These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

UNIX03/Pluggable Authentication Modules


User authentication: PAM

PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).

Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:

  • what backend is used for authentication.
  • what backend is used for sessions.
  • how password checks behave.

PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if he authenticates correctly in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure if one module fails.

If we recall, Debian supports DES passwords, which are smaller than MD5 (see UNIX02/User Accounts And Groups). The first thing I like to do, is to add MD5 support to PAM applications, since this helps protect against dictionary cracks (passwords can be longer if using MD5). The following two lines should be added to all files in /etc/pam.d/ that grant access to the machine, like login and ssh.

 # Be sure to install libpam-cracklib first or you will not be able to log in
 password   required     pam_cracklib.so retry=3 minlen=12 difok=3
 password   required     pam_unix.so use_authtok nullok md5

So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum length of 12 characters, a difference of at least 3 characters from the old password, and allows 3 retries. The second line introduces the standard authentication module with MD5 passwords and allows a zero length password. The use_authtok directive is necessary to hand over the password from the previous module. The package depends on a wordlist (such as wenglish, wspanish, wbritish...); make sure that you install the one appropriate to your language (otherwise it might not be useful at all).

To make sure that the user root can only log into the system from local terminals, the following line should be enabled in /etc/pam.d/login:

  auth     requisite  pam_securetty.so

Then you should add the terminals from which the user root can log into the system, in /etc/security/access.conf. Last but not least the following line should be enabled if you want to set up user limits.

  session  required   pam_limits.so

This restricts the system resources that users are allowed. For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide) you may have, the number of processes, the memory size...

Now edit /etc/pam.d/passwd and change the first line. You should add the option "md5" to use MD5 passwords, change the minimum length of password from 4 to 6 (or more) and set a maximum length, if you desire. The resulting line will look something like:

  password   required   pam_unix.so nullok obscure min=6 max=11 md5

If you want to protect su, so that only some people can use it to become root on your system, you need to add a new group "wheel" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to su to the root user to this group. Then add the following line to /etc/pam.d/su:

    auth        requisite   pam_wheel.so group=wheel debug

This makes sure that only people from the group "wheel" can use su to become root. Other users will not be able to become root. In fact they will get a denied message if they try to become root.

If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to login (or not) are stored. Imagine you only want to allow user 'ref' to log in via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh:

   auth        required    pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail

Last, but not least, create /etc/pam.d/other and enter the following lines:

       auth     required       pam_securetty.so
       auth     required       pam_unix_auth.so
       auth     required       pam_warn.so
       auth     required       pam_deny.so
       account  required       pam_unix_acct.so
       account  required       pam_warn.so
       account  required       pam_deny.so
       password required       pam_unix_passwd.so
       password required       pam_warn.so
       password required       pam_deny.so
       session  required       pam_unix_session.so
       session  required       pam_warn.so
       session  required       pam_deny.so

These lines will provide a good default configuration for all applications that support PAM (access is denied by default).
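As an added example (not part of the original notes), a small Python parser for the /etc/pam.d file format described above, plus a linter that checks the password stack for the md5 and use_authtok ordering rules and checks a file for the deny-by-default layout of /etc/pam.d/other. The sample file contents are constructed here; the function and message names are my own.

```python
# Constructed sample, in the shape of the /etc/pam.d/login stack built above.
LOGIN_CONF = """\
# Be sure to install libpam-cracklib first or you will not be able to log in
auth       requisite    pam_securetty.so
auth       required     pam_unix.so nullok
password   required     pam_cracklib.so retry=3 minlen=12 difok=3
password   required     pam_unix.so use_authtok \\
                        nullok md5
session    required     pam_limits.so
"""

def parse_pam(text):
    """Return [(type, control, module, args)], honouring '#' comments and '\\' continuations."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):             # entry continues on the next line
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split()
        pending = ""
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def lint(entries):
    """Flag password stacks that fall short of the recommendations in these notes."""
    problems = []
    pw = [e for e in entries if e[0] == "password"]
    mods = [e[2] for e in pw]
    unix_args = [a for e in pw if e[2] == "pam_unix.so" for a in e[3]]
    if "pam_unix.so" in mods and "md5" not in unix_args:
        problems.append("password: pam_unix.so lacks md5, hashes stay DES")
    if "pam_cracklib.so" in mods:
        if "pam_unix.so" not in mods or mods.index("pam_cracklib.so") > mods.index("pam_unix.so"):
            problems.append("password: pam_cracklib.so must come before pam_unix.so")
        elif "use_authtok" not in unix_args:
            problems.append("password: pam_unix.so needs use_authtok to take cracklib's password")
    return problems

def denies_by_default(entries):
    """True when every management group ends in pam_deny.so, as /etc/pam.d/other should."""
    last = {}
    for typ, _ctl, mod, _args in entries:
        last[typ] = mod
    return all(last.get(t) == "pam_deny.so" for t in ("auth", "account", "password", "session"))

if __name__ == "__main__":
    for problem in lint(parse_pam(LOGIN_CONF)) or ["login stack follows the notes"]:
        print(problem)
```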



Last edited September 27, 2003 1:26 pm (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.