9.1 About Pluggable Authentication Module (PAM)

PAM provides system-entry applications with authentication and related security services for managing accounts, sessions, and passwords. Applications such as login, rlogin, and telnet are typical consumers of PAM services. The framework provides a uniform way for authentication-related activities to take place. This approach enables application developers to use PAM services without having to know the semantics of the policy. Algorithms are centrally supplied and can be modified independently of individual applications.

The PAM library is the central element in the PAM architecture. It exports an API (see the pam(3) manual page) that applications can call for authentication, account management, credential establishment, session management, and password changes. The libpam library imports configuration files, either separate files under /etc/pam.d or the /etc/pam.conf configuration file, that specify the PAM module requirements for each available service.

Oracle Linux provides a PAM infrastructure that is similar to that on other platforms. Although the functionality might be similar, there could be subtle differences between the implementations. For example, PAM configuration is usually set by editing individual configuration files located in the /etc/pam.d directory. The presence of this directory causes PAM to ignore the legacy PAM configuration file /etc/pam.conf.

PAM on Oracle Linux does not support the control value binding that you might find on other operating systems. When binding is specified, if the service module returns success and no preceding required modules return failures, PAM immediately returns success without calling any subsequent modules. If a module returns failure, PAM treats the failure as a required module failure, and continues to process the PAM stack.
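When PAM configuration is ported from another platform, the two points above can be checked together: entries that use the unsupported binding control value, and an /etc/pam.conf that is ignored because /etc/pam.d exists. The following is an added example, not Oracle's code; the function names are hypothetical, the sample files are constructed, and comment handling is simplified to "everything after #".

```python
import os
import tempfile

TYPES = {"auth", "account", "password", "session"}

def logical_lines(path):
    """Yield (first_line_no, text): comments stripped, backslash continuations joined."""
    buf, start = "", 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            start = start or n
            line = raw.rstrip("\n")
            if line.endswith("\\"):
                buf += line[:-1] + " "
                continue
            text = (buf + line).split("#", 1)[0].strip()
            if text:
                yield start, text
            buf, start = "", 0

def find_binding(root="/"):
    """Return (findings, pam_conf_ignored) for the PAM configuration under root."""
    pam_d = os.path.join(root, "etc/pam.d")
    pam_conf = os.path.join(root, "etc/pam.conf")
    have_dir = os.path.isdir(pam_d)
    # /etc/pam.d files: "type control module ..."; pam.conf has a leading service field.
    sources = [(os.path.join(pam_d, f), 1) for f in sorted(os.listdir(pam_d))] if have_dir else []
    if os.path.isfile(pam_conf):
        sources.append((pam_conf, 2))
    findings = []
    for path, ctl in sources:
        if not os.path.isfile(path):
            continue  # skip subdirectories and dangling links
        for n, text in logical_lines(path):
            f = text.split()
            if len(f) > ctl and f[ctl - 1].lstrip("-") in TYPES and f[ctl] == "binding":
                findings.append((os.path.relpath(path, root), n, text))
    return findings, have_dir and os.path.isfile(pam_conf)

def demo():  # constructed sample tree, not real system files
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/pam.d"))
        with open(os.path.join(root, "etc/pam.d/login"), "w") as fh:
            fh.write("# constructed sample\nauth required pam_env.so\n"
                     "auth binding pam_unix.so\nauth required pam_deny.so\n")
        with open(os.path.join(root, "etc/pam.conf"), "w") as fh:
            fh.write("login auth binding pam_unix.so\n")
        return find_binding(root)

if __name__ == "__main__":
    print(demo())
```

Calling find_binding() with no argument scans the live /etc tree; each finding is a (file, line number, entry) tuple that needs rewriting with a supported control value before the stack is relied on.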