The core component of the PAM framework are the authentication library API (the front end) and the authentication mechanism-specific modules (the back end), connected through the Service Provider Interface. Applications write to the PAM API, while the authentication-system providers write to PAM API and supply the back end module that are independent of the applications.
When an application makes a call to the PAM API, it loads the appropriate authentication module as determined by the configuration file, `pam.conf’. The request is forwarded to the underlying authentication module (for example, UNIX password, Kerberos, smart cards) to perform the specified operation. The PAM layer then returns the response from the authentication module to the application.
Not all applications or services may need all of the above components, and not each authentication module may need to provide support for all of the interfaces.
PAM API usually include four areas of functionality:
- Authentication :::::: This set includes the `pam_authenticate()’ function to authenticate the user, and the `pam_setcred()’ interface to set, refresh or destroy the user
credentials. - account :::::: This set includes the `pam_acct_mgmt()’ function to check whether the authenticated user should be given access to his/her account. This function can implement account expiration and access hour restrictions.
- session :::::: This set includes the `pam_open_session()’ and `pam_close_session()’ functions for session management and accounting. For example, the system may want to store the total time for the session
- password :::::: This set includes a function, `pam_chauthtok()’, to change the password.
Heart of The Ocean 