
A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.
Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).
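The following added example (not part of the original article and not code from any PAM implementation) models how an application can call one authentication entry point while the administrator's module stack decides which scheme is used. It assumes Linux-PAM-style service-file lines and the `required`, `requisite`, `sufficient` and `optional` control keywords in simplified form; the function names, credential stores and configuration text are constructed, and the module names are labels for stand-in check functions.

```python
# Simplified model of a PAM "auth" stack (Linux-PAM-style control keywords).
# Module names are labels; the check functions are constructed stand-ins.

def parse_stack(conf, mgmt_type="auth"):
    """Parse service-file lines: <type> <control> <module> [args...]."""
    stack = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, modules, user, secret):
    """The single call an application makes; it never names a scheme."""
    failed = passed = False
    for control, name in stack:
        check = modules.get(name)
        ok = bool(check and check(user, secret))  # unknown module = failure
        if control == "requisite" and not ok:
            return False                          # deny at once
        if control in ("required", "requisite"):
            failed, passed = failed or not ok, passed or ok
        elif control == "sufficient":
            if ok and not failed:
                return True                       # stop early on success
        elif control == "optional":
            passed = passed or ok                 # failure is ignored
        else:
            return False                          # unmodelled control: deny
    return passed and not failed                  # undecided stack denies

# Constructed credential stores standing in for two low-level schemes.
LOCAL = {"alice": "local-pw"}
REALM = {"bob": "realm-pw"}
MODULES = {
    "pam_unix.so": lambda u, s: LOCAL.get(u) == s,
    "pam_krb5.so": lambda u, s: REALM.get(u) == s,
}

# Constructed service configurations; only the admin's file differs.
LOCAL_ONLY = "auth required pam_unix.so\n"
WITH_KRB5 = """# constructed service file
auth    sufficient pam_krb5.so
auth    required   pam_unix.so
account required   pam_unix.so
"""

if __name__ == "__main__":
    for conf in (LOCAL_ONLY, WITH_KRB5):
        print(authenticate(parse_stack(conf), MODULES, "bob", "realm-pw"))
```

A `required` failure placed before a `sufficient` module still denies access even when the later module succeeds, which is why module order in the stack matters when a service's configuration is reviewed.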
Criticisms
Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation.
In most PAM implementations, pam_krb5 only fetches Ticket Granting Tickets, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.
See also
* Implementations:
** Java Authentication and Authorization Service
** Linux PAM
** OpenPAM
* Identity management – the general topic
* Name Service Switch – manages user databases
* System Security Services Daemon – SSO implementation based on PAM and NSS
External links
Specifications:
The Original Solaris PAM RFC
X/Open Single Sign-on (XSSO) 1997 Draft Working Paper
Guides:
Pluggable Authentication Modules for Linux
Making the Most of Pluggable Authentication Modules (PAM)