Developer's Guide to Oracle® Solaris 11.4 Security

Updated: November 2020
 
 

Introduction to the PAM Framework

The PAM framework consists of four parts:

  • Applications that use PAM, also referred to as PAM consumers

  • PAM framework, also referred to as the PAM library (see libpam(3LIB))

  • PAM configuration, system-wide in /etc/pam.d/ or /etc/pam.conf and on a per-user basis through pam_user_policy(7)

  • PAM service modules, also referred to as PAM service providers

The framework provides a uniform way for authentication-related activities to take place. This approach enables application developers to use PAM services without having to know the semantics of the policy. Algorithms are centrally supplied. The algorithms can be modified independently of the individual applications. With PAM, administrators can tailor the authentication process to the needs of a particular system without having to change any applications. Administrators configure PAM through the per-service files in the /etc/pam.d directory. The /etc/pam.conf file contains legacy configuration.

The following figure illustrates the PAM architecture. Applications communicate with the PAM library through the PAM application programming interface (API). PAM modules communicate with the PAM library through the PAM service provider interface (SPI). Thus, the PAM library enables applications and modules to communicate with each other.

Figure 1  PAM Architecture

[Figure: shows how the PAM library is accessed by applications and PAM service modules.]

PAM Service Modules

A PAM service module is a shared library that provides authentication and other security services to system entry applications such as login, su, and ssh.

The four types of PAM services are:

  • Authentication service modules (auth) – For granting users access to an account or service. Modules that provide this service authenticate users and set up user credentials.

  • Account management modules (account) – For determining whether the current user's account is valid. Modules that provide this service can check password or account expiration and time-restricted access.

  • Session management modules (session) – For setting up and terminating login sessions.

  • Password management modules (password) – For enforcing password strength rules and performing authentication token updates.

A PAM module can implement one or more of these services. Because the use of simple modules with well-defined tasks increases configuration flexibility, PAM services should be implemented in separate modules. The services can then be 'stacked', that is, placed in the order of execution in the PAM configuration file. See pam.conf(5).

For example, the Oracle Solaris OS provides the pam_authtok_check(7) module for system administrators to configure the site's password policy. The pam_authtok_check(7) module checks proposed passwords for various strength criteria.

For a complete list of Oracle Solaris PAM modules, see man pages section 5: Standards, Environments, and Macros. The PAM modules have the prefix pam_.

PAM Library

The PAM library, libpam(3LIB), is the central element in the PAM architecture:

  • libpam exports an API, pam(3PAM). Applications can call this API for authentication, account management, credential establishment, session management, and password changes.

  • libpam looks for the PAM configuration in /etc/pam.conf before the per-service PAM policy files in /etc/pam.d. The PAM configuration specifies the PAM module requirements for each available service and is managed by a system administrator.

  • libpam imports an SPI, pam_sm(3PAM), which is exported by the service modules.

PAM Authentication Process

As an example of how consumers use the PAM library for user authentication, consider how login authenticates a user:

  1. The login application initiates a PAM session by calling pam_start(3PAM) and by specifying the login service.

  2. The application calls pam_authenticate(3PAM), which is part of the PAM API that is exported by the PAM library, libpam(3LIB).

  3. The PAM library searches for login entries in the PAM configuration corresponding to the service module type of authentication (auth).

  4. For each module in the PAM configuration that is configured for the login service, the PAM library calls pam_sm_authenticate(3PAM). The pam_sm_authenticate() function is part of the PAM SPI. The control flag field in the PAM configuration files, combined with the results of each call to pam_sm_authenticate() for the configured modules, determines whether the user is allowed access to the system. This process is described in more detail in Configuring PAM in Managing Authentication in Oracle Solaris 11.4.

In this way, the PAM library connects PAM applications with the PAM modules that have been configured by the system administrator.
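As an added illustration of step 4, the following C program models how the library combines each module's pam_sm_authenticate() result with its control flag. It is written for this page and is neither libpam nor Oracle's code. The flags it models (requisite, required, sufficient, optional and binding) are the ones documented in pam.conf(5), but the semantics implemented here are this example's reading of that man page and should be checked against it; the module names in the first scenario are those of a default Solaris login stack, while their results, the numeric return codes and the pam_example_sso.so.1 module are constructed for the demonstration.

```c
/* Added example (not Oracle's code): a model of how libpam walks the "auth"
 * stack of one service, combining each module's pam_sm_authenticate() result
 * with its control flag.  The modules are stand-ins with a fixed result, the
 * numeric codes are the model's own, and the flag semantics are the author's
 * reading of pam.conf(5), not a copy of libpam. */
#include <stdio.h>
typedef enum {
    PAM_SUCCESS = 0,  /* the one value that is the same everywhere */
    PAM_AUTH_ERR,     /* authentication failure */
    PAM_SERVICE_ERR,  /* configuration problem */
    PAM_IGNORE        /* module asks to be left out of this decision */
} pam_rc;

typedef enum { REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL, BINDING } ctl_flag;

struct stack_entry {
    ctl_flag    flag;
    const char *module;  /* as it would appear in /etc/pam.d/login */
    pam_rc      result;  /* what pam_sm_authenticate() returns in this run */
};

/* Return what pam_authenticate() would hand back.  *consulted counts the
 * modules actually called, which shows where the walk was cut short. */
pam_rc eval_auth_stack(const struct stack_entry *s, size_t n, size_t *consulted)
{
    pam_rc req_fail = PAM_SUCCESS, opt_fail = PAM_SUCCESS;
    int have_req = 0, have_opt = 0, any_ok = 0;
    for (size_t i = 0; i < n; i++) {
        pam_rc rc = s[i].result;
        int ok = (rc == PAM_SUCCESS);
        if (consulted) *consulted = i + 1;
        if (rc == PAM_IGNORE)          /* neither success nor failure */
            continue;
        switch (s[i].flag) {
        case REQUISITE:                /* failure ends the walk immediately */
            if (!ok) return have_req ? req_fail : rc;
            any_ok = 1;
            break;
        case REQUIRED:                 /* failure is remembered; the walk goes on */
            if (ok) any_ok = 1;
            else if (!have_req) { req_fail = rc; have_req = 1; }
            break;
        case BINDING:                  /* success short-circuits; failure is required */
            if (ok) { if (!have_req) return PAM_SUCCESS; any_ok = 1; }
            else if (!have_req) { req_fail = rc; have_req = 1; }
            break;
        case SUFFICIENT:               /* success short-circuits; failure is ignored */
            if (ok) { if (!have_req) return PAM_SUCCESS; any_ok = 1; }
            break;
        case OPTIONAL:                 /* matters only if nothing else decided */
            if (ok) any_ok = 1;
            else if (!have_opt) { opt_fail = rc; have_opt = 1; }
            break;
        }
    }
    if (have_req) return req_fail;     /* first required/binding failure wins */
    if (any_ok)   return PAM_SUCCESS;
    if (have_opt) return opt_fail;     /* only optional modules, and all failed */
    return PAM_SERVICE_ERR;            /* nothing decided: fail closed (model choice) */
}

/* Constructed run: a login-style stack with a wrong password.  Every required
 * module is still consulted before the failure is reported. */
pam_rc demo_wrong_password(size_t *consulted)
{
    static const struct stack_entry login_auth[] = {
        { REQUISITE, "pam_authtok_get.so.1", PAM_SUCCESS  },
        { REQUIRED,  "pam_dhkeys.so.1",      PAM_IGNORE   },
        { REQUIRED,  "pam_unix_cred.so.1",   PAM_SUCCESS  },
        { REQUIRED,  "pam_unix_auth.so.1",   PAM_AUTH_ERR },
    };
    return eval_auth_stack(login_auth, 4, consulted);
}

/* Constructed run: the same two modules in both orders.  Sufficient first, its
 * success skips the required check; required first, the failure is remembered. */
pam_rc demo_sufficient_vs_required(int sufficient_first, size_t *consulted)
{
    static const struct stack_entry sso_first[] = {   /* pam_example_sso is hypothetical */
        { SUFFICIENT, "pam_example_sso.so.1", PAM_SUCCESS  },
        { REQUIRED,   "pam_unix_auth.so.1",   PAM_AUTH_ERR },
    };
    static const struct stack_entry unix_first[] = {
        { REQUIRED,   "pam_unix_auth.so.1",   PAM_AUTH_ERR },
        { SUFFICIENT, "pam_example_sso.so.1", PAM_SUCCESS  },
    };
    return eval_auth_stack(sufficient_first ? sso_first : unix_first, 2, consulted);
}

int main(void)
{
    size_t n;
    pam_rc rc = demo_wrong_password(&n);
    printf("wrong password:   rc=%d after %zu modules\n", rc, n);
    rc = demo_sufficient_vs_required(1, &n);
    printf("sufficient first: rc=%d after %zu modules\n", rc, n);
    rc = demo_sufficient_vs_required(0, &n);
    printf("required first:   rc=%d after %zu modules\n", rc, n);
    return 0;
}
```

The two orderings in demo_sufficient_vs_required() show why the order of lines in the configuration file is itself a security control: a sufficient module placed before a required one lets its success end the stack before the required check runs. A required module's failure, by contrast, is remembered while the remaining modules still execute, so the caller learns only that authentication failed, not which module refused.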

Requirements for PAM Consumers

PAM consumers must be linked with the PAM library libpam. Before an application can use any service that is provided by the modules, the application must initialize its instance of the PAM library by calling pam_start(3PAM). The call to pam_start() initializes a handle that must be passed to all subsequent PAM calls. When an application is finished with the PAM services, pam_end() is called to clean up any data that was used by the PAM library.

Communication between the PAM application and the PAM modules takes place through items. For example, the following items are useful for initialization:

  • PAM_AUSER – Authenticated user name

  • PAM_USER – Currently authenticated user

  • PAM_RUSER – The untrusted remote user name

  • PAM_AUTHTOK – Password

  • PAM_USER_PROMPT – User name prompt

  • PAM_TTY – Terminal through which the user communication takes place

  • PAM_RHOST – Remote host through which the user enters the system

  • PAM_REPOSITORY – Any restrictions on the user account repository

  • PAM_RESOURCE – Any controls on resources

For a complete list of available items, see pam_set_item(3PAM). Items can be set by the application through pam_set_item(3PAM). Values that have been set by the modules can be retrieved by the application through pam_get_item(3PAM). However, PAM_AUTHTOK and PAM_OLDAUTHTOK cannot be retrieved by the application. The PAM_SERVICE item cannot be set.
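The item rules stated above, as an added C model that is not libpam or Oracle's code: a stand-in pam_start() creates the handle that later calls need, the application may set items but is refused PAM_AUTHTOK and PAM_OLDAUTHTOK on read and PAM_SERVICE on write, a module may read the token, and a stand-in pam_end() wipes secrets before freeing the handle. The function names carry a model_ prefix to keep them apart from the real API, the return codes and the in_module flag (this model's way of telling the two kinds of caller apart) are the model's own, and the service, user, tty and password values are constructed.

```c
/* Added example (not Oracle's code): a model of the item store behind a PAM
 * handle and of the access rules the documentation states.  The application
 * may set items but may not read PAM_AUTHTOK/PAM_OLDAUTHTOK and may not set
 * PAM_SERVICE; a service module may read everything.  Function names carry a
 * model_ prefix, return codes are the model's own, and the in_module flag is
 * this model's way of telling the two callers apart. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { PAM_SUCCESS = 0, PAM_PERM_DENIED, PAM_SYMBOL_ERR, PAM_BUF_ERR } pam_rc;
typedef enum { PAM_SERVICE, PAM_USER, PAM_AUSER, PAM_RUSER, PAM_RHOST, PAM_TTY,
               PAM_AUTHTOK, PAM_OLDAUTHTOK, PAM_ITEM_COUNT } pam_item;

typedef struct {
    char *item[PAM_ITEM_COUNT];
    int   in_module;  /* the library sets this while a pam_sm_*() call is running */
} pam_handle_t;

/* Copy a string; strdup() is avoided so the file builds under strict C99. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void wipe_and_free(char *s)
{
    if (s == NULL) return;
    for (volatile char *p = s; *p; p++) *p = 0;
    free(s);
}

/* Stand-in for pam_start(): the service name is fixed for the handle's life. */
pam_rc model_pam_start(const char *service, const char *user, pam_handle_t **out)
{
    pam_handle_t *h = calloc(1, sizeof *h);
    if (h == NULL) return PAM_BUF_ERR;
    h->item[PAM_SERVICE] = dup_str(service);
    if (user != NULL) h->item[PAM_USER] = dup_str(user);
    *out = h;
    return PAM_SUCCESS;
}

pam_rc model_pam_set_item(pam_handle_t *h, pam_item which, const char *value)
{
    char *copy = NULL;
    if (which >= PAM_ITEM_COUNT) return PAM_SYMBOL_ERR;
    if (which == PAM_SERVICE) return PAM_PERM_DENIED;  /* not settable, per the text */
    if (value != NULL && (copy = dup_str(value)) == NULL) return PAM_BUF_ERR;
    wipe_and_free(h->item[which]);                     /* an old token never lingers */
    h->item[which] = copy;
    return PAM_SUCCESS;
}

pam_rc model_pam_get_item(const pam_handle_t *h, pam_item which, const char **value)
{
    if (which >= PAM_ITEM_COUNT) return PAM_SYMBOL_ERR;
    if (!h->in_module && (which == PAM_AUTHTOK || which == PAM_OLDAUTHTOK))
        return PAM_PERM_DENIED;  /* the password stays with the library and its modules */
    *value = h->item[which];
    return PAM_SUCCESS;
}

/* Stand-in for pam_end(): wipe every item, then release the handle. */
void model_pam_end(pam_handle_t *h)
{
    for (int i = 0; i < PAM_ITEM_COUNT; i++) wipe_and_free(h->item[i]);
    free(h);
}

/* Constructed walk-through; returns 1 when every rule behaved as documented. */
int demo_item_rules(void)
{
    pam_handle_t *h;
    const char *v = NULL;
    int service_locked, app_denied, module_allowed;

    if (model_pam_start("login", "alice", &h) != PAM_SUCCESS) return 0;
    model_pam_set_item(h, PAM_TTY, "/dev/console");
    model_pam_set_item(h, PAM_AUTHTOK, "constructed-password");
    service_locked = (model_pam_set_item(h, PAM_SERVICE, "su") == PAM_PERM_DENIED);
    app_denied     = (model_pam_get_item(h, PAM_AUTHTOK, &v) == PAM_PERM_DENIED && v == NULL);
    h->in_module   = 1;   /* as if a pam_sm_authenticate() call were in progress */
    module_allowed = (model_pam_get_item(h, PAM_AUTHTOK, &v) == PAM_SUCCESS &&
                      v != NULL && strcmp(v, "constructed-password") == 0);
    h->in_module   = 0;
    model_pam_end(h);
    return service_locked && app_denied && module_allowed;
}

int main(void)
{
    printf("item rules hold: %s\n", demo_item_rules() ? "yes" : "no");
    return 0;
}
```

The point of the model is where the password lives: the application hands PAM_AUTHTOK to the library once and never gets it back, so a compromised or careless consumer cannot log or leak it later, and the handle cleanup in pam_end() is the one place that has to get the wipe right.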


Note - PAM consumers must have unique PAM service names, which are passed to pam_start(3PAM).

Copyright © 2000, 2020, Oracle and/or its affiliates. 