I am looking at the way PAM modules are designed as guidelines for my own JAAS LoginModule. One thing that surprised me is that, although the method used to access an hashed password is mostly orthogonal to the hash method itself, I was not able to find any PAM modules that would make good use of this property. Is it because of some security issue that I overlooked, or is it simply something that was not explored yet?

To explain a little bit more what I mean, let’s say that we have we have 3 different methods to access a hashed password (LDAP, SQL, plain files) and 2 hash methods (MD5, SHA1). Currently there is is one or more PAM modules for each access method, each one implementing one or more of these hash methods. Adding a new hash method (say BCrypt) means that all these access method needs to be modified to support the new hash type. A better design would be to have one PAM module for each access method that simply retrieves the hashed password using the user name, then to have a separate set of PAM modules that do the hash verification, with the hashed value shared between modules (like the password is). So if I use a database to store my password, and use MD5 to verify the password, my configuration would look like this:

password  required  pam_sql.so
password  required  pam_md5.so

In this configuration pam_sql retrieves the hashed password from a database (or fails if the username does not exist). Then pam_md5 compares the hashed password with the password to test and fails if they do not match. In a different configuration using Bcrypt, I would just have to replace pam_md5 by pam_bcrypt, without having to wait that the developers of pam_sql update it for the new hash method.