* '''PAM Modules''': Shared libraries that perform specific authentication tasks, such as verifying passwords or checking account policies.
* '''PAM Configuration Files''': Text files located in /etc/pam.d/ that define the authentication policies for various applications.
* '''PAM Management Groups''': Categories of management tasks, including `auth`, `account`, `password`, and `session`.

* '''Flexibility''': Administrators can configure and stack multiple authentication methods.
* '''Modularity''': Supports a wide range of authentication methods via modular plugins.
* '''Centralized Control''': Provides centralized authentication management for different services.
* '''Security''': Enhances security by allowing the use of advanced authentication mechanisms like biometrics and multi-factor authentication.

```plaintext
auth required pam_env.so
auth required pam_unix.so
account required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session optional pam_motd.so
```

* **auth**: Authentication management, ensuring user identity.
* **account**: Account management, checking if access is allowed.
* **password**: Password management, handling password changes.
* **session**: Session management, setting up and tearing down user sessions.

* **pam_unix.so**: Uses traditional Unix authentication, such as checking /etc/passwd and /etc/shadow.
* **pam_env.so**: Sets up user environment variables.
* **pam_tally2.so**: Tracks login attempts and can lock accounts after too many failed attempts.
* **pam_motd.so**: Displays the message of the day.

* To enable Google Authenticator for SSH:
  1. Install the Google Authenticator PAM module.
  2. Edit /etc/pam.d/sshd and add:
     ```plaintext
     auth required pam_google_authenticator.so
     ```
  3. Configure SSH to use PAM by editing /etc/ssh/sshd_config and setting:
     ```plaintext
     UsePAM yes
     ```
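
Where the new `auth` line lands in the stack decides whether the second factor is actually enforced. The following is an added example, not code from this page or from the Linux-PAM project: it parses a PAM service file into rules and flags an auth stack in which `pam_google_authenticator.so` is missing, is not `required`/`requisite`, or follows a `sufficient` module. The function names and the sample file are assumptions made for illustration, and `@include` lines are skipped rather than followed.

```python
# Constructed sample of an /etc/pam.d/sshd file (not taken from a real host).
SAMPLE = """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so
auth     required    pam_google_authenticator.so
account  required    pam_nologin.so
account  required    pam_unix.so
session  optional    pam_motd.so
"""

GROUPS = {"auth", "account", "password", "session"}

def parse_pam(text):
    """Return (group, control, module, args) tuples in stack order."""
    rules = []
    # A trailing backslash continues a rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        group, rest = line.split(None, 1)
        group = group.lstrip("-")  # "-auth": do not log if the module is missing
        if group not in GROUPS:
            raise ValueError(f"unknown management group: {group!r}")
        if rest.startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        rules.append((group, control, module, args))
    return rules

def audit_second_factor(rules, module="pam_google_authenticator.so"):
    """List reasons the auth stack might not enforce `module`."""
    auth = [r for r in rules if r[0] == "auth"]
    idx = next((i for i, r in enumerate(auth) if r[2] == module), None)
    if idx is None:
        return [f"{module} is not in the auth stack"]
    findings = []
    if auth[idx][1] not in ("required", "requisite"):
        findings.append(f"{module} is '{auth[idx][1]}': its failure may not deny login")
    for _, control, earlier, _ in auth[:idx]:
        if control == "sufficient":
            findings.append(f"{earlier} is 'sufficient' before {module}: success skips it")
    return findings

if __name__ == "__main__":
    print(audit_second_factor(parse_pam(SAMPLE)))
```

In the constructed sample, `pam_unix.so` is marked `sufficient`, so a correct password ends the auth stack before the Google Authenticator module is consulted; changing it to `required` clears the finding.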