Pluggable Authentication Module

                           Ahmed Madkour
The Authentication Problem

    – Traditionally, UNIX authentication is done by comparing the (encrypted) password
      with the user's entry in the password file /etc/shadow.
    – Each program that requires authentication implements its own authentication
      mechanism.
    – The authentication mechanism becomes more visible as you add various applications
      that each do some sort of authentication.
    – For example: logging in from a graphical user interface using a display manager.
    – Or services such as FTP, TELNET, IMAP and SSH.
    – As a system administrator you end up spending a lot of time maintaining many
      user databases besides /etc/passwd.
Need for PAM

   – With PAM, the system administrator can use the same user database for every login
     process on the system.
   – It is possible to use more than one underlying authentication mechanism (back end),
     controlled by PAM and transparent to the users.
   – PAM-aware applications will not break if the system administrator changes the
     underlying authentication configuration.
   – Using PAM for authentication requires much less programming than developing a
     complete set of authentication functions.
History of PAM

     – In 1995, developers from Sun Microsystems implemented a generic
       framework for Solaris.
     – In Aug 1997, when Solaris 2.6 was released, PAM was an integrated
       component of the operating system.
     – In Feb 1997, the Linux-PAM project began.
     – Today most GNU/Linux distributions use PAM.
Theory of Operation

    – The theory of operation is independent of the operating system and the PAM
      implementation.
    – In order to configure PAM successfully, you need to have all the components
      working together correctly.
    – The PAM framework is complex and unforgiving when it comes to errors.
PAM File System Layout

    /
    ├── lib
    │   ├── libpam.so.0
    │   └── security
    │       ├── pam_unix.so
    │       └── pam_deny.so
    ├── etc
    │   ├── pam.conf
    │   ├── pam.d
    │   │   ├── login
    │   │   ├── ssh
    │   │   └── other
    │   └── security
    │       ├── access.conf
    │       └── pam_mount.conf
    └── usr
        └── include
            └── security
                ├── pam_modules.h
                ├── pam_appl.h
                └── pam_misc.h
PAM File System Layout (Cont.)

    – PAM-aware applications are linked against the PAM library, which is
      located in the /lib/ directory under the name libpam-X.so.0.
    – PAM can be configured in two ways:
        • Put everything in one single file, /etc/pam.conf.
        • Or split the configuration by service into the directory /etc/pam.d.
    – Some PAM modules require configuration files of their own, besides the PAM
      configuration, in order to operate.
PAM Framework

   – PAM relies on dynamically loaded modules.
   – A module provides the mechanism to authenticate user information stored in a
     particular back end.
   – A PAM service module is a shared library that provides authentication and
     other security services to applications such as login or telnet.
   – The four types of PAM service modules are:
       • Authentication service modules.
       • Account management modules.
       • Session management modules.
       • Password management modules.
PAM Framework (Cont.)

   [Diagram: PAM-aware applications (Login, Telnet, other applications) call the PAM API
    of the PAM library /lib/libpam.so. The library reads pam.conf or pam.d and loads the
    PAM service modules pam_unix.so, pam_ldap.so and pam_mount.so, which in turn consult
    their back ends: /etc/passwd, an LDAP server and /etc/security/pam_mount.conf.]
Management Groups

    – Each service can use PAM in four different stages of the authentication
      process.
    – These stages are called management groups.
    – A module provides the functionality for one or more management groups.
    – You can think of it as a different module for each group.
Management Groups (Cont.)

 The Auth Group

     – Provides two functions:
        • First, the user is validated.
        • Second, credentials are granted by the auth management group.

Management Groups (Cont.)

 The Account Group

     – Access to a service is controlled by the account management group.
     – You might only be allowed to use a service:
        • A number of times per week.
        • During certain periods of the day.
        • Or only while your account has not yet expired.

Management Groups (Cont.)

 The Session Group

     – The environment for a given service is built up by the session management group.
     – When you stop using a service, the session group tears down the environment.
     – When creating the environment, the data required for proper operation is
       loaded.

Management Groups (Cont.)

 The Password Group

    – It is only used when a user wishes to update the password.
    – With PAM you separate the password-changing applications from the back-end
      storage.
Stacking

    – For each management group you can define a set, or stack, of modules,
      which are used in turn.
    – The order of calling is determined by the order in the configuration (service)
      file.
    – Changing the order in the stack can have a great impact on the functionality.
    – In the stack below (the Debian common-auth pattern), a successful pam_unix.so
      jumps over the next module straight to pam_permit.so; any other result is
      ignored, and pam_deny.so then fails the stack.

        # The slide repeated the pam_unix.so line here; Debian's common-auth
        # has pam_deny.so at this position, which is what the jump skips.
        auth [success=1 default=ignore] pam_unix.so nullok_secure
        auth requisite                  pam_deny.so
        auth required                   pam_permit.so
Control Flags

     – A module can return either success or failure.
     – Some answers are more important than others.
     – The control flags change the flow of the stack and how the decision is made.
Control Flags (Cont.)

   Requisite
     – It is the strongest of the flags.
     – If a module is flagged as requisite and it fails, PAM returns to the calling
       application instantly and reports the failure.

Control Flags (Cont.)

   Required
     – The return code of a required module is stored.
     – In the case of failure, execution is not stopped but continues to the next module.
     – When the stack of modules has been executed and at least one required module
       has failed, PAM returns failure to the calling application.

Control Flags (Cont.)

  Sufficient
      – A sufficient module can actually be quite strong.
      – Processing of the stack is stopped if a sufficient module returns OK and
        no previous required module has failed.
      – If there are required modules after the sufficient module, those modules
        are not called.

Control Flags (Cont.)

   Optional
     – A failure does not alter the execution of the stack, unlike the requisite
       flag.
     – The return code is ignored; neither failure nor success is taken into account.
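The stacking rules and the four control flags above, worked through as an added example (not code from the slides): a small Python model of how Linux-PAM evaluates one management group's stack, with module results supplied as constructed data instead of real modules. The keyword-to-action mapping and the [success=N default=ignore] syntax follow pam.conf(5); the sample stacks SUFFICIENT_FIRST and REQUIRED_FIRST and the fixed behaviour assigned to pam_deny.so and pam_permit.so are assumptions made for illustration.

```python
"""Added example, not from the slides: a model of how Linux-PAM walks one
management group's stack and turns control flags into the status handed back.
Module results are constructed test data; nothing here calls libpam. Actions
follow pam.conf(5): ok, done, bad, die, ignore and the [success=N] jump."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# pam.conf(5) defines the four keywords as shorthand for bracketed controls;
# this model keeps only the success/default keys of each.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
# Assumed fixed behaviour: pam_deny.so always fails, pam_permit.so always succeeds.
FIXED = {"pam_deny.so": PAM_PERM_DENIED, "pam_permit.so": PAM_SUCCESS}


def parse_control(token, rest):
    """Turn 'required' or '[success=1 default=ignore]' (possibly split across
    whitespace) into an action map; returns (control, remaining tokens)."""
    if not token.startswith("["):
        return dict(KEYWORDS[token]), rest
    tokens, control, i = [token[1:]] + rest, {}, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        closing = tok.endswith("]")
        if tok.rstrip("]"):
            key, _, action = tok.rstrip("]").partition("=")
            control[key] = action
        if closing:
            break
    return control, tokens[i:]


def parse_stack(text, group):
    """Parse pam.d-style lines (type control module [args]) for one group."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        typ, ctl, *rest = line.split()
        control, rest = parse_control(ctl, rest)
        if typ == group:
            entries.append((control, rest[0], rest[1:]))
    return entries


def run_stack(entries, outcomes):
    """Evaluate a stack. `outcomes` maps module -> constructed return code.
    Returns (status reported to the application, modules actually called)."""
    impression = None     # None: undecided, True: succeeding, False: failed
    status, called, i = PAM_SUCCESS, [], 0
    while i < len(entries):
        control, module, _args = entries[i]
        i += 1
        retval = FIXED.get(module, outcomes.get(module, PAM_AUTH_ERR))
        called.append(module)
        key = "success" if retval == PAM_SUCCESS else "default"
        action = control.get(key, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            # ok only overrides an undecided or still-succeeding stack: an
            # earlier failure is never hidden by a later success.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = retval == PAM_SUCCESS, retval
            if action == "done" and impression:
                break                 # sufficient: stop here, rest never runs
            if action.isdigit():
                i += int(action)      # success=N: skip the next N modules
        else:                         # bad or die
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == "die":
                break                 # requisite: fail immediately
    return status, called


DEBIAN_AUTH = """
# Debian common-auth pattern: a successful pam_unix.so jumps over pam_deny.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite                  pam_deny.so
auth required                   pam_permit.so
"""
# Constructed stacks showing why the order of sufficient/required matters.
SUFFICIENT_FIRST = "auth sufficient pam_unix.so\nauth required pam_ldap.so\n"
REQUIRED_FIRST = "auth required pam_ldap.so\nauth sufficient pam_unix.so\n"


def evaluate(config, outcomes):
    return run_stack(parse_stack(config, "auth"), outcomes)


if __name__ == "__main__":
    for unix in (PAM_SUCCESS, PAM_AUTH_ERR):
        print("debian stack, pam_unix ->", unix, evaluate(DEBIAN_AUTH, {"pam_unix.so": unix}))
```

With REQUIRED_FIRST a failing pam_ldap.so is recorded before pam_unix.so succeeds, so the sufficient module no longer ends the stack and the application still gets the failure; swapping the two lines (SUFFICIENT_FIRST) lets pam_unix.so short-circuit and pam_ldap.so is never called.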
Developing with PAM

 PAM Application

   [Sequence diagram with three lanes, Application / PAM runtime / Module, running
    downwards in time:
     1. The application calls pam_start; the runtime initialises its data structure
        and hands back a pam_handle.
     2. The application calls pam_auth (pam_authenticate); the runtime checks the
        user by invoking the module (pam_unix), which prompts the user through the
        application's conversation function.
     3. The application calls pam_end; the runtime destroys the data structure.]
References

    – The Definitive Guide to PAM for Linux SysAdmins and C Developers.
    – The Linux-PAM Guides, http://www.kernel.org/pub/linux/libs/pam/
    – Linux CBT PAM.
    – PAM manual pages.
Session End

   Thank You

    Ahmed Madkour
    ahm.madkour@gmail.com
Mais conteúdo relacionado

Mais procurados (20)

Ch06
Ch06Ch06
Ch06
 
Structure of operating system
Structure of operating systemStructure of operating system
Structure of operating system
 
App A
App AApp A
App A
 
Ch10
Ch10Ch10
Ch10
 
2.Operating System Structures
2.Operating System Structures2.Operating System Structures
2.Operating System Structures
 
Operating System Structure (documentation)
Operating System Structure (documentation)Operating System Structure (documentation)
Operating System Structure (documentation)
 
System call
System callSystem call
System call
 
Virtualization Training
Virtualization TrainingVirtualization Training
Virtualization Training
 
Solution to java updation problem
Solution to java updation problemSolution to java updation problem
Solution to java updation problem
 
Ch04
Ch04Ch04
Ch04
 
OS Functions and Services
OS Functions and ServicesOS Functions and Services
OS Functions and Services
 
Harsh
HarshHarsh
Harsh
 
Ovms ops manager_admin
Ovms ops manager_adminOvms ops manager_admin
Ovms ops manager_admin
 
System calls
System callsSystem calls
System calls
 
System Calls
System CallsSystem Calls
System Calls
 
Ch1
Ch1Ch1
Ch1
 
Comprehensive Information on Tomcat
Comprehensive Information on TomcatComprehensive Information on Tomcat
Comprehensive Information on Tomcat
 
Studying a decade of Linux system calls
Studying a decade of Linux system callsStudying a decade of Linux system calls
Studying a decade of Linux system calls
 
Unit 1 ppt
Unit 1 pptUnit 1 ppt
Unit 1 ppt
 
Creating templates
Creating templatesCreating templates
Creating templates
 

Destaque

Authentication Modules For Linux - PAM Architecture
Authentication Modules For Linux - PAM ArchitectureAuthentication Modules For Linux - PAM Architecture
Authentication Modules For Linux - PAM ArchitecturePriyank Kapadia
 
How to get started with the Pluggable Authentication System
How to get started with the Pluggable Authentication SystemHow to get started with the Pluggable Authentication System
How to get started with the Pluggable Authentication SystemMatt Hamilton
 
Controller encryption using RSA public-key encryption scheme (Asian Control C...
Controller encryption using RSA public-key encryption scheme (Asian Control C...Controller encryption using RSA public-key encryption scheme (Asian Control C...
Controller encryption using RSA public-key encryption scheme (Asian Control C...Kiminao Kogiso
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryptionrajakhurram
 
Cryptography - RSA and ECDSA
Cryptography - RSA and ECDSACryptography - RSA and ECDSA
Cryptography - RSA and ECDSAAPNIC
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryptionphanleson
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmIndra97065
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 

Destaque (9)

Authentication Modules For Linux - PAM Architecture
Authentication Modules For Linux - PAM ArchitectureAuthentication Modules For Linux - PAM Architecture
Authentication Modules For Linux - PAM Architecture
 
How to get started with the Pluggable Authentication System
How to get started with the Pluggable Authentication SystemHow to get started with the Pluggable Authentication System
How to get started with the Pluggable Authentication System
 
Controller encryption using RSA public-key encryption scheme (Asian Control C...
Controller encryption using RSA public-key encryption scheme (Asian Control C...Controller encryption using RSA public-key encryption scheme (Asian Control C...
Controller encryption using RSA public-key encryption scheme (Asian Control C...
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryption
 
Cryptography - RSA and ECDSA
Cryptography - RSA and ECDSACryptography - RSA and ECDSA
Cryptography - RSA and ECDSA
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryption
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 

Semelhante a Pluggable Authentication Module

Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsyncHazel Smith
 
Distributed operating system amoeba case study
Distributed operating system  amoeba case studyDistributed operating system  amoeba case study
Distributed operating system amoeba case studyRamuAryan
 
Tutorial on Parallel Computing and Message Passing Model - C2
Tutorial on Parallel Computing and Message Passing Model - C2Tutorial on Parallel Computing and Message Passing Model - C2
Tutorial on Parallel Computing and Message Passing Model - C2Marcirio Chaves
 
Using puppet
Using puppetUsing puppet
Using puppetAlex Su
 
VMware App Volumes Troubleshooting
VMware App Volumes TroubleshootingVMware App Volumes Troubleshooting
VMware App Volumes TroubleshootingDenis Gundarev
 
Ansible automation tool with modules
Ansible automation tool with modulesAnsible automation tool with modules
Ansible automation tool with modulesmohamedmoharam
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsManuel Vega
 
connmove - Software for SAP and Microsoft
connmove - Software for SAP and Microsoftconnmove - Software for SAP and Microsoft
connmove - Software for SAP and Microsoftconnmove
 
Presentation aix workload partitions (wpa rs)
Presentation   aix workload partitions (wpa rs)Presentation   aix workload partitions (wpa rs)
Presentation aix workload partitions (wpa rs)xKinAnx
 
Plugins And Making Your Own
Plugins And Making Your OwnPlugins And Making Your Own
Plugins And Making Your OwnLambert Beekhuis
 
How to Configure the CA Workload Automation System Agent agentparm.txt File
How to Configure the CA Workload Automation System Agent agentparm.txt FileHow to Configure the CA Workload Automation System Agent agentparm.txt File
How to Configure the CA Workload Automation System Agent agentparm.txt FileCA Technologies
 
Piattaforma Web Linux completa dai sorgenti
Piattaforma Web Linux completa dai sorgentiPiattaforma Web Linux completa dai sorgenti
Piattaforma Web Linux completa dai sorgentiGiulio Destri
 
Information on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMInformation on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMHTS Hosting
 

Semelhante a Pluggable Authentication Module (20)

Pamsession
PamsessionPamsession
Pamsession
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
Wissbi osdc pdf
Wissbi osdc pdfWissbi osdc pdf
Wissbi osdc pdf
 
Distributed operating system amoeba case study
Distributed operating system  amoeba case studyDistributed operating system  amoeba case study
Distributed operating system amoeba case study
 
Tutorial on Parallel Computing and Message Passing Model - C2
Tutorial on Parallel Computing and Message Passing Model - C2Tutorial on Parallel Computing and Message Passing Model - C2
Tutorial on Parallel Computing and Message Passing Model - C2
 
Using puppet
Using puppetUsing puppet
Using puppet
 
VMware App Volumes Troubleshooting
VMware App Volumes TroubleshootingVMware App Volumes Troubleshooting
VMware App Volumes Troubleshooting
 
AtoM's Command Line Tasks - An Introduction
AtoM's Command Line Tasks - An IntroductionAtoM's Command Line Tasks - An Introduction
AtoM's Command Line Tasks - An Introduction
 
Ansible automation tool with modules
Ansible automation tool with modulesAnsible automation tool with modules
Ansible automation tool with modules
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bits
 
SAP LVM Customer Instances
SAP LVM Customer InstancesSAP LVM Customer Instances
SAP LVM Customer Instances
 
SAP LVM Custom Instances
SAP LVM Custom InstancesSAP LVM Custom Instances
SAP LVM Custom Instances
 
connmove - Software for SAP and Microsoft
connmove - Software for SAP and Microsoftconnmove - Software for SAP and Microsoft
connmove - Software for SAP and Microsoft
 
Presentation aix workload partitions (wpa rs)
Presentation   aix workload partitions (wpa rs)Presentation   aix workload partitions (wpa rs)
Presentation aix workload partitions (wpa rs)
 
Plugins And Making Your Own
Plugins And Making Your OwnPlugins And Making Your Own
Plugins And Making Your Own
 
Oracle applications 11i dba faq
Oracle applications 11i dba faqOracle applications 11i dba faq
Oracle applications 11i dba faq
 
How to Configure the CA Workload Automation System Agent agentparm.txt File
How to Configure the CA Workload Automation System Agent agentparm.txt FileHow to Configure the CA Workload Automation System Agent agentparm.txt File
How to Configure the CA Workload Automation System Agent agentparm.txt File
 
Piattaforma Web Linux completa dai sorgenti
Piattaforma Web Linux completa dai sorgentiPiattaforma Web Linux completa dai sorgenti
Piattaforma Web Linux completa dai sorgenti
 
Information on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMInformation on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHM
 
Automation using ibm rft
Automation using ibm rftAutomation using ibm rft
Automation using ibm rft
 

Mais de SinarShebl

Introduction To Erlang Final
Introduction To Erlang   FinalIntroduction To Erlang   Final
Introduction To Erlang FinalSinarShebl
 
Java Script Utilities
Java Script UtilitiesJava Script Utilities
Java Script UtilitiesSinarShebl
 
All Bow To Open Solaris Crossbow H4ck3rz Due
All Bow To Open Solaris Crossbow H4ck3rz DueAll Bow To Open Solaris Crossbow H4ck3rz Due
All Bow To Open Solaris Crossbow H4ck3rz DueSinarShebl
 
Fedora 11 Features and Installation
Fedora 11 Features and InstallationFedora 11 Features and Installation
Fedora 11 Features and InstallationSinarShebl
 

Mais de SinarShebl (8)

Infosec
InfosecInfosec
Infosec
 
Introduction To Erlang Final
Introduction To Erlang   FinalIntroduction To Erlang   Final
Introduction To Erlang Final
 
Cloud
CloudCloud
Cloud
 
Scmp P & F
Scmp P & FScmp P & F
Scmp P & F
 
Java Script Utilities
Java Script UtilitiesJava Script Utilities
Java Script Utilities
 
All Bow To Open Solaris Crossbow H4ck3rz Due
All Bow To Open Solaris Crossbow H4ck3rz DueAll Bow To Open Solaris Crossbow H4ck3rz Due
All Bow To Open Solaris Crossbow H4ck3rz Due
 
Fedora 11 Features and Installation
Fedora 11 Features and InstallationFedora 11 Features and Installation
Fedora 11 Features and Installation
 
Google Docs
Google DocsGoogle Docs
Google Docs
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Pluggable Authentication Module

  • 2. The Authentication Problem – Traditionally, UNIX authentication is done by comparing the (encrypted) password for users in the password file /etc/shadow. – Each program that requires authentication implements its own authentication mechanisms. – Authentication mechanism becomes more visible when you add various applications that are doing some sort of authentication. – Like: Logging from a graphical user interface using display managers. – Services like : FTP, TELNET, IMAP, SSH. – As a system administrator you will end up spending a lot of time maintaining many user database besides /etc/passwd.
  • 3. Need for PAM – With PAM, the system administrator can use the same user database for every login process of your system. – It is possible to use more than one underlying authentication mechanisms (back end) controlled by PAM and transparent to the users. – PAM-aware applications will not break if the system administrator changes the underlying authentication configuration. – Using PAM for authentication requires much less programming than developing a complete set of authentication functions.
  • 4. History of PAM – In 1995, developers from Sun Microsystems implement a generic framework for Solaris. – In Aug 1997, when Solairs 2.6 was released PAM was an integrated component of the operating system. – In Feb 1997, the Linux-PAM project began – Now most GNU/Linux distributions today are using PAM. 4
  • 5. Theory of Operation – The theory of operations is independent of the operating system and PAM implementation. – In order to configure PAM successfully, you need to have all the components working together correctly. – PAM framework is complex and not forgiving when it comes to errors.
6. PAM File System Layout
    (Directory tree shown on the slide.)

        /
        ├── lib/
        │   ├── libpam.so.0
        │   └── security/
        │       ├── pam_unix.so
        │       └── pam_deny.so
        ├── etc/
        │   ├── pam.conf
        │   ├── pam.d/
        │   │   ├── login
        │   │   ├── ssh
        │   │   └── other
        │   └── security/
        │       ├── access.conf
        │       └── pam_mount.conf
        └── usr/
            └── include/
                └── security/
                    ├── pam_modules.h
                    ├── pam_appl.h
                    └── pam_misc.h
7. PAM File System Layout (Cont.)
    – The PAM-aware applications are linked against the PAM library, which is located in the /lib/ directory with the name libpam-X.so.0.
    – Configuration of PAM can be done in two ways:
        • Put everything in one single file, /etc/pam.conf.
        • Or split the configuration by service in the directory /etc/pam.d.
    – Some PAM modules require configuration files besides the PAM configuration in order to operate.
8. PAM Framework
    – PAM relies on dynamically loaded modules.
    – A module can provide mechanisms to authenticate user information stored in a particular back end.
    – A PAM service module is a shared library that provides authentication and other security services to applications such as login or telnet.
    – The four types of PAM services are:
        • Authentication service modules.
        • Account management modules.
        • Session management modules.
        • Password management modules.
9. PAM Framework (Cont.)
    (Diagram: applications such as login, telnet and other applications call the PAM API of the PAM library, /lib/libpam.so; the library reads pam.conf or the pam.d directory and dispatches to service modules: pam_unix.so, backed by /etc/passwd; pam_ldap.so, backed by an LDAP server; and pam_mount.so, configured by /etc/security/pam_mount.conf.)
10. Management Groups
    – Each service can use PAM in four different stages of the authentication process.
    – These stages are called management groups.
    – A module provides the functionality for one or more management groups.
    – You can think about it as a different module for each group.
11. Management Groups (Cont.) – The Auth Group
    – Provides two functions:
        • First, the user can be validated.
        • Second, credentials are granted by the auth management group.
12. Management Groups (Cont.) – The Account Group
    – The access to a service is controlled by the account management group.
    – You might only be allowed to use a service:
        • A number of times per week.
        • In certain periods of the day.
        • Or, if your account is not yet expired.
13. Management Groups (Cont.) – The Session Group
    – The environment for a given service is built up by the session management group.
    – When you stop using a service, the session group tears down the environment.
    – When creating the environment, the data required for proper operation will be loaded.
14. Management Groups (Cont.) – The Password Group
    – It is only used when a user wishes to update the password.
    – With PAM you separate password-changing applications from the back-end storage.
15. Stacking
    – For each management group you can define a set, or stack, of modules, which are used in turn.
    – The order of calling is determined by the order in the configuration (service) file.
    – Changing the order in the stack might have a great impact on the functionality.

        auth [success=1 default=ignore] pam_unix.so nullok_secure
        auth [success=1 default=ignore] pam_unix.so nullok_secure
        auth required pam_permit.so
16. Control Flags
    – A module can either return success or failure.
    – Some answers are more important than others.
    – The control flags can change the flow and how decisions are made.
17. Control Flags (Cont.) – Requisite
    – It is the strongest of the flags.
    – If a module is flagged as requisite and it fails, PAM will return to the calling application instantly and report the failure.
18. Control Flags (Cont.) – Required
    – The return code for a required module is stored.
    – In the case of failure, execution is not stopped but continues to the next module.
    – When the stack of modules has been executed, and at least one required module has failed, PAM will return failure to the calling application.
19. Control Flags (Cont.) – Sufficient
    – A sufficient module can actually be quite strong.
    – The processing of the stack is stopped if a sufficient module returns OK, provided no previous required module has failed.
    – If there are required modules after the sufficient module, these modules are not called.
20. Control Flags (Cont.) – Optional
    – A failure does not alter the execution of the stack, in contrast to the requisite flag.
    – The return code is ignored, and neither failure nor success is taken into account.
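As an added example (not code from the slides, and not Linux-PAM's own code), the following simulator walks a management-group stack the way the Stacking and Control Flags slides describe, mapping each classic flag to the pam.conf(5) bracket actions behind it; the sample stack, the module names and the stubbed module results are constructed for illustration.

```python
# Added example (not from the slides or from Linux-PAM): walk one management
# group's stack using the pam.conf(5) bracket actions behind each classic flag.
import re
FLAGS = {  # classic flag -> {module return code: action}
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type, control, module
SAMPLE = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""  # constructed sample stack in pam.d syntax

def parse_stack(text, group="auth"):
    """Return [(actions, module)] for the lines of one management group."""
    stack = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        m = LINE.match(line)
        if m and m.group(1) == group:
            control, module = m.group(2), m.group(3)
            actions = FLAGS.get(control) or dict(
                kv.split("=", 1) for kv in control.strip("[]").split())
            stack.append((actions, module))
    return stack

def run_stack(stack, results):
    """Walk the stack with stubbed results (module -> bool); returns (status, called)."""
    status, called, i = None, [], 0
    while i < len(stack):
        actions, module = stack[i]
        called.append(module)
        code = "success" if results[module] else "failure"
        action = actions.get(code, actions["default"])
        i += 1
        if action == "die":                # requisite failed: return at once
            return "failure", called
        if action == "bad":                # required failed: remember, go on
            status = "failure"
        elif action != "ignore":           # ok / done / N: this code counts
            if status != "failure":        # unless a failure is already pending
                status = code
            if action == "done" and status == "success":   # sufficient: stop
                return status, called
            if action.isdigit():           # jump over the next N modules
                i += int(action)
    return status or "failure", called     # nothing counted at all: denied
```

Running the same modules in swapped order (a required module that always fails placed before a sufficient one) turns a working stack into one that always denies, which is the order effect the Stacking slide warns about.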
21. Developing with PAM
    (Sequence diagram with three lanes, application, PAM runtime and module, over time: pam_start initialises the pam_handle data structure; pam_auth checks the user through a module such as pam_unix, which talks to the application via the conversation function; pam_end destroys the data structure.)
22. References
    – The Definitive Guide to PAM for Linux SysAdmins and C Developers.
    – The Linux-PAM Guides, http://www.kernel.org/pub/linux/libs/pam/
    – Linux CBT PAM.
    – PAM manual pages.
23. Session End
    Thank You
    Ahmed Madkour
    ahm.madkour@gmail.com