Pluggable Authentication Modules
Pluggable authentication modules (PAM) are a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme. PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared as the open-source Linux-PAM development in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.
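The stacking described above, as a runnable model (an added example, not code from this article or from Linux-PAM): the application makes one pam_authenticate-style call and the framework combines the results of several modules, so the program never learns which scheme actually checked the user. The model goes beyond the article by using the control flags required, requisite, sufficient and optional as documented in pam.conf(5) and the return-code values from Linux-PAM's headers; the module stubs, the sample secrets, the service names and the trace argument are constructed for the example.

```python
"""Simplified model of a PAM authentication stack.

Added example, not Linux-PAM's own code.  Control-flag semantics follow
the pam.conf(5) description; the modules, credentials and service names
below are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Return codes with the values Linux-PAM uses.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7

# A module is any callable that takes the collected credentials and
# returns a PAM code; real modules would prompt through a conversation
# function instead of reading a dict.
Module = Callable[[Dict[str, str]], int]


@dataclass
class StackEntry:
    control: str   # required | requisite | sufficient | optional
    module: Module
    name: str


def evaluate_stack(stack: List[StackEntry], creds: Dict[str, str],
                   trace: Optional[List[str]] = None) -> int:
    """Run the modules in order and fold their results into one code."""
    first_failure: Optional[int] = None   # first failure of a required module
    contributed = False                   # did any module count toward the result?
    for entry in stack:
        if trace is not None:
            trace.append(entry.name)      # record which modules actually ran
        rc = entry.module(creds)
        if entry.control == "requisite":
            if rc != PAM_SUCCESS:
                return rc                 # fatal: stop at once
            contributed = True
        elif entry.control == "required":
            contributed = True
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc        # remember it, keep running the rest
        elif entry.control == "sufficient":
            if rc == PAM_SUCCESS:
                # Success ends the stack but cannot override an earlier
                # required failure.
                return first_failure if first_failure is not None else PAM_SUCCESS
            # A failing sufficient module is simply ignored.
        elif entry.control == "optional":
            if rc == PAM_SUCCESS:
                contributed = True        # only decisive when nothing else decides
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if first_failure is not None:
        return first_failure
    # Fail closed: an empty stack, or one in which every module was ignored,
    # must not grant access (Linux-PAM returns PAM_PERM_DENIED here too).
    return PAM_SUCCESS if contributed else PAM_PERM_DENIED


# Constructed stand-ins for real modules; each checks a fixed sample secret.
def pam_unix_stub(creds: Dict[str, str]) -> int:
    return PAM_SUCCESS if creds.get("password") == "local-secret" else PAM_AUTH_ERR


def pam_krb5_stub(creds: Dict[str, str]) -> int:
    return PAM_SUCCESS if creds.get("password") == "realm-secret" else PAM_AUTH_ERR


def pam_otp_stub(creds: Dict[str, str]) -> int:
    return PAM_SUCCESS if creds.get("otp") == "482913" else PAM_AUTH_ERR


# Constructed service definitions, the equivalent of two /etc/pam.d files.
SERVICES: Dict[str, List[StackEntry]] = {
    # The password must be right before the second factor is even consulted.
    "login": [
        StackEntry("requisite", pam_unix_stub, "pam_unix"),
        StackEntry("required", pam_otp_stub, "pam_otp"),
    ],
    # Try the realm password first; fall back to the local password.
    "sso-login": [
        StackEntry("sufficient", pam_krb5_stub, "pam_krb5"),
        StackEntry("required", pam_unix_stub, "pam_unix"),
    ],
}


def pam_authenticate(service: str, creds: Dict[str, str],
                     trace: Optional[List[str]] = None) -> int:
    """The single call an application makes; it never sees the modules."""
    stack = SERVICES.get(service)
    if stack is None:
        return PAM_PERM_DENIED            # unknown service: fail closed
    return evaluate_stack(stack, creds, trace)


def authenticate_traced(service: str, creds: Dict[str, str]) -> Tuple[int, List[str]]:
    """Result code plus the names of the modules that ran, for inspection."""
    trace: List[str] = []
    return pam_authenticate(service, creds, trace), trace
```

Two properties worth noticing when reading the traces: a requisite failure stops the stack before later modules see the credentials, and a sufficient success never overrides a required failure recorded earlier, which is why the order of entries in a service file matters as much as the flags themselves.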

The XSSO standard differs from the original RFC, from the Linux and Sun APIs, and from most other implementations, and those implementations are not mutually compatible either. For these and other reasons, OpenBSD has chosen to adopt BSD Authentication, an alternative authentication framework that originated in BSD/OS.

Criticisms of PAM

Despite PAM being part of the X/Open Single Sign-on (XSSO) standard, PAM on its own cannot implement Kerberos, the most common type of single sign-on (SSO) used in Unix environments.

Due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), which would allow the user to use the application without re-authenticating. pam_krb5 only fetches ticket-granting tickets, which involves prompting the user for credentials and is only useful for the initial login in an SSO environment. To fetch a service ticket for a particular application without prompting the user for credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself obtain service tickets, although there are versions of PAM-KRB5 that attempt to work around the issue.

See also

  • BSD Authentication
  • Identity management
  • Java Authentication and Authorization Service
  • Linux PAM
  • Name Service Switch
  • OpenPAM
  • Single sign-on

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 