Pluggable AuthenticationModule
Ahmed Madkour
The Authentication Problem
– Traditionally, UNIX authentication is done by comparing the (encrypted) password for users in the password file /etc/shadow.
– Each program that requires authentication implements its own authentication mechanisms.
– Authentication mechanism becomes more visible when you add various applications that are doing some sort of authentication.
– Like: Logging from a graphical user interface using display managers.– Services like : FTP, TELNET, IMAP, SSH.– As a system administrator you will end up spending a lot of time maintaining many
user database besides /etc/passwd.
Need for PAM
– With PAM, the system administrator can use the same user database for every login process of your system.
– It is possible to use more than one underlying authentication mechanisms (back end) controlled by PAM and transparent to the users.
– PAM-aware applications will not break if the system administrator changes the underlying authentication configuration.
– Using PAM for authentication requires much less programming than developing a complete set of authentication functions.
4
History of PAM
– In 1995, developers from Sun Microsystems implement a generic framework for Solaris.
– In Aug 1997, when Solairs 2.6 was released PAM was an integrated component of the operating system.
– In Feb 1997, the Linux-PAM project began– Now most GNU/Linux distributions today are using PAM.
Theory of Operation
– The theory of operations is independent of the operating system and PAM implementation.
– In order to configure PAM successfully, you need to have all the components working together correctly.
– PAM framework is complex and not forgiving when it comes to errors.
PAM File System Layout
/lib
libpam.so.0
pam_unix.so
pam_deny.so
security
login
ssh
other
pam.d
pam.confetc
security
access.conf
pam_mount.confusr
include
securitypam_modules.hpam_appl.hpam_misc.h
PAM File System Layout (Cont.)
– The PAM-aware applications are linked against the PAM library, which located in /lib/ directory with the name libpam-X.so.0
– Configuration of PAM can be done in two ways• Put everything in one single file /etc/pam.conf• Or split the configuration by service in the directory /etc/pam.d
– Some PAM modules required configurations files beside the PAM configuration to operate.
PAM Framework
– PAM relies on dynamically loaded modules.– A module can provide mechanisms to authenticate user information stored in a
particular back end.– A PAM service module is a shared library that provides authentication and
other security services to applications such as login, or telnet.– The four types of PAM services are:
• Authentication service modules.• Account management modules.• Session management modules.• Password management modules.
Application
Login
Telnet
PAMAPI
PAM Lib/lib/libpam.so
pam.d Pam.conf
PAM Services Modules
pam_unix.so
pam_ldap.so
pam_mount.so
/etc/passwd
LDAPserver
/etc/security/
pam_mount.
conf
OtherAppl
PAM Framework (Cont.)
– Each Service can use PAM in four different stages of the Authentication process.
– These stages are called management groups.– A module provides the functionality for one or more management Groups.– You can think about it as a different module for each group.
Management Groups
– Provides two functions:• First the user can be validated• Second, credentials are granted by the auth management group
The Auth Group
Management Groups (Cont.)
– The access to a service is controlled by the account management group.– You might only be allowed to use a service
• A number of times per week.• In certain periods of the day.• Or, if your account is not yet expired.
The Account Group
Management Groups (Cont.)
– The environment for a given service is built up by the session management group.– When you stop using a service , the session groups tears down the environment.– When creating the environment the data required for proper operation will be
loaded.
The Session Group
Management Groups (Cont.)
– It is only used when a user wishes to update the password.– With PAM you separate passwords changing applications from the back-end
storage.
The Password Group
Management Groups (Cont.)
Stacking
– For each management groups you can define a set or a stack of modules, which are used in turn.
– The order of calling is determined by the order in the configuration (service) file.
– Changing the order in the stack might have great impact on the functionality.
auth [success=1 default=ignore] pam_unix.so nullok_secureauth [success=1 default=ignore] pam_unix.so nullok_secureauth required pam_permit.so
– A module can either return success or failure.– Some answers are more important than others.– The control flags can change the flow and how decisions are made.
Control Flags
– If is the strongest of the flags.– If a module is flagged as requisite, and it fails, PAM will return to the calling
applications instantly and report the failure.
Requisite
Control Flags (Cont.)
– The return code for a required module is stored.– In the case of failure, execution is not stopped but continues to the next module.– When the stack of modules has been executed, and at least one required module
has failed, PAM will return failure to the calling application.
Required
Control Flags (Cont.)
– A sufficient module can actually be quite strong.– The processing of the stack is stopped if a sufficient module returns OK, if
no previous required module has failed.– If there are required modules after the sufficient modules, these modules
are not called.
Sufficient
Control Flags (Cont.)
– A failure does not alter the execution of the stack as in the case of the requisite flag.
– The return code is ignored, and neither failure nor success is taken into account
Optional
Control Flags (Cont.)
Developing with PAM
Data structure initialized
Checking user
pam_unix
Conversation function
Application
time
PAM Application
PAM runtime Module
pam_auth
pam_handle
pam_start
Data structure destroyed
pam_end
References
– The Definitive Guide to PAM for Linux SysAdmins and C Developers.– The Linux-PAM Guides http://www.kernel.org/pub/linux/libs/pam/– Linux CBT PAM.– PAM manual pages.