Modules/Applications available or in progress...
$Date: 2007/10/23 04:05:02 $
Here is a list of the modules that people are using/developing for
use with PAM:
The point of having modules is that you can just plug them in(!)
In other words, they do not need to be compiled at the same time as
the PAM library to work. Here are some alternative sources for
modules that are being provided independently of the main library:
Other places to find out about modules
Specific modules linked from this page
News about new stuff (or revisions to old stuff) gets bubbled up to
the top of the page...
- One-time password authentication
- Frank Cusack recommends his company's OTP authentication module pam_otp_auth that
works with a daemon (otpd) to support various hardware and software
tokens.
- Pedro Diaz is working on a one-time password module: pam_sotp.
- Andy Berkheimer has written an NRL PAM-OPIE module.
- (Background information: NRL OPIE is a one-time password
authentication scheme based on S/Key and works on most unix systems.
Available from http://www.inner.net/pub/opie.)
- USB dongle authentication
- Erik Sonn announced a USB
dongle authentication module.
- Kerberos
- pam_rsa
- Hyperllama is interested in receiving feedback on an
experimental poor-man's smartcard module pam_rsa details
here.
- pam_tdeny
- this module
denies password changing for all users who are NOT in /etc/passwd
- OpenPGP
- pampka
- Andrey Warkentin writes ... basically it's the poor man's
version of "secure token authentication", except this is not very
secure, with the private key actually being read from the "token",
instead of the signature being generated on the token itself. :-)
- pam_abl
- Andy Armstrong recommends a module to automatically
blacklist hosts from which large numbers of failed login attempts
originate.
- pam_storepw
- A password
caching module can be used to temporarily cache a user password so
you can gain other services automatically. The link given here
describes a way to use autofs to mount a CIFS file system.
- Bluetooth
- POP3
- SQL database based authentication
- Tim Baverstock's modules (and more): http://www.baverstock.org.uk/tim/pam/
- pam_epass
- Misc - a bunch of toolkit modules
- Lock-out module
- Brian Weaver has written a lock-out module.
- Already logged in?
- NewsCache
- NewsCache
containing the PAM Patch from Tuomo Pyhala.
- SecurID
- (Costin Enache had written a SecurID PAM + "server",
but rumor has it he was threatened by RSA's lawyers.. Costin's
sourceforge site and the associated source code have dropped off the
net. Apparently, for the cost of your contact information, RSA now
offer something similar - search for 'PAM' at the RSA site for more
info.)
- A derivative of
Wyman Miles' module that authenticates using RSA securid cards.
- Here is a SecurID module hosted at
projects.jdimedia.nl Igmar Palsenberg indicates that it was
originally designed for CryptoCard RB1 tokens, but it also works with
SecurID.
- There are some hints at SecurID support
associated with OpenSSH. The author mentions PAM, but from the README it's not clear how this is implemented.
- Wyman Miles claims to have implemented a module for
this flavor of authentication that is the same module as his S/Key
module.
- pam_require
- pam_dotfile
- Lennart Poettering has written pam_dotfile,
which provides an alternative authentication mechanism for services
based on the existence and contents of a
.pam-service file.
- voiceauth
- crypt2g
- Denis Bodor has written a crypt2g PAM module to
authenticate using a "european phone card reader".
- pam_idsa
- CODA
- Ivan Popov is supporting the Kerberos-Coda
module.
- Robin Gareus has written a PAM-CODA module that can do all the
initialization stuff that Coda needs at login time.
- pam_user_auth
- Mark D Roth has written a number of modules for PAM,
including a "PAM Module for Per-User Authentication".
- pam_mount
- W. Michael Petullo is supporting an
improved branch of pam_mount. There is a copy cached here.
- Elvis Pfützenreuter created the original pam_mount module for
leveraging a user password to mount password protected
filesystems. Elvis' site appears to have dropped off the net.
- SafeWord
- SafeWord is a product of Secure
Computing. Here is how Secure Computing (Courtesy of Christopher
McSorley) describe the current support they have for PAM. I've
recently heard from Will Melick who was evaluating their Linux
offering, that they also support Linux's PAM now:
"SafeWord Agent for PAM; Pluggable Authentication Modules (PAM) for
Solaris v2.6/v2.7 and HP-UX v11.0. The SafeWord Agent for PAM v1.0.1
is an authentication plug-in that can augment or replace the native
operating system authentication mechanism. SafeWord Agent for PAM
allows users to make use of SafeWord strong authentication in
PAM-compliant applications supplied by Sun and others, such as login,
rlogin, rsh, uucp, telnet, and ftp. To download the PAM agent, or our
Software Developer's Kit (SDK), go to www.securecomputing.com"
- Password strength checking modules
- pam_iptables
- u/wtmp handling
- Pawel Boguslawski has written a module for logging service sessions in
the UTMP and WTMP databases (it uses a different approach to the
problem than the "pam_utmp" written by Jan Rekorajski).
- Jan Rękorajski has written a module for handling u/wtmp
entries. Find it here.
- SAMBA
- chroot
- Ed Schmollinger has written a pam_chroot
module.
- Matthew Kirkwood has written a chroot module.
- pam_ssh
- Radius - One of the glorious things about PAM is that you
can pick and choose the way you implement something. For example, we
have multiple module flavors and server implementations to get PAM
support into your RADIUS system:
- Two RADIUS modules that work with linux and solaris derived from
a GPL'd development initially funded by Cryptocard:
- For a PAM supporting Radius server take a look at: http://www.radius.cistron.nl.
- SafeAccess(tm) technology has
released a GPL'd pam_lradius.so which authenticates users using
RADIUS. The module supports RADIUS Access-Challenge request and thus
can be used to provide SafeAccess(tm) authentication against an
appropriate RADIUS server (like TraqNet8000 for Windows NT and patched
Merit, Livingston & Ascend UNIX RADIUS servers). pam at
engr.leemah.com (Vladimir Gurevich) of SafeAccess(tm) technology has
released two modules in
addition to some documentation. The
other module is pam_infocard.so which authenticates users using LeeMah
Datacom SafeAccess(tm) Challenge/Response (or Response-only)
technology against a local user database.
- The standard Linux-PAM distribution contains a
non-authentication (only session logging) pam_radius
implementation by Cristian Gafton.
- iButtons
- IMAP
- pam_netgroups
- LDAP
- Cryptocard module
- Igmar Palsenberg has made available a pam_cryptocard
module. (This looks like it's been renamed to pam_smxs.)
- Netscape web server ns-api
- This is
some sort of pam plugin for a netscape server.
- pam_tcpd
- TACACS+
- Netware
- Andreas Moroder points you to some ncpfs stuff, which
includes a PAM module.
- David Airlie has written a Netware module that is available from
here.
- John Taylor and Brian Hammond have written a pam_nw_auth module
for authenticating users against a Netware server. This module is
available from the Linux-PAM pre-release
directory [According to Alexander List, when combined with libncp, it will
allow authentication via NDS (Netware 4) servers].
- PHP
- misc solaris stuff
- search this page for 'solaris' for other links of interest.
- Piet Ruyssinck has done
some work trying to PAMify various applications - with Solaris in
mind. You can find info on POP, xdm, sshd, and imapd here.
- pam_console
- From Michael K. Johnson: pam_console is a module that can change
permissions on devices and files based on the PAM_TTY item at login
and logout time. It was roughly inspired by the Solaris
/etc/logindevperms file, but the syntax was expanded for
maintainability, and no guarantees of backwards compatibility are
given.
- mod_auth_pam
- PAM_su
- Rhosts
- Wyman Miles has implemented auth_hosts which is a module that offers a subset of the
rhosts scheme
- pam_rhosts rhost verification as per rlogin etc. (in the
main tar ball)
- S/KEY
- Enterprise Suitespot
- Max has written a pam module for basic
authentication for Netscape Enterprise Suitespot server 3.5.1.
- pam_pwdfile
- Charl Botha has written an auth service PAM
module that can be pointed at any username:crypted_password file
so that separate sets of passwords can be had for different services
on the same machine.
- pam_pwgen
- Jan Rękorajski has written pam_pwgen which is a password generator module that gives the user a
choice between pronounceable passwords, strings of characters or his
own. "If you ever saw /bin/passwd on OSF1 you know what it
is :)"
- Python
- NewsCache
- pam_unix (alternatives)
- Thorsten Kukuk has a pam_unix2 available here. This
one is VERY glibc specific.
- Jan Rękorajski has rewritten the pam_unix module to do all that
pam_pwdb can do: pam_unix-new
- sudo
- Apparently, 'sudo'
has PAM support.
- Squid
- Perl
- AFS (Andrew Filesystem):
- Tobias Schäfer has written a module for doing authentication
and password changing based on the AFS commands "klog", "unlog"
and "kas".
