2
Chapter 2. Overview
Most service-giving applications are restricted. In other words, their service is not available to all and
every prospective client. Instead, the applying client must jump through a number of hoops to convince
the serving application that they are authorized to obtain service.
The process of authenticating a client is what PAM is designed to manage. In addition to authentication,
PAM provides account management, credential management, session management and authentication-
token (password changing) management services. It is important to realize when writing a PAM based
application that these services are provided in a manner that is transparent to the application. That is to say,
when the application is written, no assumptions can be made about how the client will be authenticated.
The process of authentication is performed by the PAM library via a call to pam_authenticate().
The return value of this function will indicate whether a named client (the user) has been authenticated.
If the PAM library needs to prompt the user for any information, such as their name or a password then it
will do so. If the PAM library is configured to authenticate the user using some silent protocol, it will do
this too. (This latter case might be via some hardware interface for example.)
It is important to note that the application must leave all decisions about when to prompt the user at the
discretion of the PAM library.
The PAM library, however, must work equally well for different styles of application. Some applications,
like the familiar login and passwd are terminal based applications, exchanges of information with the client
in these cases is as plain text messages. Graphically based applications, however, have a more sophisticated
interface. They generally interact with the user via specially constructed dialogue boxes. Additionally,
network based services require that text messages exchanged with the client are specially formatted for
automated processing: one such example is ftpd which prefixes each exchanged message with a numeric
identifier.
The presentation of simple requests to a client is thus something very dependent on the protocol that the
serving application will use. In spite of the fact that PAM demands that it drives the whole authentication
process, it is not possible to leave such protocol subtleties up to the PAM library. To overcome this potential
problem, the application provides the PAM library with a conversation function. This function is called
from within the PAM library and enables the PAM to directly interact with the client. The sorts of things
that this conversation function must be able to do are prompt the user with text and/or obtain textual input
from the user for processing by the PAM library. The details of this function are provided in a later section.
For example, the conversation function may be called by the PAM library with a request to prompt the
user for a password. Its job is to reformat the prompt request into a form that the client will understand.
In the case of ftpd, this might involve prefixing the string with the number 331 and sending the request
over the network to a connected client. The conversation function will then obtain any reply and, after
extracting the typed password, will return this string of text to the PAM library. Similar concerns need to
be addressed in the case of an X-based graphical server.
There are a number of issues that need to be addressed when one is porting an existing application to
become PAM compliant. A section below has been devoted to this: Porting legacy applications.
Besides authentication, PAM provides other forms of management. Session management is provided with
calls to pam_open_session() and pam_close_session(). What these functions actually do is
up to the local administrator. But typically, they could be used to log entry and exit from the system or for
mounting and unmounting the user's home directory. If an application provides continuous service for a
period of time, it should probably call these functions, first open after the user is authenticated and then
close when the service is terminated.
