Identity and Access Management
Linux-PAM Demystified and Beyond
<p>Linux-PAM (Pluggable Authentication Modules) is a crucial but often misunderstood component of modern Linux systems. This talk provides a comprehensive introduction to PAM, explaining how it enables system administrators to configure authentication, account management, session setup, and password policies without recompiling applications.</p>
<p>We begin by exploring the problems PAM was designed to solve—hardcoded authentication logic, inflexibility, and inconsistent security policies across applications. The talk then covers PAM's four management groups: authentication (verifying identity), account management (checking access restrictions), session management (setting up user sessions), and password management (enforcing password policies and token changes).</p>
<p>Attendees will learn how to read and write PAM configuration files, understand the behavior of different control values (required, requisite, sufficient, optional), and leverage advanced control syntax for complex authentication flows. Special attention is given to the "frozen stack" concept—a frequently misunderstood behavior where PAM fixes the module sequence during the first API call.</p>
<p>Through real-world examples and practical configuration insights, attendees will learn how to troubleshoot PAM issues and understand the impact of PAM configuration changes.</p>
<p>Beyond understanding current PAM functionality, the talk explores the future of PAM: potential enhancements to address modern authentication needs, architectural improvements and the challenges that stand in the way of evolution. We'll discuss compatibility constraints, the need for backward compatibility with existing deployments, and the tensions between maintaining a stable API and introducing new features.</p>
<p>This talk is suitable for system administrators, security engineers, and developers who want to understand and effectively configure PAM-based authentication on Linux systems.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/h2214 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 2/1/26 |
<p>Welcome to the devroom, rules and initial setup.</p>
|
| 2/1/26 |
<p>As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner. This talk introduces the Shared ...
|
| 2/1/26 |
<p>We introduce the <a href="https://github.com/nextcloud/scim_client">SCIM client app</a> for <a href="https://nextcloud.com/">Nextcloud</a> that allows Nextcloud users and groups to be automatically synced to external services that support the <a href="https://tools.ietf.org/wg/scim/">SCIM</a> standard. This enables Nextcloud to act as an authoritative store of user identity information, simplifying user management across multiple connected services.</p> <p>This talk will discuss the ...
|
| 2/1/26 |
<p>OAuth 2.0 and OpenID Connect have been around for years to secure web and mobile applications alike with growing popularity.</p> <p>To keep your applications and their data secure, these standards are evolving to align with security best practices.</p> <p>Join this talk to see how the FAPI 2.0 Security Profile and the upcoming OAuth 2.1 standard promotes and enforces best practices, how to adapt your applications, and how Keycloak as an Open Source IAM can help you. Expect a demo and examples ...
|
| 2/1/26 |
<p><a href="https://www.proconnect.gouv.fr">ProConnect</a> is an open-source Federated Identity Provider written mainly in TypeScript and designed to connect professionals with government services. Developed by the French Interministerial Digital Directorate (<a href="https://www.numerique.gouv.fr/numerique-etat/dinum/">DINUM</a>), it builds on the experience of <a href="https://franceconnect.gouv.fr/">FranceConnect</a> while introducing a lightweight, modern architecture.</p> <p>This talk will ...
|
| 2/1/26 |
<p>Each month it seems we are made aware of a break in security. Some report of a data base of identity information that is reported as captured by an entity of some type. Lists of passwords, ID numbers, bank account information, credit card information. And these are only the ones we hear about, since many of these break-ins are not reported, or kept quiet.</p> <p>Often we hope that the data is encrypted, but as we all know quantum computers are coming quickly and quantum computers can take ...
|
| 2/1/26 |
<p>SUSE’s IAM evolution mirrors its corporate journey, beginning with deep dependency on Novell (later MicroFocus) Access Manager, following its transition to independence.As the organization grew, individual departments adopted several tools to solve immediate authentication needs.</p> <p>This led to a proliferation of unmanageable authentication silos across customer portals, partner networks, and internal employee systems.Recognizing the inefficiencies and risks of this fragmented ...
|
