PAM - Pluggable Authentication Modules


Red Hat Software is participating in the Linux-PAM effort to provide a unified authentication scheme for Linux. This document briefly explains PAM and gives you the opportunity to view and experiment with our current development sources and to provide us with feedback.

The case for PAM

Linux originally came with standard UNIX password authentication, with the encrypted password kept along with other user information in the /etc/passwd file. Later, most Linux users and distributions added support for shadow passwords, where the encrypted passwords are kept in a file to which access is limited. This involved changing all the applications which needed to check passwords. Shadow didn't solve all the authentication problems; it would be nice to be able to easily add support for one-time passwords, where each password is used only once, and secure-id cards, which generate encrypted responses to challenges. However, having to re-engineer every application that performs user authentication each time a new authentication method is designed is rather painful.

Several engineers at Sun saw the same problem and came up with a general solution: an API which (we hope) is capable of encapsulating all authentication methods, and a structure for the code behind that API that allows system administrators to ``plug in'' authentication methods at will and configure them in a simple and straightforward manner. They called this mechanism ``PAM'', for ``Pluggable Authentication Modules'', and published a specification as DCE-RFC 86.0. A group of programmers, including five of us at Red Hat Software, have joined together to create a freely redistributable implementation of the PAM specification which is source-compatible with the original.

If you are interested in participating in this effort, join the mailing list. Send email to pam-list-request@redhat.com with the word subscribe in the subject. Then send email to pam-list@redhat.com.

Please note that pam-list@redhat.com should only be used for PAM development and configuration issues. If you are having a problem with authentication in ``stock'' Red Hat Linux 4.0 or 4.1, please direct your questions to redhat-list@redhat.com instead.

The code

The Linux-PAM web page is maintained by the current Linux-PAM maintainer, Andrew Morgan.

Since the release of Red Hat Linux 3.0.4, code-named Rembrandt, all our PAM patches are available in our source packages in the distribution, and we have discontinued our distribution of PAM packages separately via FTP. We will be offering our patches to the official maintainers of these packages, so we hope that soon there will be no need for PAM patches for Linux applications...

Please direct PAM-specific comments to pam-list@redhat.com, and comments about the RPM packages for PAM to Michael K. Johnson.

If you are interested in coding, please read our coding standards and join the pam-list@redhat.com list as explained above.