A pluggable authentication module (PAM) is a mechanism that originated on the Linux platform. Apple has ported PAM to Mac OS X because Mac OS X uses several open source applications that rely on PAM for authentication. PAM uses libraries and modules that describe which credentials are allowed and valid for a particular service.
Of special importance are the Apple-specific authentication methods that Apple has added to its implementation of PAM, which allow PAM to authenticate accounts stored in Open Directory. PAM service definitions are stored as a configuration file or files in /etc/pam.d. These configuration files define the connection between applications (services) and the pluggable authentication modules that perform the actual authentication tasks.
When a PAM-aware privilege-granting application starts, it activates its attachment to the PAM application programming interface (API). This activation performs numerous tasks, most importantly reading the configuration files in the /etc/pam.d/ directory. These configuration files list which PAMs will do the authentication tasks required by this service, and how the PAM API should behave if individual PAMs fail.
PAM Management Groups
PAM separates the tasks of authentication into four independent management groups: account, authentication, password, and session. These management groups carry out different aspects of a typical user’s request for a restricted service:
– account provides account verification types of service: Has the user’s password expired? Is this user permitted access to the requested service?
– authentication establishes that the user is who they claim to be. Typically, this is via some challenge-response request that the user must satisfy, such as, “If you are who you claim to be, please enter your password.” In place of standard approaches to authentication, you can give PAM greater flexibility by substituting one of the many ways to prove identity, such as the use of smart cards and biometric devices, for passwords.
– password updates authentication mechanisms, such as standard UNIX password-based access.
– session covers tasks that should be done prior to a service being granted and after it is withdrawn. Examples include maintaining audit trails and unmounting the user home directory. These tasks provide both an opening and closing hook for modules to affect the services available to a user.
One service of particular significance that relies on PAM is SSH. The configuration file that PAM uses is /etc/pam.d/sshd. The contents of a sample configuration file are as follows:
# sshd: auth account password session
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_securityserver.so
password required pam_deny.so
session required pam_launchd.so
session optional pam_afpmount.so
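The sample file above reads top to bottom, and the effect of each line depends on its control flag (required, sufficient, optional, and the stricter requisite). The following simulator is an added example, not Apple's or the PAM library's own code: it parses the sshd configuration text (embedded inline, copied from the sample above) and walks one management group's stack with the classic control-flag rules, taking each module's pass/fail result from a dictionary supplied by the caller rather than running real modules. The helper names (parse_pam_config, run_stack, without_auth_backstop) are assumptions of this example. It shows why pam_nologin.so is "required" rather than "sufficient", why a "sufficient" module stops the walk early, and what the final "auth required pam_deny.so" line protects against: without it, a stack in which every "sufficient" module fails still falls through to success on the strength of the earlier "required" pam_nologin.so result.

```python
"""Simulate how PAM walks a stack from an /etc/pam.d file.

Added example; not Apple's or the PAM library's code. The control-flag
semantics follow the classic rules:
  required   - failure is remembered and the stack still walks to the end
  requisite  - failure ends the stack immediately
  sufficient - success ends the stack with success, unless a required
               module already failed; failure is ignored
  optional   - only decides the outcome when no other module did
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the sample /etc/pam.d/sshd shown on the page.
SAMPLE_SSHD = """\
# sshd: auth account password session
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_securityserver.so
password required pam_deny.so
session required pam_launchd.so
session optional pam_afpmount.so
"""

GROUPS = ("auth", "account", "password", "session")
CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Rule:
    group: str    # management group: auth, account, password, session
    control: str  # control flag
    module: str   # module file name, e.g. pam_unix.so


def parse_pam_config(text: str) -> List[Rule]:
    """Parse 'group control module' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        group, control, module = parts[0], parts[1].lower(), parts[2]
        if group not in GROUPS:
            raise ValueError(f"unknown management group: {group!r}")
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag: {control!r}")
        rules.append(Rule(group, control, module))
    return rules


def run_stack(rules: List[Rule], group: str, results: Dict[str, bool]) -> bool:
    """Return True if the stack for `group` grants access.

    `results` maps module name -> True (success) / False (failure).
    A module absent from `results` is treated as failing, which is also
    exactly what pam_deny.so does.
    """
    stack = [r for r in rules if r.group == group]
    if not stack:
        return False  # an empty stack never grants anything
    impression: Optional[bool] = None  # None = undecided, True/False = leaning
    for rule in stack:
        ok = results.get(rule.module, False)
        if rule.control == "requisite":
            if not ok:
                return False  # stop right here
            if impression is None:
                impression = True
        elif rule.control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False  # remembered; the walk continues
        elif rule.control == "sufficient":
            if ok and impression is not False:
                return True  # short-circuit: later lines are not consulted
        elif rule.control == "optional":
            if ok and impression is None:
                impression = True
    return impression is True


def without_auth_backstop(text: str) -> str:
    """Drop the 'auth required pam_deny.so' line to show the fall-through."""
    return "\n".join(l for l in text.splitlines()
                     if not (l.startswith("auth") and "pam_deny.so" in l))


if __name__ == "__main__":
    rules = parse_pam_config(SAMPLE_SSHD)
    # Directory account verified: pam_unix.so and pam_deny.so are never reached.
    print(run_stack(rules, "auth", {"pam_nologin.so": True, "pam_securityserver.so": True}))
    # /etc/nologin present: required failure blocks even a valid credential.
    print(run_stack(rules, "auth", {"pam_securityserver.so": True}))
    # Same stack with the backstop removed and no credential check passing.
    print(run_stack(parse_pam_config(without_auth_backstop(SAMPLE_SSHD)),
                    "auth", {"pam_nologin.so": True}))
```

The last call is the one to watch: with the backstop removed and both "sufficient" modules failing, the stack ends with only the "required" pam_nologin.so success on record and the user is let in. That is why a terminating "required pam_deny.so" line is a safe default to keep in any stack, and why a review of /etc/pam.d files should check that each auth stack ends in a deny rather than relying on a "sufficient" module to have run.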