Movatterモバイル変換

[0]ホーム

Jump to content

Pluggable Authentication Module

Edit links

From Wikipedia, the free encyclopedia

(Redirected fromPluggable Authentication Modules)

Flexible mechanism for authenticating users

This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "Pluggable Authentication Module" – news ·newspapers ·books ·scholar ·JSTOR(May 2011) (Learn how and when to remove this message)

Apluggable authentication module (PAM) is a mechanism to integrate multiple low-levelauthentication schemes into a high-levelapplication programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed bySun Microsystems in anOpen Software Foundation Request for Comments (RFC) 86.0 dated October 1995.^[1] It was adopted as the authentication framework of theCommon Desktop Environment. As a stand-aloneopen-source infrastructure, PAM first appeared inRed Hat Linux 3.0.4 in August 1996 in theLinux PAM project. PAM is currently supported in theAIX operating system,DragonFly BSD,^[2]FreeBSD,HP-UX,Linux,macOS,NetBSD andSolaris.

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of theX/Open UNIX standardization process, resulting in theX/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example,OpenPAM).

Criticisms

[edit]

Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implementKerberos, the most common type ofSSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such asSPNEGO andSASL. This lack of functionality is also the reasonSSH does its own authentication mechanism negotiation.

In most PAM implementations, pam_krb5 only fetchesTicket Granting Tickets, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.^[3]

References

[edit]

External links

[edit]

Specifications:

Guides:

PAM and password control at theWayback Machine (archived August 19, 2013)
Pluggable Authentication Modules for Linux
Making the Most of Pluggable Authentication Modules (PAM)
Oracle Solaris Administration: Security Services: Using PAM

v t e Authentication
Authentication APIs	BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)
Authentication protocols	ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam
Category Commons