Securing Passwords in Linux
Written by Hemanshu Patel
Thursday, 27 December 2007
Page 3 of 3

Pluggable authentication modules (PAMs)

In addition to improving the password file's security by using shadow passwords, Linux also improves the actual encryption of the passwords stored in the /etc/shadow file, using the MD5 message-digest algorithm described in RFC 1321 (www.ietf.org/rfc/rfc1321.txt or www.cis.ohio-state.edu/cgi-bin/rfc/rfc1321.html). MD5 reduces a message of any length to a 128-bit message digest (or fingerprint) of a document so that you can digitally sign it by encrypting it with your private key. MD5 works quite well for password encryption, too.

Another advantage of MD5 over older-style password encryption is that the older passwords were limited to a maximum of eight characters; new passwords (encrypted with MD5) can be much longer. Longer passwords are harder to guess, even if the /etc/shadow file falls into the wrong hands.

You can tell that MD5 encryption is in effect in the /etc/shadow file: the encrypted passwords are longer and they all sport the $1$ prefix, as in the second field of the following sample entry:

root:$1$AAAni/yN$uESHbzUpy9Cgfoo1Bf0tS0:11077:0:99999:7:-1:-1:134540356

An add-in program module called a pluggable authentication module (PAM) performs the actual MD5 encryption. Linux PAMs provide a flexible method for authenticating users. By setting the PAMs' configuration files, you can change your authentication method on the fly, without having to actually modify vital programs (such as login and passwd) that verify a user's identity.

Linux uses PAM capabilities extensively. The PAMs reside in many different modules (about which more momentarily); their configuration files are in the /etc/pam.d directory of your system. Check out the contents of this directory on your system by typing the following command:

ls /etc/pam.d

Each configuration file in this directory specifies how users are authenticated for a specific utility.
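The $1$ prefix in the sample entry is the crypt(3) identifier for the MD5-based scheme; later schemes use other identifiers in the same position. As an added example (not part of the original article), the following Python audit script parses shadow-format lines, names the scheme each account uses, and flags the entries an administrator would want to migrate. The alice and daemon lines are constructed sample data; the root line is the article's own.

```python
SHADOW_PREFIXES = {          # crypt(3) "$id$" identifiers
    "$1$": "md5-crypt",      # the scheme the article describes
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$y$": "yescrypt",
}
LEGACY = {"des-crypt", "md5-crypt"}   # schemes a current audit should flag

def hash_algorithm(field: str) -> str:
    """Classify the second (password) field of one shadow entry."""
    if field == "":
        return "empty"            # no password required at all
    if field.startswith(("!", "*")):
        return "locked"           # password login disabled for this account
    for prefix, name in SHADOW_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "des-crypt"        # traditional scheme, eight-character limit
    return "unknown"

def parse_shadow_line(line: str) -> dict:
    """Split one line into named fields; -1 or blank means 'not set'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed shadow entry: {line!r}")
    names = ["user", "password", "last_change", "min_days",
             "max_days", "warn_days", "inactive", "expire"]
    entry = dict(zip(names, fields[:8]))
    for key in names[2:]:
        entry[key] = None if entry[key] in ("", "-1") else int(entry[key])
    entry["algorithm"] = hash_algorithm(entry["password"])
    return entry

def audit_shadow(text: str) -> list:
    """Return (user, algorithm) for each entry stored with a weak or empty scheme."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry["algorithm"] in LEGACY or entry["algorithm"] == "empty":
            findings.append((entry["user"], entry["algorithm"]))
    return findings

# Constructed sample: the article's root entry plus two invented entries.
SAMPLE = """root:$1$AAAni/yN$uESHbzUpy9Cgfoo1Bf0tS0:11077:0:99999:7:-1:-1:134540356
alice:$6$saltsalt$placeholder.not.a.real.hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""
```

Running audit_shadow(SAMPLE) reports only root, because its password is still stored with the MD5-based scheme while alice uses sha512-crypt and daemon has password login disabled.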
Last Updated (Thursday, 27 December 2007)