Sys Admin Magazine > Archives > 2000 > 0009

PAM -- Pluggable Authentication Modules

Kurt Seifried

PAM (Pluggable Authentication Modules) provides the backbone of most authentication in modern Linux systems (and can be implemented in others, such as Solaris), yet it is typically ignored and woefully under-utilized. Anytime you log into a modern Linux system, whether via telnet, ssh, pop, ftp, and so on, you are using PAM to process the authentication request. Anytime you need to authenticate to change your password (passwd), or login shell (chsh), you are talking to PAM.

In the "olden" days of Linux (and UNIX, and most computing systems, come to think of it), usernames and passwords were stored in a text file. This file, of course, had to be readable by everyone, which resulted in many security breaches. The first improvement to this system was the introduction of encrypted passwords. Unfortunately, the early algorithms that used crypt for password encryption were good 10 years ago, but as modern computers got faster, it became feasible for an attacker to copy the password files and attempt to brute-force guess all the passwords on a fast system. The attacker could then use the passwords to gain access to the target system. This type of attack bypassed any mechanisms to prevent brute-force guessing of the password (e.g., after three bad logins, you have to wait a minute to try again). This problem was partially fixed by the move to "shadow" passwords.

With shadow passwords, instead of keeping the user data and encrypted password in the same file, the password was kept in a separate file that only the system could access. Unfortunately, any program that needed to authenticate users had to be recompiled with shadow password support, and this process could take quite a while because every network daemon, and numerous local utilities, had to be updated.



