Security

Consider including Linux-PAM in projects that require authentication

Linux-PAM (Pluggable Authentication Modules for Linux) will make your application independent of any specific authentication scheme in your software. Evaluate the quality of PAM modules and discover when PAM might be appropriate for your projects.

Keep your development environment safe with tips from expert John McCormick in Builder.com's weekly Development Security Spotlight e-newsletter. Automatically subscribe to the e-newsletter now!

Linux-PAM (Pluggable Authentication Modules for Linux) is supported by Solaris, FreeBSD 3.2+, Red Hat, Caldera, Debian, Turbo Linux, and more. For any project that requires authentication on platforms supporting Linux-PAM, you should consider including PAM because it will make your application independent of any specific authentication scheme. It can also provide a number of useful features that let administrators customize authorization to fit their needs.

Your program calls PAM, which loads the necessary modules. The module performs the actual services; you simply include support for PAM, which must be in the binary.

By using PAM, you don’t have to concern yourself with the details of new authentication developments or trends. You also don't have to worry about the specific needs of various administrators because different modules can support passwords, smart cards, biometrics, and even newer technology.

Kernal.org provides a number of links to various authentication modules that you can freely plug in when necessary. (Most of the modules are GPL and are in C.) The site also lists a variety of Kerberos modules, as well as links to a password-caching module, voice authentication, and links to other sites such as Openwall, which has a password strength checker that supports passphrases and can generate passwords. The pam_cracklib module is another popular password quality checker.

Although authentication is PAM’s major purpose, it can do much more than authenticate users. In fact, there are four kinds of PAM modules:
  • Auth: Authenticates users and sets credentials.
  • Account: Performs management tasks such as determining if the user should have access at a particular time or from a particular console.
  • Password: Manages changes to the token used to authenticate users (and not just passwords).
  • Session: Mounts directories and performs various tasks at the start or end of sessions.

Administrators manage PAM authentication, but developers must program PAM functions into the source code. This is also an excellent way of passing along the responsibility for authentication security to the administrator responsible for the program in various environments.

If your responsibilities extend beyond the development stage, you might want to evaluate the quality of some of the available PAM modules so you can recommend specific modules to the administrator.

The flexibility that PAM provides is a primary reason to take the time to include it in your software.

Additional PAM resources
  • Freshmeat offers 90 more GPL PAM modules.
  • The Linux Journal features a brief introduction to building Linux-PAM into an application.
  • O’Reilly's LinuxDevCenter provides an article on writing PAM modules. Even if you aren't planning on creating your own PAM modules, this is an interesting introduction. However, since PAM modules stack, you may wish to create some simple ones.
  • A System Administrator’s Guide to Linux-PAM, which says, “You [the administrator] have the freedom to set the scheme for any/all PAM-aware applications on your Linux system. That is, you can authenticate from anything as naive as simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice print, and a one-time password!” For developers, this means you can use a single application at virtually every security level without any changes to the code.
0 comments

Editor's Picks