks, the administrator can implement a PAM module to perform these extra checks and stack that along with cracklib and the standard authentication module.

Default PAM Configuration

The following PAM modules are implemented in the PAM libraries on UnixWare: Their functions and arguments are the same as documented in the PAM System Administrator's Guide, except as noted below.

pam_consoleConsole ModuleImplements the "CONSOLE" and "USERS" defaults feature for login. See login(4). Not implemented in Linux-PAM.
pam_denyLocking Out ModuleReturns an authentication failure.
pam_dialpassDialup Password ModuleImplements /etc/dialups, /etc/d_passwd authentication. See d_passwd(4).
pam_ftpFTP ModuleImplements Anonymoous FTP Authentication (i.e., prompts for an email password.)
pam_lastlogLast Login ModuleMaintains the /var/log/lastlog file.
pam_listfileList-File Module Denies or allows services based on an arbitrary file.
pam_mailMail Module This module looks at the user's mail directory and indicates whether the user has any mail in it.
pam_nologinNo Login ModuleIf /etc/nologin exists but is empty, the message Logins currently disabled is returned and access is denied.
pam_permitPromiscuous ModuleReturns authentication success.
pam_rhostsrhosts ModuleProvides authentication as described on rhosts(4), as used by rlogin, rsh, and similar utilities.
pam_rootokRoot Access ModuleProvides root access without requiring a password.
pam_unixUNIX Password Module

The following options are always enabled:

  • bigcrypt
  • likeauth
  • nis
  • nodelay
  • shadow

If pam_unix was not used to authenticate (e.g. rsh command), the pam_unix account management function skips all password expiration checks.

If the nullok option is not set for the account management function, and the authenticating user has no password, the module returns PAM_NEW_AUTHTOK_REQD (same as if password was expired). This is needed to implement the login PASSREQ and MANDPASS features.

pam_warnWarning Logger Module Logs information about a proposed authentication or password update.

The following system utilities and applications are PAM-enabled:

For More Information on PAM
The Linux-PAM Web Site

© Copyright 2004 The SCO Group, Inc. All rights reserved.