
Intro to Linux Pluggable Authentication Modules

Every time you log into a Linux system, you're using the Pluggable Authentication Modules (PAM). Let's take a closer look at what's going on under the hood.

Every time you log into a Linux system, you’re using the Pluggable Authentication Modules (PAM) behind the scenes. PAM simplifies Linux authentication, and makes it possible for Linux systems to switch from local file authentication to directory-based authentication in just a few steps. If you haven’t thought about PAM and the role it plays on the system, let’s take a look at what it is and what it does.

Actually, PAM is about more than logging into the system itself. Applications can use the PAM libraries to share authentication — so users can use a single username and password for many applications. The rationale behind PAM is to separate authentication from granting privileges. It should be up to the application how to handle granting an authenticated user privileges, but authentication can be handled separately.

Here’s a simple way of looking at this. Imagine going to an all-ages show at a local club. At the door, the bouncer checks ID and tickets. If you’ve got a valid ticket and ID that shows you’re over 21, you get a green wristband. If you’ve got a valid ticket and an ID that shows you’re under 21, you get a red wristband. Once in the club, it’s up to the bartender to grant privileges to buy alcohol (or not), and the club staff to grant seating privileges or direct you to the floor for general admission.

There’s no beer or music involved, but PAM is meant to work in a similar fashion.

Understanding PAM

Out of the box, most Linux installations are configured to use file-based authentication. Note that other systems also have PAM implementations, but for the purpose of this article we’ll stick to Linux.

For file-based authentication on modern Linux systems, users log in and their username and password combination is checked against the password hash stored in /etc/shadow. Traditionally this was held in /etc/passwd, but the problem was that many programs needed to be able to read /etc/passwd. This meant that, in effect, anyone with local access could attempt to crack passwords — and without going into the details here, it was not beyond the realm of possibility that they’d be successful. This is doubly true when users are allowed to pick their own passwords with no form of password policy enforcement.

So now user passwords are held in /etc/shadow, while things like the user shell and group are stored in /etc/passwd.

For single-user systems or small shops, this sort of file-based authentication is manageable. If you’re working with a small number of users on a handful of machines, it’s not difficult at all to deal with user account creation and user management manually using the standard tools provided by the distros.

But imagine if you have a 50-server environment which requires user synchronization across all systems. Suddenly you start dealing with issues of scale. You want to be able to use a directory service like OpenLDAP, or Microsoft’s Active Directory. But how? By switching away from the standard *nix password file method, and switching to an authentication module that supports the method you want to use.

Writing a module for PAM is well beyond the scope of this article. You shouldn’t need to anyway — plenty of modules exist already for any solution you’d want to use.

Take a look under /etc on a Linux system. On most popular distributions like Ubuntu Linux or Red Hat Enterprise you’ll find a directory, pam.d, that holds several files. Sometimes the configuration is held in /etc/pam.conf, but on many systems it’s broken out into several files, one per application. Remember, PAM is about more than just the initial login — it can also be used by other system applications that require authentication.

Let’s stick with login for now. Look at /etc/pam.d/login. This is the file used for the shadow login service. Here you’ll see quite a few directives for configuring the types of logins allowed, the type of authentication to be used, how long to delay another login if one fails, and much more. Here’s an example:

auth optional pam_faildelay.so delay=3000000

Basically, this line calls the pam_faildelay module during authentication. If the user fails the attempt, it imposes a delay so that an attacker trying to brute-force their way into the system spends more time on each user/password combination. Other PAM modules exist, such as pam_succeed_if, which only lets authentication proceed when an additional requirement is met, such as the user being a member of a certain group or having a UID within a certain range.
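To make the login stack above concrete, here is an added example (not code from the article) that parses pam.d-style lines and walks a small auth stack using the pam.conf(5) control flags: it goes a little beyond the article by also covering required, requisite and sufficient, not just optional. The sample configuration is constructed, pam_succeed_if is modelled in simplified form, and pam_unix's /etc/shadow check is stood in for by a boolean; the delay value 3000000 is in microseconds, i.e. three seconds.

```python
import operator

# Constructed /etc/pam.d/login-style stack (not copied from a real system).
SAMPLE_LOGIN = """
auth optional   pam_faildelay.so delay=3000000
auth requisite  pam_succeed_if.so uid >= 1000 quiet
auth required   pam_unix.so
"""

def parse_pam(text):
    """Split 'type control module args...' lines into tuples; skip comments.
    A leading '-' on the type (silently skip a missing module) is stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *args = line.split()
            rules.append((mtype.lstrip("-"), control, module, tuple(args)))
    return rules

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt,
       "=": operator.eq, "!=": operator.ne}

def succeed_if(args, user):
    """Simplified pam_succeed_if: e.g. ('uid', '>=', '1000') against a user dict."""
    field, op, value = args[:3]
    return OPS[op](int(user[field]), int(value))

def run_auth(rules, user, password_ok):
    """Walk the auth stack per pam.conf(5) control flags; True = authenticated."""
    final = None  # stays None until a 'required' module reports a result
    for mtype, control, module, args in rules:
        if mtype != "auth":
            continue
        if module == "pam_succeed_if.so":
            ok = succeed_if(args, user)
        elif module == "pam_unix.so":
            ok = password_ok  # stands in for the /etc/shadow hash comparison
        else:
            ok = True         # pam_faildelay only sleeps after a failure
        if control == "requisite" and not ok:
            return False      # fail fast: later modules are not run at all
        if control == "required":
            final = ok if final is None else (final and ok)
        elif control == "sufficient" and ok and final is not False:
            return True       # enough on its own unless a 'required' already failed
        # 'optional' never changes the outcome of a multi-module stack
    return bool(final)
```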

What if you want to change the type of authentication the system is using? Then you want to look at /etc/pam.d/common-auth, which defines the type of authentication being used to log into the system. It’s what points the system to /etc/shadow in the first place.

Here you can configure the system to use OpenLDAP, or other directory services. But there’s one more piece that needs to be changed, /etc/nsswitch.conf. This file tells the system what name services and directories to use for authentication, as well as where to look for protocol information (usually /etc/protocols, logically enough) and more. It’s sort of like your system’s Little Black Book, or the index to a Little Black Book.

Again, this goes back to the days when systems had One True Login and One True DNS, rather than a bunch of options. Now you can configure things so that the system uses OpenLDAP or Microsoft Active Directory (via Likewise, or Centrify) for authentication rather than static files. Another benefit of PAM is that it logs both successes and failures in common places, which allows you to use products specializing in reporting functionality to track whether logins are succeeding or failing.
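The two-file change described above (common-auth plus /etc/nsswitch.conf) is easy to get half right. This added example, not code from the article, parses constructed snippets of both files and flags the classic mismatch: PAM authenticates through pam_ldap.so, but nsswitch.conf still resolves passwd from files only, so the directory user is accepted by PAM and then unknown to the system. The function names and sample contents are assumptions for illustration.

```python
# Constructed snippets (not from a real system): common-auth authenticates
# via LDAP, but nsswitch.conf still resolves passwd from files only.
SAMPLE_COMMON_AUTH = """
auth sufficient pam_ldap.so
auth required   pam_unix.so try_first_pass
"""
SAMPLE_NSSWITCH = """
passwd:    files
group:     files ldap
shadow:    files
protocols: files        # /etc/protocols, as the article notes
hosts:     files dns
"""

def parse_nsswitch(text):
    """Return {database: [sources]}; '[NOTFOUND=return]'-style actions are dropped."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, sources = line.partition(":")
            db[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return db

def pam_modules(text):
    """Module names (third field) from a pam.d-style file."""
    return {line.split()[2] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def nss_mismatches(pam_text, nss_text, module="pam_ldap.so", source="ldap"):
    """NSS databases that a login via `module` needs `source` in, but which lack it.
    passwd and group are checked: if getpwnam() cannot find the directory user,
    the login fails even though PAM accepted the password."""
    if module not in pam_modules(pam_text):
        return []
    nss = parse_nsswitch(nss_text)
    return [db for db in ("passwd", "group") if source not in nss.get(db, [])]
```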

As you can see, there’s a lot going on behind the scenes with PAM. You may have thought that Linux authentication was a simple affair, but there’s a lot of hidden (we hope) complexity and flexibility running the system when you provide your username and password. You’ll also find that Linux is very flexible, and can accommodate just about any authentication mechanism you’d like to use.

Comments on "Intro to Linux Pluggable Authentication Modules"


utopiazh

Authentication is an important aspect of Linux life; generalization as PAM will allow for much more flexibility. For upper-layer applications, this will provide another abstract layer and thus reduce the complexity.

Awesome, thanks for this article.
