Understanding and configuring PAM

Article Title: Understanding and configuring PAM. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

The plug-in Authentication Module (PAM) API exposes a set of functions that application programmers can use to implement security-related functions, for example, user authentication, data encryption, and LDAP. In this article, get the basic guide for using the PAM module in Linux, learn how to configure PAM, and learn how to use 10 simple steps to design a sample PAM to log on to the application.
For Linux users, securely sharing files is a troublesome task. For example, it is time-consuming to think back to multiple passwords and redesign the system to access applications (such as login, su, password, and ftp. The verification process adds this complexity. In this process, the system recognizes the user and provides access control for the user.

PAM usage history

PAM focuses on how to verify the user's API for the service. Before using PAM, applications such as login (and rlogin, telnet, and rsh) Search for the user name in/etc/passwd, then compare the two and verify the name entered by the user. All applications use these shared services, but do not share the implementation details and the permissions to configure these services.

Next, application developers try to write custom Process Code. In this process, applications and security modules need to be separated (the general security module can be shared between applications and configured as needed ).

The PAM mechanism integrates multiple low-level authentication modes into a high-level API, which allows you to write verification programs independent of the underlying Authentication mode. The main characteristics of PAM are dynamic verification configuration through the/etc/pam. d or/etc/pam. conf file.

PAM can be configured to deny user verification by some programs or give a warning when some programs attempt verification. PAM programs will use PAM modules (Verification modules): These modules can work only when they are bound to the application at runtime.

Figure 1 shows the basic process of the PAM module.

Figure 1. The PAM library parses the configuration file and loads the module into it

Which Operating Systems Support PAM?

PAM was initially developed by Sun Microsystems in 1995 and is supported by the following operating system versions (and later versions:

● RedHat 5.0
● SUSE 6.2
●Debian 2.2
● Mandrake 5.2
● Caldera 1.3
● TurboLinux 3.6
The latest version of Solaris™, AIX®HP-UX and Mac OS®X also supports PAM. PAM was later standardized to X/Open UNIX®A part of the standardized process (in the X/Open Single Sign-On Service (XSSO) architecture.

What PAM can I get?

Although there is no strict division, there are three types of PAM:

1. Linux-PAM: Linux-PAM covers all PAM discussed in this article. The main structure of PAM on any Linux platform is similar to that of Linux-PAM.
2. OpenPAM: OpenPAM is another PAM implementation developed by Dag-Erling Smorgrav of NAI lab and belongs to the DARPA-CHATS research project. Because it is open-source, it is mainly used by FreeBSD, NetBSD, and applications (plus Mac OS X.
3. Java? PAM or JPam: PAM mainly supports standard verification modules for Linux and UNIX. JPam associates the Java part with the common PAM. JPam allows Java-based applications to use PAM modules or tools (such as auth, account, passwd, session, and so on ). It provides JAAS and direct APIs and supports most Unix OS and architectures.
Although these are different PAM, their main functions are still the same.

[1] [2] [3] Next page