Linux security is greatly enhanced when authentication to the system is well under control, and PAM plays a central role in that. PAM expands to Pluggable Authentication Modules. I promise to explain PAM in as easy a manner as I can; just read on. Since the blog is tightly focused on the security of Unix-based systems, I assume basic general knowledge of Unix-based operating systems.
What is PAM
PAM is a set of shared libraries with which administrators choose how users are authenticated. PAM has been designed so that the modules can be used with many types of applications: the PAM modules are separate from the applications. Whenever an application wants to authenticate a user, it contacts PAM, which in turn completes the authentication process on the application's behalf. So you can say that the application outsources its job of authentication to PAM. Great for Linux security.
Example applications are ssh, pop, imap and several others.
What Does PAM Apply To
The PAM libraries apply mainly to console-based applications. Any application which can be accessed via the console is, in most cases, able to use PAM.
PAM Aware Applications
PAM is just a system consisting of a set of shared libraries which can do the job of authentication for an application like ssh. So if any application wants to authenticate users via PAM, it can call PAM modules (functions) to ask for user authentication. In that way, authentication can be handled without any change in the application itself. Applications which use the PAM shared libraries for authenticating the user are also called PAM-aware applications.
What Are The Possible Uses of PAM
PAM libraries can be used in various scenarios. The listing is provided here for ready reference:
- Enforcing password length for user accounts. The file /etc/pam.d/system-auth is used for this purpose.
- Disabling access to console programs such as halt, reboot etc. for all general users. If you disable these programs from the console, general users cannot run them from there. /etc/security/console.apps/{service_names} can be used to block access to certain programs from the console.
- Disabling access to the console itself. /etc/pam.d/pam_console.so is used for this purpose.
- Controlling who can log in to the system. /etc/security/access.conf is used for this purpose.
- Limiting user permissions under the console. /etc/pam.d/pam_console.so is used for this purpose.
- You can set limits on the resources which users can consume while accessing the system through the console. /etc/security/limits.conf is used for this purpose.
- You can fully control when and which applications can be accessed through the console: you can set the times at which a user may connect to a particular application via the console. /etc/security/time.conf is used for this purpose.
- You can block the su command for certain or all users; whoever is blocked cannot use su to become another user. /etc/pam.d/su is used for this purpose.
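As an added example (not from this article), here is a small Python auditor that parses PAM stack files of the kind listed above and checks two of those controls: whether an /etc/pam.d/su stack makes pam_wheel.so mandatory, and what minlen a system-auth stack enforces on passwords. The two file contents are constructed samples; pam_wheel.so and pam_pwquality.so are real modules, but the exact stack layout is an assumption.

```python
import re
import shlex
# Constructed sample of an /etc/pam.d/su stack: the pam_wheel.so line makes
# su usable only by members of the wheel group (the last bullet above).
SAMPLE_SU = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      required    pam_wheel.so use_uid
auth      substack    system-auth
account   include     system-auth
session   include     system-auth
"""

# Constructed sample of a system-auth stack enforcing password length.
SAMPLE_SYSTEM_AUTH = """\
auth      required    pam_env.so
auth      sufficient  pam_unix.so nullok try_first_pass
auth      required    pam_deny.so
password  requisite   pam_pwquality.so try_first_pass retry=3 minlen=12
password  sufficient  pam_unix.so sha512 shadow use_authtok
password  required    pam_deny.so
"""

# Stack line: type  control  module  [args]; control may be bracketed, e.g. [success=1 default=ignore].
_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<ctl>\[[^\]]*\]|\S+)\s+(?P<mod>\S+)\s*(?P<args>.*)$")

def parse_pam(text):
    """Return (type, control, module, [args]) tuples; comments, blanks and continuations handled."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append((m["type"].lstrip("-"), m["ctl"], m["mod"], shlex.split(m["args"])))
    return entries

def su_restricted_to_wheel(text):
    """True if the auth stack makes pam_wheel.so mandatory (required or requisite)."""
    return any(t == "auth" and c in ("required", "requisite") and m == "pam_wheel.so"
               for t, c, m, _ in parse_pam(text))

def enforced_minlen(text):
    """Largest minlen= set on a mandatory password-quality module, or None if none is set."""
    lengths = [int(a.split("=", 1)[1]) for t, c, m, args in parse_pam(text)
               if t == "password" and c in ("required", "requisite")
               and m in ("pam_pwquality.so", "pam_cracklib.so") for a in args if a.startswith("minlen=")]
    return max(lengths) if lengths else None
```

Point the two checks at the real files (read their contents instead of the samples) to audit a host; a stack where pam_wheel.so is only "sufficient" or absent will correctly report False.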
The list goes on and on. I’ll be expanding the discussion of PAM in later articles on Linux security. Keep visiting and reading. You may like to bookmark this site to avoid losing any important articles of interest to you in the security domain. Otherwise please sign up for the newsletter and you’ll get articles via mail too.