
Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers

By: Kenneth Geisshirt

Overview of this book

PAM-aware applications reduce the complexity of authentication. With PAM you can use the same user database for every login process. PAM also supports different authentication processes as required. Moreover, PAM is a well-defined API, and PAM-aware applications will not break if you change the underlying authentication configuration.

The PAM framework is widely used by most Linux distributions for authentication purposes. Originating from Solaris 2.6 ten years ago, PAM is used today by most proprietary and free UNIX operating systems including GNU/Linux, FreeBSD, and Solaris, following both the design concept and the practical details. PAM is thus a unifying technology for authentication mechanisms in UNIX.

PAM is a modular and flexible authentication management layer that sits between Linux applications and the native underlying authentication system. PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.
Table of Contents (13 chapters)

Control Flags


The primitive view of the stack discussed in the previous section is that a module can either return OK/success or not-OK/failure. Some answers are more important than others, and the control flags can change the flow and how decisions are made. The control flags are listed in the second or third column in the configuration file depending on whether the /etc/pam.d or /etc/pam.conf style of configuration is used.

The sections below cover these control flags:

  • Requisite

  • Required

  • Sufficient

  • Optional

Solaris in particular (version 8 and later) has a much richer set of control flags.

Requisite

The requisite flag is probably the strongest of the flags. If a module is flagged as requisite, and it fails (returns not-OK), PAM will return to the calling application instantly and report the failure.

Required

The return code for a required module is stored. In the case of failure, execution is not stopped but continues to the next module. When the stack of modules has been...
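The difference between requisite and required described above, as an added example (not code from the book or from any PAM implementation): a small C model of how a stack is walked. The handling of `sufficient` and `optional` follows documented Linux-PAM behaviour rather than this excerpt, and the stack contents are constructed.

```c
#include <stdio.h>

/* Constructed model of one stack line: control flag plus simulated module result. */
enum flag { REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL };
struct entry { enum flag flag; int ok; };

/* Returns 1 (success) or 0 (failure); *ran = number of modules invoked. */
int run_stack(const struct entry *stack, int n, int *ran)
{
    int passed = 0, failed = 0;
    for (*ran = 0; *ran < n; ) {
        const struct entry *e = &stack[(*ran)++];
        if (e->ok) {
            passed = 1;
            if (e->flag == SUFFICIENT && !failed)
                return 1;       /* success here ends the stack early */
        } else if (e->flag == REQUISITE) {
            return 0;           /* return to the application instantly */
        } else if (e->flag == REQUIRED) {
            failed = 1;         /* store the failure, keep going */
        }                       /* failed sufficient/optional: ignored */
    }
    return passed && !failed;
}

/* Constructed stack: the first module fails and carries first_flag,
 * followed by two required modules that succeed. */
int try_stack(enum flag first_flag, int *ran)
{
    struct entry stack[] = { { first_flag, 0 }, { REQUIRED, 1 }, { REQUIRED, 1 } };
    return run_stack(stack, 3, ran);
}

/* Number of modules invoked for the stack above. */
int modules_run(enum flag first_flag)
{
    int ran;
    try_stack(first_flag, &ran);
    return ran;
}

int main(void)
{
    int ran, res;
    res = try_stack(REQUISITE, &ran);
    printf("requisite fails: result=%d, modules run=%d\n", res, ran);
    res = try_stack(REQUIRED, &ran);
    printf("required fails:  result=%d, modules run=%d\n", res, ran);
    return 0;
}
```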