path: root/doc/man/PAM.8
diff options
authorSteve Langasek <>2019-01-03 16:26:05 -0800
committerSteve Langasek <>2019-01-03 17:26:38 -0800
commit9c52e721044e7501c3d4567b36d222dc7326224a (patch)
tree9011790770130c60a712a6f125ad50d60e07cc74 /doc/man/PAM.8
parent9727ff2a3fa0e94a42b34a579027bacf4146d571 (diff)
parent186ff16e8d12ff15d518000c17f115ccab5275a4 (diff)
New upstream version 1.0.1
Diffstat (limited to 'doc/man/PAM.8')
1 files changed, 107 insertions, 0 deletions
diff --git a/doc/man/PAM.8 b/doc/man/PAM.8
new file mode 100644
index 00000000..1872d09a
--- /dev/null
+++ b/doc/man/PAM.8
@@ -0,0 +1,107 @@
+.\" Title: pam
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <>
+.\" Date: 04/16/2008
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.TH "PAM" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual"
+.\" disable hyphenation
+.\" disable justification (adjust text to left margin only) l
+PAM, pam - Pluggable Authentication Modules for Linux
+This manual is intended to offer a quick introduction to
+\fBLinux\-PAM\fR\. For more information the reader is directed to the
+\fBLinux\-PAM system administrators\' guide\fR\.
+is a system of libraries that handle the authentication tasks of applications (services) on the system\. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as
+\fBsu\fR(1)) defer to to perform standard authentication tasks\.
+The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable\. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users\. This dynamic configuration is set by the contents of the single
+configuration file
+\fI/etc/pam\.conf\fR\. Alternatively, the configuration can be set by individual configuration files located in the
+directory\. The presence of this directory will cause
+From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the
+library\. The important point to recognize is that the configuration file(s)
+the connection between applications
+(\fBservices\fR) and the pluggable authentication modules
+(\fBPAM\fRs) that perform the actual authentication tasks\.
+separates the tasks of
+into four independent management groups:
+\fBauth\fRentication management;
+management; and
+management\. (We highlight the abbreviations used for these groups in the configuration file\.)
+Simply put, these groups take care of different aspects of a typical user\'s request for a restricted service:
+\- provide account verification types of service: has the user\'s password expired?; is this user permitted access to the requested service?
+\fBauth\fRentication \- authenticate a user and set up user credentials\. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password\. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of
+\- this group\'s responsibility is the task of updating authentication mechanisms\. Typically, such services are strongly coupled to those of the
+group\. Some authentication mechanisms lend themselves well to being updated with such a function\. Standard UN*X password\-based access is the obvious example: please enter a replacement password\.
+\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn\. Such tasks include the maintenance of audit trails and the mounting of the user\'s home directory\. The
+management group is important as it provides both an opening and closing hook for modules to affect the services available to a user\.
+.RS 4
+the configuration file
+.RS 4
+configuration directory\. Generally, if this directory is present, the
+file is ignored\.
+Typically errors generated by the
+system of libraries, will be written to
+DCE\-RFC 86\.0, October 1995\. Contains additional features, but remains backwardly compatible with this RFC\.