IBM 10 SP1 EAL4 Server User Manual


 
provides a way to develop programs that are independent of the authentication scheme. These programs need
authentication modules to be attached to them at run-time in order to work. Which authentication module is
to be attached is dependent upon the local system setup and is at the discretion of the local system
administrator.
This section briefly describes PAM, protected databases and their functions, trusted programs and their high
level design implementation, and interaction of the identification and authentication subsystem with audit.
For more detailed information, see Linux System Security, 2nd Edition, by Scott Mann, Ellen Mitchell and
Mitchell Krell; and the Linux Security HOWTO at http://www.tldp.org/HOWTO/Security-HOWTO/index.html
by Kevin Fenzi and Dave Wreski.
5.11.1 Pluggable Authentication Module
PAM is responsible for the identification and authentication subsystem. PAM provides a centralized
mechanism for authenticating all services. PAM allows for limits on access to applications and alternate,
configurable authentication methods. For more detailed information about PAM, see the PAM project Web
site at http://www.kernel.org/pub/linux/libs/pam.
5.11.1.1 Overview
PAM consists of a set of shared library modules, which provide appropriate authentication and audit services
to an application. Applications are updated to offload their authentication and audit code to PAM, which
allows the system to enforce a consistent identification and authentication policy, as well as generate
appropriate audit records. The following trusted programs are enhanced to use PAM:
login
passwd
su
useradd, usermod, userdel
groupadd, groupmod, groupdel
sshd
vsftpd
chage
chfn
chsh
A PAM-aware application generally goes through the following steps:
1. The application makes a call to PAM to initialize certain data structures.
2. The PAM module locates the configuration file for that application from
/etc/pam.d/application_name and obtains a list of PAM modules necessary for servicing
that application. If it cannot find an application-specific configuration file, then it uses
/etc/pam.d/common-*.
3. Depending on the order specified in the configuration file, PAM loads the appropriate modules.
Refer to Section 5.16 for the mechanics of loading a shared library.
4. The pam_loginuid.so object associates the login uid with the login session.
5. The authentication module code performs the authentication, which, depending on the type of
authentication, may require input from the user.
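The lookup and stacking rules in steps 2 and 3 can be exercised with a small parser for /etc/pam.d service files. The following is an added example, not code from the evaluated product or from Linux-PAM itself: the sample service files are constructed for the example (modelled on the "include common-*" layout, with module names such as pam_unix2.so chosen as plausible stand-ins), and the fallback to common-* when no application-specific file exists is implemented exactly as this section states it (the stock Linux-PAM catch-all is the service named "other"; an evaluator checking a real system should confirm which applies). It resolves a service's configuration into the ordered module stack PAM would load, expands "include" lines, rejects include loops, and reports whether pam_loginuid.so is present in the session stack, which is what step 4 relies on.

```python
"""Resolve a PAM service configuration into the ordered module stack.

Added example (not part of the original manual). The /etc/pam.d contents
below are constructed sample files, not copied from any real system.
"""
import re
import shlex

# Constructed stand-in for /etc/pam.d: service name -> file text.
SAMPLE_PAM_D = {
    "common-auth": "auth     required   pam_env.so\n"
                   "auth     required   pam_unix2.so\n",
    "common-account": "account  required   pam_unix2.so\n",
    "common-password": "password required   pam_pwcheck.so nullok\n"
                       "password required   pam_unix2.so nullok use_first_pass\n",
    "common-session": "session  required   pam_limits.so\n"
                      "session  required   pam_unix2.so\n",
    "login": "#%PAM-1.0\n"
             "auth     requisite  pam_nologin.so\n"
             "auth     include    common-auth\n"
             "account  include    common-account\n"
             "password include    common-password\n"
             "session  required   pam_loginuid.so\n"
             "session  include    common-session\n",
}

# Module types PAM stacks separately; the page's fallback covers all four.
COMMON_TYPES = ("auth", "account", "password", "session")

# type  control  module [args...]; control may be a bracketed [key=value ...] form.
LINE_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam_file(text):
    """Return (type, control, module, [args]) tuples; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append((m["type"].lower(), m["control"], m["module"],
                        shlex.split(m["args"])))
    return entries


def _expand(entries, pam_d, chain):
    """Replace 'include' entries with the matching-type lines of the named file."""
    out = []
    for mtype, control, module, args in entries:
        if control != "include":
            out.append((mtype, control, module, args))
            continue
        if module in chain:
            raise ValueError("include loop: " + " -> ".join(chain + [module]))
        if module not in pam_d:
            raise FileNotFoundError(
                f"/etc/pam.d/{module} not found (included by {chain[-1]})")
        included = [e for e in parse_pam_file(pam_d[module]) if e[0] == mtype]
        out.extend(_expand(included, pam_d, chain + [module]))
    return out


def resolve_stack(service, pam_d):
    """Ordered module stack for a service (step 2 lookup, step 3 order).

    If no application-specific file exists, fall back to common-* for every
    module type, as the manual describes.
    """
    if service in pam_d:
        raw = parse_pam_file(pam_d[service])
    else:
        raw = [(t, "include", f"common-{t}", []) for t in COMMON_TYPES]
    return _expand(raw, pam_d, [service])


def module_order(service, pam_d, mtype):
    """Module file names of one type, in the order PAM would invoke them."""
    return [m for t, _c, m, _a in resolve_stack(service, pam_d) if t == mtype]


def uses_loginuid(service, pam_d):
    """True when pam_loginuid.so is in the session stack (needed for audit)."""
    return "pam_loginuid.so" in module_order(service, pam_d, "session")


if __name__ == "__main__":
    for svc in ("login", "vsftpd"):
        print(svc, "session stack:", module_order(svc, SAMPLE_PAM_D, "session"),
              "loginuid:", uses_loginuid(svc, SAMPLE_PAM_D))
```

Run on a real host by replacing SAMPLE_PAM_D with a dict built from the files in /etc/pam.d; a service whose session stack lacks pam_loginuid.so will produce audit records without a usable login uid, which is the condition an evaluator would want to flag.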