PAM

tags

ulimits , Linux

Intro

• PAM is basically an auth system.
• When some process tries a username/password combo, pam can decide to allow/reject access.
• Typically /etc/passwd and /etc/shadow is used by default to check the password attempt.
• But this can be configured to use other systems like LDAP or anything else you make a module for and configure it with PAM.
• It is largely used in Directory Services
• PAM also provides other functions, beyond authentication
  • Access control (authorization)
  • Session setup
  • Password changes

PAM and LDAP

• NSCD to handle user, group, dns, caching.
• Kerberos w LDAP server
  • pam_ldap for user look-ups
  • pam_krb5 for authn and authz.
• PAM and NSS can talk to LDAP directly using pam_ldap and nss_ldap , but SSSD has benifits.

SSSD

• System Security Services Daemon
• Instead of directly configuring LDAP, one can use SSSD.
• It has NSS and PAM modules. The modules communicate with the corresponding SSSD responders. SSSD responders talk to the SSSD Monitor. Look up the user in LDAP, uses Kerberos KDC for authN etc.
• Advantage is that it handles everything in a centralised place.
• It provides offline support via its cache. Caching might conflict with nscd

Why PAM is a mess now?

• It seems like it tries to support a lot of things out of the box that may not be relevant these days, like mail and limits.
• Cleartext?? It is plaintext???

Different implementations

• Original PAM
• Linux PAM
• OpenPAM (Used by BSD)

How is authentication handled? (Steps)

• user attempts to log in to some service
• The service authenticating that user will start an authentication session using PAM, with the pam_start function
• pam_start takes arguments (user, service) . The service will pick rules from /etc/pam.d/[service_name] for authentication.
• /etc/pam.d/[service_name] describes a shared object which will be opened with dlopen
  • The PAM library calls functions in the library to process data/collect new data for user.
  • Those shared libraries are in /lib64/security
  • Each shared object should have a man page on your system, describing the arguments and file access.
• Once a user is authenticated, service will need to load information about user (eg. groups). See getpwnam(3)  , getgrouplist(3) 
  • These functions consult nsswitch .
  • Just like PAM, it mentions shared objects that are loaded with dlopen.
  • Those shared objects are at /lib64/libnss_<name>.so.2
• Links
  • pam.conf(5) - Linux manual page 
  • pam_start(3) - Linux manual page 
  • dlopen(3) - Linux manual page 
  • The Linux-PAM Module Writers' Guide 
  • nsswitch.conf(5) - Linux manual page