Validator: PAM

The pam validator uses the Pluggable Authentication Module to validate the username/password combination.


Users: You can restrict to some local system users


This validator is compatible with the basic scheme.



Requires a valid user and password system pair to access the protected directory. It will be available for all local users, unless a restriction list is provided.


The PAM approach ensures a dynamic configuration for how the authentication is performed. This dynamic configuration must be specified. This means that a /etc/pam.d/cherokee file must define the connection between Cherokee and the pluggable authentication modules that perform the actual authentication tasks.

Cherokee’s installation procedure already takes care of the creation of such file (under /etc or whatever system configuration directory is used in your platform of choice). If you consistently fail to use the PAM validator, make sure that such configuration definitions are set.

Sample: /etc/pam.d/cherokee
# The PAM configuration file for Cherokee

account    required
auth       required nullok
auth       required
session    required

Bare in mind that Cherokee needs to be able to read /etc/shadow in order to perform PAM authentication. If you are not successful setting up this validator, check your logs for clarification about the authentication failures you might be experiencing. The solution to this particular problem is adding the user under which Cherokee is running to the shadow-group and restarting cherokee. This is easily achievable. For instance, assuming Cherokee is running as www-data on a Debian based Linux distribution, this can be done with the following command.

Adding Cherokee user to shadow group on Debian
sudo adduser www-data shadow