Pluggable authentication module

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme. PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD,^[1] FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris.

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).

Criticisms

Since most PAM implementations do not interface with remote clients themselves, PAM on its own cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation.

In most PAM implementations, pam_krb5 only fetches Ticket Granting Tickets, which involves prompting the user for credentials and are only used for initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.^[2]

References

External links

The original PAM RFC
PAM and password control at the Wayback Machine (archived August 19, 2013)
Pluggable Authentication Modules for Linux
Making the Most of Pluggable Authentication Modules (PAM)
Oracle Solaris Administration: Security Services: Using PAM

Authentication

Authentication APIs	BSD Authentication (BSD Auth) eAuthentication Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) OAuth OpenID OpenID Connect (OIDC) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)

Authentication protocol	ACF2 AKA CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) Kerberos LAN Manager NT LAN Manager (NTLM) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam

This article is issued from Wikipedia - version of the 11/14/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.

Pluggable authentication module

Criticisms

See also

References

External links