Cyclades-TS Installation & Service Manual
APPENDIX J LINUX-PAM
Overview
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system
administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the
authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without
touching the applications themselves.
It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the
development of secure and appropriate authentication schemes. This is accomplished by providing a library of
functions that an application may use to request that a user be authenticated. This PAM library is configured
locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/) to authenticate a
user request via the locally available authentication modules. The modules themselves will usually be located in
the directory /lib/security and take the form of dynamically loadable object files.
The Linux-PAM authentication mechanism gives the system administrator the freedom to stipulate which
authentication scheme is to be used, and to set that scheme for any or all PAM-aware applications
on the Linux system. That is, the administrator can authenticate with anything from something as naive as
simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice print and a
one-time password!
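The following is an added example, not part of the original manual: a small parser for both configuration layouts described above (/etc/pam.conf, and one file per service under /etc/pam.d/) that lists every authentication rule relying on simple trust (pam_permit) so it can be reviewed. The sample rules, the service names "kiosk" and "sshd" and the function names are constructed for illustration.

```python
import posixpath

# The four management types named in the Linux-PAM configuration syntax.
MGMT_TYPES = {"auth", "account", "session", "password"}

def parse_pam(text, service=None):
    """Parse PAM rules. service=None means /etc/pam.conf layout (service is the
    first field); otherwise the text is one /etc/pam.d/<service> file."""
    rules = []
    # A backslash at end of line continues the rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        svc = service
        if service is None and fields:
            svc = fields.pop(0).lower()
        # Need type, control and module; skip anything else (e.g. @include).
        if len(fields) < 3 or fields[0].lstrip("-").lower() not in MGMT_TYPES:
            continue
        mtype = fields.pop(0).lstrip("-").lower()
        control = fields.pop(0)
        # Bracketed controls such as [success=1 default=ignore] contain spaces.
        while control.startswith("[") and "]" not in control and fields:
            control += " " + fields.pop(0)
        if not fields:
            continue
        module = posixpath.basename(fields.pop(0))  # /lib/security/x.so -> x.so
        rules.append({"service": svc, "type": mtype, "control": control,
                      "module": module, "args": fields})
    return rules

def trusting_auth_rules(rules):
    """Return (service, control) for auth rules that load pam_permit. A hit is a
    prompt to read the whole stack, not proof that the service is open."""
    return [(r["service"], r["control"]) for r in rules
            if r["type"] == "auth" and r["module"] == "pam_permit.so"]

# Constructed sample input, not taken from any real system.
SAMPLE_PAM_CONF = """\
login  auth     required    /lib/security/pam_unix.so
login  account  required    pam_unix.so
kiosk  auth     sufficient  /lib/security/pam_permit.so
kiosk  session  required    pam_permit.so
"""
SAMPLE_PAM_D = """\
auth  [success=1 default=ignore]  pam_unix.so nullok
auth  required \\
      pam_permit.so
"""

if __name__ == "__main__":
    print(trusting_auth_rules(parse_pam(SAMPLE_PAM_CONF)))
    print(trusting_auth_rules(parse_pam(SAMPLE_PAM_D, service="sshd")))
```

Only rules of type auth are reported; pam_permit in a session or account stack grants nothing by itself at login and is left out of the list.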
Linux-PAM deals with four separate types of (management) task. These are: authentication management; account
management; session management; and password management. The association of the preferred management