

Writing PAM-Capable Applications, Part One

by Jennifer Vesperman

PAM stands for Pluggable Authentication Modules, a system for separating authentication mechanisms from an application.

If an application is PAM-enabled, the system administrator is responsible for determining the authentication methods used, and PAM is responsible for performing the authentication. This lets the application developer concentrate on writing the main application, and it ensures that the application isn't made out-of-date solely because of an outdated authentication schema.

See the articles Introduction to PAM and PAM Modules for a longer introduction to PAM and how to use it.

This is the first part of a two-part series on writing PAM-capable applications. This part provides the background knowledge and some of the supporting functions necessary for a developer to effectively use the PAM library. The second part will introduce the PAM library functions.

Applications and modules

PAM is an interface, rather than an actual service. It provides the glue to hook applications with modules, and it provides a mechanism for configuration. It does not do any of the authentication itself, nor (from the module developer's point of view) does it do any of the application's work.

Because of this, an application developer should consider calling every module type, and think carefully about what aspects of PAM she wishes to leave out. Similarly, a module developer must provide an interface for everything an application may request, even if the functions she provides consist of nothing but return PAM_SUCCESS.

Module types

PAM is structured into four module types, each handling one aspect of authentication and account management. An application is not required to call all four module types, but I recommend that you do.

The four module types are:

  • User authentication, limited to "Is the user who she says she is?"
  • User account management, handling issues such as whether the account is valid, whether the user is prevented from logging in after hours, whether the machine is set to no-login, and whether the user's password has expired.
  • Session handling, which opens and closes an authenticated session. Some forms of authentication need to be called when a session opens and closes.
  • Authentication token management, which changes the authentication token, whatever that may be.

Packages and files

These articles describe a C++ application, because most large-scale application development is in that language, and its differences from the C language, while distinct, are not extreme. You can develop a Linux-PAM-capable application in any language, provided you can call the necessary C functions.

To start with, you'll need the development files: in a Debian system, apt-get install libpam0g-dev. This installs the relevant source files in the right places for g++ to find them.

You will need to #include <security/pam_appl.h>, and if you use the misc functions, #include <security/pam_misc.h>.

When compiling, you'll need to link against the libpam files. My makefile includes g++ -oapp_name -lpam -lpam_misc sourcefile. Note that if your toolchain links with --as-needed (the default on recent Debian and Ubuntu), the -lpam and -lpam_misc flags must come after the source or object files, or the linker will discard them and report undefined references to pam_start() and friends.

The conversation structure

The authentication module often needs to communicate with the user. However, the author of the authentication module has no way of telling whether your application is a GUI, an SMTP session, or a command line console.

The application calls a PAM function for each type of service it requires. This function checks the PAM configuration for the application and then calls each module in turn. If the module needs to communicate with the user, to get a password or some other information, the module calls an application-provided function called the conversation function.

The application must provide a structure, which consists of the pointer to the conversation function and a pointer to any data the application wants to use within the conversation function. The module adds that data pointer as a parameter to the function when it calls the function.

I recommend that you use misc_conv(), a ready-made conversation function provided in pam_misc.h for text-based programs. To do this, #include <security/pam_misc.h> and provide:

static struct pam_conv conv = {
    misc_conv,   /* the conversation function PAM modules will call */
    NULL         /* appdata_ptr: misc_conv() needs no application data */
};
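misc_conv() only suits a program that owns a terminal. The following is an added example, not code from the article, showing the other side of the arrangement described above: an application-written conversation function for a program that already holds the credentials (an SMTP session, say) and answers the module's prompts from a data block reached through appdata_ptr. The names ConvData, app_conv and run_sample are this example's own; the fallback definitions under #else simply mirror the Linux-PAM header so the code compiles where libpam0g-dev is absent.

```cpp
// Added example (not from the article): a non-interactive conversation
// function plus the pam_conv structure that hands it to the PAM library.
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else
// Stand-in for <security/pam_appl.h> so the example compiles where the PAM
// development package is not installed. Layout and values follow Linux-PAM.
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
#define PAM_SUCCESS         0
#define PAM_BUF_ERR         5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#endif

// Application data reached through pam_conv::appdata_ptr (hypothetical type).
struct ConvData {
    std::string user;
    std::string password;
    std::vector<std::string> messages;  // info/error text the module emitted
};

// Conversation function with the signature Linux-PAM expects. Replies must be
// allocated with calloc()/strdup() because libpam releases them with free().
static int app_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr) {
    if (num_msg <= 0 || msg == nullptr || resp == nullptr || appdata_ptr == nullptr)
        return PAM_CONV_ERR;
    auto *data = static_cast<ConvData *>(appdata_ptr);

    auto *replies = static_cast<pam_response *>(calloc(num_msg, sizeof(pam_response)));
    if (replies == nullptr) return PAM_BUF_ERR;

    for (int i = 0; i < num_msg; ++i) {
        const char *answer = nullptr;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: answer = data->password.c_str(); break;
        case PAM_PROMPT_ECHO_ON:  answer = data->user.c_str();     break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            data->messages.push_back(msg[i]->msg ? msg[i]->msg : "");
            break;  // no text reply; resp stays NULL
        default:
            // Unknown style: release everything and report a conversation error.
            for (int j = 0; j < i; ++j) free(replies[j].resp);
            free(replies);
            return PAM_CONV_ERR;
        }
        if (answer != nullptr) {
            replies[i].resp = strdup(answer);
            if (replies[i].resp == nullptr) {
                for (int j = 0; j < i; ++j) free(replies[j].resp);
                free(replies);
                return PAM_BUF_ERR;
            }
        }
    }
    *resp = replies;
    return PAM_SUCCESS;
}

// Runs a constructed prompt sequence (what a module might ask) through
// app_conv and frees the replies the way libpam would. Returns false on error.
static bool run_sample(ConvData &data, std::vector<std::string> &answers) {
    const pam_message prompts[] = {
        {PAM_PROMPT_ECHO_ON,  "login: "},
        {PAM_PROMPT_ECHO_OFF, "Password: "},
        {PAM_TEXT_INFO,       "Last login from the console"},
    };
    const pam_message *msgs[] = {&prompts[0], &prompts[1], &prompts[2]};
    pam_response *resp = nullptr;
    if (app_conv(3, msgs, &resp, &data) != PAM_SUCCESS) return false;
    for (int i = 0; i < 3; ++i) {
        answers.push_back(resp[i].resp ? resp[i].resp : "");
        free(resp[i].resp);
    }
    free(resp);
    return true;
}

// The structure the application passes to pam_start(): the function pointer
// and the data pointer the module hands back as appdata_ptr. Constructed values.
static ConvData creds{"alice", "correct horse", {}};
static struct pam_conv conv = { app_conv, &creds };

int main() {
    std::vector<std::string> answers;
    return run_sample(creds, answers) ? 0 : 1;
}
```

The checks on num_msg and the cleanup on the error paths matter: a module may ask several questions in one call, and whatever the conversation function allocates before failing is its own responsibility, since PAM never sees the partial array.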
