3. Authentication on Unix Boxes

In the bad old days authentication was simple: the user typed in a password, of which at most eight characters were significant, and this was turned into a thirteen-character string by the DES-based crypt(3) routine (the password serves as a DES key to repeatedly encrypt a block of zeros, perturbed by a two-character salt); if the result matched the corresponding entry in the (world-readable) /etc/passwd the user was granted access.

Those stored strings (the page calls them keys; strictly they are salted one-way hashes) are world-readable, and because the computation is cheap and the input space small, anyone who copies them can test candidate passwords offline and recover most of them quickly. Thankfully the Unix authentication system has been improved.

3.1. Shadow Passwords

With the shadow password system the password hashes are moved to /etc/shadow, which is readable only by root; information such as home directory and shell stays in the world-readable /etc/passwd, whose password field then holds only a placeholder ("x"). This denies ordinary users the raw material for offline password-cracking attempts, and it means that a compromised daemon or service cannot hand an intruder the hashes, provided the daemon is running as a non-privileged user such as nobody. A daemon that runs as root, or that has a root-owned helper, can still read the file, so the protection is only as good as the privilege separation around it.

3.2. MD5 Passwords

MD5 is an improved hashing algorithm, not an encryption algorithm: the stored value is still a one-way hash, but the scheme (md5crypt, recognisable by the $1$ prefix on the hash) runs the password and salt through a thousand MD5 iterations, so each guess costs the attacker more, and it does not truncate the password at eight characters, so far longer passwords are accepted (the Red Hat documentation of the time quotes 256 characters). Given the choice between DES and MD5, use MD5! Note, though, that md5crypt is itself obsolete on current systems: SHA-512-based crypt ($6$), bcrypt or yescrypt should be preferred where available.
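
A small audit script, added here as an example (it is not from the original page), that ties 3.1 and 3.2 together: it parses /etc/shadow-format lines, names the hash scheme each account uses (DES, md5crypt, and the SHA, bcrypt and yescrypt schemes that have since replaced both), flags empty password fields and weak schemes, and checks that the file mode grants "other" nothing. The sample lines are constructed; the hash strings have the right shape but are not hashes of real passwords.

```python
"""Audit /etc/shadow entries for the weaknesses sections 3.1 and 3.2 describe.

This is an added example, not code from the original page. SAMPLE_SHADOW is
constructed: the hash fields have the right prefix and shape but are not
hashes of real passwords.
"""
from dataclasses import dataclass
from typing import List, Tuple

# crypt(3) hash prefixes. Traditional DES hashes carry no prefix: they are
# exactly 13 characters (2 of salt, 11 of hash) from the crypt alphabet.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
CRYPT_ALPHABET = set("./0123456789"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
# Schemes an audit should still flag: DES uses only 8 characters and is cheap
# to brute-force; md5crypt has a fixed, and by now far too small, work factor.
WEAK = {"des", "md5crypt"}

# Constructed sample of what the root-only-readable file might contain.
SAMPLE_SHADOW = """\
root:$6$saltsalt$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:15000:0:99999:7:::
alice:$1$abcdefgh$bbbbbbbbbbbbbbbbbbbbbb:15000:0:99999:7:::
bob:ab0123456789.:15000:0:99999:7:::
carol::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
dave:!$6$saltsalt$cccccccccccccccccccccccccccccccccccccccccc:15000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    passwd: str   # the hash field, verbatim


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow line; it must have exactly nine colon fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    return ShadowEntry(name=fields[0], passwd=fields[1])


def classify_hash(field: str) -> str:
    """Name the scheme behind a shadow password field."""
    if field == "":
        return "empty"        # no password is required at all
    if field[0] in "!*":
        return "locked"       # password login disabled (a hash may be retained)
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "des"
    return "unknown"


def audit_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for entries that need attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        scheme = classify_hash(entry.passwd)
        if scheme == "empty":
            findings.append((entry.name, "empty password field: logs in with no password"))
        elif scheme in WEAK:
            findings.append((entry.name, f"weak hash scheme {scheme}: force a password change"))
        elif scheme == "unknown":
            findings.append((entry.name, "unrecognised hash format: inspect by hand"))
    return findings


def shadow_mode_ok(st_mode: int) -> bool:
    """True if the mode grants nothing to 'other'. 0600, or 0640 root:shadow,
    are the usual settings; any world-read bit reintroduces the old problem."""
    return (st_mode & 0o007) == 0


if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{account}: {finding}")
    print("mode 0640 ok:", shadow_mode_ok(0o640), " mode 0644 ok:", shadow_mode_ok(0o644))
```

Run as root against a real system by passing the contents of /etc/shadow to audit_shadow and the st_mode from os.stat("/etc/shadow") to shadow_mode_ok. Locked accounts (a field beginning with "!" or "*") are deliberately not reported: the retained hash cannot be used to log in, although it is still worth removing if the scheme is weak.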

3.3. PAM

On both Linux and Solaris the authentication process is carried out by PAM, the Pluggable Authentication Modules system, which was originally developed by Sun Microsystems. PAM provides a centralised mechanism for authenticating all PAM-aware services (login, halt, linuxconf, ...): the service hands the request to PAM, and PAM's per-service configuration decides which modules are consulted, so the policy can be changed without rebuilding the service.

The PAM authentication process proceeds like this:

  1. The application (e.g., login) makes an initial call to PAM.
  2. PAM looks in /etc/pam.conf or the appropriate file in /etc/pam.d for the list of modules needed to service this request.
  3. PAM calls each module in turn, in order of listing (though, depending on the configuration, some modules may be skipped, or a failure may end the stack early).
  4. Some of the modules may converse with the user, for example, asking for a password.

Example with sketchy explanation

We consider just one example --- the login process. For RedHat 6.2 the corresponding PAM configuration file, /etc/pam.d/login (apparently) looks something like this:

    auth      required  /lib/security/pam_securetty.so
    auth      required  /lib/security/pam_pwdb.so
    auth      required  /lib/security/pam_nologin.so
    account   required  /lib/security/pam_pwdb.so
    password  required  /lib/security/pam_cracklib.so minlen=20\
            retry=3 type=SECRET
    password  required  /lib/security/pam_pwdb.so md5 use_authtok
    session   required  /lib/security/pam_pwdb.so

On my RedHat 7.1 box it looks like this:

    auth       required	/lib/security/pam_securetty.so
    auth       required	/lib/security/pam_stack.so service=system-auth
    auth       required	/lib/security/pam_nologin.so
    account    required	/lib/security/pam_stack.so service=system-auth
    password   required	/lib/security/pam_stack.so service=system-auth
    session    required	/lib/security/pam_stack.so service=system-auth
    session    optional	/lib/security/pam_console.so

A brief explanation. First, the module type in the first column:
auth
Modules listed after auth are called for authentication --- e.g., to ask for and validate a password.


account
Modules listed after account provide account verification services: has the user's password expired? Is this user permitted access to the requested service?


password
Modules for updating passwords (more generally, authentication tokens), including any quality checks applied to a proposed new one.


session
This group covers things that should be done before a service is given and after it is withdrawn, for example entries in syslog, or setting up and tearing down the user's environment.


Next, the modules themselves:
pam_pwdb
This module provides a central lookup of information associated with users, passwords and groups, e.g., by looking in /etc/passwd and /etc/shadow. It is controlled by /etc/pwdb.conf. Later distributions use pam_unix for the same job.


pam_cracklib
Its purpose is to check a proposed password for crackability: minimum length, use of non-alphanumeric characters, similarity to the old password, presence in a dictionary... In the RedHat 6.2 example above its arguments set a minimum length (minlen=20, though cracklib's credit scheme for mixed character classes can lower the effective length), three attempts (retry=3) and the word shown in the prompt (type=SECRET).


pam_stack
This module lets you "call", from inside of the stack for a particular service, the stack defined for any other service. The intention is to allow multiple services to "include" a system-wide setup, so that when that setup needs to be changed, it need only be changed in one place. Hence this module takes arguments such as service=system-auth, and the configuration file /etc/pam.d/system-auth is therefore "executed" as a nested stack whose overall result becomes the result of the pam_stack line. Later versions of Linux-PAM replaced pam_stack with the include control keyword (e.g., auth include system-auth), which splices the named file's lines into the current stack rather than running them separately; a sufficient or requisite line inside the included file can therefore end the whole stack, which it cannot do through pam_stack.
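
The following simulator is an added example, not code from the original page or from Linux-PAM. It shows the four numbered steps above and the two configuration listings in action: it parses pam.d-style lines (including the backslash continuation in the RedHat 6.2 listing), walks one type's stack applying the required, requisite, sufficient and optional rules, resolves pam_stack.so service=... as a nested stack, and records which modules were consulted. The CONFIGS dict is constructed: "login" mirrors the shape of the RedHat 7.1 /etc/pam.d/login above, while "system-auth" and "login-misordered" are invented for the demonstration; module results are supplied as a dict rather than coming from real modules, so it runs without PAM installed.

```python
"""Simulate how PAM walks a module stack: the four numbered steps above, the
control flags (required, requisite, sufficient, optional) and pam_stack's
service= argument. Added example, not code from the page or from Linux-PAM.
CONFIGS is constructed: "login" mirrors the shape of the page's RedHat 7.1
/etc/pam.d/login; "system-auth" and "login-misordered" are invented. Module
results come from a dict, not real modules, so this runs without PAM."""
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, Dict[str, str]]   # (type, control, module, args)

CONFIGS = {
    "login": """\
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_stack.so service=system-auth
auth     required   /lib/security/pam_nologin.so
account  required   /lib/security/pam_stack.so service=system-auth
""",
    "system-auth": """\
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
""",
    # Wrong: the sufficient line returns success before securetty is consulted.
    "login-misordered": """\
auth     sufficient /lib/security/pam_unix.so
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
""",
}

def parse_pam_config(text: str) -> List[Entry]:
    """Parse pam.d lines (type control module [arg ...]), honouring comments
    and the backslash continuation used by the page's pam_cracklib line."""
    entries: List[Entry] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line:
            continue
        mtype, control, module, *rest = line.split()
        module = module.rsplit("/", 1)[-1]           # drop /lib/security/
        if module.endswith(".so"):
            module = module[:-3]                      # pam_x.so -> pam_x
        args = dict(a.split("=", 1) if "=" in a else (a, "") for a in rest)
        entries.append((mtype, control, module, args))
    return entries

def expand(configs: Dict[str, str], service: str, mtype: str) -> List[Entry]:
    """Entries of one type for a service, with `include` lines spliced in."""
    out: List[Entry] = []
    for e in parse_pam_config(configs[service]):
        if e[0] == mtype:
            out.extend(expand(configs, e[2], mtype) if e[1] == "include" else [e])
    return out

def run_stack(configs: Dict[str, str], service: str, mtype: str,
              outcomes: Dict[str, bool], trace: List[str]) -> bool:
    """Evaluate one type's stack. required: failure remembered, later modules
    still run. requisite: failure ends the stack. sufficient: success ends the
    stack unless a required module already failed; failure is ignored.
    optional: counts only when it is the sole module. pam_stack service=X runs
    X's stack of the same type as a separate nested stack."""
    required_failed, last_optional, decisive = False, None, 0
    for _, control, module, args in expand(configs, service, mtype):
        if module == "pam_stack":
            ok = run_stack(configs, args["service"], mtype, outcomes, trace)
        else:
            trace.append(module)            # the module was consulted
            ok = outcomes[module]
        if control == "optional":
            last_optional = ok
            continue
        decisive += 1
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not required_failed:
            return True
        elif control not in ("requisite", "sufficient"):
            raise ValueError(f"unknown control flag {control!r}")
    return bool(last_optional) if decisive == 0 else not required_failed

def login_allowed(tty_secure: bool, password_ok: bool, service: str = "login"):
    """Run the auth stack for one login attempt: (allowed?, modules consulted)."""
    outcomes = {
        "pam_securetty": tty_secure,   # root on a tty listed in /etc/securetty?
        "pam_unix": password_ok,       # password matched the shadow hash?
        "pam_nologin": True,           # /etc/nologin is absent
        "pam_deny": False,             # always fails, by design
    }
    trace: List[str] = []
    return run_stack(CONFIGS, service, "auth", outcomes, trace), trace
```

Calling login_allowed(False, True) denies root on an insecure tty, yet the trace shows pam_unix was still consulted: because pam_securetty is required rather than requisite, the password is still asked for, so the prompt does not reveal which check failed. login_allowed(False, True, "login-misordered") returns success without ever consulting pam_securetty, which is the ordering mistake to look for when reviewing a stack that mixes sufficient and required lines.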


More

The above gives only a sketch of PAM. For more (much more) see:




About this document:

Produced from the SGML: /home/isd/public_html/_unix_security/_reml_grp/unix_security_survey.reml
On: 10/11/2004 at 9:49:32
Options: reml2 -i noindex -l long -o html -p multiple