
PAM and PAM-PKCS11 features

GNU/Linux uses PAM (Pluggable Authentication Modules) to authenticate users through a variety of methods.
PAM is installed on every workstation. For details, read the PAM documentation: The Linux-PAM System Administrators' Guide.

PAM-PKCS11 is an OpenSC project designed for authentication using smart cards and X.509 certificates. For more information, visit the OpenSC PAM-PKCS11 page: http://www.opensc-project.org/pam_pkcs11/

PAM-PKCS11 offers the following features:

  • Verification of X.509 certificates against locally stored certificates.
  • Verification of X.509 certificates against Certification Authorities.
  • Certificate Revocation List (CRL).
  • Automatic and custom mapping rules from X.509 certificates to users.
  • Tools to handle the screen saver when the card is removed or inserted.
  • Tools to inspect the content of certificates.

In a production environment, PAM-PKCS11 should be preferred over PAM-P11 as it offers more features, including certificate verification and revocation. For users who need to manage simple access, read our tutorial GNU/Linux smart card logon using PAM-P11.
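
The certificate verification and revocation checks mentioned above are selected per PKCS#11 module by the cert_policy setting in pam_pkcs11.conf, so they only help when that setting enables them. The following Python audit is an added example, not code from this page or from the OpenSC project; the sample configuration, its module names and its paths are constructed, and the parser assumes the simple one-setting-per-line layout shown.

```python
import re

# Constructed pam_pkcs11.conf fragment; module names and paths are illustrative.
SAMPLE_CONF = """
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    # cert_policy = ca,signature,crl_auto;
    cert_policy = ca,signature;
  }
  pkcs11_module legacy {
    cert_policy = none;
  }
}
"""

CRL_POLICIES = {"crl_online", "crl_offline", "crl_auto"}

def audit_cert_policy(conf_text):
    """Return (module, finding) pairs for weak cert_policy settings."""
    findings = []
    module = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # skip whole-line comments
            continue
        block = re.match(r"pkcs11_module\s+(\S+)\s*\{", line)
        if block:                         # entering a module block
            module = block.group(1)
            continue
        setting = re.match(r"cert_policy\s*=\s*([^;]*);", line)
        if not (setting and module):
            continue
        policy = {p.strip() for p in setting.group(1).split(",") if p.strip()}
        if "none" in policy:              # verification switched off entirely
            findings.append((module, "no-verification"))
            continue
        if "ca" not in policy:            # issuer chain is not checked
            findings.append((module, "no-ca"))
        if "signature" not in policy:     # no proof the card holds the key
            findings.append((module, "no-signature"))
        if not policy & CRL_POLICIES:     # revoked certificates still accepted
            findings.append((module, "no-crl"))
    return findings

print(audit_cert_policy(SAMPLE_CONF))
```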