Welcome to the wonderful world of PAM. PAM is an acronym for Pluggable Authentication Modules. Together with boot loaders PAM lives a quiet life—only a few specialists know and care about their existence.
PAM can do many things for you but the primary focus is to authenticate your users. Moreover, PAM lets you set up the environment the users will work in. And when the users log out, PAM will tear down the working environment in a controlled way.
The history of PAM goes back to 1995 when developers from Sun Microsystems implemented a generic framework for Solaris. When Solaris 2.6 was released in August 1997, PAM was an integrated component of the operating system. Ever since then, Solaris has been using PAM for authentication. In February 1997, the Linux-PAM project began, and most GNU/Linux distributions today are using PAM.
The official website of Linux PAM is http://www.kernel.org/pub/linux/libs/pam/, while SUN Microsystems documents the Solaris PAM at http://www.sun.com/software/solaris/pam/, and OpenPAM used by FreeBSD can be found at http://trac.des.no/openpam/. PAM implementations are based on an open standard from the Open Group named XSSO, which can be found at http://www.opengroup.org/pubs/catalog/p702.htm.
The primary operating system of this book is GNU/Linux, but PAM does exist for many operating systems. Configuration files are almost identical across Linux and UNIX operating systems—module names might differ slightly and some modules are not supported on every contemporary UNIX. This means that the examples in this book can be carried from one UNIX environment to another with minor adjustment.
The examples in the book have been tested under Ubuntu Linux 6.06 LTS or SuSE Linux Enterprise Server 9 SP2 (as VMware guests).
Before you can begin working with your computer, you have to log in. At least, this is true in the UNIX world and the corporate Windows world. In order to gain access to the computer, the installed software, and data, you have to prove who you are. This is the authentication problem (or solution, depending on your view). Typically, you have to provide two items: a user name and a password. Only if the user name exists in the user database and the password matches will you be granted access.
Traditionally, UNIX authentication is done by comparing the (encrypted) password for the user in the password file (/etc/shadow for most modern UNIX and Linux systems, and /etc/passwd in the old days), but each program that requires authentication implements its own authentication mechanism. The wilderness of authentication mechanisms becomes more visible when you add various applications that do some sort of authentication. Logging in directly to a graphical user interface requires a display manager, which must be able to validate the users. Now add services like FTP, TELNET, IMAP, SSH, and possibly a growing set of web applications, which require authentication of their users. As a system administrator you will end up spending a lot of time maintaining many user databases besides /etc/passwd. You might have a nightmare if the user databases become inconsistent; for example, a misspelled user name in one place can be difficult to find. Moreover, the users have to remember many user names and passwords.
PAM and PAM-aware applications reduce the complexity of authentication. With PAM, the system administrator can use the same user database for every login process of the system—if he or she wishes to do so. Moreover, it is possible to use more than one underlying authentication mechanism (or back end)—controlled by PAM and transparent to the users. The good news for the systems administrator is that knowledge of one UNIX operating system (one particular PAM implementation) can easily be carried over to another UNIX operating system. Learning PAM will make you a better UNIX systems administrator.
PAM has a well defined API, and PAM-aware applications will not break if the system administrator changes the underlying authentication configuration.
Furthermore, the password file does not scale. It might work with 100 users, but working with 5000 users is a completely different story. PAM can easily scale to tens of thousands depending on the chosen back end; changing the back end user database, for example, from a flat file to an LDAP server will be painful if you are not using PAM.
Application programmers can take advantage of PAM if an application requires some kind of authentication. Using PAM for authentication requires much less programming than developing a complete set of authentication functions, and the application programmer can rely on the system administrator to choose an appropriate back end to store user names and passwords.
In general, the Linux distributions, the BSD family, and Solaris come with a PAM implementation bundled with the operating system as part of the operating environment. In these cases, installation is done as you install the operating system. Slackware is one of the last PAM-free Linux distributions, and on UNIX operating systems like AIX, PAM is an add-on product.
In this section, the installation of Linux PAM on Slackware 11 is explained. Installing PAM can be dangerous since you can leave your computer in a state where you cannot log in and correct mistakes.
Linux PAM can be downloaded from its website hosted by kernel.org. Currently the 0.99.6.3 version of Linux PAM is used. The following commands download and unpack Linux PAM:
# wget http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.99.6.3.tar.gz
# tar xzf Linux-PAM-0.99.6.3.tar.gz
The source code is now located in a directory called Linux-PAM-0.99.6.3. But if you are going to use PAM, you will need PAM-aware applications. The Linux utilities package (the name of the package is linux-utils) contains a set of applications that are used for letting users log in. Downloading and unpacking this package is done by the following two commands:
# wget http://www.kernel.org/pub/linux/utils/util-linux/util-linux-2.12r.tar.gz
# tar xzf util-linux-2.12r.tar.gz
Both source code archives are 1-2 MB in size.
After you have downloaded and unpacked the files, you are ready to compile the source code.
Compiling Linux PAM is straightforward. The following sequence of commands will compile and install Linux PAM:
# cd Linux-PAM-0.99.6.3
# ./configure
# make
# make install
# cp conf/pam.conf /etc
The last command will copy a simple configuration file. Chapter 2 will explain in detail how this configuration file is written.
Turning to the linux-utils package, the compilation requires a bit more work. The source code is unpacked in the directory util-linux-2.12r. In this directory, you have to edit a file named MCONFIG. The file is a long series of configuration options for the utilities. The important option is called HAVE_PAM. In order to have the Linux utilities use PAM, set this option to YES. The line in the MCONFIG file should read:
Compilation is now done by the following commands:
The login program is used to validate the user at the console as he or she tries to log in. The last command above replaces the original version with a PAM-aware version. The next login will be authenticated by PAM. Slackware stores log messages for authentication in the file /var/log/secure, so it is possible to check whether PAM is being used by reading this file. The last few lines of /var/log/secure should be:
Dec 10 17:27:10 pamela login: pam_unix(login:session) session opened for user root by LOGIN(uid=0)
Dec 10 17:27:10 pamela login: ROOT LOGIN ON tty1
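The check just described, done in code as an added example that is not part of the book: a small Python parser over constructed lines in the /var/log/secure layout quoted above (the lines, host name and user names are made up for the example), which reports whether PAM modules appear in the log and tallies root sessions and authentication failures per user.

```python
import re
# Constructed sample of the syslog lines Slackware writes to /var/log/secure
# (assumption: same layout as the lines quoted above, plus a pam_unix auth failure).
SAMPLE_SECURE_LOG = """\
Dec 10 17:27:10 pamela login: pam_unix(login:session) session opened for user root by LOGIN(uid=0)
Dec 10 17:27:10 pamela login: ROOT LOGIN ON tty1
Dec 10 17:31:42 pamela login: pam_unix(login:auth) authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=alice
Dec 10 17:31:55 pamela login: pam_unix(login:session) session opened for user alice by LOGIN(uid=0)
Dec 10 17:40:03 pamela login: pam_unix(login:session) session closed for user alice
"""
# syslog prefix, then "<module>(<service>:<management group>) <message>"
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<group>\w+)\) (?P<msg>.*)$"
)
USER_FIELD = re.compile(r"\buser=(\S*)")  # \b stops "ruser=" from matching

def parse_pam_line(line):
    """Return a dict for a line written by a PAM module, None for any other line."""
    m = PAM_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg, words = rec["msg"], rec["msg"].split()
    rec["event"], rec["user"] = "other", ""
    if msg.startswith("session opened for user "):
        rec["event"], rec["user"] = "session_open", words[4]
    elif msg.startswith("session closed for user "):
        rec["event"], rec["user"] = "session_close", words[4]
    elif msg.startswith("authentication failure"):
        u = USER_FIELD.search(msg)
        rec["event"], rec["user"] = "auth_failure", (u.group(1) if u else "")
    return rec

def parse_secure_log(text):
    return [r for r in (parse_pam_line(l) for l in text.splitlines()) if r]

def pam_in_use(text):
    """The check the chapter describes: does the log show PAM modules at work?"""
    return bool(parse_secure_log(text))

def summarize(text):
    """What a defender wants at a glance: root sessions and failures per user."""
    summary = {"root_sessions": 0, "auth_failures": {}}
    for r in parse_secure_log(text):
        if r["event"] == "session_open" and r["user"] == "root":
            summary["root_sessions"] += 1
        elif r["event"] == "auth_failure":
            summary["auth_failures"][r["user"]] = summary["auth_failures"].get(r["user"], 0) + 1
    return summary
```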
Linux PAM is distributed with a large set of modules but you might be in the situation where you wish to use a third-party module. In Chapter 2, an example is presented. This example uses a PAM module called pam_mount. This module is not distributed with Linux PAM or any other PAM implementation.
The module is downloaded from its website (http://pam-mount.sourceforge.net). Once the module is downloaded, it is compiled and installed by the following commands:
# tar xjf pam-mount-0.18.tar.bz2
# cd pam_mount-0.18
# ./configure
# make
# make install
Fortunately, most modules can be compiled in a similar way using the following commands:
As mentioned previously, PAM is not a new framework. Today, many operating systems are using PAM for authentication, including Solaris, GNU/Linux, FreeBSD, NetBSD, Mac OS X, AIX 5L, and HP-UX 11. OpenVMS does not implement PAM but uses a similar concept called ACME, and OpenBSD does not use PAM but PAM can be added.
FreeBSD and NetBSD share the code base for PAM. In older versions of FreeBSD, Linux-PAM is used, but in newer versions (5.x and 6.x) OpenPAM is used. According to its design principles, OpenPAM tries to take the best from the PAM implementations under Solaris and GNU/Linux. The OpenPAM implementation has a limited number of modules in the default installation, but a larger set of PAM modules can be found in the ports collection (the archive of FreeBSD packages).
The situation in the Linux world is somewhat more complicated. The Linux-PAM project lives a quiet life and has just reached version 0.99 (April 2006). The major Linux distributions are using PAM, including Novell/SuSE, Red Hat, and Debian/Ubuntu. It seems that Slackware is probably the last pocket of resistance. The table below correlates the versions of the distributions and of Linux-PAM. As the table indicates, the diversity is large. The current version of Linux-PAM is 0.99.6, and it seems that the Linux distributions do not follow the advancement of Linux-PAM development, as they are using older versions. For example, Ubuntu Linux is a very popular distribution due to its frequent updates to recent versions of software. But in the case of PAM, Ubuntu 6.10 (November 2006) is using a version of Linux-PAM released in March 2005. Exceptions are SuSE Linux Enterprise Server 10 and Fedora Core 6, which use recent versions of Linux-PAM.
| Distribution | Version | PAM version | Features | Released |
|---|---|---|---|---|
| SuSE Linux Enterprise Server | 8 | 0.76 | | July 2002 |
| SuSE Linux Enterprise Server | 9 | 0.77 | Some third-party modules | September 2002 |
| SuSE Linux Enterprise Server | 9 service pack 3 | 0.77 | Some third-party modules | December 2005 |
| SuSE Linux Enterprise Server | 10 | 0.99.3 | | January 2006 |
| Red Hat Enterprise Linux | 3 update 6 | 0.75 | | April 2001 |
| Red Hat Enterprise Linux | 4 | 0.77 | | September 2002 |
| Red Hat Enterprise Linux | 4 update 4 | 0.77 | Newer build | April 2006 |
| Fedora Core | 5 | 0.78 | | November 2004 |
| Fedora Core | 6 | 0.99.6.2 | | November 2006 |
| Debian GNU/Linux | 3.1 release 2 | 0.76 | Many third-party modules | July 2002 |
| Debian GNU/Linux | 4.0 | 0.79 | Many third-party modules | Expected December 2006 |
| Ubuntu | 5.10 | 0.76 | Many third-party modules | October 2005 |
| Ubuntu | 6.06 | 0.77 | Many third-party modules | July 2006 |
| Ubuntu | 6.10 | 0.79 | Many third-party modules | November 2006 |
| Arch Linux | 0.7.1 | 0.81 | | November 2005 |
This chapter outlines the problem and the roots of complexity of authentication, and discusses how the framework of Pluggable Authentication Modules (PAM) can provide solutions and reduce the complexity. This chapter also discusses installing Linux PAM: downloading its packages as well as compiling them. A brief introduction about extra PAM modules is provided at the end.
PAM is a concept and a framework. It can be implemented in many different ways; for example, PAM for Solaris, GNU/Linux, and FreeBSD/NetBSD are implemented independently. Even among the GNU/Linux distributions we see differences due to different versions. PAM bridges the UNIX operating systems since PAM implementations are very similar. This book may be focused on GNU/Linux, but you should be able to apply the concepts to your favorite UNIX operating system.