https://wiki.sarg.dev/index.php?action=history&feed=atom&title=Pluggable_Authentication_ModulePluggable Authentication Module - Revision history2026-04-13T06:47:38ZRevision history for this page on the wikiMediaWiki 1.44.2https://wiki.sarg.dev/index.php?title=Pluggable_Authentication_Module&diff=396042&oldid=previmported>The RedBurn: +rfc ref2025-02-08T10:43:42Z<p>+rfc ref</p>
<p><b>New page</b></p><div>{{Short description|Flexible mechanism for authenticating users}}<br />
{{refimprove|date=May 2011}}<br />
[[File:PAM Diagramm.svg|thumb|right|Structure]]<br />
A '''pluggable authentication module''' ('''PAM''') is a mechanism to integrate multiple low-level [[authentication]] schemes into a high-level [[application programming interface]] (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by [[Sun Microsystems]] in an [[Open Software Foundation]] [[Request for Comments]] (RFC) 86.0 dated October 1995.<ref>[https://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The Original Solaris PAM RFC]</ref> It was adopted as the authentication framework of the [[Common Desktop Environment]]. As a stand-alone [[open-source]] infrastructure, PAM first appeared in [[Red Hat Linux]] 3.0.4 in August 1996 in the [[Linux PAM]] project. PAM is currently supported in the [[AIX operating system]], [[DragonFly BSD]],<ref>[http://leaf.dragonflybsd.org/cgi/web-man?command=pam&section=ANY PAM manual page of DragonFly BSD]</ref> [[FreeBSD]], [[HP-UX]], [[Linux]], [[macOS]], [[NetBSD]] and [[Solaris (operating system)|Solaris]].<br />
<br />
Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the [[X/Open]] UNIX standardization process, resulting in the '''X/Open Single Sign-on''' ('''XSSO''') standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, [[OpenPAM]]).<br />
<br />
==Criticisms==<br />
Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement [[Kerberos (protocol)|Kerberos]], the most common type of [[Single sign-on|SSO]] used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as [[SPNEGO]] and [[Simple Authentication and Security Layer|SASL]]. This lack of functionality is also the reason [[Secure Shell|SSH]] does its own authentication mechanism negotiation.<br />
<br />
In most PAM implementations, pam_krb5 only fetches [[Ticket Granting Ticket]]s, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.<ref>[http://www.eyrie.org/~eagle/software/pam-krb5/ PAM-KRB5]</ref><br />
<br />
==See also==<br />
* Implementations:<br />
**[[Java Authentication and Authorization Service]]<br />
**[[Linux PAM]]<br />
**[[OpenPAM]]<br />
*[[Identity management]] &ndash; the general topic<br />
*[[Name Service Switch]] &ndash; manages user databases<br />
*[[System Security Services Daemon]] &ndash; SSO implementation based on PAM and NSS<br />
<br />
==References== <br />
<references /><br />
<br />
==External links==<br />
Specifications:<br />
*[https://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The Original Solaris PAM RFC]<br />
*[https://pubs.opengroup.org/onlinepubs/8329799/toc.pdf X/Open Single Sign-on (XSSO) 1997 Draft Working Paper]<br />
<br />
Guides:<br />
*{{webarchive |url=https://web.archive.org/web/20130819174111/http://www.linux.ie/articles/pam.php |date=August 19, 2013 |title=PAM and password control }}<br />
*[http://www.linuxjournal.com/article/2120 Pluggable Authentication Modules for Linux]<br />
*[http://www.informit.com/articles/article.aspx?p=20968 Making the Most of Pluggable Authentication Modules (PAM)]<br />
*[http://docs.oracle.com/cd/E23824_01/html/821-1456/pam-1.html Oracle Solaris Administration: Security Services: Using PAM]<br />
<br />
{{Authentication APIs}}<br />
<br />
[[Category:Open Group standards]]<br />
[[Category:Unix authentication-related software]]<br />
[[Category:Computer access control frameworks]]<br />
[[Category:Computer security standards]]<br />
[[Category:Application programming interfaces]]<br />
<br />
<br />
{{security-software-stub}}</div>imported>The RedBurn