Manual browser: pam(8)

Section:
Page:
PAM(8) System Manager's Manual PAM(8)

NAME

pamPluggable Authentication Modules framework

DESCRIPTION

The Pluggable Authentication Modules (PAM) framework is a system of libraries that perform authentication tasks for services and applications. Applications that use the PAM API may have their authentication behavior configured by the system administrator though the use of the service's PAM configuration file.

PAM modules provide four classes of functionality:

account
Account verification services such as password expiration and access control.
auth
Authentication services. This usually takes the form of a challenge-response conversation. However, PAM can also support, with appropriate hardware support, biometric devices, smart-cards, and so forth.
password
Password (or, more generally, authentication token) change and update services.
session
Session management services. These are tasks that are performed before access to a service is granted and after access to a service is withdrawn. These may include updating activity logs or setting up and tearing down credential forwarding agents.

A primary feature of PAM is the notion of “stacking” different modules together to form a processing chain for the task. This allows fairly precise control over how a particular authentication task is performed, and under what conditions. PAM module configurations may also inherit stacks from other module configurations, providing some degree of centralized administration.

HISTORY

The Pluggable Authentication Module framework was originally developed by SunSoft, described in DCE/OSF-RFC 86.0, and first deployed in Solaris 2.6. It was later incorporated into the X/Open Single Sign-On Service (XSSO) Pluggable Authentication Modules specifiation.

The Pluggable Authentication Module framework first appeared in NetBSD 3.0.

February 28, 2005 NetBSD 7.0