Pluggable Authentication Modules

Dag-Erling Smørgrav

Contributed by  
Revision: d8432b1e37
Legal Notice
Legal Notice

This article describes the underlying principles and mechanisms of the Pluggable Authentication Modules (PAM) library, and explains how to configure PAM, how to integrate PAM into applications, and how to write PAM modules.

[ Split HTML / Single HTML ]

Table of Contents
1. Introduction
2. Terms and Conventions
3. PAM Essentials
4. PAM Configuration
5. FreeBSD PAM Modules
6. PAM Application Programming
7. PAM Module Programming
A. Sample PAM Application
B. Sample PAM Module
C. Sample PAM Conversation Function
Further Reading

1. Introduction

The Pluggable Authentication Modules (PAM) library is a generalized API for authentication-related services which allows a system administrator to add new authentication methods simply by installing new PAM modules, and to modify authentication policies by editing configuration files.

PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun Microsystems, and has not changed much since. In 1997, the Open Group published the X/Open Single Sign-on (XSSO) preliminary specification, which standardized the PAM API and added extensions for single (or rather integrated) sign-on. At the time of this writing, this specification has not yet been adopted as a standard.

Although this article focuses primarily on FreeBSD 5.x, which uses OpenPAM, it should be equally applicable to FreeBSD 4.x, which uses Linux-PAM, and other operating systems such as Linux and Solaris™.

All FreeBSD documents are available for download at

Questions that are not answered by the documentation may be sent to <>.
Send questions about this document to <>.