IBM 10 SP1 EAL4 5.11.1 Pluggable Authentication Module

provides a way to develop programs that are independent of the authentication scheme. These programs need authentication modules to be attached to them at run-time in order to work. Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local system administrator.

This section briefly describes PAM, protected databases and their functions, trusted programs and their high-level design implementation, and the interaction of the identification and authentication subsystem with audit. For more detailed information, see Linux System Security, 2nd Edition, by Scott Mann, Ellen Mitchell and Mitchell Krell; and the Linux Security HOWTO at http://www.tldp.org/HOWTO/Security-HOWTO/index.html by Kevin Fenzi and Dave Wreski.
5.11.1 Pluggable Authentication Module
PAM is responsible for the identification and authentication subsystem. PAM provides a centralized mechanism for authenticating all services. PAM allows for limits on access to applications and alternate, configurable authentication methods. For more detailed information about PAM, see the PAM project Web site at http://www.kernel.org/pub/linux/libs/pam.

5.11.1.1 Overview

PAM consists of a set of shared library modules, which provide appropriate authentication and audit services to an application. Applications are updated to offload their authentication and audit code to PAM, which allows the system to enforce a consistent identification and authentication policy, as well as generate appropriate audit records. The following trusted programs are enhanced to use PAM:
login
passwd
su
useradd, usermod, userdel
groupadd, groupmod, groupdel
sshd
vsftpd
chage
chfn
chsh
A PAM-aware application generally goes through the following steps:
1. The application makes a call to PAM to initialize certain data structures.
2. The PAM module locates the configuration file for that application from /etc/pam.d/application_name and obtains a list of PAM modules necessary for servicing that application. If it cannot find an application-specific configuration file, then it uses /etc/pam.d/common-*.
3. Depending on the order specified in the configuration file, PAM loads the appropriate modules. Refer to Section 5.16 for the mechanics of loading a shared library.
4. The pam_loginuid.so object associates the login uid with the login session.
5. The authentication module code performs the authentication, which, depending on the type of authentication, may require input from the user.
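The lookup in steps 2 through 4 can be made concrete with a small resolver: given the contents of /etc/pam.d, it picks /etc/pam.d/application_name or falls back to /etc/pam.d/common-*, follows Linux-PAM "include" lines, and reports the ordered module stack, plus whether the session stack carries pam_loginuid.so (the module that ties the login uid to the session for audit). This is an added example, not code from the IBM document; SAMPLE_PAM_D and its file contents are constructed sample data standing in for a real /etc/pam.d.

```python
# Added example (not from the IBM document): resolve the ordered module stack
# Linux-PAM assembles for a service, using the lookup the text describes
# (/etc/pam.d/<service>, else /etc/pam.d/common-<type>) and following the
# Linux-PAM "include" control. SAMPLE_PAM_D is constructed sample data.

SAMPLE_PAM_D = {
    "login": (
        "auth     requisite  pam_nologin.so\n"
        "auth     include    common-auth\n"
        "account  include    common-account\n"
        "session  required   pam_loginuid.so\n"
        "session  include    common-session\n"
    ),
    "common-auth": "auth required pam_env.so\nauth required pam_unix2.so\n",
    "common-account": "account required pam_unix2.so\n",
    "common-session": "session required pam_limits.so\n",
}

def parse_lines(text):
    """Yield (type, control, module, args) for each non-comment config line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        yield fields[0], fields[1], fields[2], fields[3:]

def _stack_from_file(pam_d, name, mtype, depth=0):
    if depth > 8:                             # refuse runaway include chains
        raise RuntimeError("PAM include nesting too deep")
    stack = []
    for t, control, module, args in parse_lines(pam_d.get(name, "")):
        if t != mtype:
            continue
        if control == "include":              # splice the named file in place
            stack.extend(_stack_from_file(pam_d, module, mtype, depth + 1))
        else:
            stack.append((control, module, args))
    return stack

def resolve_stack(pam_d, service, mtype):
    """Ordered [(control, module, args)] PAM would run for service and type."""
    name = service if service in pam_d else f"common-{mtype}"
    return _stack_from_file(pam_d, name, mtype)

def loginuid_missing(pam_d, service):
    """True when no session module binds the login uid to the session (audit gap)."""
    return all(m != "pam_loginuid.so" for _, m, _ in resolve_stack(pam_d, service, "session"))
```

With the sample data, "sshd" has no service file, so its auth stack is taken from common-auth and its session stack lacks pam_loginuid.so, which loginuid_missing reports.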