
Unix Incompatibility Notes:
PAM Pluggable Authentication Module

Jan Wolter

Traditionally the code to do Unix authentication was embedded in login, su, passwd and all the other programs that do authentication. If you wanted to make any change to the database in which passwords were stored, or change the ground rules for how authentication was done, you had to modify and rebuild all those programs.

With PAM the authenticators are implemented as dynamically-linked shared library files. A single standard API is used by all authentication programs, and a configuration file read at run time determines which authenticators are actually used for each program. Thus you can revise how authentication works just by installing new modules, editing the configuration files, or both. You don't need to rebuild the application programs.

PAM was originally developed by Sun for Solaris. A DCE/OSF-RFC document describes it (not completely accurately). An open source version called Linux-PAM is widely used, and can be installed on most versions of Unix, not just Linux. It is standard on recent Linux distributions, FreeBSD 3.1 or greater, and probably lots of others. A newer open source version called OpenPAM is used in FreeBSD 5.0 and later. HP-UX supports PAM, but I have no experience with their version.

The normal config file formats for Linux and Solaris PAM are slightly different, and the names of the standard modules are entirely different. There are probably interesting portability issues involved in writing PAM modules which I haven't studied. This page discusses mainly the issues involved in invoking PAM modules.
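To make the run-time configuration concrete, the following Python example (added here, not part of the original page or of any PAM distribution) parses PAM rules and reports which modules would run for a given program. It assumes the documented rule syntax of `[service] type control module [arguments]`, accepts both the single-file layout, where the first field names the service, and the per-service file layout Linux-PAM uses under /etc/pam.d, and applies the reserved `other` service as the default; the function names and sample rules are constructed for illustration.

```python
import re
from collections import defaultdict
TYPES = {"auth", "account", "password", "session"}

def parse_pam(text, service=None):
    """Return {service: {type: [(control, module, args)]}} in file order.
    service=None: single-file layout, first field of each line is the service.
    service="x":  per-service file layout (e.g. /etc/pam.d/x), no service field."""
    stacks = defaultdict(lambda: defaultdict(list))
    # A trailing backslash continues the rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):    # @include files are not followed
            continue
        svc = service
        if svc is None:
            svc, line = line.split(None, 1)
        mtype, rest = line.split(None, 1)
        mtype = mtype.lstrip("-").lower()        # Linux-PAM allows a "-" prefix
        # The control field is one word or a bracketed [value=action ...] list.
        m = re.match(r"(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", rest)
        if mtype not in TYPES or not m:
            raise ValueError(f"cannot parse PAM rule: {raw.strip()!r}")
        control, module, args = m.groups()
        stacks[svc.lower()][mtype].append((control, module, args.split()))
    return stacks

def effective_stack(stacks, service, mtype="auth"):
    """Rules applied to `service`, falling back to the reserved 'other' service."""
    own = stacks[service.lower()][mtype] if service.lower() in stacks else []
    return own or stacks.get("other", {}).get(mtype, [])

# Constructed sample rules, not taken from any real system.
PAM_CONF = """\
login  auth  required    pam_unix.so
su     auth  sufficient  pam_rootok.so
su     auth  required \\
             pam_unix.so try_first_pass
other  auth  required    pam_deny.so
"""
PAM_D_SSHD = """\
auth      [success=1 default=ignore]  pam_unix.so nullok
auth      requisite                   pam_deny.so
-session  optional                    pam_systemd.so
"""

if __name__ == "__main__":
    for svc in ("su", "ftp"):                    # ftp has no rules of its own
        print(svc, effective_stack(parse_pam(PAM_CONF), svc))
```

Running the same check against a system's real configuration shows at a glance which programs fall through to the `other` default and which modules each one actually trusts.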

Things to be aware of:


Jan Wolter (E-Mail)
Tue Sep 28 12:17:40 EDT 2004 - Original Release.