Pluggable Authentication Module
 | This article needs additional citations for verification. (May 2011) |
A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995.[1] It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD,[2] FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.
Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).
Criticisms
Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation.
In most PAM implementations, pam_krb5 only fetches Ticket Granting Tickets, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.[3]
See also
- Implementations:
- Identity management – the general topic
- Name Service Switch – manages user databases
- System Security Services Daemon – SSO implementation based on PAM and NSS
References
External links
Specifications:
Guides:
- PAM and password control at the Wayback Machine (archived August 19, 2013)
- Pluggable Authentication Modules for Linux
- Making the Most of Pluggable Authentication Modules (PAM)
- Oracle Solaris Administration: Security Services: Using PAM
| Authentication APIs |
|
|---|---|
| Authentication protocols |
|
 | This security software article is a stub. You can help Wikipedia by adding missing information. |
Content Disclaimer
Informasi ini disarikan dari Wikipedia dan disajikan kembali untuk tujuan edukasi. Konten tersedia di bawah lisensi CC BY-SA 3.0. Kami tidak bertanggung jawab atas ketidakakuratan data yang bersumber dari kontribusi publik tersebut.
- The information displayed on this website is sourced in part or in whole from Wikipedia and has been adapted for the purpose of restating it. We strive to provide accurate and relevant information, however:
- There is no guarantee of absolute accuracy. Wikipedia is an open, collaborative project that can be edited by anyone, so information is subject to change.
- It is not intended to constitute professional advice. The content displayed is for informational and educational purposes only. For important decisions (e.g., medical, legal, or financial), please consult a professional.
- Content copyright. Wikipedia is licensed under the Creative Commons Attribution-ShareAlike License (CC BY-SA). This means that content may be reused with appropriate attribution and shared under a similar license.
- Responsible use. Any risk arising from the use of information from this website is entirely the responsibility of the user.