Pluggable Authentication Modules
   HOME

TheInfoList



Click Here for Items Related To - Pluggable Authentication Modules
OR:
Pluggable Authentication Modules on:   [Wikipedia]   [Google]   [Amazon]

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
schemes into a high-level
application programming interface An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how ...
(API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by
Sun Microsystems Sun Microsystems, Inc. (Sun for short) was an American technology company that sold computers, computer components, software, and information technology services and created the Java programming language, the Solaris operating system, ZFS, t ...
in an
Open Software Foundation The Open Software Foundation (OSF) was a not-for-profit industry consortium for creating an open standard for an implementation of the operating system Unix. It was formed in 1988 and merged with X/Open in 1996, to become The Open Group. Despit ...
Request for Comments A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...
(RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the
Common Desktop Environment The Common Desktop Environment (CDE) is a desktop environment for Unix and OpenVMS, based on the Motif widget toolkit. It was part of the UNIX 98 Workstation Product Standard, and was for a long time the Unix desktop associated with commercial ...
. As a stand-alone
open-source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized so ...
infrastructure, PAM first appeared in
Red Hat Linux Red Hat Linux was a widely used commercial open-source Linux distribution created by Red Hat until its discontinuation in 2004. Early releases of Red Hat Linux were called Red Hat Commercial Linux. Red Hat published the first non-beta releas ...
3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the
AIX operating system AIX (Advanced Interactive eXecutive, pronounced , "ay-eye-ex") is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. Background Originally released for the IBM RT PC RISC work ...
,
DragonFly BSD DragonFly BSD is a free and open-source Unix-like operating system forked from FreeBSD 4.8. Matthew Dillon, an Amiga developer in the late 1980s and early 1990s and FreeBSD developer between 1994 and 2003, began working on DragonFly BSD ...
,
FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...
,
HP-UX HP-UX (from "Hewlett Packard Unix") is Hewlett Packard Enterprise's proprietary implementation of the Unix operating system, based on Unix System V (initially System III) and first released in 1984. Current versions support HPE Integrity Se ...
,
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, whi ...
,
macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and la ...
,
NetBSD NetBSD is a free and open-source Unix operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was forked. It continues to be actively developed and is ava ...
and Solaris. Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).


Criticisms

Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation. In most PAM implementations, pam_krb5 only fetches
Ticket Granting Ticket In some computer security systems, a Ticket Granting Ticket or Ticket to Get Tickets (TGT) is a small, encrypted identification file with a limited validity period. After authentication, this file is granted to a user for data traffic protection ...
s, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.PAM-KRB5
/ref>


See also

* Implementations: ** Java Authentication and Authorization Service ** Linux PAM ** OpenPAM * Identity management – the general topic * Name Service Switch – manages user databases *
System Security Services Daemon The System Security Services Daemon (SSSD) is software originally developed for the Linux operating system (OS) that provides a set of daemons to manage access to remote directory services and authentication mechanisms. The beginnings of SSSD l ...
– SSO implementation based on PAM and NSS


References


External links

Specifications:
The Original Solaris PAM RFCX/Open Single Sign-on (XSSO) 1997 Draft Working Paper
Guides: *
Pluggable Authentication Modules for LinuxMaking the Most of Pluggable Authentication Modules (PAM)
Open Group standards Unix authentication-related software Computer access control frameworks Computer security standards Application programming interfaces {{security-software-stub