|
|
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves.
Historically an application that has required a given user to be
authenticated, has had to be compiled to use a specific authentication
mechanism. For example, in the case of traditional UN*X systems, the
identity of the user is verified by the user entering a correct
password. This password, after being prefixed by a two character
``salt'', is encrypted (with crypt(3)). The user is then authenticated
if this encrypted password is identical to the second field of the
user's entry in the system password database (the /etc/passwd
file). On such systems, most if not all forms of privileges are
granted based on this single authentication scheme. Privilege comes in
the form of a personal user-identifier (uid) and membership of
various groups. Services and applications are available based on the
personal and group identity of the user. Traditionally, group
membership has been assigned based on entries in the
/etc/group file.
Unfortunately, increases in the speed of computers and the widespread introduction of network based computing, have made once secure authentication mechanisms, such as this, vulnerable to attack. In the light of such realities, new methods of authentication are continuously being developed.
It is the purpose of the Linux-PAM project to separate the
development of privilege granting software from the development of
secure and appropriate authentication schemes. This is accomplished
by providing a library of functions that an application may use to
request that a user be authenticated. This PAM library is configured
locally with a system file, /etc/pam.conf (or a series of
configuration files located in /etc/pam.d/) to authenticate a
user request via the locally available authentication modules. The
modules themselves will usually be located in the directory
/lib/security and take the form of dynamically loadable
object files (see dlopen(3)).