Wikipedia

Pluggable authentication module

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD,[1] FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.
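The independence described above can be seen in a small model of how a Linux-PAM style module stack is evaluated. This is an added example, not code from the PAM project or from this article; it is a simplified simulation rather than libpam, the two configurations and the module outcomes are constructed, and only the four keyword controls (required, requisite, sufficient, optional) are handled.

```python
# Added example: simplified model of Linux-PAM stack evaluation (not libpam).
# Module outcomes are simulated; bracketed controls and includes are not handled.

CONTROLS = ("required", "requisite", "sufficient", "optional")

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for one management group of a pam.d-style file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module name -> True (success) or False (failure)."""
    impression = None   # None = undecided, True = positive, False = negative
    for control, module in stack:
        if control not in CONTROLS:
            raise ValueError(f"unsupported control: {control}")
        if outcome[module]:
            if impression is None:
                impression = True
            if control == "sufficient" and impression:
                break   # success with no earlier failure: stop here
        elif control in ("required", "requisite"):
            impression = False
            if control == "requisite":
                break   # fail immediately, skip the rest of the stack
        # a failed sufficient or optional module is ignored
    return impression is True   # a stack with no positive result fails

# Constructed sample configurations for one hypothetical service.
LOCAL_ONLY = "auth required pam_unix.so\n"
KRB_THEN_LOCAL = """
auth sufficient pam_krb5.so   # try Kerberos first
auth required   pam_unix.so   # fall back to local passwords
"""
LOCAL_THEN_KRB = """
auth required   pam_unix.so
auth sufficient pam_krb5.so
"""

def login(config, outcome):
    """The 'application': identical no matter which modules are configured."""
    return evaluate(parse_stack(config), outcome)
```

The `login` function never changes; only the configuration decides which scheme is consulted, and module order changes the result for the same module outcomes.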

Structure

Since no central standard of PAM behavior exists, there was a later attempt to standardize PAM as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard. This standard was not ratified, but the standard draft has served as a reference point for later PAM implementations (for example, OpenPAM).

Criticisms

Since most PAM implementations do not interface with remote clients themselves, PAM, on its own, cannot implement Kerberos, the most common type of SSO used in Unix environments. This led to SSO's incorporation as the "primary authentication" portion of the would-be XSSO standard and the advent of technologies such as SPNEGO and SASL. This lack of functionality is also the reason SSH does its own authentication mechanism negotiation.

In most PAM implementations, pam_krb5 only fetches Ticket Granting Tickets, which involves prompting the user for credentials, and this is only used for the initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos. This is because pam_krb5 cannot itself get service tickets, although there are versions of PAM-KRB5 that are attempting to work around the issue.[2]

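See also

Implementations:

  • Java Authentication and Authorization Service
  • Linux PAM
  • OpenPAM

  • Identity management (the general topic)
  • Name Service Switch (manages user databases)
  • System Security Services Daemon (SSO implementation based on PAM and NSS)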

References

  1. ^ PAM manual page of DragonFly BSD
  2. ^ PAM-KRB5

External links

Specifications:

  • The Original Solaris PAM RFC
  • X/Open Single Sign-on (XSSO) 1997 Draft Working Paper

Guides:

  • PAM and password control at the Wayback Machine (archived August 19, 2013)
  • Pluggable Authentication Modules for Linux
  • Making the Most of Pluggable Authentication Modules (PAM)
  • Oracle Solaris Administration: Security Services: Using PAM

