source-git / pam

Clone
Source Code
GIT

Files

  1.   7e982e56f66b90061d5bf584115f1a5d137a728a
  2.   doc
  3.   man
  4.   pam.8.xml
Blob Blame History Raw 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">

<refentry id='pam8'>

  <refmeta>
    <refentrytitle>pam</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv id='pam8-name'>
    <refname>PAM</refname>
    <refname>pam</refname>
    <refpurpose>Pluggable Authentication Modules for Linux</refpurpose>
  </refnamediv>

  <refsect1 id='pam8-description'>
    <title>DESCRIPTION</title>
    <para>
      This manual is intended to offer a quick introduction to
      <emphasis remap='B'>Linux-PAM</emphasis>. For more information
      the reader is directed to the
      <emphasis remap='B'>Linux-PAM system administrators' guide</emphasis>.
    </para>

    <para>
      <emphasis remap='B'>Linux-PAM</emphasis> is a system of libraries
      that handle the authentication tasks of applications (services) on
      the system. The library provides a stable general interface
      (Application Programming Interface - API) that privilege granting
      programs (such as <citerefentry>
      <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry> and <citerefentry>
      <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>) defer to to perform standard authentication tasks.
    </para>

    <para>
      The principal feature of the PAM approach is that the nature of the
      authentication is dynamically configurable.  In other words, the
      system administrator is free to choose how individual
      service-providing applications will authenticate users. This dynamic
      configuration is set by the contents of the single
      <emphasis remap='B'>Linux-PAM</emphasis> configuration file
      <filename>/etc/pam.conf</filename>. Alternatively, the configuration
      can be set by individual configuration files located in the
      <filename>/etc/pam.d/</filename> directory. The presence of this
      directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to
      <emphasis remap='I'>ignore</emphasis> <filename>/etc/pam.conf</filename>.
    </para>

    <para>
      Vendor-supplied PAM configuration files might be installed in
      the system directory <filename>/usr/lib/pam.d/</filename> instead
      of the machine configuration directory <filename>/etc/pam.d/</filename>.
      If no machine configuration file is found, the vendor-supplied file
      is used. All files in <filename>/etc/pam.d/</filename> override
      files with the same name in <filename>/usr/lib/pam.d/</filename>.
    </para>

<para>From the point of view of the system administrator, for whom this
manual is provided, it is not of primary importance to understand the
internal behavior of the
<emphasis remap='B'>Linux-PAM</emphasis>
library.  The important point to recognize is that the configuration
file(s)
<emphasis remap='I'>define</emphasis>
the connection between applications
<emphasis remap='B'></emphasis>(<emphasis remap='B'>services</emphasis>)
and the pluggable authentication modules
<emphasis remap='B'></emphasis>(<emphasis remap='B'>PAM</emphasis>s)
that perform the actual authentication tasks.</para>


<para><emphasis remap='B'>Linux-PAM</emphasis>
separates the tasks of
<emphasis remap='I'>authentication</emphasis>
into four independent management groups:
<emphasis remap='B'>account</emphasis> management;
<emphasis remap='B'>auth</emphasis>entication management;
<emphasis remap='B'>password</emphasis> management;
and
<emphasis remap='B'>session</emphasis> management.
(We highlight the abbreviations used for these groups in the
configuration file.)</para>


<para>Simply put, these groups take care of different aspects of a typical
user's request for a restricted service:</para>


<para><emphasis remap='B'>account</emphasis> -
provide account verification types of service: has the user's password
expired?; is this user permitted access to the requested service?</para>

<!-- .br -->
<para><emphasis remap='B'>auth</emphasis>entication -
authenticate a user and set up user credentials. Typically this is via
some challenge-response request that the user must satisfy: if you are
who you claim to be please enter your password. Not all authentications
are of this type, there exist hardware based authentication schemes
(such as the use of smart-cards and biometric devices), with suitable
modules, these may be substituted seamlessly for more standard
approaches to authentication - such is the flexibility of
<emphasis remap='B'>Linux-PAM</emphasis>.</para>

<!-- .br -->
<para><emphasis remap='B'>password</emphasis> -
this group's responsibility is the task of updating authentication
mechanisms. Typically, such services are strongly coupled to those of
the
<emphasis remap='B'>auth</emphasis>
group. Some authentication mechanisms lend themselves well to being
updated with such a function. Standard UN*X password-based access is
the obvious example: please enter a replacement password.</para>

<!-- .br -->
<para><emphasis remap='B'>session</emphasis> -
this group of tasks cover things that should be done prior to a
service being given and after it is withdrawn. Such tasks include the
maintenance of audit trails and the mounting of the user's home
directory. The
<emphasis remap='B'>session</emphasis>
management group is important as it provides both an opening and
closing hook for modules to affect the services available to a user.</para>

</refsect1>

  <refsect1 id='pam8-files'>
    <title>FILES</title>
    <variablelist>
      <varlistentry>
        <term><filename>/etc/pam.conf</filename></term>
        <listitem>
          <para>the configuration file</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><filename>/etc/pam.d</filename></term>
        <listitem>
          <para>
            the <emphasis remap='B'>Linux-PAM</emphasis> configuration
            directory. Generally, if this directory is present, the
            <filename>/etc/pam.conf</filename> file is ignored.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><filename>/usr/lib/pam.d</filename></term>
        <listitem>
          <para>
            the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
            directory. Files in <filename>/etc/pam.d</filename> override
            files with the same name in this directory.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id='pam8-errors'>
    <title>ERRORS</title>
    <para>
      Typically errors generated by the
      <emphasis remap='B'>Linux-PAM</emphasis> system of libraries, will
      be written to <citerefentry>
      <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>

  <refsect1 id='pam8-conforming_to'>
    <title>CONFORMING TO</title>
    <para>
      DCE-RFC 86.0, October 1995.
      Contains additional features, but remains backwardly compatible
      with this RFC.
    </para>
  </refsect1>

  <refsect1 id='pam8-see_also'>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>
</refentry>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation