o0o Tuxtendo o0o
Author: Joep Gommers
Handle: RainCoat-
Email: joepgommers@hetnet.nl
Subject: Understanding the secure linux base
Chapter: The Pluggable Authentication Modules (PAM)
Released under: Tuxtendo Security
Email: joep@tuxtendo.nl
- - - - - - - - -
This set of tutorials is based on standards set by the
GNU (GNU is not UNIX) and Sair Linux Certification team.
Visit www.linuxcertifications.com for more information on
linux certification and Sair Linux.
This set of papers is made for people who want to know more
about a secure base of a linux system. Some basic understanding of
linux will come in handy !
Hope you learn a great deal and use the information
in a proper way ! Have fun, luv Joep Gommers (joepgommers@hetnet.nl).
THE PLUGGABLE AUTHENTICATION MODULES
------------------------------------
In the past, authentication in a linux system was handled in a manner
specified by each program or package. For example, verifying the identity of a
user at the time of login was done by checking the given password against the
encrypted password in /etc/shadow (or /etc/passwd). But as more packages began
to use authentication, more and more password files could be found all over a
system, making it an insecure system. Not only that, but it simply was not handy
to change 23 different password files each time a user modified his or her
password.
To beat this problem, a set of libraries was developed to allow the
authentication settings of a program to be modified while the service is running,
without the need to recompile each individual program.
This system, my dear friends, is called PAM, also referred to as the Pluggable
Authentication Modules.
-+[ What's PAM? ]+-
PAM allows you to separate the real functions of the program from the
authentication method. PAM lets you choose from a variety of different methods,
from a single pass-through without authentication (pam_permit) to retinal scans
or voice prints.
-+[ The Configuration ]+-
You can configure this wonderful set of libraries in /etc/pam.conf OR
(which is the better way) you can make use of the directory hierarchy in
/etc/pam.d.
The /etc/pam.conf WAY
/etc/pam.conf allows you to configure all the PAM aware services in one file.
The syntax of a line in the configuration file looks like this:
service_name module_type control_flag module_path arguments
An example of the pam.conf file:
[joep@tuxtendo /etc]$ cat pam.conf | head -n 3
login auth required /usr/lib/security/pam_unix.so.1
rlogin auth sufficient /usr/src/lib/security/pam_rhosts_auth.so.1
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
The /etc/pam.d WAY
This way has become the preferred manner of configuring PAM, since it allows a
more modular approach to working with PAM.
In /etc/pam.d are several files; an example could be:
[joep@tuxtendo /etc/pam.d]$ ls
adsl-config internet-config netcfg rp3-config up2date-nox
apacheconf isdn-config other rsh vlock
bindconf kbdrate passwd samba xcdroast
chfn kde pop smtp xdm
chsh kppp poweroff sshd xlock
firewall-config kscreensaver ppp su xscreensaver
ftp linuxconf printconf-gui sudo xserver
gdm linuxconf-auth reboot sysctlconfig-gtk
gnorpm-auth linuxconf-pair rexec system-auth
halt login rhn_register up2date
imap mcserv rlogin up2date-config
The syntax of a file listed above is:
module-type control-flag module-path arguments
An example of a file could be:
[joep@tuxtendo /etc/pam.d]$ cat ftp
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
The OTHER file
In the /etc/pam.d directory there is a file called 'other', which is used to set
the default responses to the PAM requests. It provides a stopgap for
unconfigured PAM-aware services, and is an integral part of system security
when using PAM. An example of the other file could be something like:
[joep@tuxtendo /etc/pam.d]$ cat other
#%PAM-1.0
auth required /lib/security/pam_deny.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session required /lib/security/pam_deny.so
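As an added example (not part of the original paper), the following Python parser reads both the /etc/pam.conf format (service name first) and the /etc/pam.d per-service format described above, skipping comments such as #%PAM-1.0 and joining backslash-continued lines, and then audits whether an 'other' file really denies all four module types with pam_deny. The file contents below are constructed samples.

```python
# Constructed sample: an /etc/pam.d/other file like the one in the tutorial.
OTHER_PAMD = """\
#%PAM-1.0
auth     required /lib/security/pam_deny.so
account  required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session  required /lib/security/pam_deny.so
"""

# Constructed sample in /etc/pam.conf format (service name is the first field).
PAM_CONF = """\
login  auth required   /usr/lib/security/pam_unix.so.1
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
ftp    auth required   pam_listfile.so item=user sense=deny \\
       file=/etc/ftpusers onerr=succeed
"""

MODULE_TYPES = ("auth", "account", "password", "session")

def parse_pam(text, service=None):
    """Parse PAM config text into a list of entry dicts.

    With `service` set the text is a /etc/pam.d/<service> file
    (module-type control-flag module-path [args...]); without it the text
    is /etc/pam.conf and each line starts with the service name.
    """
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop '#' comments
        if line.endswith("\\"):
            logical += line[:-1] + " "         # continued on the next line
            continue
        fields, logical = (logical + line).split(), ""
        if not fields:
            continue                           # blank or comment-only line
        svc = service or fields.pop(0)
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        mtype, flag, path, *args = fields
        entries.append({"service": svc, "type": mtype, "flag": flag,
                        "module": path.rsplit("/", 1)[-1], "args": args})
    return entries

def other_is_deny_all(text):
    """Audit: does this 'other' file deny every module type via pam_deny?"""
    covered = {e["type"] for e in parse_pam(text, service="other")
               if e["flag"] == "required" and e["module"].startswith("pam_deny")}
    return all(t in covered for t in MODULE_TYPES)
```

Running other_is_deny_all over the real /etc/pam.d/other is a quick check that an unlisted service cannot silently fall through to a permissive default.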
-+[ Troubleshooting ]+-
But even PAM has its errors. If someone or something deleted your
PAM configuration, your system would be inaccessible ! The only way to recover
from such an act is to boot up linux in single user mode(*) and make a new 'other'
file with the following content.
auth required /lib/security/pam_auth.so
account required /lib/security/pam_acct.so
password required /lib/security/pam_passwd.so
session required /lib/security/pam_session.so
This will allow services to answer normally; of course you must fine tune the
services to make them work perfectly.
(*) Single user mode can be started with lilo:
'linux single' OR '<image> single'
-+[ The PAM modules ]+-
The most common modules in PAM are:
pam_login      Provides login access control
pam_chroot     Acts as a wrapper to an apparent filesystem (the /
               directory actually is /some/other/path) to disallow a
               user access to special areas
pam_cracklib   Provides strength checking for proposed passwords
pam_deny       Always denies access to the specified service
pam_ftp        Provides anonymous access to the FTP service
pam_krb4       Uses Kerberos verification for authentication
pam_listfile   Provides a way to deny or allow services
pam_mail       Checks a user's spool for mail
pam_permit     Always allows access
pam_securetty  Allows for standard securetty protection
pam_unix       The standard UNIX authentication module, the passwd and
               shadow way :)
pam_warn       Logs information about authentication steps
These modules can be specified in the pam.conf or the pam.d/* files.
-+[ PAM_SECURETTY ]+-
The /etc/securetty file is used to specify the device names of tty
lines on which the root account is allowed to log in. An example could be:
[joep@tuxtendo /etc]$ cat securetty
tty1
tty2
tty3
vc/1
vc/2
vc/3
vc/4
-+[ PAM_LISTFILE ]+-
This module allows access, denial or acceptance based on the contents of
a specified file. The most common use for pam_listfile on running linux systems
is to provide the functionality of the /etc/ftpusers file with FTP services. The
file specifies accounts, one per line, that are not allowed to FTP. Typically,
this is provided by an entry in the PAM configuration file. Example:
ftp auth required pam_listfile.so onerr=succeed item=user sense=deny \
    file=/etc/ftpusers
The pam_listfile module also, of course, provides the opposite:
login auth required pam_listfile.so onerr=fail item=user sense=allow \
    file=/etc/ftpusers
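As an added example (not from the original paper), this Python function models the sense/onerr decision of the two pam_listfile lines above, so you can see what each setting does for a listed and an unlisted account, and what happens when the listed file cannot be read at all. The ftpusers contents are a constructed sample.

```python
# Constructed sample /etc/ftpusers: accounts that must not use FTP, one per line.
FTPUSERS = "root\nbin\ndaemon\n"

# The argument lists from the two pam_listfile configuration lines above.
FTP_DENY = ["onerr=succeed", "item=user", "sense=deny", "file=/etc/ftpusers"]
LOGIN_ALLOW = ["onerr=fail", "item=user", "sense=allow", "file=/etc/ftpusers"]

def pam_listfile(args, user, file_text):
    """Model pam_listfile's auth decision for item=user.

    args      -- module arguments as written on the PAM config line
    user      -- the account being authenticated
    file_text -- contents of the listed file, or None when it cannot be read
    Returns "allow" or "deny" (PAM_SUCCESS / PAM_AUTH_ERR in real PAM).
    """
    opts = dict(a.split("=", 1) for a in args)
    sense = opts["sense"]
    onerr = opts.get("onerr", "fail")        # Linux-PAM defaults onerr to fail
    if file_text is None:
        # Error case: onerr decides. With onerr=succeed a missing or unreadable
        # /etc/ftpusers lets every account through, i.e. the check fails open.
        return "allow" if onerr == "succeed" else "deny"
    listed = user in {l.strip() for l in file_text.splitlines() if l.strip()}
    if sense == "deny":
        return "deny" if listed else "allow"  # sense=deny: listed users blocked
    return "allow" if listed else "deny"      # sense=allow: only listed users pass
```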
-+[ PAM_MAIL ]+-
After user authentication, but before the session has begun, it is sometimes
desired to run a check for new mail. This can be done with the pam_mail
module.
# Output "You have new mail" if there is new mail in the spool
login auth optional pam_mail.so
Some services already provide this functionality; therefore, specifying this
module may not be required.
-ALMOST EOF-
Well, pfff .. on to the next chapter
-EOF-