Linux-PAM (Pluggable Authentication Modules) is a crucial but often misunderstood component of modern Linux systems. This talk provides a comprehensive introduction to PAM, explaining how it enables system administrators to configure authentication, account management, session setup, and password policies without recompiling applications.

We begin by exploring the problems PAM was designed to solve—hardcoded authentication logic, inflexibility, and inconsistent security policies across applications. The talk then covers PAM's four management groups: authentication (verifying identity), account management (checking access restrictions), session management (setting up user sessions), and password management (enforcing password policies and token changes).

Attendees will learn how to read and write PAM configuration files, understand the behavior of different control values (required, requisite, sufficient, optional), and leverage advanced control syntax for complex authentication flows. Special attention is given to the "frozen stack" concept—a frequently misunderstood behavior where PAM fixes the module sequence during the first API call.

Through real-world examples and practical configuration insights, attendees will learn how to troubleshoot PAM issues and understand the impact of PAM configuration changes.

Beyond understanding current PAM functionality, the talk explores the future of PAM: potential enhancements to address modern authentication needs, architectural improvements and the challenges that stand in the way of evolution. We'll discuss compatibility constraints, the need for backward compatibility with existing deployments, and the tensions between maintaining a stable API and introducing new features.

This talk is suitable for system administrators, security engineers, and developers who want to understand and effectively configure PAM-based authentication on Linux systems.