
SysAdmin: PAM – Pluggable Authentication Modules

“PAM (Pluggable Authentication Modules) provides the backbone of
most authentication in modern Linux systems (and can be implemented
in others, such as Solaris), yet it is typically ignored and
woefully under-utilized. Anytime you log into a modern Linux
system, whether via telnet, ssh, pop, ftp, and so on, you are using
PAM to process the authentication request. Anytime you need to
authenticate to change your password (passwd), or login shell
(chsh), you are talking to PAM.

“In the ‘olden’ days of Linux (and UNIX, and most computing
systems come to think of it) the usernames and passwords were
stored in a text file. This file, of course, had to be readable to
everyone, which resulted in many security breaches. The first
improvement to this system was the introduction of encrypted
passwords. Unfortunately, the early algorithms that used crypt for
password encryption were good 10 years ago, but as modern computers
got faster, it became feasible for an attacker to copy the password
files and attempt to brute-force guess all the passwords on a fast
system. The attacker could then use the passwords to gain access to
the target system. This type of attack bypassed any mechanisms to
prevent brute-force guessing the password (e.g., after three bad
logins, you have to wait a minute to try again). This problem was
partially fixed by the move to ‘shadow’ passwords.”

“With shadow passwords, instead of keeping the user data and
encrypted password in the same file, the password was kept in a
separate file that only the system could access. Unfortunately, any
program that needed to authenticate users had to be recompiled with
shadow password support, and this process could take quite a while
because every network daemon, and numerous local utilities, had to
be updated. If you later decided to use smart cards to authenticate
users, you would have to recompile everything. Additionally, the
system was rather inflexible – if you wanted only certain users to
access a service (such as ftp), it would need some internal
mechanism to support this, and many network daemons do not have
these mechanisms.”
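The two weaknesses the excerpt above describes (password hashes kept in a world-readable file, and the later shadow file that must stay readable by the system alone) are easy to audit on a running host. The POSIX shell script below is an added example, not code from the article or any PAM project: it scans a passwd-format file for entries whose password field still holds a hash or is empty, and checks that a shadow-format file grants no permissions to "other". The sample files, the hash string and the function names are all constructed for the example; on a real system you would point the functions at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the article: audit a passwd-format file for
# entries whose password field still holds a hash (pre-shadow layout) or is
# empty, and check that a shadow-format file is unreadable by "other".

# check_passwd_line LINE
# Exit 0 when field 2 is the shadow marker "x"; 1 when it holds a hash or
# lock string; 2 when it is empty (account with no password at all).
check_passwd_line() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        x)  return 0 ;;   # real hash lives in the shadow file
        "") return 2 ;;   # empty password field
        *)  return 1 ;;   # hash (or lock marker) exposed in a world-readable file
    esac
}

# audit_passwd_file FILE
# Prints the user name of every entry that fails check_passwd_line, one per line.
audit_passwd_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ""|\#*) continue ;; esac
        if ! check_passwd_line "$line"; then
            printf '%s\n' "$line" | cut -d: -f1
        fi
    done < "$1"
}

# shadow_mode_ok FILE
# Exit 0 only when the "other" permission bits of FILE are all clear, i.e. the
# file is readable by the system (root, and usually a shadow group) alone.
shadow_mode_ok() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# --- constructed sample data (not a real system's files; the hash is fake) ---
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/pamdemo.XXXXXX")
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
legacy:$1$fakesalt$notarealhashjustfortheexample:1001:1001:Legacy user:/home/legacy:/bin/sh
guest::1002:1002:No password set:/home/guest:/bin/sh
EOF
: > "$SAMPLE_DIR/shadow";     chmod 640 "$SAMPLE_DIR/shadow"
: > "$SAMPLE_DIR/shadow_bad"; chmod 644 "$SAMPLE_DIR/shadow_bad"

# Stand-alone run: report the findings for the sample files.
printf 'entries with a hash or empty password in passwd: %s\n' \
    "$(audit_passwd_file "$SAMPLE_DIR/passwd" | tr '\n' ' ')"
for f in shadow shadow_bad; do
    if shadow_mode_ok "$SAMPLE_DIR/$f"; then
        printf '%s: mode ok\n' "$f"
    else
        printf '%s: readable by other\n' "$f"
    fi
done
```

The "other" bits are read from the first ten characters of `ls -ld` output, which POSIX fixes, so the check does not depend on GNU or BSD `stat` flags. A lock marker such as `!` or `*` in /etc/passwd is also flagged, because on a shadow-enabled system that field should contain only `x`; the real lock state belongs in the shadow file.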
