Taken from http://www.ccm.ece.vt.edu/~lscharf/samd/?topic=Linux&title=PAM :
PAM
Keywords: Pluggable Authentication Module
Date Created: 2002-04-01
Author: Luke Scharf luke@vt.edu
Here is what I wish I'd known about PAM before I started working with it:
* Some good documentation on PAM is available here:
  http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/ch-pam.html
* The PAM home page (and some vague documentation) is available here:
  http://www.kernel.org/pub/linux/libs/pam/
* PAM is pluggable on both sides - applications plug into the front and authentication schemes plug into the back.
* The way that applications plug into PAM is defined by the files in /etc/pam.d. An application identifies itself to PAM by an arbitrary string (the service name). This string is usually the application's name, but it doesn't have to be. PAM will look in /etc/pam.d/identification_string to see what authentication mechanisms to use for that program. If /etc/pam.d/identification_string does not exist, PAM will use the authentication mechanism found in /etc/pam.d/other.
* PAM has been (rightfully) written with the utmost of paranoia. This makes it (rightfully) secure, but (infuriatingly) difficult to troubleshoot. I've read documentation and posted on listservs, but I haven't found a way to see /why/ a particular authentication attempt failed. The authors had to debug it somehow, but the production-quality packaged versions don't seem to emit any diagnostic information. If anyone can point me to a pam-watch program that will work on a production machine, I'll very happily eat some crow.
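The /etc/pam.d lookup rule described above (service file if it exists, otherwise the catch-all "other"), as an added example that is not part of the original note: a small parser for pam.d-style lines plus the audit a defender wants, namely that anything falling through to "other" is denied. The file contents in SAMPLE_PAMD are constructed, not taken from any real host; load_pamd() reads a real directory into the same shape.

```python
import re
from pathlib import Path

# Constructed sample pam.d contents (not copied from any real host).
SAMPLE_PAMD = {
    "login": """\
auth      [success=1 default=ignore]  pam_unix.so nullok
auth      requisite  pam_deny.so
account   required   pam_unix.so
""",
    "other": """\
auth      required   pam_deny.so
account   required   pam_deny.so
password  required   pam_deny.so
session   required   pam_deny.so
""",
}

# fields: type, control (a word or a [bracketed action list]), module, optional args
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_file(text):
    """Parse a /etc/pam.d-style file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        entries.append((mtype.lower(), control, module, args.split()))
    return entries

def resolve_service(pamd, service):
    """The lookup the note describes: pamd[service] if present, else pamd["other"]."""
    name = service if service in pamd else "other"
    return name, parse_pam_file(pamd[name]), name != service

def other_denies_everything(pamd):
    """Audit the catch-all: every management group should reach pam_deny."""
    denied = {t for t, _, mod, _ in parse_pam_file(pamd["other"]) if mod.endswith("pam_deny.so")}
    return {"auth", "account", "password", "session"} <= denied

def load_pamd(pamd_dir):
    """Read a real directory (e.g. /etc/pam.d) into the same {name: text} shape."""
    return {p.name: p.read_text() for p in Path(pamd_dir).iterdir() if p.is_file()}
```

Directive lines such as Debian's `@include` are not part of the four-field syntax handled here and are reported as malformed rather than followed.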