Password authentication for web and mobile apps (e-book)

Pluggable Authentication Modules (PAM)

pam_passwdqc (homepage, wiki, screenshots, downloads, GitHub, CVSweb, Open Hub)
Linux (Linux-PAM), FreeBSD 5.0+ (OpenPAM), DragonFly BSD, Solaris, HP-UX 11

pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1). In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated passwords. All features are optional and can be (re-)configured without rebuilding.

More information on pam_passwdqc and download links are available on its dedicated page.

pam_mktemp (downloads, GitHub, CVSweb, Open Hub)
Linux (Linux-PAM), FreeBSD 5.0+ (OpenPAM), DragonFly BSD, Solaris, others?

pam_mktemp is a PAM module that may be used with a PAM-aware login service to provide per-user private directories under /tmp as part of PAM session or account management. When an interactive (shell) session is started, a directory is created and the environment variables TMPDIR and TMP are set to the name of the directory.


pam_tcb (homepage, downloads, GitHub, CVSweb, Open Hub)
Linux (Linux-PAM or OpenPAM) + glibc with crypt_blowfish

pam_tcb is part of the Openwall GNU/*/Linux (Owl) tcb suite implementing the alternative password shadowing scheme. It also makes use of the password hashing framework introduced with crypt_blowfish. It should be used in place of modules such as pam_unix and pam_pwdb.

More information on the tcb suite and download links are available on its dedicated page.

pam_userpass (downloads, GitHub, CVSweb, Open Hub)
Linux (Linux-PAM)

PAM has traditionally assumed that services doing authentication have the ability to interact with the user. Unfortunately, this isn't true for services that implement non-interactive and/or fixed protocols, such as FTP and POP3. This is typically worked around by making the flawed assumption that PAM_PROMPT_ECHO_ON requests the username and PAM_PROMPT_ECHO_OFF requests the password.

With pam_userpass, this assumption is no longer required. pam_userpass uses PAM binary prompts (only available in Linux-PAM) to ask the application for the username and password specifically.

pam_userpass doesn't perform any actual authentication. An actual authentication module should be stacked after pam_userpass and told to use the authentication token (password) provided by pam_userpass.


These files are also available from the Openwall file archive.

Follow this link for information on verifying the signatures.

All of these modules are fully integrated into Owl and distributions by ALT Linux team. Some also exist in various other distributions. For pam_passwdqc, we maintain a list of those on its homepage.

Quick Comment: