From: Michael Meskes <[EMAIL PROTECTED]>
Date: Tue, 20 Aug 1996 18:25:36 +0200 (MET DST)

[...]
What exactly does it offer that shadow doesn't?

For general information, see http://www.redhat.com/linux-info/pam/ and for Linux-PAM: http://gluon.physics.ucla.edu/~morgan/pam/

But to answer your question in short: PAM (which stands for pluggable authentication modules) is an API that encapsulates (hopefully) all authentication methods. As a consequence, an authentication client using PAM does not need to be reengineered any more to be able to use a new authentication method (e.g. kerberos, s/key, id-cards...), but the new authentication method must be coded once as a PAM module to be available to all applications.

There are several kinds of modules that can be transparently chained together by PAM: e.g. for session logging, for granting/denying access to a particular service based on the time of the day, tty, host; or to log every single character the user types for the real paranoid ... you just name it (or implement it and plug it in :-).

Another example: passwd can be configured via PAM to use some custom local modules for extra password strength checking.

Currently PAM does support unix password files and shadow and some other utility modules (and work is going on on s/key and kerberos), which seems enough functionality to get started.

PAM is also a standard (DCE-RFC 86.0).

Patrick.

--
People who are doing things for fun do things the right way by themselves
-- Linus Torvalds
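
Added example, not part of the message above: a constructed pair of per-service PAM configuration files showing the module chaining and the passwd strength check it describes. The file layout, control flags, module names and options are assumptions taken from current Linux-PAM, not from the post.

```conf
# /etc/pam.d/login  (constructed example; one file per service)
# Columns: type  control  module  [arguments]
# Modules of the same type are run top to bottom as one chain.

# Restrict root logins to the ttys listed in /etc/securetty.
auth       required    pam_securetty.so
# Check the password against the passwd/shadow files.
auth       required    pam_unix.so

# Grant or deny access by time of day and tty (rules in /etc/security/time.conf).
account    required    pam_time.so
# Enforce account and password expiry from shadow.
account    required    pam_unix.so

# Record session open and close through syslog.
session    required    pam_unix.so


# /etc/pam.d/passwd  (constructed example)

# Strength check runs first; "requisite" stops the chain on failure,
# so a rejected password never reaches the module that stores it.
password   requisite   pam_pwquality.so retry=3 minlen=12
# Store the already-checked password in the shadow file.
password   required    pam_unix.so use_authtok shadow
```

Neither login nor passwd has to be rebuilt when a line is added, removed or reordered; the application only calls the PAM API and the chain is read from these files at run time.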