Pluggable Authentication Module

INTRODUCTION


PAM stands for Pluggable Authentication Module. PAM is a centralized API for authentication-related services and provides the authentication framework in Linux. The directory /etc/pam.d/ contains the configuration files of the services that support PAM.

The image below shows how PAM authentication works when a request comes from any service that uses PAM authentication.







PAM MODULE INTERFACES

Four types of PAM module interface are currently available. Each of them corresponds to a different aspect of the authorization process.

1) Auth : Authenticates the user and verifies the validity of the password.
2) Account : Checks whether access is allowed (account expiry, time-based login).
3) Password : Changes passwords (specifies password complexity).
4) Session : Configures and manages sessions, e.g. mounting / creating users' home directories and making the user's mailbox available.



PAM CONTROL FLAGS


All PAM modules generate a success or failure result when called. Control flags tell PAM what to do with the result. The control flag determines how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.

1) Required : Must pass for the result to be success.
2) Requisite : Must pass, otherwise no further modules are run.
3) Sufficient : Ignored if it fails.
4) Optional : Result is ignored; not mandatory. Used only when it is the only module in the interface.
5) Include : Fetches all the lines from another file.

A number of PAM modules are available. To check the details of any PAM module, use man followed by the module name, e.g.

# man pam_cracklib

The man page provides the detailed information available about that PAM module.

If a program is going to use PAM, then it has to have PAM functions explicitly coded into the program. If you have access to the source code you can add the appropriate PAM functions. If you do not have access to the source code, and the binary does not have the PAM functions included, then it is not possible to use PAM.


Q) How to disable the password while switching from a normal user to the super user?

Ans: When switching from a normal user to the super user, the /etc/pam.d/su file is referred to.
         We need to add the two lines below to that file.
         auth sufficient pam_permit.so trust use_uid
         account sufficient pam_succeed_if.so uid > 1000 use_uid quiet

        After adding the two lines above, a normal user will get access to root without a password through su.
        The pam_permit module always permits access.
        The pam_succeed_if.so module permits or denies access based on the account, i.e. uid greater than 1000.
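
When auditing a host, the effect of the first line can be checked mechanically. The added example below (not part of the original post) parses PAM rules and reports every auth rule that marks pam_permit.so as sufficient, together with the earlier auth rules that could still fail the stack. The function names and the sample stack are constructed for illustration; bracketed controls and include lines are counted as gates without being evaluated.

```python
import re

# Rule format: type control module-path [module-arguments]; "-type" is allowed.
RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", re.I)

def parse_rules(text):
    """Return (type, control, module, args) for each rule in a /etc/pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = RULE.match(line)
        if m:
            mtype, control, path, args = m.groups()
            rules.append((mtype.lower(), control.lower(),
                          path.rsplit("/", 1)[-1], args.split()))
    return rules

def find_permit_bypass(text):
    """List auth rules that make pam_permit.so 'sufficient'.

    Each finding is (rule_text, gates). gates holds the earlier auth modules
    whose control is not sufficient/optional, i.e. rules that could still fail
    the stack. An empty gates list means nothing stands in front of pam_permit,
    so the auth stack succeeds without any credential check.
    """
    findings, gates = [], []
    for mtype, control, module, args in parse_rules(text):
        if mtype != "auth":
            continue
        if module == "pam_permit.so" and control == "sufficient":
            findings.append((" ".join([mtype, control, module] + args), list(gates)))
        elif control not in ("sufficient", "optional"):
            gates.append(module)
    return findings

# Constructed sample: a su-style stack containing the two lines from the answer.
SAMPLE_SU = """\
#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     sufficient  pam_permit.so trust use_uid
account  sufficient  pam_succeed_if.so uid > 1000 use_uid quiet
auth     include     system-auth
"""

if __name__ == "__main__":
    for rule, gates in find_permit_bypass(SAMPLE_SU):
        print("FLAG:", rule, "| earlier gating modules:", gates or "none")
```

On the sample, the pam_permit.so rule is reported with no gating modules in front of it, which is the condition to alert on when reviewing /etc/pam.d/su.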