- Tobias has also written a logging module which you can find in the
same place.
- pam_if
- Pavel Kankovsky has an
interesting module that can nest other modules conditionally. He's
also offering an ftpd patch.
- pam_xauth
- pam_xauth will be called by su (and other programs that do the
same thing, presumably...) and will forward xauth keys between users
in a configurable way, manageable (including disabling...) by the user
running su and the user whose identity is being assumed. It will even
remove keys on a closed session when appropriate (but not when
inappropriate).
- ProFTPD
- This FTP server has PAM support built in: ProFTPD.
- Pamrelay
- Tom Rothamel has started work on Pamrelay which is a
networked authentication-server model. For the source to his server
and the complementary PAM module look here.
- People at Stanford including Tom Wu have created something
called Secure Remote Password
(SRP) and it has support for PAM -- both Linux and Solaris.
- Thorsten Kukuk has produced a pam_keylogin module for NIS+ support.
- Luigi Catuogno is working on a Transparent Cryptographic
Filesystem PAM
module.
- Tom Ryan's modules:
http://camlaw.rutgers.edu/pam/
- Ingo Lütkebohle's page about getting Apache to use PAM.
The following modules are (mostly) to be found in the Linux-PAM source tree:
- pam_deny:
deny all forms of access;
Andrew Morgan
- pam_filter:
module to allow easy access to the stdin/out of a running process. It
can be used to log users' input, etc.
Current pluggable filters include:
- upperLOWER:
demonstration filter that transposes upper and lower case characters.
You are encouraged to write your own.. (Email me if you need help.);
Andrew Morgan
- pam_ftp:
A module that checks if the user is `ftp' or `anonymous'.
On finding this to be the case, it prompts for an email address for a
password, and proceeds to set the PAM_RUSER item with this value.
Andrew Morgan
- pam_group:
extension to the /etc/group concept. This module grants group
privileges based on who the user is when/where they are requesting a
service from and what they are trying to do;
Andrew Morgan
- pam_limits:
a module to set the resource limits for a service. Two implementations of
this have been merged to produce this module.
Cristian Gafton <gafton at redhat.com> and
Elliot Lee <sopwith at redhat.com>
- pam_listfile: authenticate users based on the
contents of a specified file.
Elliot Lee <sopwith at redhat.com>
- pam_nologin:
This module always lets root in; it lets other users in only if the file
/etc/nologin doesn't exist. In any case, if /etc/nologin exists, its
contents are displayed to the user.
Michael K. Johnson <johnsonm at redhat.com>
- pam_passwd+: password strength checking;
Al Longyear <longyear at netcom.com>
- pam_permit: always allow access;
Andrew Morgan
- pam_pwdb: plug in replacement for pam_unix_*
that uses the Password Database library.
Andrew Morgan
- pam_radius: RADIUS authentication, using the Password Database
library. [Redhat offer fixes and changes to libpwdb, for info on
these, take a look here: libpwdb. Debian
also have a package for this.]
Cristian Gafton <gafton at redhat.com>
- pam_rootok: module to authenticate the user if their
(real) uid is root (intended for use with the sufficient
control flag);
Andrew Morgan
- pam_securetty: /etc/securetty access controls;
Elliot Lee <sopwith at redhat.com>
- pam_shells: authenticate users if their shell is
listed in the /etc/shells file.
Erik Troan <ewt at redhat.com>
- pam_stress: stress test your application with this module;
Andrew Morgan
- pam_tally: this module keeps track of the number of times
an attempt is made to access an account. It can deny access after a
specified number of failures. Root's account can be treated
specially. RPMS for newer versions of this module than the one
contained in the source tree are here:
ftp://rudy.mif.pg.gda.pl/pub/People/milek.
Tim Baverstock <warwick at demon.co.uk>
- pam_time:
authorize users based on when and where they log in (like securetty,
but) in a way that is dependent on the service they are requesting;
Andrew Morgan
- pam_unix_*: standard unix authentication (with some shadow support);
This module is being supported by Red Hat.
Michael K. Johnson <johnsonm at redhat.com>
- pam_warn:
provides a diagnostic tool for dumping information to syslog(2)
about the service-application.
Andrew Morgan
- pam_wheel: for enforcing the wheel group privileges;
Cristian Gafton <gafton at redhat.com>
Send comments etc. to
The Linux-PAM mailing list.
Or to morgan of kernel.org.