Background

Pluggable Authentication Modules (PAM) is the AAA (Authentication, Authorization, and Accounting) framework used in most Linux/Unix systems. Ubuntu, RHEL, macOS (Mac OS X), FreeBSD, and NetBSD all use PAM for authentication. Most Linux/Unix systems that do not come with PAM can be made to work with PAM.

Abstractly, PAM provides this basic API:

Inputs:
    string username
    string password
Output:
    bool success

Anything that prompts the user for a password (such as sshd, Web server back-ends, and the Linux login console) can query PAM for a login result. PAM only provides top-level access to a system (whether a user can log in at all), and not fine-grained access control (such as which files a user may access).
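
The abstract (username, password) -> success interface above, mapped onto the libpam calls an application makes. This is an added example, not code from the original page; it assumes Linux-PAM and a `login` service definition, and the helper names `make_conv` and `authenticate` are illustrative.

```python
import ctypes
import ctypes.util
from ctypes import CFUNCTYPE, POINTER, Structure, c_char_p, c_int, c_size_t, c_void_p

PAM_SUCCESS, PAM_BUF_ERR = 0, 5      # return codes from Linux-PAM's headers
PAM_PROMPT_ECHO_OFF = 1              # message style used for password prompts

class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):
    # resp must be malloc'd memory: the PAM library free()s it after use
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]

CONV = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                 POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):
    _fields_ = [("conv", CONV), ("appdata_ptr", c_void_p)]

libc = ctypes.CDLL(None)             # C allocator, so PAM can free our replies
libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]

def make_conv(password: bytes) -> CONV:
    """Build the callback PAM modules use to ask the application for input."""
    def conv(n, msgs, resp_out, _appdata):
        block = libc.calloc(n, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_BUF_ERR
        replies = ctypes.cast(block, POINTER(PamResponse))
        for i in range(n):           # answer only hidden (password) prompts
            if msgs[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                replies[i].resp = libc.strdup(password)
        resp_out[0] = replies
        return PAM_SUCCESS
    return CONV(conv)

def authenticate(username: str, password: str, service: str = "login") -> bool:
    """(username, password) -> bool; the service name "login" is an assumption."""
    pam = ctypes.CDLL(ctypes.util.find_library("pam"))
    handle = c_void_p()
    conv = PamConv(make_conv(password.encode()), None)
    if pam.pam_start(service.encode(), username.encode(),
                     ctypes.byref(conv), ctypes.byref(handle)) != PAM_SUCCESS:
        return False
    rc = pam.pam_authenticate(handle, 0)
    if rc == PAM_SUCCESS:            # also reject locked or expired accounts
        rc = pam.pam_acct_mgmt(handle, 0)
    pam.pam_end(handle, rc)
    return rc == PAM_SUCCESS
```

Calling `pam_acct_mgmt` after `pam_authenticate` matters: a correct password alone does not mean the account is allowed to log in.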

Last modified: October 12, 2022
