Pluggable Authentication Modules


Overview

PAM modules allow a sysadmin to implement various authentication policies. Desired modules are specified in config files located within the directory /etc/pam.d. The modules themselves will usually be located in the directory /lib/security and take the form of dynamically loadable object files (see dlopen(3)).

In general, you will not need to alter configuration files for your Red Hat apps. RPM automatically makes the changes necessary to do normal password authentication using PAM. If, however, you want to tighten security, you can. For example, to tighten controls on the ftp application so that users can log in only during certain hours of the day, add the pam_time.so module and the appropriate config parameters to the /etc/pam.d/ftp configuration file.

There are several things Acme needs to do vis-à-vis PAM:

  1. Identify the Red Hat apps to which we want to apply tightened security: ftp, rlogin, rsh, etc.

  2. Identify which modules we want to apply.

  3. Decide if any of our homegrown apps should be made PAM-aware, and if so, write the code necessary and re-compile the apps.
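
As an added example (not part of the original document), the script below shows the pam_time.so line described above for /etc/pam.d/ftp and checks which of the listed services already carry it in their account stack. The weekday 08:00-18:00 window, the function names and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. The time window and all function
# names are assumptions; the sample files below are constructed.

# Line added to /etc/pam.d/ftp (pam_time is an "account" module):
FTP_PAM_LINE='account    required     pam_time.so'
# Matching rule for /etc/security/time.conf, format services;ttys;users;times:
#   ftp;*;*;Wk0800-1800     (service ftp, any tty, any user, weekdays 08-18h)

# pam_has_module FILE TYPE MODULE: succeed if FILE has an active line of the
# given type loading MODULE (bare name or full path). Does not follow includes.
pam_has_module() {
    awk -v want="$2" -v mod="$3" '
        /^[ \t]*#/ || NF < 3 { next }
        {
            t = $1; sub(/^-/, "", t)          # "-type" marks an optional module
            if (t != want) next
            i = 2                             # control may be "[a=b c=d]"
            if ($2 ~ /^\[/) while (i <= NF && $i !~ /\]$/) i++
            m = $(i + 1); sub(/^.*\//, "", m) # strip /lib/security/ prefix
            if (m == mod) found = 1
        }
        END { exit !found }
    ' "$1"
}

# audit_pam_time DIR SERVICE...: report services with no pam_time account check.
audit_pam_time() {
    dir=$1; shift
    for svc in "$@"; do
        if [ ! -f "$dir/$svc" ]; then echo "$svc: no PAM config"
        elif ! pam_has_module "$dir/$svc" account pam_time.so; then
            echo "$svc: pam_time.so missing from account stack"
        fi
    done
}

# Constructed stand-in for /etc/pam.d: ftp is tightened, rlogin is not.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n%s\n' 'auth       required     pam_unix.so' "$FTP_PAM_LINE" > "$d/ftp"
    printf '%s\n' 'auth       required     pam_unix.so' \
        '#account   required     pam_time.so' > "$d/rlogin"
    echo "$d"
}

audit_pam_time "$(make_sample_dir)" ftp rlogin rsh
```

On a real host, call audit_pam_time with /etc/pam.d as the directory; services that pull their account stack in through an include line need the included file checked as well.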

 

Advantages of PAM

When used correctly, PAM provides many advantages for a system administrator, such as the following:

  1. A common authentication scheme that can be used with a wide variety of applications.

  2. PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.

  3. Great flexibility and control over authentication for the administrator and application developer.

  4. Application developers do not need to develop their program to use a particular authentication scheme. Instead, they can focus purely on the details of their program.

Author: Michael Pareene

Confidential: Acme Corporation.