
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PAM</TITLE>
</HEAD><BODY>
<H1>PAM</H1>
Section: Linux-PAM Manual (7)<BR>Updated: 05/18/2018<BR><A HREF="#index">Index</A>
<HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
PAM, pam - Pluggable Authentication Modules for Linux
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
This manual is intended to offer a quick introduction to
<B>Linux-PAM</B>. For more information the reader is directed to the
<B>Linux-PAM system administrators' guide</B>.
<P>
<B>Linux-PAM</B>
is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege-granting programs (such as
<B><A HREF="/cgi-bin/man/man2html?1+login">login</A></B>(1)
and
<B><A HREF="/cgi-bin/man/man2html?1+su">su</A></B>(1)) defer to in order to perform standard authentication tasks.
<P>
The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single
<B>Linux-PAM</B>
configuration file
/etc/pam.conf. Alternatively, the configuration can be set by individual configuration files located in the
/etc/pam.d/
directory. The presence of this directory will cause
<B>Linux-PAM</B>
to
<I>ignore</I> /etc/pam.conf.
<P>
Vendor-supplied PAM configuration files might be installed in the system directory
/usr/lib/pam.d/
instead of the machine configuration directory
/etc/pam.d/. If no machine configuration file is found, the vendor-supplied file is used. All files in
/etc/pam.d/
override files with the same name in
/usr/lib/pam.d/.
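<P>
The precedence rules above can be checked per service with a short script. This is an added example, not part of the Linux-PAM distribution or its lookup code: the function names and the ROOT prefix argument are hypothetical, and it models only the rules stated on this page, plus the pam.d and pam.conf line layouts (management group first in pam.d files, service name first in pam.conf).

```shell
#!/bin/sh
# Added example: models the lookup precedence described on this page.
# ROOT is a hypothetical prefix ("" = live system) so the same check can
# run against a mounted image or a constructed test tree.

# True if ROOT/etc/pam.conf has a line whose first field is SERVICE.
pam_conf_has() {
    [ -f "$1/etc/pam.conf" ] &&
        awk -v s="$2" '$1 == s { hit = 1 } END { exit !hit }' "$1/etc/pam.conf"
}

# Print "<origin> <path>" for the file that configures SERVICE.
pam_effective_config() {
    root=$1 service=$2
    if [ -f "$root/etc/pam.d/$service" ]; then
        echo "machine $root/etc/pam.d/$service"
    elif [ -f "$root/usr/lib/pam.d/$service" ]; then
        echo "vendor $root/usr/lib/pam.d/$service"
    elif [ ! -d "$root/etc/pam.d" ] && pam_conf_has "$root" "$service"; then
        echo "pam.conf $root/etc/pam.conf"
    else
        echo "none -"
    fi
}

# Print one finding per line for configuration that exists but is not used.
pam_unused_config() {
    root=$1 service=$2
    if [ -f "$root/etc/pam.d/$service" ] && [ -f "$root/usr/lib/pam.d/$service" ]; then
        echo "overridden: $root/usr/lib/pam.d/$service"
    fi
    if [ -d "$root/etc/pam.d" ] && pam_conf_has "$root" "$service"; then
        echo "ignored: $root/etc/pam.conf entries for $service"
    fi
}

# Count the rules per management group in a pam.d-style file (group name is
# the first field; a leading "-" on the group name is accepted).
pam_group_counts() {
    awk '{ g = $1; sub(/^-/, "", g) }
         g ~ /^(account|auth|password|session)$/ { n[g]++ }
         END { printf "account=%d auth=%d password=%d session=%d\n",
               n["account"], n["auth"], n["password"], n["session"] }' "$1"
}
# Live system usage: pam_effective_config "" login; pam_unused_config "" login
```

A finding from pam_unused_config means an edit to that file will not change how the service authenticates, which is worth knowing before reviewing or hardening it.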
<P>
From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the
<B>Linux-PAM</B>
library. The important point to recognize is that the configuration file(s)
<I>define</I>
the connection between applications
(<B>services</B>) and the pluggable authentication modules
(<B>PAM</B>s) that perform the actual authentication tasks.
<P>
<B>Linux-PAM</B>
separates the tasks of
<I>authentication</I>
into four independent management groups:
<B>account</B>
management;
<B>auth</B>entication management;
<B>password</B>
management; and
<B>session</B>
management. (We highlight the abbreviations used for these groups in the configuration file.)
<P>
Simply put, these groups take care of different aspects of a typical user's request for a restricted service:
<P>
<B>account</B>
- provides account verification services: has the user's password expired? Is this user permitted access to the requested service?
<P>
<B>auth</B>entication - authenticates a user and sets up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be, please enter your password. Not all authentication is of this type: there are hardware-based authentication schemes (such as smart cards and biometric devices) which, with suitable modules, may be substituted seamlessly for more standard approaches to authentication. Such is the flexibility of
<B>Linux-PAM</B>.
<P>
<B>password</B>
- this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the
<B>auth</B>
group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.
<P>
<B>session</B>
- this group of tasks covers things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The
<B>session</B>
management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.
<A NAME="lbAD">&nbsp;</A>
<H2>FILES</H2>
<P>
/etc/pam.conf
<DL COMPACT><DT id="1"><DD>
the configuration file
</DL>
<P>
/etc/pam.d
<DL COMPACT><DT id="2"><DD>
the
<B>Linux-PAM</B>
configuration directory. Generally, if this directory is present, the
/etc/pam.conf
file is ignored.
</DL>
<P>
/usr/lib/pam.d
<DL COMPACT><DT id="3"><DD>
the
<B>Linux-PAM</B>
vendor configuration directory. Files in
/etc/pam.d
override files with the same name in this directory.
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>ERRORS</H2>
<P>
Typically, errors generated by the
<B>Linux-PAM</B>
system of libraries will be written to
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3).
<A NAME="lbAF">&nbsp;</A>
<H2>CONFORMING TO</H2>
<P>
DCE-RFC 86.0, October 1995. Linux-PAM contains additional features but remains backward compatible with this RFC.
<A NAME="lbAG">&nbsp;</A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?3+pam">pam</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+pam_authenticate">pam_authenticate</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+pam_sm_setcred">pam_sm_setcred</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+pam_strerror">pam_strerror</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?7+PAM">PAM</A></B>(7)
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="4"><A HREF="#lbAB">NAME</A><DD>
<DT id="5"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="6"><A HREF="#lbAD">FILES</A><DD>
<DT id="7"><A HREF="#lbAE">ERRORS</A><DD>
<DT id="8"><A HREF="#lbAF">CONFORMING TO</A><DD>
<DT id="9"><A HREF="#lbAG">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:09 GMT, March 31, 2021
</BODY>
</HTML>