Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers

By: Kenneth Geisshirt

Overview of this book

PAM-aware applications reduce the complexity of authentication. With PAM you can use the same user database for every login process. PAM also supports different authentication processes as required. Moreover, PAM is a well-defined API, and PAM-aware applications will not break if you change the underlying authentication configuration.

The PAM framework is widely used by most Linux distributions for authentication purposes. Originating from Solaris 2.6 ten years ago, PAM is used today by most proprietary and free UNIX operating systems including GNU/Linux, FreeBSD, and Solaris, following both the design concept and the practical details. PAM is thus a unifying technology for authentication mechanisms in UNIX.

PAM is a modular and flexible authentication management layer that sits between Linux applications and the native underlying authentication system. PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.

Services


Applications that require authentication register with PAM under a service name. The application determines the service name in its initial call to the PAM library during the authentication process, which is a call to the library function pam_start. Only rarely can the user set the name in a configuration file. The Linux box has the following services:

pamela@pamela:~$ ls /etc/pam.d/
atd             common-auth      groupadd  other   useradd
charge          common-pammount  groupdel  passwd  userdel
chfn            common-password  groupmod  ppp     usermod
chsh            common-session   login     su
common-account  cron             newusers  sudo

Apart from the files whose names begin with common, each file represents a service. If the /etc/pam.d directory exists, PAM uses the configuration file named after the service. If PAM is instead configured through the single file /etc/pam.conf, the service name is written in the first column of that file:

login auth   required...
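
The first-column lookup described above, as an added example that is not code from the book or from the PAM library: it selects the rules for a service from a buffer in /etc/pam.conf layout and reports which entry actually governs a service that has no rules of its own. The names count_rules, effective_service and SAMPLE_CONF are hypothetical, the sample rules are constructed, and the fallback to the "other" entry is Linux-PAM behaviour assumed here rather than stated in this section.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/pam.conf layout: service type control module.
   The rules and module choices are illustrative, not taken from the book. */
static const char SAMPLE_CONF[] =
    "# service  type     control   module\n"
    "login      auth     required  pam_unix.so\n"
    "login      account  required  pam_unix.so\n"
    "su         auth     required  pam_unix.so\n"
    "sudo       auth     required  pam_unix.so\n"
    "other      auth     required  pam_deny.so\n";

/* Count the rules whose first column is exactly `service`.
   Comment lines are skipped, and "su" must not match "sudo". */
int count_rules(const char *conf, const char *service)
{
    int n = 0;
    size_t slen = strlen(service);
    for (const char *line = conf; *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && (*p == ' ' || *p == '\t')) p++;
        size_t rest = (size_t)(line + len - p);
        if (rest > slen && *p != '#' && strncmp(p, service, slen) == 0 &&
            (p[slen] == ' ' || p[slen] == '\t'))
            n++;
        line += len + (end ? 1 : 0);
    }
    return n;
}

/* Assumed fallback: a service without its own rules uses the "other" entry. */
const char *effective_service(const char *conf, const char *service)
{
    return count_rules(conf, service) > 0 ? service : "other";
}

int main(void)
{
    const char *names[] = { "login", "su", "sshd" };
    for (int i = 0; i < 3; i++) {
        const char *eff = effective_service(SAMPLE_CONF, names[i]);
        printf("%-6s -> %-6s (%d rules)\n", names[i], eff,
               count_rules(SAMPLE_CONF, eff));
    }
    return 0;
}
```

Running the same check against a real configuration shows which PAM-aware applications have no stack of their own and therefore depend on how strict the fallback entry is.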