For the uninitiated, we begin by considering an example. We take an application that grants some service to users; login is one such program. Login does two things, it first establishes that the requesting user is whom they claim to be and second provides them with the requested service: in the case of login the service is a command shell running with the identity of the user.
Traditinally, the former step is achieved by the login application prompting the user for a password and then verifying that it agrees with that located on the system; hence verifying that the so far as the system is concerned the user is who they claim to be. This is the task that is delegated to Linux-PAM.
From the perspective of the application programmer (in this case the person that wrote the login application), Linux-PAM takes care of the task of verifying the identity of the user.
The flexibility of Linux-PAM is that you, the system
administrator, have the freedom to stipulate which authentication
scheme is to be used. You have the freedom to set the scheme for
any/all PAM-aware applications on your Linux system. That is, you can
authenticate from anything as naive as simple trust
(pam_permit) to something as paranoid as a combination of a
retinal scan, a voice print and a one-time password!
To illustrate the flexibility you face, consider the following situation: a system administrator (parent) wishes to improve the mathematical ability of her users (children). She can configure their favorite ``Shoot 'em up game'' (PAM-aware of course) to authenticate them with a request for the product of a couple of random numbers less than 12. It is clear that if the game is any good they will soon learn their multiplication tables. As they mature, the authentication can be upgraded to include (long) division!
Linux-PAM deals with four separate types of (management)
task. These are: authentication management; account
management; session management; and password management.
The association of the preferred management scheme with the behavior
of an application is made with entries in the Linux-PAM
configuration file, /etc/pam.conf.
The management functions are performed by modules specified in
the /etc/pam.conf file. The syntax for this file is discussed
in the next section.
Here is a figure that describes the overall organization of Linux-PAM.
+----------------+
| application: X |
+----------------+ / +----------+ +================+
| authentication-[---->--\--] Linux- |--<--| /etc/pam.conf |
| + [----<--/--] PAM | |================|
|[conversation()][--+ \ | | | X auth .. a.so |
+----------------+ | / +-n--n-----+ | X auth .. b.so |
| | | __| | | _____/
| service user | A | | |____,-----'
| | | V A
+----------------+ +------|-----|---------+ -----+------+
+---u-----u----+ | | |
| auth.... |--[ a ]--[ b ]--[ c ]
+--------------+
| acct.... |--[ b ]--[ d ]
+--------------+
| password |--[ b ]--[ c ]
+--------------+
| session |--[ e ]--[ c ]
+--------------+
/etc/pam.conf file and
loads the modules that are appropriate for application-X. These
modules fall into one of four management groups (lower-center) and are
stacked in the order they appear in the configuaration file. These
modules, when called by Linux-PAM, perform the various
authentication tasks for the application. Textual information,
required from/or offered to the user, can be exchanged through the use
of the application-supplied conversation function.
Next Chapter, Previous Chapter
Table of contents of this chapter, General table of contents
Top of the document, Beginning of this Chapter