- The PAM API
- The PAM SPI
- Writing a PAM Service Module
- Testing the PAM Module
- Conclusion
Testing the PAM Module
To test the pam_compare.so.1 module, update the /etc/pam.conf(4) file as detailed on page 6 and run the passwd command. With the maxequal variable set to 4, the session looks like this:
$ passwd
passwd: Changing password for testuser
Enter existing login password: s3cr3t!
New Password: s3cur3!
passwd: Your old and new password can't share more than 4 characters.
Please try again
New Password: a^_g34.Q
Re-enter new Password: a^_g34.Q
passwd: password successfully changed for testuser
PAM provides its services to all applications that perform Password Management, and all these applications benefit from the new module. If you created the local account testuser, you can force a password change when testuser logs in the next time, with the following command:
$ passwd -f testuser
Here is an example of testuser logging in (the text after each prompt is user input):
$ rlogin -l testuser localhost
Passwd: a^_g34.Q
Choose a new password.
New Password: 55Q.ga_^
rlogin: Your old and new password can't share more than 4 characters.
Try again
Choose a new password.
New Password:
As illustrated, rlogin's password management service benefits immediately from the newly installed module.
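Before running the passwd and rlogin tests above, it helps to know what outcome to expect from a given old/new password pair. The following is an added, self-contained check (not the article's pam_compare source, which is not reproduced on this page); it assumes that "shared characters" means characters of the new password that also occur in the old one, each old character counted at most once, a reading that matches all three outcomes in the transcripts above.

```c
#include <stdio.h>
#include <string.h>

enum { COMPARE_OK = 0, COMPARE_TOO_SIMILAR = 1 };

/* Count characters of new_pw that also occur in old_pw, consuming each
 * old character at most once so repeated letters are handled.
 * ASSUMPTION: this is one plausible reading of "share ... characters";
 * the article's own module may compare differently. */
int shared_chars(const char *old_pw, const char *new_pw)
{
    char pool[256];                       /* working copy of the old password */
    size_t n = strlen(old_pw);
    if (n >= sizeof pool)
        n = sizeof pool - 1;              /* only the first 255 bytes are compared */
    memcpy(pool, old_pw, n);

    int shared = 0;
    for (const char *p = new_pw; *p != '\0'; p++) {
        char *hit = memchr(pool, *p, n);
        if (hit != NULL) {
            *hit = '\0';                  /* consumed; '\0' never matches a password byte */
            shared++;
        }
    }
    return shared;
}

/* Policy decision: reject when more than maxequal characters are shared.
 * A real pam_sm_chauthtok() would map the reject case to a PAM error
 * such as PAM_AUTHTOK_ERR; here plain return codes keep the example
 * buildable without libpam. */
int compare_passwords(const char *old_pw, const char *new_pw, int maxequal)
{
    return shared_chars(old_pw, new_pw) > maxequal ? COMPARE_TOO_SIMILAR : COMPARE_OK;
}

int main(void)
{
    /* Constructed inputs, taken from the two session transcripts above. */
    const int maxequal = 4;
    struct { const char *old_pw, *new_pw; } tries[] = {
        { "s3cr3t!",  "s3cur3!"  },       /* rejected in the passwd session  */
        { "s3cr3t!",  "a^_g34.Q" },       /* accepted                         */
        { "a^_g34.Q", "55Q.ga_^" },       /* rejected in the rlogin session  */
    };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int rc = compare_passwords(tries[i].old_pw, tries[i].new_pw, maxequal);
        printf("%-9s -> %-9s shares %d char(s): %s\n", tries[i].old_pw, tries[i].new_pw,
               shared_chars(tries[i].old_pw, tries[i].new_pw),
               rc == COMPARE_OK ? "accepted" : "rejected (more than 4 shared)");
    }
    return 0;
}
```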
Conclusion
By plugging multiple low-level authentication mechanisms into applications at runtime, PAM integrates them behind a single high-level API. These authentication mechanisms are encapsulated as dynamically loadable shared modules, which can be installed independently of the applications that use them.
In environments where there is an LDAP directory server, either the pam_unix function or the pam_ldap function can be used to authenticate users. Because of its increased flexibility and support of stronger authentication methods, the use of the pam_ldap function is recommended. For organizations using the Solaris 9 OE, which offers LDAP for naming and directory services, the pam_ldap function offers an ideal way to extend the authentication capabilities.
Note
In the Solaris 9 OE, the pam_unix function does not exist in the same form that it does in the Solaris 8 OE. To accommodate proper stacking of the pam_unix function, it has been broken up into single-service modules. Used together, these single-service modules provide the same functionality as the existing pam_unix function. For example, some of the service modules are pam_unix_auth(5), pam_authtok_*(5), and pam_passwd_auth(5).