# Pluggable Authentication Module

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Pluggable_Authentication_Module
> Markdown URL: https://mediated.wiki/source/Pluggable_Authentication_Module.md
> Source: https://en.wikipedia.org/wiki/Pluggable_Authentication_Module
> Source revision: 1274615444
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

A '''pluggable authentication module''' ('''PAM''') is a mechanism to integrate multiple low-level [authentication](/source/authentication) schemes into a high-level [application programming interface](/source/application_programming_interface) (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by [Sun Microsystems](/source/Sun_Microsystems) in an [Open Software Foundation](/source/Open_Software_Foundation) [Request for Comments](/source/Request_for_Comments) (RFC) 86.0 dated October 1995.<ref>[https://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The Original Solaris PAM RFC]</ref> It was adopted as the authentication framework of the [Common Desktop Environment](/source/Common_Desktop_Environment). As a stand-alone [open-source](/source/open-source) infrastructure, PAM first appeared in [Red Hat Linux](/source/Red_Hat_Linux) 3.0.4 in August 1996 in the [Linux PAM](/source/Linux_PAM) project. PAM is currently supported in the [AIX operating system](/source/AIX_operating_system), [DragonFly BSD](/source/DragonFly_BSD),<ref>[http://leaf.dragonflybsd.org/cgi/web-man?command=pam&section=ANY PAM manual page of DragonFly BSD]</ref> [FreeBSD](/source/FreeBSD), [HP-UX](/source/HP-UX), [Linux](/source/Linux), [macOS](/source/macOS), [NetBSD](/source/NetBSD) and [Solaris](/source/Solaris_(operating_system)).

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the [X/Open](/source/X%2FOpen) UNIX standardization process, resulting in the '''X/Open Single Sign-on''' ('''XSSO''') standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, [OpenPAM](/source/OpenPAM)).
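
As an added illustration (not part of the source article and not code from any PAM implementation), the Python model below shows how the modules configured for a service are combined into the single grant/deny result an application sees, which is what lets the application stay independent of the underlying scheme. It assumes Linux-PAM's documented meaning of the four control keywords; the service file, the choice of modules and the module outcomes are constructed.

```python
# Simplified model of how Linux-PAM walks one stack (for example the "auth"
# lines of a service file). Added illustration, not libpam code. Only the four
# keyword controls are modelled, via their documented bracket equivalents.
ACTIONS = {  # control -> (action when the module fails, action when it succeeds)
    "required":   ("bad",    "ok"),
    "requisite":  ("die",    "ok"),
    "sufficient": ("ignore", "done"),
    "optional":   ("ignore", "ok"),
}

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for lines of the given type; comments skipped."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype and fields[1] in ACTIONS:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module name -> True (success) or False (failure).
    Returns (granted, modules_called)."""
    impression, called = None, []            # None = nothing decided yet
    for control, module in stack:
        called.append(module)
        action = ACTIONS[control][outcome[module]]   # bool indexes the tuple
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if impression and action == "done":
                break                        # success returned immediately
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break                        # failure returned immediately
    # If every module was ignored, nothing vouched for the user: deny.
    return impression is True, called

# Constructed sample service file (not taken from the article).
SAMPLE = """\
# constructed example
auth  requisite   pam_nologin.so
auth  sufficient  pam_krb5.so
auth  required    pam_unix.so try_first_pass
"""
```

When reviewing a real stack, note which `required` modules sit below a `sufficient` line: the model shows they are not called once the `sufficient` module succeeds.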

==Criticisms==
Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement [Kerberos](/source/Kerberos_(protocol)), the most common type of [SSO](/source/Single_sign-on) used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as [SPNEGO](/source/SPNEGO) and [SASL](/source/Simple_Authentication_and_Security_Layer). This lack of functionality is also the reason [SSH](/source/Secure_Shell) does its own authentication mechanism negotiation.

In most PAM implementations, pam_krb5 only fetches [Ticket Granting Ticket](/source/Ticket_Granting_Ticket)s, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.<ref>[http://www.eyrie.org/~eagle/software/pam-krb5/ PAM-KRB5]</ref>

==See also==
* Implementations:
**[Java Authentication and Authorization Service](/source/Java_Authentication_and_Authorization_Service)
**[Linux PAM](/source/Linux_PAM)
**[OpenPAM](/source/OpenPAM)
*[Identity management](/source/Identity_management) – the general topic
*[Name Service Switch](/source/Name_Service_Switch) – manages user databases
*[System Security Services Daemon](/source/System_Security_Services_Daemon) – SSO implementation based on PAM and NSS

==References== 
<references />

==External links==
Specifications:
*[https://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz The Original Solaris PAM RFC]
*[https://pubs.opengroup.org/onlinepubs/8329799/toc.pdf X/Open Single Sign-on (XSSO) 1997 Draft Working Paper]

Guides:
*[https://web.archive.org/web/20130819174111/http://www.linux.ie/articles/pam.php PAM and password control] (archived August 19, 2013)
*[http://www.linuxjournal.com/article/2120 Pluggable Authentication Modules for Linux]
*[http://www.informit.com/articles/article.aspx?p=20968 Making the Most of Pluggable Authentication Modules (PAM)]
*[http://docs.oracle.com/cd/E23824_01/html/821-1456/pam-1.html Oracle Solaris Administration: Security Services: Using PAM]


---
Adapted from the Wikipedia article [Pluggable Authentication Module](https://en.wikipedia.org/wiki/Pluggable_Authentication_Module) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Pluggable_Authentication_Module?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
