A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995.[1] It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD,[2] FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).

Criticisms

Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation.

In most PAM implementations, pam_krb5 only fetches Ticket Granting Tickets, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.[3]
