Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves.
Historically an application that has required a given user to be
authenticated, has had to be compiled to use a specific authentication
mechanism. For example, in the case of traditional UN*X systems, the
identity of the user is verified by the user entering a correct
password. This password, after being prefixed by a two character
``salt'', is encrypted (with crypt(3)). The user is then authenticated
if this encrypted password is identical to the second field of the
user's entry in the system password database (the
/etc/passwd file). On such systems, most if
not all forms of privileges are granted based on this single
authentication scheme. Privilege comes in the form of a personal
user-identifier (UID) and membership of various groups. Services and
applications are available based on the personal and group identity
of the user. Traditionally, group membership has been assigned based
on entries in the
It is the purpose of the Linux-PAM
project to separate the development of privilege granting software
from the development of secure and appropriate authentication schemes.
This is accomplished by providing a library of functions that an
application may use to request that a user be authenticated. This
PAM library is configured locally with a system file,
/etc/pam.conf (or a series of configuration
files located in
/etc/pam.d/) to authenticate a
user request via the locally available authentication modules. The
modules themselves will usually be located in the directory
/lib64/security and take the form of dynamically
loadable object files (see dlopen(3)).