Overview
PAM allows the system administrator to stipulate different authentication schemes for PAM-aware applications. One can authenticate from anything as naive as simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice print and a one-time password!
Linux-PAM deals with four separate types of (management) tasks:
- authentication management
- account management
- session management
- password management
The association of the preferred management scheme with the behavior of an application is made with entries in the relevant configuration file.
Q&A
Why bother, is it really worth all the trouble?
If you are running Linux as a single-user system, or in an environment where all the users are trusted, then there is no real advantage in using PAM.
In a networked environment, it is clear that you need to think a little more about how users, etc., are authenticated:
If you are running Linux as a server, where several different services are being provided (e.g., WWW with areas restricted by password control, PPP), then there can be some real and interesting value for PAM. In particular, through the use of modules, PAM can enable a program to search through several different password databases, even if that program is not explicitly coded for that particular database. Here are some examples of the possibilities that this enables.
- Apache has a module that provides PAM services. Now authentication to use particular directories can be conducted by PAM, which means that the range of modules that are available to PAM can be used, including RADIUS, NIS, NCP (which means that Novell password databases can be used).
- pppd has a PAMified version (available from Red Hat). Now it is possible to use a series of databases to authenticate ppp users. In addition to the normal Linux-based password databases (such as /etc/passwd and /etc/shadow), you can use PAM modules to authenticate against Novell password databases or NT-based password databases.
- The preceding two examples can be combined. Imagine that the persons in your office/department are already registered with a username and password in a Novell or NT LAN. If you wanted to use this database on your Linux server (for PPP access, for web access, or even for normal shell access), you can use PAM to authenticate against this existing database, rather than maintain a separate database on both Linux and the LAN server.
Can I use PAM for any program that requires authentication?
Yes and no. Yes, if you have access to the source code, and can add the appropriate PAM functions. No, if you do not have access to the source code, and the binary does not have the PAM functions included.
In other words, if a program is going to use PAM, then it has to have PAM functions explicitly coded into the program. If they are not, then it is not possible to use PAM.
How can I tell whether a program has PAM coded into it or not?
A quick-and-dirty (but not always reliable) method is to run ldd <programname>. If libpam and libpam_misc are not among the libraries that the program uses, then it is not going to work with PAM. However, it is possible that the libraries are included but there are still problems, because the PAM coding in the program does not work as it should. So a more reliable method is to perform the following tests.
In the /etc/pam.d directory, one needs to make a configuration file for the program that one wants to run. The exact name of the configuration file is hard-coded into the program. Usually, it is the same name as the program, but not always. For sake of illustration, let's assume that the program is named "pamprog" and the name of the configuration file is /etc/pam.d/pamprog.
In /etc/pam.d/pamprog put the following two lines:
auth required pam_permit.so
auth required pam_warn.so
Now try to use pamprog. The first line in the configuration file says that all users are permitted. The second line will write a warning to your syslog file (or wherever your syslog is writing messages). If this test succeeds, then you know that you have a program that understands PAM, and you can start the more interesting work of deciding how to stack modules in your /etc/pam.d/pamprog file.
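The two checks just described (the ldd inspection and the permit-plus-warn service file), together with a skeleton covering the four management types listed in the overview, as an added shell example that is not part of the original text. The ldd helper reads ldd's output from standard input so it can be exercised on constructed text; the config writers take a target directory, defaulting to a scratch directory rather than the real /etc/pam.d, and the service name "pamprog" and the use of pam_unix.so in the skeleton are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for checking whether a
# program is built against PAM and for writing diagnostic service files.

# Print the PAM libraries named in ldd output read from stdin (libpam.so,
# libpam_misc.so), one per line; prints nothing if neither appears.
pam_libs_in_ldd() {
    grep -oE 'libpam(_misc)?\.so[.0-9]*' | sort -u
}

# Return 0 if the ldd output on stdin mentions libpam.so, 1 otherwise.
ldd_lists_pam() {
    pam_libs_in_ldd | grep -q '^libpam\.so'
}

# Run ldd on a real binary and report. Usage: check_pam_linkage /usr/sbin/pamprog
# Exit 2 if the program is not found, 1 if libpam is absent, 0 if present.
check_pam_linkage() {
    prog=$1
    if [ ! -x "$prog" ]; then
        echo "not found or not executable: $prog" >&2
        return 2
    fi
    if ldd "$prog" | ldd_lists_pam; then
        echo "$prog links libpam (may be PAM-aware; run the service-file test next)"
        return 0
    fi
    echo "$prog does not link libpam (it will not use PAM)"
    return 1
}

# Write the two-line diagnostic service file from the text: permit every
# authentication, then log a warning via pam_warn so syslog shows the call.
# Usage: write_test_config pamprog [dir]   (dir defaults to a scratch path)
write_test_config() {
    service=$1
    dir=${2:-/tmp/pam.d-test}
    mkdir -p "$dir"
    printf '%s\n' \
        'auth required pam_permit.so' \
        'auth required pam_warn.so' > "$dir/$service"
    echo "$dir/$service"
}

# Skeleton naming all four management types PAM distinguishes (auth, account,
# password, session), each delegated to pam_unix.so (assumed here as the
# standard Unix password module); a starting point for stacking modules.
write_skeleton_config() {
    service=$1
    dir=${2:-/tmp/pam.d-test}
    mkdir -p "$dir"
    printf '%s\n' \
        'auth      required pam_unix.so' \
        'account   required pam_unix.so' \
        'password  required pam_unix.so' \
        'session   required pam_unix.so' > "$dir/$service"
    echo "$dir/$service"
}
```

Point check_pam_linkage at the real binary and, only once it reports libpam, copy the file produced by write_test_config into /etc/pam.d under the name the program has hard-coded; the permit-everything line is a diagnostic, so replace it with the skeleton (or your real stack) as soon as the syslog warning confirms the program talks to PAM.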
Author: Michael Pareene