Appendix A. Configuring PAM
Modern Linux distributions rely on the Pluggable Authentication Modules system for authentication. Part III of this book describes three network authentication tools, all of which can be used in conjunction with PAM to provide authentication for arbitrary servers and other programs that require authentication. In order to avoid duplicating content, therefore, this appendix describes PAM in detail; Part III provides a much briefer description of how PAM interacts with the relevant servers.
In order to get the most out of PAM, it helps to begin with some background—what PAM is, what it can do, why it’s used, and so on. You must also understand the PAM configuration file format; PAM configuration involves editing one or more of these files. From there, knowing something about individual PAM modules, including both the standard ones and those described elsewhere in this book, will help you create an appropriate configuration. Finally, some examples of working PAM configurations will help you understand PAM and provide models you can adapt for your own use.
In Linux’s early days, every server or other tool
that had to authenticate users did so by reading
/etc/password, the traditional Unix account file. This approach was easy to implement, but it had several problems. One of these was that the file, and hence the encrypted password, had to be readable by all users, making it vulnerable to cracking. Another problem is that changes to authentication ...