Linux-PAM modules etc. page

Modules/Applications available or in progress...

Here is a list of the modules that people are using/developing for use with Linux-PAM:

The point of having modules is that you can just plug them in(!) In other words, they do not need to be compiled at the same time as the Linux-PAM library to work. Here are some alternative sources for modules that are being provided independently of the main library:

Squid
- Henrik Nordström has added PAM support to squid.
Perl
- Nikolay Pelov has written a Perl module for accessing the PAM library.
AFS (Andrew Filesystem):
- Tobias Schäfer has written a module for doing authentication and password changing based on the AFS commands "klog", "unlog" and "kas".
- Tobias has also written a logging module which you can find in the same place.
pam_if
- Pavel Kankovsky has an interesting module that can nest other modules conditionally. He's also offering an ftpd patch.
pam_xauth
- pam_xauth will be called by su (and other programs that do the same thing, presumably...) and will forward xauth keys between users in a configurable way, manageable (including disabling...) by the user running su and the user whose identity is being assumed. It will even remove keys on a closed session when appropriate (but not when inappropriate).
pam_console
- ??? From Michael K. Johnson.
LDAP

Luke Howard has written a pair of NSS and PAM modules. There are also a bunch of migration tools. (Follow these links for more info on LDAP and University of Michigan LDAP page).
Chris Albone had previously written an LDAP PAM module, but this link seems to be broken [Sorry].
pam_tcpd

Max Liccardo has written PAM TCPD module which implements TCP level access control with PAM.
pam_tacplus
Pawel Krawczyk has written a PAM module allowing basic authentication, authorization and accounting over TACACS+ protocol.
pam_make
Mihai Ibanescu has written a password module that runs 'make' in a specified directory. The need for this stemed from wanting to keep db in synch with the /etc/passwd file.
IMAP

There are PAM patches for Cyrus imap-server here: ftp://sysadm.dntis.ro/pub/devel/cyrus/.
ProFTPD
MacGyver has written a module to give PAM support to ProFTPD. Read more here: http://www.macgyver.org/software/proftpd-pam.html.
Pamrelay

Tom Rothamel has started work on Pamrelay which is a networked authentication-server model. For the source to his server and the complementary PAM module look here.
Netware

David Airlie has written a Netware module that is available from here.
John Taylor and Brian Hammond have written a pam_nw_auth module for authenticating users against a Netware server. This module is available from the Linux-PAM pre-release directory [According to Alexander List, when combined with libncp, it will allow authentication via NDS (Netware 4) servers].
SAMBA

Early alpha attempt from John Lane to make a module to change passwords: http://www.cse.msu.edu/~lanejohn/en/hacks/pam_smb_passwd-0.1.tar.gz using PAM.
David Airlie has produced a module that validates a username / password / domain combination using any SMB (CIFS) Server, which includes an NT Server.
Luke Leighton has used David's module as the basis for a more secure form of validation that can only be performed against a Primary Domain Controller (either an NT or a Samba PDC).
Steve Langasek, has provided modules that will keep UNIX and SMB password changes in sync by amending the UNIX database when you change a SMB password.
NRL OPIE:

Andy Berkheimer has written PAM-OPIE module.
(Backgroud information, NRL OPIE is a one-time password authentication scheme based on S/Key and works on most unix systems. Available in ftp://ftp.ipv6.inner.net/pub/opie and ftp://ftp.inner.net/pub/opie.
People at Stanford including Tom Wu have created something called Secure Remote Password (SRP) and it has support for PAM -- both Linux and Solaris.
Vladimir Gurevich of SafeAccess(tm) technology has released two modules in addition to some documentation: The first is pam_infocard.so which authenticates users using LeeMah Datacom SafeAccess(tm) Challenge/Response (or Response-only) technology against a local user database. The other is covered in the next section.
One of the glorious things about PAM is that you can pick and choose the way you implement something. For example, we have a three module flavors and a server implementation to get PAM support into your RADIUS system:

For a PAM supporting Radius server take a look at: http://www.iphil.net/~map/radius/.
Cryptocard have some GPL'd pam_radius_auth code (works for linux and solaris).
SafeAccess(tm) technology has releaseed a GPL'd pam_lradius.so which authenticates users using RADIUS. The module supports RADIUS Access-Challenge request and thus can be used to provide SafeAccess(tm) authentication against an appropriate RADIUS server (like TraqNet8000 for Windows NT and patched Merit, Livingston & Ascend UNIX RADIUS servers).
The standard Linux-PAM distribution contains a non-authentication (only session logging) pam_radius implementation by Cristian Gafton.
Thorsten Kukuk has produced a pam_keylogin module for NIS+ support.
Luigi Catuogno is working on a Transparent Cryptographic Filesystem PAM module.
Tom Ryan's modules: http://camlaw.rutgers.edu/pam/
Tim Baverstock's modules (and more): http://www.sable.demon.co.uk/pam/
Ingo Lütkebohle's page about getting Apache to use PAM.

