Cooking with PAM (Pluggable Authentication Modules)
Thad Van Ry
Linux System Engineer, LDS Church
http://www.linuxnetadmin.com
irc = ThaddeusQ
Caution!!
● Complete lockout possible
● Have a separate root session open
● Backup PAM config files before changing
● Recommend keeping a Live CD close by
Authentication without PAM
[Diagram: each application (login, rlogin, telnet, rsh) checks credentials directly against /etc/passwd.]
History of PAM
PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun Microsystems
Authentication with PAM
Configuration File: /etc/pam.d/sshd
[Diagram: sshd sends an authentication request to the PAM library; the library reads /etc/pam.d/sshd and runs the module stacks listed there (auth, account and password entries with control flags such as required and sufficient, calling PAM modules such as pam_env.so, pam_unix2.so, pam_vas3.so and pam_pwcheck.so); the result returned to sshd is Success or Fail.]
PAM Requirements
● PAM must be installed (included in most modern Unix / Linux OSes)
● Application must be "PAM aware" (can check using ldd):
  $ ldd /bin/login
  <snip>
  libpam.so.0 => /lib64/libpam.so.0
  <snip>
Configuration Files
● On Linux located in /etc/pam.d/
● On AIX in /etc/pam.conf - each line begins with the application name.
● Format: module_type control_flag module_path [arguments]
● For example:
  auth required /lib/security/pam_pwdb.so shadow nullok
Module type
Four groups of checks - stacks
● auth – provides the actual authentication, perhaps asking for and checking a password
● account – makes sure the authentication is allowed (the account has not expired, time-of-day restrictions, etc.)
● session – used after a user has been authenticated to allow them to use their account (mount home directory, logging activities, etc.)
● password – used to set passwords
Control Flags
Four types of control flags
● required – Must return success. If it fails, continue checking the stack; however, the overall result will be a failure.
● sufficient – If this module ends successfully, other modules in the stack don't really matter and the overall result is success.
● requisite – Works like required, but in case of failure it returns immediately.
● optional – This flag allows PAM to continue checking other modules even if this one has failed.
● include – used to include other files
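The control-flag rules above, and the later warning that order matters, as an added example (not from the slides): a small Python simulator of how the flags in a stack combine into one overall result. Module outcomes are supplied by a dict rather than by real PAM modules, an assumption made for illustration; the stacks are constructed from module names used on these slides.

```python
# Added example, not part of the slides: simulate how control flags combine
# the results of a stack into one overall result. Module outcomes are
# supplied by a dict (assumed); no real PAM modules are loaded.
def run_stack(stack, outcomes):
    """stack: list of (control_flag, module) in configuration-file order.
    outcomes: module -> True (success) / False (failure); a module missing
    from the dict counts as failing (e.g. a mistyped module name).
    Returns (overall_success, modules_consulted)."""
    impression = None            # None: undecided, True: passing, False: failing
    consulted = []
    for flag, module in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)
        if flag in ("required", "requisite"):
            if not ok:
                if flag == "requisite":
                    return False, consulted   # requisite: return immediately
                impression = False            # required: keep walking, fail overall
            elif impression is None:
                impression = True
        elif flag == "sufficient":
            if ok and impression is not False:
                return True, consulted        # rest of the stack is skipped
            # a failing sufficient module is simply ignored
        elif flag == "optional":
            if ok and impression is None:
                impression = True             # only counts if nothing else decided
        else:
            raise ValueError(f"unknown control flag: {flag}")
    return impression is True, consulted
# Constructed stacks modelled on the slides' examples.
DENY_ALL = [("required", "pam_deny.so")]                               # /etc/pam.d/other
LOCAL_THEN_VAS = [("required", "pam_unix2.so"), ("sufficient", "pam_vas3.so")]
VAS_THEN_LOCAL = [("sufficient", "pam_vas3.so"), ("required", "pam_unix2.so")]

def order_matters():
    """Same two modules and outcomes, opposite results depending on order."""
    outcomes = {"pam_unix2.so": False, "pam_vas3.so": True}   # constructed outcomes
    return run_stack(LOCAL_THEN_VAS, outcomes)[0], run_stack(VAS_THEN_LOCAL, outcomes)[0]

def requisite_short_circuits():
    """requisite stops the stack on failure; required still consults later modules."""
    outcomes = {"pam_securetty.so": False, "pam_unix2.so": True}   # constructed outcomes
    req = run_stack([("requisite", "pam_securetty.so"), ("required", "pam_unix2.so")], outcomes)
    rqd = run_stack([("required", "pam_securetty.so"), ("required", "pam_unix2.so")], outcomes)
    return req, rqd

if __name__ == "__main__":
    print(run_stack(DENY_ALL, {}), order_matters(), requisite_short_circuits())
```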
Module path
● Can give the full path in the configuration file: /lib/security/pam_unix.so
● In Linux, if only the module name is given, PAM looks in /lib/security for the module.
Arguments
● Parameters that are passed to the authentication module
● Usually specific to each module.
● Some useful generic arguments that apply to all modules:
  – debug – Send debugging information to system logs.
  – use_first_pass – Do not prompt the user for a password a second time. Use the password entered the first time to determine eligibility.
  – try_first_pass – Similar to use_first_pass; however, if the existing password causes a failure to be returned, the user is then asked for a second password.
/etc/pam.d/login

#%PAM-1.0
auth     required  pam_securetty.so
auth     required  pam_env.so
auth     required  pam_unix2.so
auth     required  pam_nologin.so
account  required  pam_unix2.so
password required  pam_pwcheck.so  nullok
password required  pam_unix2.so    nullok
session  required  pam_limits.so
session  required  pam_unix2.so
session  required  pam_lastlog.so  nowtmp
session  optional  pam_mail.so     standard
/etc/pam.d/other
Used if a PAM-aware application doesn't have its own configuration file in /etc/pam.d

#%PAM-1.0
auth     required  pam_deny.so
account  required  pam_deny.so
password required  pam_deny.so
session  required  pam_deny.so
How can PAM help me?
● Password strength checks can be added to /etc/pam.d/passwd using pam_pwcheck.so or pam_cracklib.so
● If there is an issue you're having that deals with authentication, see if a module has been created.
How can PAM hurt me?
● Messed-up PAM files can lock out access for everyone, including root!!
● Order is important in PAM configuration files.
HELP!!???
● Most modules have a man page. Try looking there first. (e.g. $ man pam_pwcheck to get information about pam_pwcheck.so)
● Use the debug argument.
● Google is your friend.
● PAM article in the January 2009 issue of LJ
  – http://www.linuxjournal.com/article/10278
● Linux user group mailing lists
Questions, Comments, Crude Remarks?