#1 2025-08-01 22:52:20

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

[SOLVED] Understanding Linux PAM

So after reading this https://wiki.archlinux.org/title/PAM and searching through the internet I have some questions:

1) Does polkit work with PAM by default? What's the reason for having polkit if PAM exists?

2) Can I use PAM in other contexts besides system administration? I mean I don't see any usage of PAM as middleware to authenticate something from a service, but maybe I'm wrong. Can PAM be used for developing web applications, for example? Or is it just for internal network authentication usage?

3) Any recommendations where I can learn PAM better apart from the man pages?

Last edited by Succulent of your garden (2025-08-03 22:59:01)


str( @soyg ) == str( @potplant ) btw!

Also now with avatar logo included!

Offline

#2 2025-08-02 12:58:22

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,177

Re: [SOLVED] Understanding Linux PAM

PAM is a plugin-based authorization system; you can configure modules that will allow you to authenticate in various ways (password, fingerprint, key token, bluetooth …) or run certain actions (e.g. unlock a keyring) once such authentication has happened.
polkit is more like sudo(ers) and allows you to control leverage for certain actions ("who needs to authenticate as whom to get authorization to run what").
The two things do not overlap at all.

Not sure what your plans w/ (2) would be?

Offline
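Added example, not part of seth's reply or of any project's code: a small parser for the `/etc/pam.d/<service>` rule format that lists which modules a service runs to authenticate and which it runs as session actions. The sample file content and the function names `parse_pam` and `stack` are constructed for this illustration.

```python
import re

# Constructed sample of an /etc/pam.d/<service> file (not taken from the thread).
SAMPLE = """\
#%PAM-1.0
auth       [success=ok default=bad] \\
           pam_succeed_if.so quiet uid >= 1000
auth       required     pam_unix.so try_first_pass nullok
-auth      optional     pam_gnome_keyring.so
account    include      system-auth
session    required     pam_unix.so
-session   optional     pam_gnome_keyring.so auto_start
"""

TYPES = {"auth", "account", "password", "session"}
# [-]type  control (keyword or [value=action ...])  module  args...
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return one dict per rule: type, control, module, args, quiet_if_missing."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if not m or m.group(2) not in TYPES:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        dash, mtype, control, module, args = m.groups()
        # A leading '-' means: do not log if the module file is missing.
        rules.append({"type": mtype, "control": control, "module": module,
                      "args": args.split(), "quiet_if_missing": bool(dash)})
    return rules

def stack(rules, mtype):
    """Modules listed for one management group, in order, skipping include/substack."""
    return [r["module"] for r in rules
            if r["type"] == mtype and r["control"] not in ("include", "substack")]

if __name__ == "__main__":
    rules = parse_pam(SAMPLE)
    print("auth modules:   ", stack(rules, "auth"))
    print("session modules:", stack(rules, "session"))
```

Rules with `include` or `substack` pull in another file, so a full audit has to parse that file as well.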

#3 2025-08-03 01:01:52

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: [SOLVED] Understanding Linux PAM

So polkit is more like "please give me wifi access, I need it", while sudo is like "just give me root access until the process ends". Am I seeing that right? I mean, polkit makes sense to me for accessing sensors or when you need to access the hardware quickly from user space, so in some way it needs to validate some API/ABI call to do the certain action needed.

For point 2, for example: if you need to do some authentication with PAM, why can't you use PAM instead of creating some API to handle the user request? Since PAM has modules for many things, why is it uncommon [at least for me] to see software that doesn't use PAM in the middleware? For example: if I need to validate the user credentials to fetch some data in a database, why not just use PAM as a middleware? Is it just because it is something only available in Linux and, sorry folks, it is not JavaScript lol? Is it because of portability issues or is there something that I'm not seeing well?

The PAM thing seems very interesting but hard to grasp, but I'm not sure if it's used very often. At least all the people that I know don't know PAM, so I'm not sure if it's widely used in IT.



Offline

#4 2025-08-03 06:45:08

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,177

Re: [SOLVED] Understanding Linux PAM

polkit is more fine-grained but tests then actions, it's not file or hardware specific (you'd use ACLs or CAPs for that) - effectively you can run parts of a process as root, but there's also pkexec.
They're rather similar and you could implement polkit using sudoers configlets.

sudo and polkit will then actually use PAM to facilitate the authentication.
They do the "who and what" and PAM does the "(who but mostly just) how".

Offline

#5 2025-08-03 21:54:09

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: [SOLVED] Understanding Linux PAM

But does this mean that every authentication kind of process passes through PAM? I mean, long story short: sudo and polkit are programs asking for certain features of the system, but PAM does the final job of making the authenticity and validation of the request? Am I seeing it right?



Offline

#6 2025-08-03 22:24:17

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,177

Re: [SOLVED] Understanding Linux PAM

Pretty much, yes (except that PAM can then also execute random actions in response to the authentication, e.g. forwarding a supplied password).

Offline

#7 2025-08-03 22:58:44

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,566

Re: [SOLVED] Understanding Linux PAM

Thank you Seth for your answers. Very much appreciated :)



Offline
