Local authentication in Linux is managed by the Pluggable Authentication Modules, or PAM. PAM handles the core authentication process: validating usernames and passwords and enforcing policies.
After authentication (i.e. logging in), authorisation is managed by Polkit, or PolicyKit. Polkit decides which actions regular users can perform, for example whether a regular user can carry out admin or system-level actions without switching to root.
PAM
PAM is a flexible framework to manage user authentication, including logging in, running sudo, or changing passwords using passwd. Note, however, that PAM does not perform authentication on its own; rather, it relies on a stack of modules that are configured in /etc/pam.d/:
```
➤ cd /etc/pam.d/
➤ ls
chfn               newusers    su
chpasswd           other       su-l
chsh               passwd      sudo
groupmems          remote      system-auth
i3lock             rlogin      system-local-login
lightdm            rsh         system-login
lightdm-autologin  runuser     system-remote-login
lightdm-greeter    runuser-l   system-services
login              sshd        vlock
```

Each of these files describes the authentication methods for a service. Every module line operates under one of four interfaces:
| Interface | Description |
|---|---|
| auth | Verifies user identity (e.g. password checks) |
| account | Enforces access policies, such as login times or expiration |
| password | Handles password updates |
| session | Manages tasks at the start/end of a session, such as mounting dirs or writing to a log |

Within any of those files, each module line also carries a control flag that decides how the module's result affects the rest of the stack:
- required → Must pass; if it fails, the remaining modules still run but the final result is failure
- requisite → Must pass; failure causes immediate termination of the stack
- sufficient → Success means auth may succeed early, provided no required module has failed so far
- optional → Its result only matters if it is the sole module in the group
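To make the flag semantics concrete, here is an added example (not code from the original page) that parses a constructed pam.d stack and walks it the way the four control flags above describe; the module names and their pass/fail outcomes are constructed inputs, not real PAM behaviour.

```python
"""Simulate how PAM walks one interface's module stack under the four
control flags. Added example; the pam.d text and outcomes are constructed."""

# Constructed stack in /etc/pam.d syntax: "<iface> <flag> <module> [args]"
CONSTRUCTED_PAMD = """\
#%PAM-1.0
auth      requisite   pam_faillock.so   preauth
auth      sufficient  pam_unix.so       try_first_pass
auth      required    pam_deny.so
-auth     optional    pam_gnome_keyring.so
account   include     system-login
"""

def parse_stack(text, iface="auth"):
    """Return [(flag, module)] for one interface in file order. A leading '-'
    only silences the log if the module is missing, so it is dropped; include
    and substack lines would need the referenced file, so they are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[0].lstrip("-") != iface or fields[1] in ("include", "substack"):
            continue
        entries.append((fields[1], fields[2]))
    return entries

def evaluate(stack, outcomes):
    """Walk the stack; outcomes maps module -> True (pass) / False (fail)."""
    required_failed = required_passed = False
    for flag, module in stack:
        ok = outcomes.get(module, False)
        if flag == "requisite" and not ok:
            return False                  # failure ends the walk at once
        if flag in ("required", "requisite"):
            required_passed |= ok
            required_failed |= not ok     # noted, but later modules still run
        elif flag == "sufficient" and ok and not required_failed:
            return True                   # early success, rest of stack skipped
        # an optional module (or a failed sufficient one) changes nothing here
    if len(stack) == 1 and stack[0][0] == "optional":
        return outcomes.get(stack[0][1], False)  # sole optional module decides
    return required_passed and not required_failed

def login(password_ok, locked_out=False):
    """Constructed outcomes for one login attempt against the stack above."""
    outcomes = {"pam_faillock.so": not locked_out, "pam_unix.so": password_ok,
                "pam_deny.so": False, "pam_gnome_keyring.so": True}
    return evaluate(parse_stack(CONSTRUCTED_PAMD), outcomes)
```

Note how a correct password returns early at the sufficient pam_unix line, while a wrong one falls through to the required pam_deny line and fails only after the whole stack has run.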
```
➤ cat /etc/pam.d/lightdm
#%PAM-1.0
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
account     include     system-login
password    include     system-login
session     include     system-login
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start
```

Polkit
Polkit is a system service that handles authorisation: it decides whether a user can perform actions requiring elevated privileges without becoming root. The configuration files for it are in /etc/polkit-1/rules.d/.
Kerberos
Kerberos is an authentication protocol that uses “tickets” issued by a Key Distribution Centre to help prevent password theft. It is commonly integrated with PAM and is widely used with Active Directory.
LDAP
The Lightweight Directory Access Protocol (LDAP) is used to manage directory access. It is often used as a backend identity store, where usernames, group definitions, and user attributes are kept.
realm
The realm command simplifies joining a system to a domain and sets up authentication with minimal manual configuration. It configures SSSD, Kerberos, and LDAP.