provides a way to develop programs that are independent of the authentication scheme. These programs need authentication modules to be attached to them at run-time in order to work. Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local system administrator.

This section briefly describes PAM, the protected databases and their functions, the trusted programs and their high-level design implementation, and the interaction of the identification and authentication subsystem with audit. For more detailed information, see Linux System Security, 2nd Edition, by Scott Mann, Ellen Mitchell and Mitchell Krell, and the Linux Security HOWTO at http://www.tldp.org/HOWTO/Security-HOWTO/index.html by Kevin Fenzi and Dave Wreski.

5.11.1 Pluggable Authentication Module

PAM is responsible for the identification and authentication subsystem. PAM provides a centralized mechanism for authenticating all services. PAM allows for limits on access to applications and alternate, configurable authentication methods. For more detailed information about PAM, see the PAM project Web site at http://www.kernel.org/pub/linux/libs/pam.

5.11.1.1 Overview

PAM consists of a set of shared library modules, which provide appropriate authentication and audit services to an application. Applications are updated to offload their authentication and audit code to PAM, which allows the system to enforce a consistent identification and authentication policy, as well as generate appropriate audit records. The following trusted programs are enhanced to use PAM:

login

passwd

su

useradd, usermod, userdel

groupadd, groupmod, groupdel

sshd

vsftpd

chage

chfn

chsh

A PAM-aware application generally goes through the following steps:

1. The application makes a call to PAM to initialize certain data structures.

2. The PAM module locates the configuration file for that application from /etc/pam.d/application_name and obtains a list of PAM modules necessary for servicing that application. If it cannot find an application-specific configuration file, then it uses /etc/pam.d/common-*.

3. Depending on the order specified in the configuration file, PAM loads the appropriate modules. Refer to Section 5.16 for the mechanics of loading a shared library.

4. The pam_loginuid.so object associates the login uid with the login session.

5. The authentication module code performs the authentication, which, depending on the type of authentication, may require input from the user.
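To make steps 2 to 4 concrete, here is an added example (not code from the manual or from the Linux-PAM project) that resolves an application's module stack the way the text describes: it takes the application-specific file from /etc/pam.d, falls back to the common-* files otherwise, expands `include` lines in file order, and checks that pam_loginuid.so sits in the session stack so the login uid is attached to the session for audit. The /etc/pam.d contents are a constructed sample, and treating the fallback as the concatenation of the four common-* files is an assumption.

```python
import re

# Constructed sample of /etc/pam.d contents (not copied from any real system).
PAM_D = {
    "login": (
        "auth     required  pam_securetty.so\n"
        "auth     include   common-auth\n"
        "account  include   common-account\n"
        "session  required  pam_loginuid.so\n"
        "session  include   common-session\n"
    ),
    "common-auth": "auth     required  pam_unix.so nullok_secure\n",
    "common-account": "account  required  pam_unix.so\n",
    "common-password": "password required  pam_unix.so sha512\n",
    "common-session": "session  required  pam_unix.so\n",
}

# type, control (plain word or [bracketed] form), module, optional arguments
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def read_config(pam_d, app):
    """Step 2: use the application's own file, else the common-* files.
    Returns (type, control, module, args) tuples in the order PAM would
    load them (step 3); 'include' pulls in the lines of the same type
    from the named file, in place."""
    if app in pam_d:
        text = pam_d[app]
    else:
        # assumption: fallback stack = the four common-* files in this order
        text = "".join(pam_d.get("common-" + t, "")
                       for t in ("auth", "account", "password", "session"))
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        mtype, control, module, args = LINE_RE.match(line).groups()
        if control == "include":
            stack.extend(e for e in read_config(pam_d, module) if e[0] == mtype)
        else:
            stack.append((mtype, control, module, args.split()))
    return stack


def loads_loginuid(stack):
    """Step 4: audit needs pam_loginuid.so in the application's session stack."""
    return any(t == "session" and m == "pam_loginuid.so" for t, _, m, _ in stack)
```

Running `loads_loginuid(read_config(PAM_D, "login"))` over a real /etc/pam.d tree (read from disk instead of the constructed dict) is a quick way to confirm which trusted programs actually set the login uid.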

IBM 10 SP1 EAL4 manual Pluggable Authentication Module, Overview