o0o Tuxtendo o0o

Author:   Joep Gommers
Handle:   RainCoat-
Email:    joepgommers@hetnet.nl
Subject:  Understanding the secure Linux base
Chapter:  The Pluggable Authentication Modules (PAM)
Released under: Tuxtendo Security
Email:    joep@tuxtendo.nl

- - - - - - - - -

This set of tutorials is based on standards set by the GNU (GNU is Not UNIX) and Sair Linux Certification team. Visit www.linuxcertifications.com for more information on Linux certification and Sair Linux.

These papers are written for people who want to know more about the secure base of a Linux system. Some basic understanding of Linux will come in handy! I hope you learn a great deal and use the information in a proper way!

Have fun, luv Joep Gommers (joepgommers@hetnet.nl).


THE PLUGGABLE AUTHENTICATION MODULES
------------------------------------

In the past, authentication on a Linux system was handled in whatever manner each program or package specified. For example, verifying the identity of a user at login time was done by checking the given password against the hashed password in /etc/shadow (or /etc/passwd). As more packages began to do their own authentication, more and more password files appeared all over the system, which made it insecure: every copy was one more place for a stale or weak entry to hide, and it was simply not practical to update many separate password files each time a user changed a password.

To solve this, a set of libraries was developed that lets the authentication policy of a program be changed by editing a configuration file, without recompiling (or even restarting) the program. This system, my dear friends, is called PAM, the Pluggable Authentication Modules.

-+[ What's PAM? ]+-

PAM separates the real job of a program from the method used to authenticate its users. The program asks PAM "is this user who they claim to be, and may they use this service?" and PAM answers according to the configuration. That lets you choose from a variety of methods, from a single pass-through without any authentication (pam_permit) to retinal scans or voice prints, and change your mind later without touching the program.
-+[ The configuration ]+-

You can configure this wonderful set of libraries in /etc/pam.conf or (which is the better way) in the directory hierarchy /etc/pam.d. On Linux-PAM the directory takes precedence: when /etc/pam.d exists, /etc/pam.conf is ignored, so keep your configuration in one place.

Both styles use the same two vocabularies. The module type says which management group a line belongs to; the control flag says how the module's verdict is combined with the other modules of the same type (the "stack") for that service:

  module types    auth        verifies the user (password, token, ...)
                  account     decides whether the account may be used at all (expiry, time of day, ...)
                  password    changes the authentication token
                  session     sets up and tears down the session (limits, mounts, logging, ...)

  control flags   required    must succeed; on failure the rest of the stack still runs (so the user cannot tell which module refused), but the final answer is failure
                  requisite   must succeed; on failure the stack stops at once
                  sufficient  success ends the stack with success unless an earlier required module failed; failure is simply ignored
                  optional    only counts when it is the sole module in the stack for that service and type

The /etc/pam.conf way

/etc/pam.conf configures all PAM-aware services in one file. A line in the configuration file looks like this:

service_name  module_type  control_flag  module_path  arguments

An example of the pam.conf file:

[joep@tuxtendo /etc]$ cat pam.conf | head -n 3
login   auth  required    /usr/lib/security/pam_unix.so.1
rlogin  auth  sufficient  /usr/lib/security/pam_rhosts_auth.so.1
rsh     auth  required    /usr/lib/security/pam_rhosts_auth.so.1

The /etc/pam.d way

This has become the preferred manner of configuring PAM, since it allows a more modular approach: every service gets its own file, named after the service. A typical /etc/pam.d contains files like these:

[joep@tuxtendo /etc/pam.d]$ ls
adsl-config      internet-config  netcfg         rp3-config        up2date-nox
apacheconf       isdn-config      other          rsh               vlock
bindconf         kbdrate          passwd         samba             xcdroast
chfn             kde              pop            smtp              xdm
chsh             kppp             poweroff       sshd              xlock
firewall-config  kscreensaver     ppp            su                xscreensaver
ftp              linuxconf        printconf-gui  sudo              xserver
gdm              linuxconf-auth   reboot         sysctlconfig-gtk
gnorpm-auth      linuxconf-pair   rexec          system-auth
halt             login            rhn_register   up2date
imap             mcserv           rlogin         up2date-config

The syntax of a line in one of these files is the same minus the service name, which is already given by the file name:

module_type  control_flag  module_path  arguments

An example of such a file:

[joep@tuxtendo /etc/pam.d]$ cat ftp
#%PAM-1.0
auth     required  /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required  /lib/security/pam_stack.so service=system-auth
auth     required  /lib/security/pam_shells.so
account  required  /lib/security/pam_stack.so service=system-auth
session  required  /lib/security/pam_stack.so service=system-auth

The pam_stack.so lines pull in the shared /etc/pam.d/system-auth stack, so the actual password checking is configured in one place (pam_stack was Red Hat's module for this; later Linux-PAM releases do the same with the include control flag). Note that this stack does not short-circuit: a user listed in /etc/ftpusers still gets a password prompt and the other modules still run, because all three auth lines are 'required'.

The other file

In the /etc/pam.d directory there is a file called 'other', and it is used to set the default response to PAM requests from any service that has no file of its own.
This file provides the stopgap for unconfigured PAM-aware services and is an integral part of system security when using PAM: a newly installed daemon, or a service whose file was misspelled or removed, gets exactly the policy you put here. It should deny everything, for example:

[joep@tuxtendo /etc/pam.d]$ cat other
#%PAM-1.0
auth     required  /lib/security/pam_deny.so
account  required  /lib/security/pam_deny.so
password required  /lib/security/pam_deny.so
session  required  /lib/security/pam_deny.so

Putting a "required /lib/security/pam_warn.so" line in front of each pam_deny line makes every such fall-through show up in syslog, so you find out that a service is running without a configuration of its own instead of guessing why it refuses everyone.

-+[ Troubleshooting ]+-

But even PAM can be broken. If someone or something deletes your PAM configuration, the system becomes inaccessible: with no configuration at all every service falls back to denying everyone, root included. The way to recover is to boot Linux in single-user mode (*) and create a new 'other' file that falls back to ordinary UNIX password checking:

auth     required  /lib/security/pam_unix.so
account  required  /lib/security/pam_unix.so
password required  /lib/security/pam_unix.so
session  required  /lib/security/pam_unix.so

With this in place, every service answers normally again against /etc/passwd and /etc/shadow. Of course you must then fine-tune the individual services until they work as intended: this permissive 'other' also covers services that should have stricter rules, so restore the proper per-service files and put the pam_deny version of 'other' back as soon as you can log in.

(*) Single-user mode can be started from the LILO prompt with 'linux single' or '<image> single'. As a last resort, boot with 'linux init=/bin/sh' to get a root shell without the init scripts; remember to 'mount -o remount,rw /' before editing anything.

-+[ The PAM modules ]+-

The most common modules in PAM are:

pam_nologin    Denies logins to everyone but root while /etc/nologin exists
pam_chroot     Confines the session to a chroot jail (the user's / is really /some/other/path) to keep users out of areas they should not reach
pam_cracklib   Checks the strength of a proposed new password
pam_deny       Always denies access to the specified service
pam_ftp        Provides anonymous access to the FTP service (user ftp or anonymous, an e-mail address as password)
pam_krb4       Uses Kerberos 4 for authentication
pam_listfile   Allows or denies a service depending on whether an item (user, tty, host, group, shell) is listed in a file
pam_mail       Checks the user's mail spool and reports new mail
pam_permit     Always allows access; never put it in a stack that matters
pam_securetty  Allows root to log in only on the terminals listed in /etc/securetty
pam_unix       The standard UNIX authentication module, the /etc/passwd and /etc/shadow way :)
pam_warn       Logs the service, user, terminal and remote host of an authentication attempt to syslog

These modules can be specified in pam.conf or in the pam.d/* files.
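The two configuration syntaxes and the way control flags combine, as an added example (this is not the tutorial's code and not libpam): it parses both the pam.conf and the pam.d style into one record type, then replays a stack with module results supplied by hand, which is how you can reason about a configuration before deploying it. The names Entry, parse_pam_conf, parse_pam_d, stack and evaluate are this example's own; the sample configuration is copied from this chapter, and the result assigned to each module (pam_listfile refusing root, pam_stack and pam_shells succeeding) is assumed, nothing is loaded from /etc/pam.d. Only the four classic control flags are modelled, not the later [value=action] syntax.

```python
"""Parse PAM configuration in the /etc/pam.conf and /etc/pam.d styles and
simulate how the control flags of a stack combine.

Added example for this chapter, not the tutorial's code and not libpam:
module results are supplied by hand, nothing is read from /etc/pam.d, and
only required/requisite/sufficient/optional are modelled."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    service: str
    mtype: str               # auth, account, password or session
    control: str             # required, requisite, sufficient, optional
    module: str              # module name without directory or .so suffix
    args: Tuple[str, ...]    # module arguments, e.g. ('item=user', 'sense=deny')


def _module_name(path: str) -> str:
    """'/lib/security/pam_unix.so' or 'pam_unix.so.1' -> 'pam_unix'."""
    return path.rsplit("/", 1)[-1].split(".so", 1)[0]


def _logical_lines(text: str) -> List[str]:
    """Join backslash continuations, drop blank and comment lines."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line and not line.startswith("#"):
            out.append(line)
    return out


def parse_pam_conf(text: str) -> List[Entry]:
    """/etc/pam.conf lines: service type control module [args...]."""
    entries = []
    for line in _logical_lines(text):
        service, mtype, control, module, *args = line.split()
        entries.append(Entry(service.lower(), mtype.lower(), control.lower(),
                             _module_name(module), tuple(args)))
    return entries


def parse_pam_d(service: str, text: str) -> List[Entry]:
    """/etc/pam.d/<service> lines: type control module [args...] (the file name supplies the service)."""
    return parse_pam_conf("\n".join(f"{service} {line}" for line in _logical_lines(text)))


def stack(entries: List[Entry], service: str, mtype: str) -> List[Entry]:
    """The modules that run for one service and one management group, in file order."""
    return [e for e in entries if e.service == service and e.mtype == mtype]


def evaluate(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Combine a stack's module results the way the control flags prescribe.

    results maps module name -> 'success', 'fail' or 'ignore' (unlisted
    modules count as 'ignore'). Returns (outcome, modules actually run), so
    the early exits of requisite and sufficient are visible.
    """
    outcome = None        # set by required / requisite / sufficient
    optional_rc = None    # used only if nothing else decided
    ran: List[str] = []
    for e in entries:
        ran.append(e.module)
        rc = results.get(e.module, "ignore")
        if rc == "ignore":
            continue
        if e.control in ("required", "requisite"):
            if rc == "success":
                if outcome is None:
                    outcome = "success"
            else:
                outcome = "fail"                  # a failure is never undone later
                if e.control == "requisite":
                    break                         # requisite: stop right here
                # required: carry on, so the caller cannot see which module refused
        elif e.control == "sufficient":
            if rc == "success" and outcome != "fail":
                outcome = "success"
                break                             # enough: skip the rest of the stack
            # a failing sufficient module is simply ignored
        elif e.control == "optional":
            optional_rc = optional_rc or rc
        else:
            raise ValueError(f"unsupported control flag {e.control!r}")
    if outcome is None:
        outcome = optional_rc or "fail"           # empty or all-ignored stack fails closed
    return outcome, ran


# Constructed samples, copied from the configuration shown in this chapter.
PAM_CONF = """\
login   auth required   /usr/lib/security/pam_unix.so.1
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
"""
FTP_PAMD = """\
#%PAM-1.0
auth     required /lib/security/pam_listfile.so item=user sense=deny \\
                  file=/etc/ftpusers onerr=succeed
auth     required /lib/security/pam_stack.so service=system-auth
auth     required /lib/security/pam_shells.so
account  required /lib/security/pam_stack.so service=system-auth
session  required /lib/security/pam_stack.so service=system-auth
"""
OTHER_PAMD = "\n".join(f"{t} required /lib/security/pam_deny.so"
                       for t in ("auth", "account", "password", "session"))

if __name__ == "__main__":
    ftp_auth = stack(parse_pam_d("ftp", FTP_PAMD), "ftp", "auth")
    # Assumed results: root is listed in /etc/ftpusers, so pam_listfile refuses; the rest would pass.
    print(evaluate(ftp_auth, {"pam_listfile": "fail", "pam_stack": "success", "pam_shells": "success"}))
    print(evaluate(stack(parse_pam_d("other", OTHER_PAMD), "other", "auth"), {"pam_deny": "fail"}))
```

Running it shows the point made above about the ftp stack: with pam_listfile refusing, the outcome is "fail" but all three modules are still listed as run, so the user is still asked for a password. Swap the first line's control flag for requisite and only pam_listfile runs. The rlogin line from pam.conf is instructive too: a lone sufficient module that fails leaves the stack with no verdict, which this model (like Linux-PAM) treats as a denial.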
-+[ PAM_SECURETTY ]+-

The /etc/securetty file specifies the device names of the tty lines on which the root account is allowed to log in; pam_securetty refuses a root login on any terminal not listed there. The module only looks at root, ordinary users are not affected by it. An example:

[joep@tuxtendo /etc]$ cat securetty
tty1
tty2
tty3
vc/1
vc/2
vc/3
vc/4

Only list terminals that are physically at the machine. Adding pseudo-terminals such as pts/0 would let root log in directly over telnet or rlogin, which is exactly what this file is meant to prevent.

-+[ PAM_LISTFILE ]+-

This module allows or denies access based on the contents of a specified file: the item named by item= (user, tty, rhost, ruser, group or shell) is looked up in the file and the 'sense' argument says whether being listed means allow or deny. The most common use of pam_listfile on running Linux systems is to provide the functionality of the /etc/ftpusers file for FTP services. The file specifies accounts, one per line, that are not allowed to FTP. Typically this is provided by an entry in the PAM configuration file. Example (pam.conf syntax):

ftp    auth  required  pam_listfile.so \
       onerr=succeed item=user sense=deny file=/etc/ftpusers

Watch the onerr argument: it decides what happens when the file is missing or cannot be read. With sense=deny, onerr=succeed means that a deleted /etc/ftpusers silently lets everybody in; if you would rather have FTP fail closed in that case, use onerr=fail. (A world-writable list file is refused outright by the module, so the list cannot be edited behind your back.)

pam_listfile also, of course, provides the opposite, allowing only the accounts that are listed (the same file name is reused here purely to show the inverted sense):

login  auth  required  pam_listfile.so \
       onerr=fail item=user sense=allow file=/etc/ftpusers

-+[ PAM_MAIL ]+-

After the user has authenticated but before the session proper begins, it is sometimes desirable to run a check for new mail. This can be done with the pam_mail module:

# Output "You have new mail" if there is new mail in the spool
login  auth  optional  pam_mail.so

Some services already provide this functionality themselves, so specifying the module may not be required.

-ALMOST EOF-

Well, pfff .. on to the next chapter

-EOF-
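The pam_listfile behaviour from the section above, including what the onerr argument does when the list file is unusable, as an added example (not the tutorial's code and not libpam). It models only item=user with the sense= and onerr= options; the /etc/ftpusers contents are constructed, the list is passed in as a string instead of being read from disk, and the two argument strings are the chapter's own ftp and login lines. The names parse_args, pam_listfile and scenarios are this example's own.

```python
"""Model pam_listfile's decision for item=user, including a missing list file.

Added example for the pam_listfile section of this chapter; it is not the
tutorial's code and not libpam. Only item=user and the sense= and onerr=
options are modelled, and the list is passed in as a string rather than
read from /etc/ftpusers, so it runs anywhere."""
from typing import Dict, Optional


def parse_args(argstr: str) -> Dict[str, str]:
    """'onerr=succeed item=user sense=deny file=/etc/ftpusers' -> dict.
    A bare flag without '=' maps to an empty string."""
    return dict(a.split("=", 1) if "=" in a else (a, "") for a in argstr.split())


def pam_listfile(user: str, listing: Optional[str], args: Dict[str, str]) -> bool:
    """True if the module lets `user` through.

    listing is the text of the file named by file=..., or None when the file
    is missing or unreadable; in that case onerr= decides the answer.
    sense=deny: listed users are refused. sense=allow: only listed users pass.
    Lines are compared whole (after trimming whitespace), one name per line.
    """
    if args.get("item") != "user":
        raise ValueError("only item=user is modelled here")
    sense, onerr = args.get("sense"), args.get("onerr")
    if sense not in ("allow", "deny") or onerr not in ("succeed", "fail"):
        raise ValueError("sense= and onerr= must both be given and valid")
    if listing is None:
        return onerr == "succeed"         # sense=deny + onerr=succeed fails open here
    listed = user in {line.strip() for line in listing.splitlines()}
    return listed if sense == "allow" else not listed


# Constructed /etc/ftpusers contents and the two configuration lines from this chapter.
FTPUSERS = "root\nbin\ndaemon\n"
FTP_LINE = "onerr=succeed item=user sense=deny file=/etc/ftpusers"
LOGIN_LINE = "onerr=fail item=user sense=allow file=/etc/ftpusers"


def scenarios() -> Dict[str, bool]:
    """The cases worth knowing before you rely on either configuration line."""
    ftp, login = parse_args(FTP_LINE), parse_args(LOGIN_LINE)
    return {
        "ftp root, list present": pam_listfile("root", FTPUSERS, ftp),        # False: denied
        "ftp joep, list present": pam_listfile("joep", FTPUSERS, ftp),        # True
        "ftp root, list unusable": pam_listfile("root", None, ftp),           # True: fails open
        "ftp root, list unusable, onerr=fail":
            pam_listfile("root", None, {**ftp, "onerr": "fail"}),             # False: fails closed
        "login root, allow list": pam_listfile("root", FTPUSERS, login),      # True: listed
        "login joep, allow list": pam_listfile("joep", FTPUSERS, login),      # False: not listed
        "login joep, list unusable": pam_listfile("joep", None, login),       # False: onerr=fail
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:40} -> {'allow' if allowed else 'deny'}")
```

The third scenario is the one to remember: with the chapter's ftp line, removing or breaking /etc/ftpusers turns a deny list into no list at all, and root can FTP in. Changing onerr to fail makes the same breakage block everyone instead, which is the safer failure for a service you meant to restrict.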