Editing Pluggable Authentication Module

{{Short description|Flexible mechanism for authenticating users}}
{{refimprove|date=May 2011}}
[[File:PAM Diagramm.svg|thumb|right|Structure]]
A '''pluggable authentication module''' ('''PAM''') is a mechanism to integrate multiple low-level [[authentication]] schemes into a high-level [[application programming interface]] (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by [[Sun Microsystems]] in an [[Open Software Foundation]] [[Request for Comments]] (RFC) 86.0 dated October 1995.<ref>[https://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The Original Solaris PAM RFC]</ref> It was adopted as the authentication framework of the [[Common Desktop Environment]]. As a stand-alone [[open-source]] infrastructure, PAM first appeared in [[Red Hat Linux]] 3.0.4 in August 1996 in the [[Linux PAM]] project. PAM is currently supported in the [[AIX operating system]], [[DragonFly BSD]],<ref>[http://leaf.dragonflybsd.org/cgi/web-man?command=pam&section=ANY PAM manual page of DragonFly BSD]</ref> [[FreeBSD]], [[HP-UX]], [[Linux]], [[macOS]], [[NetBSD]] and [[Solaris (operating system)|Solaris]].

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the [[X/Open]] UNIX standardization process, resulting in the '''X/Open Single Sign-on''' ('''XSSO''') standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, [[OpenPAM]]).

==Criticisms==
Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement [[Kerberos (protocol)|Kerberos]], the most common type of [[Single sign-on|SSO]] used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as [[SPNEGO]] and [[Simple Authentication and Security Layer|SASL]]. This lack of functionality is also the reason [[Secure Shell|SSH]] does its own authentication mechanism negotiation.

In most PAM implementations, pam_krb5 only fetches [[Ticket Granting Ticket]]s, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.<ref>[http://www.eyrie.org/~eagle/software/pam-krb5/ PAM-KRB5]</ref>

==See also==
* Implementations:
**[[Java Authentication and Authorization Service]]
**[[Linux PAM]]
**[[OpenPAM]]
*[[Identity management]] &ndash; the general topic
*[[Name Service Switch]] &ndash; manages user databases
*[[System Security Services Daemon]] &ndash; SSO implementation based on PAM and NSS

==References== 
<references />

==External links==
Specifications:
*[https://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The Original Solaris PAM RFC]
*[https://pubs.opengroup.org/onlinepubs/8329799/toc.pdf X/Open Single Sign-on (XSSO) 1997 Draft Working Paper]

Guides:
*{{webarchive |url=https://web.archive.org/web/20130819174111/http://www.linux.ie/articles/pam.php |date=August 19, 2013 |title=PAM and password control }}
*[http://www.linuxjournal.com/article/2120 Pluggable Authentication Modules for Linux]
*[http://www.informit.com/articles/article.aspx?p=20968 Making the Most of Pluggable Authentication Modules (PAM)]
*[http://docs.oracle.com/cd/E23824_01/html/821-1456/pam-1.html Oracle Solaris Administration: Security Services: Using PAM]

{{Authentication APIs}}

[[Category:Open Group standards]]
[[Category:Unix authentication-related software]]
[[Category:Computer access control frameworks]]
[[Category:Computer security standards]]
[[Category:Application programming interfaces]]


{{security-software-stub}}