Re: Shadow vss PAM
From: Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>
Date: Tue, 20 Aug 1996 18:25:36 +0200 (MET DST)
[...]
What exactly does it offer that shadow doesn't?
For general information, see http://www.redhat.com/linux-info/pam/
and for Linux-PAM: http://gluon.physics.ucla.edu/~morgan/pam/
But to answer your question in short: PAM (which stands for pluggable
authentication modules) is an API that encapsulates (hopefully) all
authentication methods. As a consequence, an authentication client
using PAM does not need to be reengineered any more to be able to use
a new authentication method (e.g kerberos, s/key, id-cards...), but
the new authentication method must be coded once as a PAM module to be
available to all applications.
There are several kinds of modules, that can be transparently chained
together by PAM: e.g. for session logging, for granting/denying access
to a particular service based on the time of the day, tty, host; or to
log every single character the user types for the real paranoid
... you just name it (or implement it and plug it in :-). Another
example: passwd can be configured via PAM to use some custom local
modules for extra password strength checking .
Currently PAM does support unix password files and shadow and some
other utility modules (and work is going on on s/key and kerberos),
which seems enough functionality to get started.
PAM is also a standard (DCE-RFC 86.0).
Patrick.
--
People who are doing things for fun do things the right way by
themselves -- Linus Torvalds
Reply to: