Pluggable Authentication Modules

Pluggable authentication modules, or PAM, are a mechanism for integrating multiple low-level authentication schemes into a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme. PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source development, Linux-PAM, in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.

The pluggable nature of PAM is one reason for using dynamic linking of system binaries. However, this necessitates the availability of a recovery mechanism in case a problem develops in the linker or shared libraries; for example, both NetBSD and FreeBSD supply a [http://www.freebsd.org/cgi/man.cgi?query=rescue /rescue] directory containing statically linked versions of important system binaries.

As the XSSO standard differs from the original RFC, from the Linux and Sun APIs, and also from most other implementations, PAM implementations do not all operate in the same manner. For this and other reasons, OpenBSD has chosen to adopt BSD Authentication, an alternative authentication framework which originated from BSD/OS.
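
The separation described in the introduction, as an added example in C that is not code from the original article or from any PAM implementation: a simplified model in which the application calls one high-level function and a per-service policy table decides which schemes run. Every name in it (`authenticate`, `mod_password`, `mod_otp`, the `policy` table, the sample user and secrets) is hypothetical; real PAM applications go through libpam calls such as `pam_start` and `pam_authenticate`.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the PAM design. All names are hypothetical; this is
   not the libpam API. */
typedef const char *(*conv_fn)(const char *prompt); /* app-supplied prompt callback */
typedef int (*auth_module)(const char *user, conv_fn conv); /* 1 = ok, 0 = fail */

/* Two interchangeable low-level schemes. The secrets are constructed samples;
   a real module would check a protected credential store. */
static int mod_password(const char *user, conv_fn conv) {
    return strcmp(user, "alice") == 0 && strcmp(conv("Password: "), "s3cret") == 0;
}
static int mod_otp(const char *user, conv_fn conv) {
    return strcmp(user, "alice") == 0 && strcmp(conv("One-time code: "), "492817") == 0;
}

/* Per-service module stacks: the policy lives here, not in the application. */
struct service { const char *name; auth_module stack[3]; };
static struct service policy[] = {
    { "login", { mod_password, NULL } },
    { "sshd",  { mod_password, mod_otp, NULL } },
};

/* High-level API: every module configured for the service must succeed.
   A service with no policy entry is denied (fail closed). */
int authenticate(const char *service, const char *user, conv_fn conv) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].name, service) != 0) continue;
        int ok = 1;
        for (auth_module *m = policy[i].stack; *m; m++)
            ok &= (*m)(user, conv); /* run all modules, even after a failure */
        return ok;
    }
    return 0;
}

/* Application side: it only answers prompts and reads the verdict. */
static const char *password_only(const char *prompt) {
    return strstr(prompt, "Password") ? "s3cret" : "";
}
static const char *password_and_code(const char *prompt) {
    return strstr(prompt, "code") ? "492817" : password_only(prompt);
}

int main(void) {
    printf("login, password only: %d\n", authenticate("login", "alice", password_only));
    printf("sshd, password only:  %d\n", authenticate("sshd", "alice", password_only));
    printf("sshd, password+code:  %d\n", authenticate("sshd", "alice", password_and_code));
    return 0;
}
```

Adding the second factor to the `sshd` entry changed what that service demands without touching `authenticate` or the calling code, which is the property the API abstraction is meant to give.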

Criticisms of PAM

Despite PAM being part of the X/Open Single Sign-on (XSSO) standard, PAM on its own cannot implement Kerberos, the most common type of SSO used in Unix environments. Due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), which would allow the user to use the application without re-authenticating. pam_krb5 only fetches ticket-granting tickets, which involves prompting the user for credentials, and these are only used for initial login in an SSO environment. To fetch a service ticket for a particular application without prompting the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets.

See also

* BSD Authentication
* Identity management
* Java Authentication and Authorization Service
* Linux PAM
* Name Service Switch
* OpenPAM
* Single sign-on

External links

* [http://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The original PAM RFC]
* [http://www.kernel.org/pub/linux/libs/pam/ Linux-PAM page]
* [http://www.sun.com/software/solaris/pam/ Sun PAM page]
* [http://www.openpam.org/ OpenPAM page], a DARPA-sponsored implementation of PAM conforming to XSSO and the Solaris API, as used by FreeBSD and NetBSD
* [http://jpam.sourceforge.net/ Java-PAM bridge]
* [http://sharvil.nanavati.net/projects/ocamlpam/ OCaml-PAM bridge]
* [http://www.linux.ie/articles/pam.php PAM and password control]
* [http://www.linuxjournal.com/article/2120 Pluggable Authentication Modules for Linux]
* [http://www.informit.com/articles/article.aspx?p=20968 Making the Most of Pluggable Authentication Modules (PAM)]


Wikimedia Foundation. 2010.
