Pluggable authentication module (PAM) supports authentication mechanism. Applications can make use of this module for implementing authentication mechanism in AIX®. PAM provides different service modules, and each module supports different functionality. Make use of these PAM service modules to enable PAM with authentication, account, password, and session management mechanisms in AIX.

Uma Chandolu (uchandol@in.ibm.com), AIX security developer and support specialist, IBM

Photo of Uma ChandoluUma M. Chandolu works as a development support specialist on AIX. He has over 6 years of extensive hands-on experience in AIX environments and demonstrated expertise in AIX system administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. He has been recognized as an IBM developerWorks Contributing Author. You can reach him at uchandol@in.ibm.com.


developerWorks Professional author
        level

19 July 2011

Also available in Chinese

Introduction

Managing users and controlling their access is a challenging task in the current environment. AIX provides loadable authentication modules (LAM) for handling user identification and authentication (I & A). Users can write their own LAM modules by using the AIX loadable authentication modules framework (LAMF) interface. Similarly, AIX provides PAM for authentication. Users can integrate the PAM services to their native applications. This article provides an overview of PAM in AIX, usage of PAM library APIs, PAM service modules shipped in AIX, and the differences between LAM and PAM.

PAM framework provides support to integrate multiple authentication mechanisms to existing authentication mechanism. Prior to AIX V5.3 release, PAM module is provided as LAM module for handling native applications.

Figure 1 below provides an overview of PAM in AIX.

Figure 1. Figure 1. Illustration of PAM overview
An illustration of a PAM overview

Overview of PAM

The PAM framework is composed of 3 parts:

  • PAM library: PAM interface library, /usr/lib/libpam.a, contains the PAM APIs. These APIs serves as a common interface to all PAM applications.
  • PAM Configuration file: The /etc/pam.conf file contains service entries for each module type. Applications are registered with the PAM service module under this. This file is used by PAM library to interact with PAM service module.
  • PAM modules: PAM service modules are available under the /usr/lib/security directory. These modules allow multiple authentication mechanisms to be used together or independently on a system.

PAM in AIX

Starting with AIX V5.1 Ml01, the PAM library /usr/lib/libpam.a is included as a part of the AIX release. Also, a standard set of PAM APIs is included under the PAM library; however, existing authentication application could not make use of the PAM.

In AIX V5.2, PAM is fully supported. The PAM module is provided as a LAM module at /usr/lib/security/PAM. Along with that pam_aix service module, the /etc/pam.conf file is also provided. Applications can use the PAM LAM module for authentication. The PAM module needs to be defined in the /usr/lib/security/methods.cfg file along with LAM module for authentication and identification.

Starting with AIX V5.3 and above, PAM is fully integrated into all AIX native applications and commands. The PAM LAM module is no longer required. A default /etc/pam.conf file is shipped along with additional PAM service modules. PAM can also be enabled for the entire system by changing the auth_type attribute to PAM_AUTH in the /etc/security/login.cfg file.

Table 1. Difference between PAM and LAM
LAMPAM
Performs authentication and identification.Performs authentication only.
Entire system uses single authentication service.An application on a system can be configured with multiple authentication services.
LAM modules need to be defined in /usr/lib/security/methods.cfg file. PAM uses /etc/pam.conf file for defining application services.
LAM APIs are defined under AIX security library.PAM APIs are defined under /usr/lib/libpam.a library.

PAM Library

The PAM library provides a set of application program interfaces(APIs). These APIs enable applications to invoke the PAM modules and pass the information to a PAM module.

The following table provides description of some required APIs:

APIDescription
pam_startEstablishes a new PAM session for user authentication. Initial PAM information has to be set with this call.
pam_authenticateAuthenticates user information through defined PAM module in /etc/pam.conf file.
pam_acct_mgmtPerforms various checks to validate user's account. This routine checks user account and password expiration details. This routine should be used based on return type of pam_authenticate.
pam_setcredChanges or removes user's credentials for authentication. This routine is mainly used to change the current PAM session credentials, for example, if a user wants to switch from one account to another account (like su or swrole commands).
pam_open_sessionCreates a new session for authenticated PAM user.
pam_end_sessionCloses currently opened PAM user session.
pam_endEnds an existing PAM authentication session.

The /usr/lib/libpam.a library provides few other APIs. Refer resource section for more information about PAM library APIs.

See the Download section for a sample program using the above APIs.

Elements of /etc/pam.conf file

The /etc/pam.conf file is configured with application service entries for each PAM module type. Application service has to be defined under a valid module type with specific control flags.

Format of /etc/pam.conf file are:

 <service_name> <module_type><control_flag><module_path>[module_options] 
 
 
	#Authentication Management     
    
	login   auth    required        pam_aix   
	telnet  auth    required        pam_aix  
	
	#Account Management 
    
	login   account required        pam_aix 
	telnet  account required        pam_aix 
	
	#Password Management 
    
	login   password  required      pam_aix 
	telnet  password  required      pam_aix 
	
	#Session Management 
	login   session required        pam_aix 
	telnet  session required        pam_aix

The service_name represents the application name which requires PAM service. If an application name is not specified in /etc/pam.conf file, it uses OTHER keyword to follow PAM module.

