Authentication through PAM

How does it work?

Writing applications to use the PAM APIs to delegate authentication offers the freedom to use any authentication method that you wish. For instance, if you currently use /etc/shadow and want to have a centralized LDAP server provide authentication instead, all you have to do is update PAM's configuration settings. Applications themselves are unaware of the change.

On a Linux system, PAM configuration lives either in a single file, /etc/pam.conf, or in the directory /etc/pam.d/. In the latter case each application (service) must have a corresponding file in /etc/pam.d/, e.g. ftp, imap, etc.

A PAM configuration file consists of a few lines, with the following format:

    module-type  control-flag  module-path  arguments

Module types and their descriptions:

  auth      Prompts the user for identification
  account   Checks account settings (aging, etc.)
  session   Provides functions before and after session establishment
  password  Used with the auth type to update the user authentication token. Possible arguments are nullok (lets the user change from a null password), use_authtok (sets the new password to the one received from the previous module), md5 or bigcrypt (uses stronger hashing than standard crypt), shadow or radius or unix (transfers passwords to another database)
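As an added example (not from the original page), here is a small Python parser for the four-field line format described above, with a review check for the nullok argument. The service file it parses is constructed for the example and does not come from a real system.

```python
import re
from dataclasses import dataclass

VALID_TYPES = {"auth", "account", "session", "password"}
SIMPLE_FLAGS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

@dataclass
class PamRule:
    module_type: str
    control: str
    module_path: str
    args: list

def parse_pam_file(text):
    """Parse /etc/pam.d/<service>-style text into PamRule objects; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # control-flag is either a keyword or the bracketed form, e.g. [success=1 default=ignore]
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, path, args = m.groups()
        mtype = mtype.lstrip("-")   # a leading '-' means: do not log if the module is missing
        if mtype not in VALID_TYPES:
            raise ValueError(f"unknown module type {mtype!r} in {raw!r}")
        if not control.startswith("[") and control not in SIMPLE_FLAGS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        rules.append(PamRule(mtype, control, path, args.split()))
    return rules

def weak_settings(rules):
    """Flag the nullok argument, which accepts an empty current password."""
    return [f"{r.module_type} {r.module_path}: nullok accepts an empty password"
            for r in rules if r.module_type in ("auth", "password") and "nullok" in r.args]

# Constructed sample service file (not taken from any real system).
SAMPLE = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass   # nullok is the weak setting
auth     required   pam_deny.so
account  required   pam_unix.so
password [success=1 default=ignore] pam_unix.so sha512 shadow use_authtok
password required   pam_deny.so
session  optional   pam_keyinit.so revoke
"""
```

Running weak_settings(parse_pam_file(SAMPLE)) reports the single auth line that carries nullok; the bracketed control field on the password line is parsed as one token.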