Tryag File Manager

//proc/self/root/usr/share/doc/pam-0.99.6.2/html/sag-overview.html

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Overview</title><meta name="generator" content="DocBook XSL Stylesheets V1.69.1"><link rel="start" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-text-conventions.html" title="Chapter 2. Some comments on the text"><link rel="next" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Overview</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-text-conventions.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-configuration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="sag-overview"></a>Chapter 3. Overview</h2></div></div></div>
 For the uninitiated, we begin by considering an example. We take an
 application that grants some service to users;
 login is one such program.
 Login does two things, it first establishes that
 the requesting user is whom they claim to be and second provides
 them with the requested service: in the case of
 login the service is a command shell
 (bash, tcsh, zsh, etc.) running with the identity of the user.
 
 Traditionally, the former step is achieved by the
 login application prompting the user for a
 password and then verifying that it agrees with that located on
 the system; hence verifying that as far as the system is concerned
 the user is who they claim to be. This is the task that is delegated
 to Linux-PAM.
 
 From the perspective of the application programmer (in this case
 the person that wrote the login application),
 Linux-PAM takes care of this
 authentication task -- verifying the identity of the user.
 
 The flexibility of Linux-PAM is
 that you, the system administrator, have
 the freedom to stipulate which authentication scheme is to be
 used. You have the freedom to set the scheme for any/all
 PAM-aware applications on your Linux system. That is, you can
 authenticate from anything as naive as
 simple trust (pam_permit)
 to something as paranoid as a combination of a retinal scan, a
 voice print and a one-time password!
 
 To illustrate the flexibility you face, consider the following
 situation: a system administrator (parent) wishes to improve the
 mathematical ability of her users (children). She can configure
 their favorite ``Shoot 'em up game'' (PAM-aware of course) to
 authenticate them with a request for the product of a couple of
 random numbers less than 12. It is clear that if the game is any
 good they will soon learn their
 multiplication tables. As they mature, the
 authentication can be upgraded to include (long) division!
 
 Linux-PAM deals with four
 separate types of (management) task. These are:
 authentication management;
 account management;
 session management; and
 password management.
 The association of the preferred management scheme with the behavior
 of an application is made with entries in the relevant
 Linux-PAM configuration file.
 The management functions are performed by modules
 specified in the configuration file. The syntax for this
 file is discussed in the section
 <a href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file">below</a>.
 
 Here is a figure that describes the overall organization of
 Linux-PAM:
 <pre class="programlisting">
 +----------------+
 | application: X |
 +----------------+ / +----------+ +================+
 | authentication-[----&gt;--\--] Linux- |--&lt;--| PAM config file|
 | + [----&lt;--/--] PAM | |================|
 |[conversation()][--+ \ | | | X auth .. a.so |
 +----------------+ | / +-n--n-----+ | X auth .. b.so |
 | | | __| | | _____/
 | service user | A | | |____,-----'
 | | | V A
 +----------------+ +------|-----|---------+ -----+------+
 +---u-----u----+ | | |
 | auth.... |--[ a ]--[ b ]--[ c ]
 +--------------+
 | acct.... |--[ b ]--[ d ]
 +--------------+
 | password |--[ b ]--[ c ]
 +--------------+
 | session |--[ e ]--[ c ]
 +--------------+
 </pre>
 If a program is going to use PAM, then it has to have PAM
 functions explicitly coded into the program. If you have
 access to the source code you can add the appropriate PAM
 functions. If you do not have accessto the source code, and
 the binary does not have the PAM functions included, then
 it is not possible to use PAM.
 </div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-text-conventions.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-configuration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Some comments on the text </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The Linux-PAM configuration file</td></tr></table></div></body></html>