The following modules are (mostly) to be found in the Linux-PAM source tree:

pam_cracklib: strength checking for new passwords. Requires the cracklib library to compile: libcrack. Intended for stacking before other password modules.
Cristian Gafton <gafton@redhat.com>

pam_deny: deny all forms of access;
Andrew Morgan <morgan@linux.kernel.org>

pam_desgold: Enigma Logic DESGold card -- smart card;
Alexander O. Yuriev <alex@yuriev.com>

pam_filter: module to allow easy access to the stdin/out of a running process. It can be used to log users input etc.. Current pluggable filters include:

upperLOWER: demonstration filter that transposes upper and lower case characters.
You are encouraged to write your own.. (Email me if you need help.);
Andrew Morgan <morgan@linux.kernel.org>

pam_ftp: A module that checks if the user is `ftp' or `anonymous'. On finding this to be the case, it prompts for a email address for a password, and proceeds to set the PAM_RUSER item with this value.
Andrew Morgan <morgan@linux.kernel.org>

pam_group: extension to the /etc/group concept. This module grants group privileges based on who the user is when/where they are requesting a service from and what they are trying to do;
Andrew Morgan <morgan@linux.kernel.org>

pam_kerberos: Kerberos authentication scheme;
Theodore Y. Ts'o <tytso@mit.edu>
An implementation has been written for Kerberos 4 authentication
Derrick J Brashear <shadow+@andrew.cmu.edu>
Kerberos 5 authentication
Naomaru Itoi <itoi@eecs.umich.edu>

pam_limits: a module to set the resource limits for a service. Two implementations of this have been merged to produce this module.
Cristian Gafton <gafton@redhat.com> and
Elliot Lee <sopwith@redhat.com>

pam_listfile: authenticate users based on the contents of a specified file.
Elliot Lee <sopwith@redhat.com>

pam_nologin: This module always lets root in; it lets other users in only if the file /etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's contents are displayed to the user.
Michael K. Johnson <johnsonm@redhat.com>

pam_passwd+: password strength checking;
Al Longyear <longyear@netcom.com>

pam_permit: always allow access;
Andrew Morgan <morgan@linux.kernel.org>

pam_pwdb: plug in replacement for pam_unix_* that uses the Password Database library.
Andrew Morgan <morgan@linux.kernel.org>

pam_radius: RADIUS authentication, using the Password Database library. [Redhat offer fixes and changes to libpwdb, for info on these, take a look here: libpwdb. Debian also have a package for this.]
Cristian Gafton <gafton@redhat.com>

pam_rhosts: rhost verification as per rlogin etc..;
Al Longyear <longyear@netcom.com>

pam_rootok: module to authenticate the user if their (real) uid is root (intendend for use with the sufficient control flag);
Andrew Morgan <morgan@linux.kernel.org>

pam_securetty: /etc/securretty access controls;
Elliot Lee <sopwith@redhat.com>

pam_shells: authenticate users if their shell is listed in the /etc/shells file.
Erik Troan <ewt@redhat.com>

pam_skey: S/Key authentication;

Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>

ftp://linux.nrao.edu/pub/people/juphoff/PAM/

pam_skey2: is being worked on by Sean Reifschneider <jafo@tummy.com>

pam_stress: stress test your application with this module;
Andrew Morgan <morgan@linux.kernel.org>

pam_tally: this module keeps track of the number of times an attempt is made to access an account. It can deny access after a specified number of failures. Root's account can be treated specially. RPMS for newer versions of this module than the one contained in the source tree are here: ftp://rudy.mif.pg.gda.pl/pub/People/milek.
Tim Baverstock <warwick@demon.co.uk>

pam_time: authorize users based on when and where they log in (like securetty, but) in a way that is dependent on the service they are requesting;
Andrew Morgan <morgan@linux.kernel.org>

pam_unix_*: standard unix authentication (with some shadow support); This module is being supported by Red Hat.
Michael K. Johnson <johnsonm@redhat.com>

pam_warn: provides a diagnostic tool for dumping information to syslog(2) about the service-application.
Andrew G. Morgan <morgan@linux.kernel.org>

pam_wheel: for enforcing the wheel group privileges;
Cristian Gafton <gafton@redhat.com>

Back to Linux-PAM also see the The Red Hat PAM page.
Send comments etc. to The Linux-PAM mailing list. Or to me.