Pluggable Authentication Modules is a method for authenticating users.

Pluggable Authentication Modules is a method for authenticating users. Using PAM, programmers can provide a more easy and verstile means of performing authentication functions. The ability to change from basic password authentication to the use of smart cards or even biometrics can be changed without having to recompile programs or require serious modifications.

Additionally, PAM can be used to modify the terms of access by users as well as system resources.

Just a few of the things you can do with PAM:

  • Use a different encryption method for passwords such as MD5, making them harder to brute force decode;
  • Set resource limits on all your users so they can't perform denial of service attacks (number of processes, amount of memory, etc)
  • Enable shadow passwords on the fly
  • Allow specific users to login only at specific times from specific places

Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in user's home directories by adding these lines to /etc/pam.d/login: 

    
         #
         # Disable rsh/rlogin/rexec for users         #
         login auth required pam_rhosts_auth.so no_rhosts

Set filesystem limits instead of allowing unlimited as is the default. You can control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf. For example, limits for group 'users' might look like this: 

    
         @users     hard  core    0
         @users     hard  nproc   50
         @users     hard  rss     5000

This says to limit the creation of core files to zero bytes, restrict the number of processes to 50, and restrict memory usage per user to 5 Meg.

References

The main Linux-PAM has a great deal of (sometimes out-of-date) information on configuring and using PAM.

The Linux-PAM System Administrators' Guide is a "draft" document that describes the usage of the default PAM modules.

This Red Hat whitepaper on Enhanced Console Access describes how you can configure PAM to authorize ordinary users to access system devices such as the floppy.

The Red Hat User Guide contains a section on User Authentication with PAM that explains the basics of PAM as well as some more advanced techniques.

Keep in mind that there is the potential to create a situation whereby even root doesn't have access to the system, creating all kinds of configuration headaches. Use caution.