23.0 Authentication with PAM
Linux uses PAM (pluggable authentication modules) in the authentication
process as a layer that mediates between user and application. PAM modules
are available on a systemwide basis, so they can be requested by any
application. This chapter describes how the modular authentication mechanism
works and how it is configured.
System administrators and programmers often want to restrict access to
certain parts of the system or to limit the use of certain functions of an
application. Without PAM, applications must be adapted
every time a new authentication mechanism, such as LDAP or SAMBA, is
introduced. This process, however, is rather time-consuming and error-prone.
One way to avoid these drawbacks is to separate applications from the
authentication mechanism and delegate authentication to centrally managed
modules. Whenever a new authentication scheme is required, it is
sufficient to adapt or write a suitable PAM module for use by the
program in question.
Every program that relies on the PAM mechanism has its own configuration file,
/etc/pam.d/programname, in the directory
/etc/pam.d. These
files define the PAM modules used for authentication. In addition, there are
global configuration files for most PAM modules under
/etc/security, which define the exact behavior of these
modules (examples include pam_env.conf,
pam_pwcheck.conf, pam_unix2.conf,
and time.conf). Every application that uses a PAM module
actually calls a set of PAM functions, which then process the information in
the various configuration files and return the result to the calling
application.
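As an added example (not part of this chapter or of the PAM project), the following Python reader parses a file in the /etc/pam.d/programname layout described above and lists the module stack per management group; it assumes the standard four-field line format (type, control, module, arguments) and works on a constructed sample file rather than a real system file.

```python
import re
# Constructed sample of an /etc/pam.d/<programname> file (not from the page).
# Lines are: <type> <control> <module> [arguments...]
SAMPLE_SERVICE_FILE = """\
#%PAM-1.0
auth      required    pam_env.so
auth      sufficient  pam_unix2.so
auth      required    pam_deny.so
account   required    pam_unix2.so
password  requisite   pam_pwcheck.so  nullok
password  required    pam_unix2.so    nullok use_first_pass \\
                                      use_authtok
session   required    pam_unix2.so
"""

# The control field is one word or a bracketed [value=action ...] list.
_ENTRY_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
MANAGEMENT_GROUPS = ("auth", "account", "password", "session")

def parse_service_file(text):
    """Return (type, control, module, args) tuples in stack order; comments are
    dropped, a trailing backslash joins lines, 'include' keeps control='include'."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        mtype, control, module, args = m.groups()
        # A leading '-' (Linux-PAM: do not log if the module is missing) is dropped.
        entries.append((mtype.lstrip("-").lower(), control, module, args.split()))
    return entries

def stack_by_group(entries):
    """Map each management group to the ordered module names in its stack."""
    stack = {group: [] for group in MANAGEMENT_GROUPS}
    for mtype, _control, module, _args in entries:
        stack.setdefault(mtype, []).append(module)
    return stack

def missing_groups(entries):
    """Management groups the file leaves undefined (no stack of its own); review these."""
    defined = {entry[0] for entry in entries}
    return [g for g in MANAGEMENT_GROUPS if g not in defined]
```

Running `stack_by_group(parse_service_file(SAMPLE_SERVICE_FILE))` shows, for each group, exactly which modules the program will call and in what order, which is the first thing to check when reviewing a service's PAM setup.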