Results 1 to 4 of 4

Thread: PAM (Pluggable Authentication Modules) Security

  1. #1
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002

    PAM (Pluggable Authentication Modules) Security

    Pluggable Authentication Modules (PAM)

    Hello Everyone.

    This is a short introduction on PAM (Pluggable Authentication Modules. I hope it comes in handy to some of you who are interested in other ways of authentication other than the normal password styles.

    The Pluggable Authentication Modules for Linux is a collection of shared libraries, which provide the authentication modules. A Linux system administrator can choose (if his systems are PAM compatible) how certain programs are to authenticate the users.

    If for example a user logs into a Linux system, the application called “login” is involved. Login requests from the user a username and a password to go along with that username. The password is then encrypted and compared to the encrypted password in /etc/shadow. If the 2 encrypted passwords match, the program login allows access for that user into the system by validating that users login shell. If the two encrypted passwords do not match, access will be denied.

    This is normally enough, aslong as the authentication is to be performed with Linux/Unix passwords. If other authentication mechanisms are to be used such as chip cards instead of passwords, then several programs have to be executed which perform an authentication which will work together with a chip card. Before PAM was introduced, login had to be extended in order to be compatible with chip cards. Also the conversion towards the shadow-password had to be modified and translated from login and a lot of other programs which performed the authentication process were involved. For example the ftp server or the secure shell.

    Thanks to PAM, everything is easier now. PAM creates a software layer with a very clear defined interface between the application (ie. “login”) and the actual used authentication mechanism (ie. Chip card). The program-code which communicates with a chip card-reader or with /etc/shadow instead of /etc/passwd must not be available anymore in every program. Every PAM compatible program can use the program-code from PAM, which is nothing else than a few shared libraries. The PAM module is not linked dynamically with the applications like other normal shared libraries. Instead PAM offers the possibility to link the runtime configuration to the PAM-specific shared libraries. Due to this, its possible without the use of link- and compiler-”runs” <---(i hope this definition is correct) to reconfigure the runtimes for the different authentication mechanisms along with the different applications. All that is needed in order to do this, is a PAM compatible Linux system (all modern Linux systems are compatible) along with the needed PAM modules.

    This is not where the possibilities of PAM end though, there is more to come . Since PAM creates a layer between an application and the authentication mechanism, many other “single-steps” for the authentication process can be configured here with great detail. An example of this is /etc/securetty/

    The PAM configuration files are located in /etc/pam.d/ (also do a man pam for help). If for example you wish to allow remote root access and are using yast1/yast2 (suse) then the 5th or 6th line in /etc/pam.d/login will be uncommented, which is the responsible entry needed for /etc/securetty.


    auth requisite nullok #set_secrpc
    auth required
    auth required
    #auth required
    auth required
    auth required
    account required
    password required nullok
    password required nullok use_first_pass use_authtok
    session required none # debug or trace
    session required

    The documentation for pam can be found in /usr/share/doc/packages/pam/, in the man pages under man pam, or on the Internet. If you are using SuSE Linux, then also have a look at /usr/share/doc/packages/pam/modules/.

    Also have a look at which provide information on many compatible smart cards, token cards, and secure-ID. Also the authentication against a windows NT machine acting as a server is possible, helping to synchronize the microsoft world with the Linux world inside a heterogeneous network environment. PAM is also a way to use biometrical authentication methods, but this my dear friends, is another story

    I hope this helps you get started with PAM. Good luck to all of you.



    Incase you want to test your results, but dont have any chip cards, etc.... try this.

    Normally a remote root connection using telnet is not possible. Try to setup your PAM to allow remote root access using telnet. This will help you understand and give you a little practice on setting up PAM.

    Note: I highly recomend to not use telnet for many other sucurity reasons, this is only for you to test if your PAM experiment works.

    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Great tut instronics, i can always use info like this. Tho it'd be better if you explained a detailed sample working configuration.

    BTW, this is rather off-topic, but i notice that between 9-11 GMT, AO has the least members online, you may get more views outside that period.

    Peace always,
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds

  3. #3
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Hi. Yes, i'm working on a complete configuration sample at this moment. The one i posted was just a brief introduction. I will edit it and add it, to avoid having 2 tuts on the same subject. Thank you for your interest. Im having a hard time making it understandable, since all my source is in the german language. I will do my best.

    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #4
    Junior Member
    Join Date
    Oct 2008

    Unhappy hello

    hello, I followed your instructions read for the pam but did not provide an answer to my problem and so you ask the question.
    I make the pam to authenticate users remotely using a web services! How do I do?
    thanks for your help ..

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts