Chapter 16. Pluggable Authentication Modules (PAM)

Programs which grant users access to a system verify each user's identity through a process called authentication. Historically, each such program had its own way of performing the task of authentication. Under Red Hat Enterprise Linux, many such programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules or PAM.

PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system.

In most situations, the default PAM configuration file for a PAM-aware application is sufficient. However, sometimes it may become necessary to edit a PAM configuration file. Because misconfiguration of PAM can compromise system security, it is important to understand the structure of these files before making any modifications (refer to Section 3, “PAM Configuration File Format” for more information).

1. Advantages of PAM

PAM offers the following advantages:

• It provides a common authentication scheme that can be used with a wide variety of applications.
• It allows a large amount of flexibility and control over authentication for both system administrators and application developers.
• It allows application developers to develop programs without creating their own authentication scheme.

2. PAM Configuration Files

The directory /etc/pam.d/ contains the PAM configuration files for each PAM-aware application. In earlier versions of PAM, the file /etc/pam.conf was used, but this file is now deprecated and is only used if the /etc/pam.d/ directory does not exist.

2.1. PAM Service Files

Each PAM-aware application or service has a file within the /etc/pam.d/ directory. Each file within this directory bears the name of the service for which it controls access.

It is up to the PAM-aware program to define its service name and install its own PAM configuration file in the /etc/pam.d/ directory. For example, the login program defines its service name as login and installs the /etc/pam.d/login PAM configuration file.
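
The lookup rule from section 2 and the misconfiguration risk noted in the introduction, as an added example that is not part of the original guide: POSIX shell functions that report which file governs a service, list service files that group or others can modify, and flag an /etc/pam.conf that is ignored. The function names, the root-prefix argument, and the `no-service-file` and `no-pam-config` markers are assumptions of this example.

```shell
#!/bin/sh
# Added example. Argument 1 is a root prefix: "/" for the live system,
# or a mounted image / test tree. Markers printed on misses are this example's own.

# Print the file that governs SERVICE: /etc/pam.d/SERVICE when the directory
# exists; /etc/pam.conf only when the directory does not exist.
pam_config_source() {
    root=${1%/}; service=$2
    if [ -d "$root/etc/pam.d" ]; then
        if [ -f "$root/etc/pam.d/$service" ]; then
            printf '%s\n' "$root/etc/pam.d/$service"
        else
            printf 'no-service-file\n'
        fi
    elif [ -f "$root/etc/pam.conf" ]; then
        printf '%s\n' "$root/etc/pam.conf"
    else
        printf 'no-pam-config\n'
    fi
}

# List service files that group or others can modify.
pam_writable_services() {
    root=${1%/}
    [ -d "$root/etc/pam.d" ] || return 0
    find "$root/etc/pam.d" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Print /etc/pam.conf when it coexists with /etc/pam.d/ and is therefore ignored.
pam_stale_conf() {
    root=${1%/}
    if [ -d "$root/etc/pam.d" ] && [ -f "$root/etc/pam.conf" ]; then
        printf '%s\n' "$root/etc/pam.conf"
    fi
}

pam_report() {
    root=${1%/}
    echo "Service files:"
    for f in "$root"/etc/pam.d/*; do
        if [ -f "$f" ]; then echo "  ${f##*/}"; fi
    done
    echo "Writable by group or others:"
    pam_writable_services "$1" | sed 's/^/  /'
    echo "Ignored because /etc/pam.d/ exists:"
    pam_stale_conf "$1" | sed 's/^/  /'
}

if [ "$#" -gt 0 ]; then pam_report "$1"; fi
```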