The Module_type specifies the module type for service. Valid module types are

  • Authentication Management - auth
  • Account Management - account
  • Password Management - password
  • Session Management - session
TypeDescription
authAuthenticate users and set, refresh, or destroy credentials.
accountDetermine validity of the user account and subsequent access after identification from authentication module.
passwordPerform password modification and related attribute management.
sessionInitiate and terminate user sessions.

The Control_flag specifies the stacking behavior for module. Valid flags are required, requisite, sufficient, and optional.

FlagDescription
requiredAll required modules in a stack must pass for a successful result. If one or more fail, all of the required modules are attempted, but the error from the first failed required module is returned.
requisiteSimilar to required except that if a requisite module fails, it immediately returns the first failure code from a required or requisite module.
sufficientIf a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the stack are ignored and success is returned.
optionalResult ignored unless there are no required modules and no sufficient modules have succeeded.

The Module_path specifies the PAM service module path on the system. The path may be either absolute path or just the module name. If absolute path is not specified, it assumes that /usr/lib/security for 32-bit applications and /usr/lib/security/64 for 64-bit applications.

The Module_options specifies a list of options supported by PAM service module. Some common options are:

OptionDescription
debugLog debugging information to syslog.
nowarnDo not display error messages.
try_first_passTry a previously entered password. If it fails, prompt for a new one.
use_first_passUse a previously entered password, do not prompt for a new one.

PAM modules

The PAM service modules are a set of dynamically loadable objects invoked by the PAM-SPI (PAM-service provider interface) to provide a particular type of user authentication. AIX currently provides some PAM service modules, these provides at least one of module type described as above.

Quick reference table for all provided PAM service modules are:

Module nameDescription
pam_aixPerform AIX style authentication.
pam_allowReturns PAM_SUCCESS for all invocations.
pam_allowrootReturns PAM_SUCCESS if invoking user is root (uid = 0).
pam_ckfileProvides checks similar to /etc/nologin.
pam_permissionProvides enhanced /etc/ftpusers type checking.
pam_prohibitReturns a PAM failure code for all invocations.
pam_rhosts_authPerforms rhosts authentication.

The pam_aix module supports authentication, account, password and sessions management module types. This module can be configured in the /etc/pam.conf file to validate user's credentials on all databases. pam_aix module defines some of the SPI functions. These functions internally map with AIX security functions to handle user management tasks under different directories.

The pam_allow module simply returns PAM_SUCCESS for all invocations if the specified PAM handle is valid. For pam_sm_authenticate, the user must also be provided. This module should be used by system administrators with caution as it provides no real authentication. In most cases, this module should only be used for debugging purposes.

The pam_allowroot module requires invoking an application's real user ID; it should be 0 (zero). If the UID of the authenticating user is zero, then only pam_allowroot module returns PAM_SUCCESS. This module should typically be used as a sufficient module to allow root to bypass authentication or account management checks.

The pam_mkuserhome module creates the user's home directory automatically during a user's login if it doesn't already exist. This module should be used as optional in case of session module. It doesn't provide any other module types. It returns PAM_SUCCESS if the home directory already exists, or the home directory is successfully created on the system.

The pam_permission module checks for the existence of an optionally specified file and then reads the file to determine if a user/group is granted/denied access. Using this module, Authentication and Account Management module types are supported. This module supports following options:

  • file

    Specify absolute path of the filename to allow user and groups. If no file is specified it reads /etc/ftpusers.

    Entries in the file should follow the following format:

    [+|-][@]<name>

    where:

    • + Grants access.
    • - Denies access.
    • @ Signifies the name is a group
  • found

    The default value is prohibit, optional values are:

    ValueEntry match behavior
    allow, permit, passGrant Access
    prohibit, deny, failDeny Access
  • debug

    The debug option logs debugging information to the syslog file.

  • nowarn

    This option does not display warning information.

The pam_prohibit module returns a module specific failure for all services which are not specified in the /etc/pam.conf file. This module should be used by system administrators with caution as it provides no real authentication. In most cases, this module should be used to disable a module type or used in the OTHER service. The functionality works opposite to the pam_allow module. This supports all the PAM module types.

The pam_rhosts_module provides rhosts type of authentication facility similar to r-cmds like rlogin, rsh, and rexec. This module checks for username and hostname in /etc/hosts.equiv and followed by $HOME/.rhosts file. If a match is not found in the files, it returns PAM_AUTH_ERR failure code. It supports authentication PAM module type.

The pam_ckfile module allows or denies authentication based on existence of a file. This module provides functionality similar to the historic behavior of the /etc/nologin file. If the specified file exists, only the root user may authenticate. This module supports Authentication and Account Management module types. This module recognizes the file, debug, and nowarn options. The format of the options will be same as above.

Conclusion

AIX security commands and applications can be configured to call PAM modules through the use of existing loadable authentication framework. AIX supports PAM services from AIX V5.1 release. PAM is fully integrated into AIX from AIX V5.3 release. Users can use PAM library APIs in their applications for user/group authentication and account management. PAM also provides flexibility to integrate their existing authentication mechanism with PAM service module.


Download

DescriptionNameSize
Sample C program with PAM APIsPAM-API.zip10KB

Resources

Learn

Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.
  • Try out IBM software. Download a trial version, log into an online trial, work with a product in a sandbox environment, or access it through the cloud. Choose from over 100 IBM product trials.

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=741721
ArticleTitle=AIX pluggable authentication modules
publish-date=07192011