PAM: I'm seeing modules.

If you haven't run into PAM yet, you are probably running Windows. Most Unix-like operating systems nowadays use PAM. That's Solaris, OpenSolaris, all flavours of Linux, FreeBSD and NetBSD. OpenBSD considers that PAM isn't secure enough, and has built its own "version" of PAM called BSDAuth. But that's the life of a paranoid BSD distribution, and because of that we have OpenSSH and OpenSSL. So don't call them loons just yet.

What does PAM stand for? Like everything else, it's an abbreviation: Pluggable Authentication Module. What it actually is may be a bit harder to explain. Learning PAM is like bashing your head against the wall, and when blood starts to squirt onto the wall, you suddenly see how it's all connected. But in an attempt to spare you some head wounds, let's try a simpler way.

PAM is a framework. Into it you plug different authentication modules for different services, and the services are kept separate from each other. So you can have one PAM service for your IMAP server with certain limitations and another for SSH with another set of limitations. Usually these reside in a folder named /etc/pam.d, with one file for each service: imap, ftp, ssh, smtp and so on. There is also at least one of either system or other, which are the default files used if no specific service has been set up.

In each of these files there are four sections (auth, session, password and account), and each of these sections corresponds to a certain part of the authentication process. Each section has a number of modules linked in that set certain parameters and conditions for allowing the authentication to proceed. If one of them fails, you are denied access. Think of it as a long list of if conditions in programming.
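To make the per-service layout concrete, here is an added example (not from the original post) that parses a service file into its four sections, keeping the modules in the order they are listed. It assumes the Linux-PAM line syntax `type control module [arguments]`; the sample file is constructed, and `parse_service` and `modules` are hypothetical helper names.

```python
import re

TYPES = ("auth", "account", "password", "session")

# Constructed sample, modelled on a Linux /etc/pam.d/sshd (not from the post).
SAMPLE = r"""
# PAM configuration for the ssh service
auth      required   pam_env.so
auth      required   pam_unix.so
account   required   pam_nologin.so
account   required   pam_unix.so
password  required   pam_unix.so sha512 \
                     shadow
session   required   pam_limits.so
-session  optional   pam_systemd.so   # '-' prefix: stay quiet if module is absent
"""

# type, control (keyword or [bracketed list]), module, optional arguments
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_service(text):
    """Return {type: [rule, ...]} keeping the order in which modules are listed."""
    stacks = {t: [] for t in TYPES}
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line or line.startswith("@include"):  # Debian-style include: skipped here
            continue
        m = RULE.match(line)
        if not m or m.group(2) not in TYPES:
            raise ValueError(f"line {lineno}: not a PAM rule: {raw!r}")
        quiet, ptype, control, module, args = m.groups()
        stacks[ptype].append({"control": control, "module": module,
                              "args": args.split(), "quiet_if_missing": quiet == "-"})
    return stacks

def modules(stacks, ptype):
    """Module names of one section, in the order the file lists them."""
    return [r["module"] for r in stacks[ptype]]

if __name__ == "__main__":
    for ptype, rules in parse_service(SAMPLE).items():
        print(ptype)
        for r in rules:
            print("   ", r["control"], r["module"], *r["args"])
```

Pointing `parse_service` at the text of a real file under /etc/pam.d gives a quick per-section inventory of which modules a service actually runs, which is a useful first step when reviewing a host's authentication setup.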

As the documentation on the system itself is usually poor and close to non-existent on Linux systems, I would suggest that you read a very good article from FreeBSD. This is the article: Pluggable Authentication Module