Pluggable Authentication module – The PAM

I have been out of the blog-sphere for quite some time. The reason being that I had been quite busy with my work, but got an opportunity to venture into an entirely new domain-The Linux kernel programming and security. Every single day at work had been really challenging. We were developing a two way authentication system using PAM that is Pluggable authentication module. What is PAM all about???

Pluggable authentication module-Introduction

PAM is the module which is responsible for authentication in a unix system. PAM module gets invoked each time you login to a Linux system. The username and password are verified against a set of passwords in /etc/passwd and the user is allowed to login after the credentials are verified. The .so files which are invoked by unix system can be seen in /lib/i386-linux-gnu/security.  As a part of the project, I had made a detailed investigation of various modules of PAM. There are more than 40 module in PAM. The modules are given below:

1. pam_echo : The pam_echo PAM module is for printing text messages to inform user about special things like username, service-name etc.
2. pam_access : The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non-networked logins.
3. pam_deny: his module can be used to deny access.
4. pam_env : The pam_env PAM module allows the (un)setting of environment variables. This module can also parse a file with simple KEY=VAL pairs on separate lines (/etc/environment by default).
5. pam_ftp: This module intercepts the user’s name and password. If the name is ftp or anonymous, the user’s password is broken up at the delimiter into a PAM_RUSER and a PAM_RHOST part; these pam-items being set accordingly. The username (PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the module sets the PAM_AUTHTOK item with the entered password and fails.
6. pam_loginuid : Record user’s login uid to the process attribute.
7. pam_mkhomedir —The pam_mkhomedir module will create a users home directory if it does not exist when the session begins. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre-creating a large number of directories. The skeleton directory (usually /etc/skel/) is used to copy default files and also sets a umask for the creation.
8. pam_rootok — Gain only root access
9. pam_securetty is a PAM module that allows root logins only if the user is logging in on a “secure” tty, as defined by the listing in /etc/securetty.
10. pam_stress : This describes the behavior of this module with respect to the /etc/pam.conf file.
11. pam_succeeded_if : is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated.
12. pam_tally — The login counter (tallying) module
13. pam_tally2 — The login counter (tallying) module
14. pam_tty_audit — Enable or disable TTY auditing for specified users
15. pam_umask : It is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files.
16. pam_warn : PAM module which logs all PAM items if called.
17. pam_filter: This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application. It is only suitable for tty-based and (stdin/stdout) applications.
18. pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file.
19. pam_limits : The pam_limits PAM module sets limits on the system resources that can be obtained in a user session. Users of uid=0 are affected by this limits, too.
20. pam_debug : PAM module to debug the PAM stack
21. pam_exec : PAM module that can be used to run an external command.
22. pam_faildelay: PAM module that can be used to set the delay on failure per-application.
23. pam_localuser : PAM module to help implementing site-wide login policies, where they typically include a subset of the network’s users and a few accounts that are local to a particular workstation.
24. pam_mail : Inform about available mail.
25. pam_motd : PAM module that can be used to display arbitrary motd (message of the day) files after a successful login. By default the /etc/motd file is shown. The message size is limited to 64KB.
26. pam_namespace : PAM module for configuring namespace for a session. If you’re concerned about protecting world-writeable shared directories such as /tmp or /var/tmp from abuse, pam_namespace module can be used. The module creates a separate namespace for users on your system when they login. This separation is enforced by the Linux operating system so that users are protected from several types of security attacks.
27. pam_permit is a PAM module that always permit access. In the case of authentication, the user’s name will be set to nobody if the application didn’t set one. This module is very dangerous. It should be used with extreme caution.
28. pam_pwhistory : PAM module to remember last passwords.
29. pam_time : This PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines.
30. pam_timestamp : Authenticate using cached successful authentication attempts.
31. pam_lastlog: PAM module to display a line of information about the last login of the user.
32. pam_group: The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for.
33. pam_nologin : Prevent non-root users from login.
34. pam_rhosts — The rhosts PAM module.
35. pam_selinux — PAM module to set the default security context In a nutshell, pam_selinux sets up the default security context for the next execed shell. When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context. Also the controlling tty will have it’s security context modified to match the users. Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application.
36. pam_userdb : module is used to verify a username/password pair against values stored in a Berkeley DB database.
37. pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as “cookies”) between users.
38. pam_keyinit : The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring. A PAM module that execute gnome-keyring-daemon and unlock the default keyring.
39. pam_shells : PAM module that only allows access to the system if the users shell is listed in /etc/shell


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s