Chapter 2. Using Pluggable Authentication Modules (PAM)
Pluggable authentication modules are a common frmaework for authentication and security. Both of Red Hat Enterprise Linux's single sign-on methods — Kerberos and smart cards — depend on underlying PAM configuration.
Understanding and using PAM can be very beneficial for planning and implementing a secure, efficient singe sign-on solution.
Programs that grant users access to a system use authentication to verify each other's identity (that is, to establish that a user is who they say they are).
Historically, each program had its own way of authenticating users. In Red Hat Enterprise Linux, many programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules
PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system. PAM is a useful system for developers and administrators for several reasons:
A common authentication scheme that can be used with a wide variety of applications.
Significant flexibility and control over authentication for both system administrators and application developers.
A single, fully-documented library which allows developers to write programs without having to create their own authentication schemes.
PAM has an extensive documentation set with much more detail about both using PAM and writing modules to extend or integrate PAM with other applications. Almost all of the major modules and configuration files with PAM have their own manpages. Additionally, the
/usr/share/doc/pam-version# directory contains a System Administrators' Guide, a Module Writers' Manual, and the Application Developers' Manual, as well as a copy of the PAM standard, DCE-RFC 86.0.
The libraries for PAM are available at https://www.kernel.org/pub/linux/libs/pam/
. This is the primary distribution website for the Linux-PAM project, containing information on various PAM modules, an FAQ, and additional PAM documentation.