PAM – pluggable authentication modules

Razni moduli koji služe za autentifikaciju raznih programa.
U folderu /etc/pam.d/ se nalaze konfiguracioni fajlovi vezani za svaku aplikaciju koja korisnti PAM, i nose isto ime kao i sama aplikacija. Npr pam_unix.so rukovodi osnovnom Linux autentifikacijom kroz /etc/passwd, /etc/group and /etc/shadow fajlove.
Postoji 4 tipa PAM modul interfejsa :
auth — This module interface authenticates use. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.
account — This module interface verifies that access is allowed. For example, it checks if a user account has expired or if a user is allowed to log in at a particular time of day.
password — This module interface is used for changing user passwords.
session — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user’s home directory and making the user’s mailbox available.
Postoji nekoliko jednostavnih flegova/zastavica :
required — The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.
requisite — The module result must be successful for authentication to continue. However, if a test fails at this point, the user is notified immediately with a message reflecting the first failed required or requisite module test.
sufficient — The module result is ignored if it fails. However, if the result of a module flagged sufficient is successful and no previous modules flagged required have failed, then no other results are required and the user is authenticated to the service.
optional — The module result is ignored. A module flagged as optional only becomes necessary for successful authentication when no other modules reference the interface.
include — Unlike the other controls, this does not relate to how the module result is handled. This flag pulls in all lines in the configuration file which match the given parameter and appends them as an argument to the module.

Pet default sistemskih konfiguracionih fajlova su :
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive

Dobar link : PAM