Facilities offered by PAM auth Authenticates the applicant using pam_authenticate(3). Requests an authentication token and compares it against a value stored in the database. Establishes the account credentials using pam_setcred(3). Account credentials include user id, group id and resource limits. account Enforces access restrictions using pam_acct_mgmt(3). pam_acct_mgmt verifies that the requested account is available. session Provides login accounting support and to setup and tear down login sessions. pam_open_session(3) and pam_close_session(3) are the methods available to perform this functionality. password Provides support to change the authentication token, using pam_chauthtok(3). This method might disallow the new authentication token based on password rules. Return codes: ============ PAM_SUCCESS conversation completed successfully PAM_CONV_ERR conversation failed PAM_CONV_AGAIN return to application to complete conversation PAM_CONV_RECONSIDER Application believes that the module (lsass) should check if it still needs to converse Configuration ============= PAM uses the following control flags in the configuration. binding If the module succeeds and no earlier module in the chain has failed, the chain is terminated and the request is granted success. If the module fails, the rest of the chain is executed; however, the request is failed ultimately. required If the module succeeds, the rest of the chain is executed - and if all the other modules succeed, the request is granted. If the module fails, the rest of the chain is executed; however, the request is failed ultimately. requisite If the module succeeds, the rest of the chain is executed - and if all the other modules succeed, the request is granted. If the module fails, the chain is terminated immediately and the request is denied. sufficient If the module succeeds, and no earlier module has failed, the chain is terminated immediately and the request is granted success. if the module fails, it is ignored and the rest of the chain is executed. The binding option should be used instead if it is available. optional The module is executed, but the result is ignored. A PAM Transaction: ================= 1. Server calls pam_start to init the PAM library and specify its service name and the target account, and register a suitable conversation function. 2. Server obtains various information such as applicant name and name of host the client is running on and submits this information to PAM using calls to pam_set_item. 3. Server calls pam_authenticate to authenticate the applicant. 4. Server calls pam_acct_mgmt to verify that the requested account is available and valid. If the password is correct but has expired, the return code is PAM_NEW_AUTHTOK_REQD instead of PAM_SUCCESS. 5. If the previous step returned PAM_NEW_AUTHTOK_REQD, the server now calls pam_chauthtok to change the auth token. 6. If the applicant is properly authenticated, the server calls pam_setcred to establish the credentials for the requested account. 7. Once the correct credentials have been established, the server calls pam_open_session to setup the session. 8. The server performs the service that the client requested. 9. After the service is done, the server calls pam_close_session to tear down the session. 10. The server calls pam_end to notify the PAM library that it is done and any resources accrued can be released. References: ========== http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/pam-essentials.html