In this section, we describe how PAM operates, how to configure PAM in general, and the keywords and options associated with the PAM configuration files. Figure 5.1 presents an overview of the Linux-PAM interaction with Linux applications. The diagram depicts the major components of a PAM implementation: applications such as login, ftp, and su, and the Linux-PAM engine (the PAM libraries, found in /lib), which is responsible for loading the necessary PAM modules based on the configuration files. The general flow of execution follows:

Fig. 5.1 Linux-PAM Overview

  1. The application—for example login—makes an initial call to Linux-PAM.

  2. Linux-PAM locates the appropriate configuration file in /etc/pam.d (or, alternatively, /etc/pam.conf) to obtain the list of modules necessary for servicing this request.

  3. Linux-PAM then loads each module in the order given in the configuration file for processing. Depending upon configuration parameters, not all modules listed in the configuration file will necessarily be invoked.

  4. Some, or all, of the modules may need to have a conversation with the user through the calling application. This conversation normally includes prompting the user for some sort of information, like a password or challenge, and receiving a response. If the user's response satisfies the particular PAM module, or if the PAM module is satisfied in some other way, control is passed back to Linux-PAM for processing of the next module (steps 3 and 4 being repeated for each module in the configuration file associated with the application in question). Ultimately, the processing completes with either success or failure. In the case of failure, it is generally true that the error message displayed to the user will not be indicative of the cause of failure. This generic error messaging approach is a security feature since it limits information that could be used in compromise efforts. Fortunately, most PAM modules offer varying levels of logging, allowing system administrators to track down problems and identify security violations.
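The stack walk in steps 2 through 4 can be modeled in a few lines; the following is an added example, not code from Linux-PAM or from the original text, showing why some listed modules are never invoked and how the user sees one generic message while the log records the failing module. It assumes the four simple Linux-PAM control values (requisite, required, sufficient, optional) with simplified semantics, and the configuration text, module outcomes, and function names are constructed for illustration.

```python
# Simplified model of one Linux-PAM stack walk (added example).
# Config text and module outcomes are constructed sample data.
SAMPLE_CONFIG = """\
# /etc/pam.d/example (constructed sample)
auth     requisite   pam_securetty.so
auth     sufficient  pam_rootok.so
auth     required    pam_unix.so nullok
auth     optional    pam_lastlog.so
account  required    pam_unix.so
"""

def parse_stack(text, mgmt_type):
    """Return (control, module, args) entries of one type, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_stack(stack, outcomes):
    """Walk the stack using the four simple control flags.

    outcomes maps module name -> True (success) or False (failure);
    a module missing from the map is treated as failing.
    Returns (granted, user_message, log). log records every module that
    was actually invoked; user_message never names the failing module.
    """
    log, failed = [], False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)
        log.append(f"{module} [{control}] {'ok' if ok else 'FAILED'}")
        if not ok and control == "requisite":
            failed = True
            break              # fail immediately; later modules never run
        if not ok and control == "required":
            failed = True      # final result is failure, but keep going
        if ok and control == "sufficient" and not failed:
            break              # succeed immediately; later modules never run
        # "optional" results are ignored in this simplified model
    message = "Login successful" if not failed else "Authentication failure"
    return (not failed), message, log

if __name__ == "__main__":
    auth = parse_stack(SAMPLE_CONFIG, "auth")
    bad_password = {"pam_securetty.so": True, "pam_lastlog.so": True}
    granted, message, log = run_stack(auth, bad_password)
    print(message)             # what the user sees
    print("\n".join(log))      # what the administrator sees
```

A failed `required` module still lets the rest of the stack run, so the user-visible message is identical whether the stack stopped at the first module or ran to the end.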
