
A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).
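As an added illustration (not code from this page or from any PAM implementation), the following Python model shows how a PAM-style framework lets an application make one high-level authenticate call while the real work is done by a configurable stack of low-level modules; it uses the Linux-PAM control flags required, requisite, sufficient and optional in simplified form, and the module functions, passwords and realm are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, List

# A module sees the conversation data (what the real PAM conversation
# callback would collect) and reports success or failure.
Module = Callable[[dict], bool]

@dataclass
class Entry:
    control: str      # "required" | "requisite" | "sufficient" | "optional"
    module: Module

def authenticate(stack: List[Entry], conv: dict) -> bool:
    """Evaluate an auth stack; the caller never learns which scheme did the work."""
    required_failed = False
    decisive_seen = False   # any required/requisite/sufficient entry present?
    optional_ok = True      # simplified: optional entries decide only if nothing else can
    for e in stack:
        ok = e.module(conv)
        if e.control == "requisite":
            decisive_seen = True
            if not ok:
                return False            # abort the stack at once
        elif e.control == "required":
            decisive_seen = True
            if not ok:
                required_failed = True  # keep going so the caller can't tell which entry failed
        elif e.control == "sufficient":
            decisive_seen = True
            if ok and not required_failed:
                return True             # enough on its own; remaining entries are skipped
        elif e.control == "optional":
            optional_ok = optional_ok and ok
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    return optional_ok if not decisive_seen else not required_failed

# Constructed stand-ins for modules such as pam_unix, pam_krb5 and pam_deny.
LOCAL_PASSWORDS = {"alice": "correct horse"}   # constructed sample data
def local_password(conv: dict) -> bool:
    user = conv.get("user")
    return user in LOCAL_PASSWORDS and LOCAL_PASSWORDS[user] == conv.get("password")
def kerberos_like(conv: dict) -> bool:
    return conv.get("realm") == "EXAMPLE.ORG" and conv.get("password") == "tgt-secret"
def always_deny(conv: dict) -> bool:
    return False

# Try a Kerberos-style login first; fall back to the local password database.
STACK = [Entry("sufficient", kerberos_like), Entry("required", local_password)]
```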
Criticisms
Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation.
In most PAM implementations, pam_krb5 only fetches Ticket Granting Tickets, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.
See also
* Implementations:
** Java Authentication and Authorization Service
** Linux PAM
** OpenPAM
* Identity management – the general topic
* Name Service Switch – manages user databases
* System Security Services Daemon – SSO implementation based on PAM and NSS
References
External links
Specifications:
* The Original Solaris PAM RFC
* X/Open Single Sign-on (XSSO) 1997 Draft Working Paper
Guides:
* Pluggable Authentication Modules for Linux
* Making the Most of Pluggable Authentication Modules (PAM)