When you call into Linux-PAM for some authentication procedure, there is always one and only one stack that is run.

The stack definition is looked up in these places; the first successful attempt determines which file is read:

1. the file in /etc/pam.d named after the application "service name" (e.g., sshd or gdm), or
2. the file /etc/pam.d/other if no service-specific file exists, or
3. the file /etc/pam.conf if directory /etc/pam.d does not exist.

See the documentation for function pam_start for details.

The common-* files are a convention followed by many Linux distributions but are not mandated by the PAM software itself. They are usually included by other PAM files by means of @include statements; for instance the /etc/pam.d/other file on Debian has the following content:

    # We fall back to the system default in /etc/pam.d/common-*
    @include common-auth
    @include common-account
    @include common-password
    @include common-session

The same @include statements may be used by service-specific files as well, and, indeed, they are in the default configuration on Debian. Note that this is a matter of configuration: a sysadmin is free to change the file in /etc/pam.d not to include any common-* files at all!

Therefore: if your PAM module is specific to your application, create an application-specific service file and call the module from there. Do not automatically add a module to other services' PAM file nor to the fall-back other file, as this may break other applications installed on the system. Management of the PAM software stack is a task for the system administrator, not for the application developers.
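The lookup order and the @include convention described in the answer above can be checked mechanically. The following script is an added example, not code from the answer or from Linux-PAM: it resolves which file would be read for a service name using the three-step rule above, then flattens Debian-style @include lines so the effective stack is visible. The ROOT prefix, the scratch tree it builds and the module name pam_myapp.so are assumptions so that it runs offline against a temporary directory rather than the real /etc.

```shell
#!/bin/sh
# Added example (not from the answer above): resolve which file Linux-PAM
# would read for a given service, following the lookup order the answer
# describes, then flatten Debian-style "@include" lines so the effective
# stack is visible. ROOT is a hypothetical prefix so the script can be
# run against a scratch tree instead of the real /etc.

# pam_resolve_config ROOT SERVICE: print the configuration file pam_start
# would consult for SERVICE under ROOT.
pam_resolve_config() {
    root=$1; service=$2
    if [ -d "$root/etc/pam.d" ]; then
        if [ -f "$root/etc/pam.d/$service" ]; then
            printf '%s\n' "$root/etc/pam.d/$service"   # service-specific file
        else
            printf '%s\n' "$root/etc/pam.d/other"      # fall-back file
        fi
    else
        printf '%s\n' "$root/etc/pam.conf"             # no /etc/pam.d at all
    fi
}

# pam_flatten FILE: print FILE's directives with every "@include NAME" line
# replaced by the flattened contents of NAME from the same directory.
# Comments and blank lines are dropped. Runs in a subshell so the
# recursion does not clobber the caller's variables.
pam_flatten() (
    file=$1
    dir=$(dirname "$file")
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '@include '*) pam_flatten "$dir/${line#@include }" ;;
            ''|'#'*)      ;;
            *)            printf '%s\n' "$line" ;;
        esac
    done < "$file"
)

# pam_make_demo_tree: build a constructed scratch tree mirroring the Debian
# layout quoted above and print its path. Module names are placeholders.
pam_make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/pam.d"
    printf '%s\n' 'auth required pam_unix.so'    > "$root/etc/pam.d/common-auth"
    printf '%s\n' 'account required pam_unix.so' > "$root/etc/pam.d/common-account"
    printf '%s\n' '# We fall back to the system default in /etc/pam.d/common-*' \
                  '@include common-auth' '@include common-account' \
                  > "$root/etc/pam.d/other"
    # Application-specific service file: the right place for an app's own module
    printf '%s\n' 'auth required pam_myapp.so' '@include common-auth' \
                  > "$root/etc/pam.d/myapp"
    printf '%s\n' "$root"
}

# pam_demo: show the resolved file and effective stack for two services;
# "sshd" has no file in the scratch tree, so it falls back to "other".
pam_demo() {
    root=$(pam_make_demo_tree)
    for svc in myapp sshd; do
        f=$(pam_resolve_config "$root" "$svc")
        echo "== $svc -> $f"
        pam_flatten "$f"
    done
    rm -rf "$root"
}

pam_demo
```

Running pam_flatten against a real /etc/pam.d/<service> file is a quick way to see why the answer warns against editing common-* or other: every line that ends up in the flattened output of other is also in the flattened output of every service that falls back to it or includes the same common-* file, so one mistaken line there reaches all of them at once.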
Yes, there are other distros, mainly those which keep to the KISS principle. PAM is over-complicated; people use it even if they do not know how it works. Then a little typo/error makes a security issue.

Check http://crux.nu/Main/About, which is a nice, KISS-clean Linux distro.
Best Answer
Yes, PAM is concerned with authentication and authorization but not identification:

"PAM Mastery", Michael Lucas, chapter 0