Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C Developers

Book Description

A comprehensive and practical guide to PAM for Linux: how modules work and how to implement them

  • Understand and configure PAM

  • Develop PAM-aware applications and your own PAMs using the API and C

  • How to authenticate users in Active Directory, mount encrypted home directories, load SSH keys automatically, and restrict web and rsh services

In Detail

PAM-aware applications reduce the complexity of authentication. With PAM you can use the same user database for every login process. PAM also supports different authentication processes as required. Moreover, PAM is a well-defined API, and PAM-aware applications will not break if you change the underlying authentication configuration.

The PAM framework is used by most Linux distributions for authentication. Originating from Solaris 2.6 ten years ago, PAM is used today by most proprietary and free UNIX operating systems, including GNU/Linux, FreeBSD, and Solaris, which follow both its design concept and its practical details. PAM is thus a unifying technology for authentication mechanisms in UNIX.

PAM is a modular and flexible authentication management layer that sits between Linux applications and the native underlying authentication system. PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.

First, this book explains how Pluggable Authentication Modules (PAM) simplify and standardize authentication in Linux. It shows in detail how PAM works and how it is configured. Then 11 common modules used across UNIX/Linux distributions are examined and explained, including all their parameters. Installation of third-party modules is discussed, and the development of new modules and PAM-aware applications is outlined.

Table of Contents

  1. Copyright
  2. Credits
  3. About the Author
  4. About the Reviewers
  5. Preface
    1. What This Book Covers
    2. What You Need for This Book
    3. Conventions
    4. Reader Feedback
    5. Customer Support
      1. Downloading the Example Code for the Book
      2. Errata
      3. Questions
  6. 1. Introduction to PAM
    1. History of PAM
    2. PAM Solves the Authentication Problem
    3. Need for PAM
    4. Installing Linux-PAM
      1. Downloading
      2. Compiling
      3. Extra Modules
    5. PAM Implementations
    6. Summary
  7. 2. Theory of Operation
    1. PAM File System Layout
    2. The PAM Framework
    3. Online Documentation
    4. Services
    5. Management Groups
      1. The Auth Group
      2. The Account Group
      3. The Session Group
      4. The Password Group
    6. Stacking
    7. Control Flags
      1. Requisite
      2. Required
      3. Sufficient
      4. Optional
      5. Order matters
    8. Consolidating Your PAM Configuration
    9. Securing Your Environment
      1. An Example
    10. Summary
  8. 3. Testing and Debugging
    1. Where to Test?
    2. Leaving a Back Door Open
    3. Test Cases
    4. Getting Backstage
      1. Enabling Logging
      2. Reading the Log
    5. The pamtester Utility
    6. Automating PAM Tests
    7. Bad Example
    8. Summary
  9. 4. Common Modules
    1. Parameters
      1. debug
      2. use_first_pass
      3. try_first_pass
      4. expose_account
    2. Modules Related to User Environments
      1. pam_mkhomedir
      2. pam_mount
    3. Modules Used to Restrict Access
      1. pam_succeed_if
      2. pam_nologin
      3. pam_wheel
      4. pam_access
      5. pam_deny
    4. Modules Related to Back-End Storage
      1. pam_unix
      2. pam_winbind
      3. pam_ldap
      4. pam_mysql
    5. Summary
  10. 5. Recipes
    1. Encrypted Home Directories
    2. Working with Secure Shell
    3. Apache htaccess Made Smart
    4. Directory Services
      1. Winbind
        1. Overview
        2. Winbind Configuration
        3. Kerberos
        4. Joining the Directory
        5. Finally PAM
      2. LDAP
        1. Installation
        2. The LDAP Client
        3. The Name Service Switch
        4. PAM Configuration
    5. Limiting r-Services
    6. Limiting Resources
    7. Summary
  11. 6. Developing with PAM
    1. PAM-aware Applications
      1. Opening and Closing a PAM Session
      2. Authenticating the User
      3. Account Health Check
      4. Manipulating the PAM Handling Data Structure
      5. Conversation Functions
      6. Working with Error Messages
    2. Developing your Own PAM Modules
      1. The Management Groups
      2. Return Codes
      3. Supporting Functions
      4. Compiling
    3. Summary
  12. A. Source code
    1. Vault — Secure Database
    2. The ssh_tunnels Module