Pluggable Authentication Modules

Edit online

The pluggable authentication module (PAM) framework provides system administrators with the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules.

Applications enabled to make use of PAM can be plugged-in to new technologies without modifying the existing applications. This flexibility allows administrators to do the following:

  • Select any authentication service on the system for an application
  • Use multiple authentication mechanisms for a given service
  • Add new authentication service modules without modifying existing applications
  • Use a previously entered password for authentication with multiple modules

The PAM framework consists of a library, pluggable modules, and a configuration file. The PAM library implements the PAM application programming interface (API) and serves to manage PAM transactions and invoke the PAM service programming interface (SPI) defined in the pluggable modules. Pluggable modules are dynamically loaded by the library based on the invoking service and its entry in the configuration file. Success is determined not only by the pluggable module but also by the behavior defined for the service. Through the concept of stacking, a service can be configured to authenticate through multiple authentication methods. If supported, modules can also be configured to use a previously submitted password rather than prompting for additional input.

The system administrator can configure an AIX® system to use PAM through modification of the auth_type attribute in the usw stanza of the/etc/security/login.cfg file. Setting auth_type = PAM_AUTH configures PAM-enabled commands to invoke the PAM API directly for authentication rather than use the historic AIX authentication routines. This configuration is a run-time decision and does not require a reboot of the system to take affect. For further information about the auth_type attribute, see the /etc/security/login.cfg file reference. The following native AIX commands and applications have been modified to recognize the auth_type attribute and enabled for PAM authentication:
  • login
  • passwd
  • su
  • ftp
  • telnet
  • rlogin
  • rexec
  • rsh
  • snappd
  • imapd
  • dtaction
  • dtlogin
  • dtsession

The following illustration shows the interaction between PAM-enabled applications, PAM library, configuration file, and PAM modules on a system that has been configured to use PAM. PAM enabled applications invoke the PAM API in the PAM library. The library determines the appropriate module to load based on the application entry in the configuration file and calls the PAM SPI in the module. Communication occurs between the PAM module and the application through the use of a conversation function implemented in the application. Success or failure from the module and the behavior defined in the configuration file then determine if another module needs to be loaded. If so, the process continues; otherwise, the result is passed back to the application.

Figure 1. PAM Framework and Entities. This illustration shows how PAM enabled commands use the PAM library to access the appropriate PAM module.