LINUX PAM
What is authentication?
A program that grants a user access to the system verifies each user's identity through a process called authentication. Each program has its own way of authenticating. Under Linux, many programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM).
Advantages of using PAM
1. It provides a common authentication scheme that can be used with a wide variety of applications.
2. It provides a large amount of flexibility for both system administrators and developers.
3. It allows application developers to write programs without creating their own authentication scheme.
LOCATION OF CONFIGURATION FILE
The configuration files live in /etc/pam.d/. In older versions the PAM configuration was kept in a single file, /etc/pam.conf.
Each PAM-aware application must have an entry in /etc/pam.d/.
EG: the login program must have an entry in the /etc/pam.d/ directory.
PAM CONFIGURATION FILE FORMAT
A PAM configuration file contains a group of directives, each of the form:
(module interface) (control flag) (module name) (module arguments)
MODULE INTERFACE
There are four types of PAM module interface, which correspond to four types of authentication process.
AUTH
This module interface is responsible for asking for a password and verifying that the password is valid. It can also set credentials, such as group memberships or Kerberos tickets.
ACCOUNT
This module interface verifies that access is allowed.
eg: it checks whether the account has expired, or whether the user is allowed to log in at a particular time of day.
PASSWORD
This module interface sets and verifies passwords.
SESSION
This module interface configures and manages user sessions. Modules used with this interface can also perform additional tasks that are needed to allow access, i.e. mounting the user's home directory and making the user's mailbox available.
NOTE: An individual module can be used with any or all of the interfaces;
that is, pam_unix.so can be used with all four interfaces.
Module interface directives can be stacked. When several directives for the same interface appear in a PAM configuration file, the modules are processed like a stack, so when multiple modules are used for one purpose the order in which they are listed is very important.
CONTROL FLAG
Every PAM module returns success or failure when it is called. The control flag tells PAM what to do with that result. Since modules
are stacked in a particular order, the control flag decides how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
There are four predefined control flags:
1.required
2.requisite
3.sufficient
4.optional
Required
The module result must be successful for authentication to continue. If a required module fails, the user is not notified until the results of all modules referencing that interface are complete.
Requisite
The module result must be successful for authentication to continue. However, if a requisite module fails, the user is notified immediately with a message reflecting the first failed required or requisite module.
Sufficient
The module result is ignored if it fails. However, if a sufficient module succeeds and no required module has failed, no other results are needed and the user is authenticated to the service.
Optional
The module result is ignored. The result of an optional module only becomes
necessary for successful authentication when no other module references that interface.
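The directive format and the four control flags above are easiest to see in action with a small model. The following is an added example, not code from the original post: it parses a constructed service file in the (module interface) (control flag) (module name) (module arguments) format and then walks the stack for one interface the way PAM does. The module results are supplied as a dictionary standing in for the real module calls, and the module names beginning with pam_example_ are hypothetical placeholders.

```python
# Added example (not from the original post): a small model of how PAM
# reads a service file and walks the module stack for one interface.
from dataclasses import dataclass

# Constructed service file in the (interface)(control flag)(module)(args)
# format. Module names beginning pam_example_ are hypothetical placeholders.
SAMPLE_CONFIG = """\
# constructed example, not a real /etc/pam.d/ file
auth     sufficient  pam_example_token.so
auth     requisite   pam_securetty.so
auth     required    pam_unix.so nullok
auth     optional    pam_example_audit.so
account  required    pam_unix.so
account  required    pam_access.so
"""

# Constructed module results: True = success, False = failure.
RESULTS_ALL_OK = {
    "pam_example_token.so": False,   # token not present, so it falls through
    "pam_securetty.so": True,
    "pam_unix.so": True,
    "pam_example_audit.so": True,
    "pam_access.so": True,
}

@dataclass(frozen=True)
class Rule:
    interface: str   # auth | account | password | session
    control: str     # required | requisite | sufficient | optional
    module: str      # e.g. pam_unix.so
    args: tuple      # module arguments, e.g. ("nullok",)

def parse_pam_config(text):
    """Split each non-comment line into its four fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(parts[0].lower(), parts[1].lower(), parts[2], tuple(parts[3:])))
    return rules

def evaluate_stack(rules, interface, results):
    """Walk the stack for one interface and return (granted, reason).

    `results` maps module name -> True/False and stands in for actually
    calling the module; a real PAM library would invoke each module here.
    """
    first_failed = None      # first failed required/requisite module
    required_seen = False    # a required/requisite module was consulted
    sufficient_seen = False
    optional_results = []
    for rule in (r for r in rules if r.interface == interface):
        ok = results[rule.module]
        if rule.control == "requisite":
            required_seen = True
            if not ok:
                # Stop at once; the message names the first required/requisite failure.
                return False, f"{first_failed or rule.module} failed (requisite stops the stack)"
        elif rule.control == "required":
            required_seen = True
            if not ok and first_failed is None:
                first_failed = rule.module   # remember it, but keep walking the stack
        elif rule.control == "sufficient":
            sufficient_seen = True
            if ok and first_failed is None:
                return True, f"{rule.module} sufficient, remaining modules skipped"
            # a failed sufficient module is simply ignored
        elif rule.control == "optional":
            optional_results.append(ok)
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    if first_failed is not None:
        return False, f"{first_failed} failed (required)"
    if required_seen:
        return True, "all required modules succeeded"
    if sufficient_seen:
        return False, "no sufficient module succeeded"
    if optional_results:
        return all(optional_results), "only optional modules on the stack, so their result decides"
    return False, f"no modules for interface {interface!r}"

RULES = parse_pam_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, override in [("normal login", {}), ("bad tty", {"pam_securetty.so": False}),
                           ("wrong password", {"pam_unix.so": False})]:
        print(name, evaluate_stack(RULES, "auth", {**RESULTS_ALL_OK, **override}))
```

Running the three scenarios shows why order matters: with the sufficient module listed first, a successful token skips pam_securetty.so entirely, whereas a failing requisite module stops the stack before pam_unix.so is ever asked for a password.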
Module name
In older PAM configuration files the module had to be specified by absolute path, eg: /lib/security/pam_stack.so. On newer systems only the module name needs to be specified in the PAM configuration file.
Module location
PAM modules are located in /lib/security/.
Module arguments
We can pass arguments to the PAM modules used in a PAM configuration file. For example, the pam_userdb.so module uses secrets stored in a Berkeley DB file to authenticate the user. Berkeley DB is an open source database system that is embedded in many applications. This module takes a db argument: db=path to the file.
PAM error messages
All PAM modules report error messages to /var/log/messages.
AVAILABLE MODULES
1.pam_access.so
The pam_access.so module is an access control module. It is used with the account module interface. It requires the configuration file /etc/security/access.conf. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.
FIELDS IN /etc/security/access.conf
Each login access control line in /etc/security/access.conf has
three fields separated by the symbol ":".
permission:user/group:origins (in the case of a non-networked login, origins is a tty name)
The permission field is either "+" or "-". The "+" symbol indicates that access is granted; the "-" symbol indicates that access is denied.
The second field is the user/group field, which may be one or more login names, group names or ALL. It should be noted that group entries should be written in parentheses ( ).
The third field is a list of one or more tty names, hostnames, domain names (beginning with "."), or internet network numbers (ending with ".").
The wildcards ALL or LOCAL may also be used.
Sample /etc/security/access.conf File
# access.conf file
-:ALL:.evil.com .spam.org
-:ALL EXCEPT root: tty1
+:ALL EXCEPT root:172.17.
+:wheel paul:leghorn
-:ALL:ALL
Now simply add the line
account required /lib/security/pam_access.so
to the account stack of the service's configuration file.
Example of adding pam_access to the /etc/pam.d/login File
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so minlen=20 retry=3 type=SECRET
password required /lib/security/pam_pwdb.so md5 use_authtok
session required /lib/security/pam_pwdb.so
Any attempted access from a denied location results in a Permission denied error message, as shown in Example 5-23, where Paul attempts to log in at the console. All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.
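To check what a given access.conf actually permits before deploying it, it helps to evaluate it the way pam_access does: first matching line wins, no match means access is granted. The following is an added example, not code from the original post or from the pam_access module itself. It implements the three-field format described above and runs it over the sample file, reproducing the case of Paul being refused at the console. Two details are assumptions about pam_access behaviour rather than statements from the post: LOCAL is treated as any origin that contains no ".", and a bare name in the user/group field (like "wheel" in the sample) is tried both as a user name and as a group name.

```python
# Added example (not from the original post): an evaluator for the
# permission:users:origins format of /etc/security/access.conf, run over
# the post's sample file. First matching line wins; no match means allow.
SAMPLE_ACCESS_CONF = """\
# access.conf file (the sample from the post, used here as test input)
-:ALL:.evil.com .spam.org
-:ALL EXCEPT root: tty1
+:ALL EXCEPT root:172.17.
+:wheel paul:leghorn
-:ALL:ALL
"""

def user_matches(item, user, groups):
    """One word of the user/group field. (name) is group-only; a bare
    name is tried as a user name and, for compatibility, as a group name
    (assumption about pam_access, needed for the sample's bare 'wheel')."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user or item in groups

def origin_matches(item, origin):
    """One word of the origins field: tty, hostname, .domain, network., ALL, LOCAL."""
    if item == "ALL":
        return True
    if item == "LOCAL":              # assumption: any origin without a dot
        return "." not in origin
    if item.startswith("."):         # domain suffix, e.g. .evil.com
        return origin.endswith(item)
    if item.endswith("."):           # network prefix, e.g. 172.17.
        return origin.startswith(item)
    return item == origin            # exact tty name or hostname

def field_matches(field, matcher):
    """Apply matcher to a space-separated list, honouring 'X EXCEPT Y'."""
    words = field.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return any(map(matcher, words[:i])) and not any(map(matcher, words[i + 1:]))
    return any(map(matcher, words))

def check_access(conf_text, user, groups, origin):
    """Return (allowed, matched_line). Default allow when nothing matches."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        permission, users, origins = (f.strip() for f in line.split(":", 2))
        if permission not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        if field_matches(users, lambda w: user_matches(w, user, groups)) and \
                field_matches(origins, lambda w: origin_matches(w, origin)):
            return permission == "+", line
    return True, "no matching entry: pam_access grants access"

if __name__ == "__main__":
    # Constructed test logins: (user, groups, tty-or-host)
    for who in [("paul", {"users"}, "tty1"), ("alice", set(), "172.17.5.9"),
                ("bob", {"wheel"}, "leghorn"), ("root", set(), "tty1")]:
        print(who, check_access(SAMPLE_ACCESS_CONF, *who))
```

Walking the sample this way also surfaces a consequence that is easy to miss when reading the file: because root is excluded from both "+" lines and is not in the wheel group, the final -:ALL:ALL catch-all denies root from every origin, including tty1.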
PAM_CRACKLIB.SO
To improve the security of standard reusable passwords, require users to change their passwords regularly, enforce a minimum length and good rules for new passwords, and even keep a history of user passwords so that users do not repeat them.
Enabling pam_cracklib.so
The pam_cracklib.so module is enabled in the PAM configuration file, i.e. in /etc/pam.d/common-password on Debian systems and in /etc/pam.d/system-auth on Red Hat Linux systems. A typical configuration looks like this:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so md5 use_authtok
The first line enables the pam_cracklib module and sets several parameters.
retry=3 means the user gets three chances to pick a good password before the password program exits. minlen=6 sets the minimum number of characters in a password.
difok=3 sets the minimum number of characters that must be different from the previous password. If you increase the minimum length, you must also increase the value of difok.