Pluggable Authentication Modules for Linux

This article describes an implementation of a user-authentication API: the Pluggable-Authentication-Modules API (PAM for short).
The Future

Thanks to the people at Red Hat, many applications are available that have been modified to support the PAM approach to user authentication. In this area, however, more work needs to be done. Indeed, some important applications are still without support. Most notably, the application ssh should be ported. Work is currently underway to provide a flexible X-based conversation function, and it is my feeling that this will lead immediately to a number of more friendly uses for PAM integration, such as popular games.

Most of the current Linux-PAM development is focused on the production of more powerful and varied modules. At last count more than twenty were written and the number is increasing—reflecting the variety of authentication schemes people use within the Linux community. You can be sure that with access to the corresponding hardware, someone out there will write an authentication module for a retinal scanner.

Recent work on the central PAM library,, is directed at testing the security of our implementation. Due to a simple design that is well documented in the OSF-RFC and a friendly dialogue with those maintaining the Sun implementation, this is not proving to be an arduous task. In the six months it has been available, only one or two significant security problems have come to light. Currently, Linux-PAM is in beta-test (although the folks at Red Hat are doing an admirable job of offering production-level support for it). In particular, may even be available by the time you read this article.

Before getting to version 1.00, libpam will also have support for pluggable password-mapping, a method for chaining a number of different passwords together in a secure fashion. This concept (in a non-pluggable form) is discussed in the RFC, however, the X/Open group have since revised it, and we will implement their eventual specification in the coming months.

Further ahead, after releasing version 1.0, we will be modifying the syntax of the PAM configuration file. Current ideas relate to enhancing the control-flag field to be a great deal more flexible. Other changes are likely to be suggested and adopted as the number of administrators using PAM increases.

Finally, is Linux-PAM the only implementation of PAM? Is Linux alone? The answers to these questions are yes and no. At the time of this writing, the Linux implementation of PAM is the only fully functional version of PAM publicly available. This has been the case for at least half a year. However, a partial implementation of PAM is internally present (no /etc/pam.conf file) in Sun's Solaris 2.5. Rumors indicate that Solaris 2.6 will contain a complete, configurable implementation which should be available this year. The Sun implementation for PAM has been contributed to the X/Open group so look for it in other Unix variants in the coming years. If being cross-platform compliant is important to you, you should consult your vendor for more information. Alternatively, all of the source for Linux-PAM is freely available, so if your need is urgent, just read Linux as a synonym for free and try Linux-PAM on your other platforms now.




Andrew Morgan is a postdoctoral researcher in Theoretical High Energy Physics at UCLA. His involvement with Linux-PAM has been in his spare time. The security of Linux-based systems is becoming his primary area of interest, and he is therefore pursuing a change of career. For Linux-related discussion, especially any security flaws in Linux-PAM, you can reach him at



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

PAM for ITDS (LDAP) expiration question

Tony M.'s picture

Mr. Morgan,

I ran across an article you put out in Linux Journal back in Dec/2007 (little over a year ago) concerning the PAM modules for Linux. We run linux on the Mainframe and are using the delivered PAM there (under z/VM).

However, we have a problem with password expirations…..when this happens the end user gets “unknown” or “sorry” for the return message.

I think this is because MF LDAP (ITDS) returns a different set of codes what PAM doesn’t understand. So, is there a way

To capture those codes and give the user MORE details about around the “expired” password. Better yet, prompt for reset of password.

In our case, we want the linux to authenticate users against the MF LDAP (ITDS) detect if the password is expired.

Any info. would be greatly appreciated.