Suse PAM Modules

Pluggable Authentication Modules (PAM) provide a flexible and administrator-configurable mechanism for authenticating users. PAM allows authentication code to be configured through modules rather than embedded in programs. This avoids requiring programs to be rebuilt when authentication mechanisms change. PAM uses a three step process: 1) create authentication modules, 2) make applications PAM-aware, and 3) customize authentication services by configuring PAM files like /etc/pam.d/login. Modules are used for authentication, account, session, and password tasks. Configuration files specify the module name, type, and control flags for each service.

Uploaded by

hazardhap

Pluggable Authentication Modules (PAM)

Traditional (old Unix version)

- Authentication code was embedded in programs
- Changing the authentication mechanism required rebuilding all those programs

Goal

- Provide a flexible and administrator-configurable mechanism for authenticating users
- Utilities call authentication modules at runtime

3 Steps to use PAM

1) Create PAM modules
   - Each module is responsible for one small aspect of authentication
   - Shared libraries under /lib/security

2) Make the application PAM-aware

3) Customize the authentication service
   - For the various applications (services)
   - All services can use one single file, /etc/pam.conf, or each service can have its own file, for example /etc/pam.d/login
   - The change takes effect instantly

Example: /etc/pam.d/su

#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     required    pam_wheel.so
auth     required    pam_unix.so shadow nullok
account  required    pam_unix.so
password required    pam_unix.so
session  required    pam_unix.so

PAM module types

Four types of tasks:

Authentication
- Verify a user's identity and credentials
- Login/password, biometrics, etc.

Account
- Perform non-authentication account management
- Restrict/permit access to a service based on the time, resource, etc.

Session
- Do things before/after the user is given the service
- Mounting directories, logging, etc.

Password
- Update passwords
- Change password, allow/deny null passwords, verify password strength, etc.

PAM Control Flags

Control flags indicate the behavior of the PAM API based upon the result of the check performed:

- Required
- Requisite
- Sufficient
- Optional

PAM Control Flags (Cont.)

Required
- Must pass. Failure will ultimately lead to the PAM API returning failure, but only after the remaining stacked modules have been invoked.
- Why bother invoking the other modules if the stack fails at the end anyway? So that the service behaves the same way whichever module failed, preventing a cracker from determining which module caused the failure.

Requisite
- Must pass. However, control is returned directly to the application in case of failure.

Sufficient
- Success of such a module is enough to satisfy the authentication requirements of the stack of modules.
- But if a prior required module has failed, the success of this one is ignored.
- Modules below it that are also listed as sufficient are not invoked.

PAM Control Flags (Cont.)

Optional
- The success or failure of this module is only important if it is the only module in the stack with this service+type.

Include
- Include all lines of the given type from the configuration file specified as an argument to this control.

Complicated syntax
- [value1=action1 value2=action2 ...]

PAM configuration

Line format:
[service] type control module-name module-arguments

Service
- Application name: sshd, su, xlock, etc. (the [service] field is only present in the single file /etc/pam.conf; the per-service files under /etc/pam.d omit it)

Type
- auth, account, session, password

Control
- required, requisite, sufficient, optional, etc.

Module
- module-name (for example pam_unix.so), followed by its module-arguments
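As an added example, not taken from the slides or from Linux-PAM itself, the following Python model shows how the control flags and the bracketed [value=action] syntax decide the outcome of a stack. It parses /etc/pam.d-style lines in the format just described and walks one module type the way the Linux-PAM System Administrators' Guide specifies, using the /etc/pam.d/su file from the slides, a constructed variant with pam_wheel made requisite, and the session lines of the CS lab example (Example 4) that use the numeric jump action. Real modules are replaced by a dictionary of the return codes they would give, so nothing talks to libpam. The audit() helper and its WEAK_ARGS table are this example's own additions; they flag the nullok and nodelay arguments that the slides discuss.

```python
"""Walk a PAM stack the way Linux-PAM does (teaching model, not libpam)."""
import re
from collections import namedtuple

# The four keywords are shorthand for these [value=action] tables (Linux-PAM SAG).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
ACTIONS = ("ok", "done", "bad", "die", "ignore")   # plus N = jump over the next N modules
# type, control (keyword or [...]), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")
Rule = namedtuple("Rule", "type control module args")   # control: return code -> action

def parse_pamd(text):
    """Parse one /etc/pam.d/<service> file (no [service] column)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drops comments such as #%PAM-1.0
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        control = control.lower()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        elif control in KEYWORDS:
            actions = KEYWORDS[control]
        else:   # include/substack need the referenced file and are not modelled
            raise ValueError(f"unsupported control {control!r}")
        rules.append(Rule(mtype.lower(), actions, module, args.split()))
    return rules

def evaluate(rules, mtype, results):
    """Return (outcome, modules_invoked) for one type such as "auth".

    results maps module name -> the return code it would give ("success",
    "auth_err", ...); a module missing from results is taken to fail.
    """
    stack = [r for r in rules if r.type == mtype]
    status, invoked, i = None, [], 0          # status: None until a module counts
    while i < len(stack):
        rule = stack[i]
        i += 1
        invoked.append(rule.module)
        ret = results.get(rule.module, "perm_denied")
        action = rule.control.get(ret, rule.control.get("default", "bad"))
        if action not in ACTIONS and not action.isdigit():
            raise ValueError(f"unknown action {action!r} for {rule.module}")
        if action == "ignore":
            continue
        if status in (None, "success"):       # ok/bad/die/done/N record the result,
            status = ret                      # but a recorded failure is never overwritten
        if action == "die" or (action == "done" and status == "success"):
            break                             # requisite failure / sufficient success
        if action.isdigit():                  # N: like ok, then jump over N modules
            i += int(action)
    return ("success" if status == "success" else "failure"), invoked

WEAK_ARGS = {   # arguments from the slides that trade safety for convenience
    "nullok": "accepts accounts with an empty password",
    "nodelay": "removes the delay after a failed authentication",
}

def audit(rules):
    """List (type, module, argument, reason) for every weak argument found."""
    return [(r.type, r.module, a, WEAK_ARGS[a]) for r in rules for a in r.args if a in WEAK_ARGS]

# Sample input 1: the /etc/pam.d/su file shown in the slides.
SU_STACK = """\
#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     required    pam_wheel.so
auth     required    pam_unix.so shadow nullok
account  required    pam_unix.so
password required    pam_unix.so
session  required    pam_unix.so
"""
# Sample input 2: the same file with pam_wheel made requisite (constructed variant).
SU_STACK_REQUISITE = SU_STACK.replace("required    pam_wheel.so", "requisite   pam_wheel.so")
# Sample input 3: session lines from the CS lab example, which use the jump action N=1.
CRON_SESSION = """\
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
"""
ROOT = {"pam_rootok.so": "success"}                    # constructed module results
NON_WHEEL = {"pam_rootok.so": "auth_err", "pam_wheel.so": "perm_denied", "pam_unix.so": "success"}

if __name__ == "__main__":
    su = parse_pamd(SU_STACK)
    print("root via su:", evaluate(su, "auth", ROOT))
    print("non-wheel user, pam_wheel required:", evaluate(su, "auth", NON_WHEEL))
    print("non-wheel user, pam_wheel requisite:", evaluate(parse_pamd(SU_STACK_REQUISITE), "auth", NON_WHEEL))
    print("crond session:", evaluate(parse_pamd(CRON_SESSION), "session", {"pam_succeed_if.so": "success"}))
    print("weak arguments:", audit(su))
```

Running the file shows the trade-off the slides raise: root passes the su stack after pam_rootok alone (sufficient returns at once), a non-wheel user still has pam_unix invoked when pam_wheel is required, so the password prompt looks the same whether or not the user is in wheel, and pam_unix is skipped when pam_wheel is requisite. In the crond session lines, a success from pam_succeed_if jumps over pam_unix, and audit() reports the nullok argument on the su stack.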

PAM modules

Linux modules:

pam_deny
pam_permit
pam_warn
pam_access
pam_unix
pam_cracklib
pam_env
pam_krb4
pam_krb5
pam_nologin
pam_rootok
pam_securetty
pam_wheel
pam_time

See http://www.kernel.org/pub/linux/libs/pam/modules.html

Example 1

man pam_unix

This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.

nodelay
This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The default action is for the module to request a delay-on-failure of the order of two seconds.

Removing login delay

In /etc/pam.d/system-auth:

auth required pam_unix.so nodelay

Now log in with a wrong password. Do you still experience the delay?

Example 2

man pam_tally

This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.

deny=n
Deny access if the tally for this user exceeds n.

Lock out users who tried 3 times in a row:

auth    required pam_tally.so deny=3
account required pam_tally.so

Example 3

Locking out everyone except root

Kick all the users out:
- Create the file /etc/nologin
- Add a line in /etc/pam.d/login:

auth requisite pam_nologin.so

Example 4: CS lab

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so shadow nis nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

PAM Documentation

The Linux-PAM System Administrators' Guide
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html

Man pages
man pam
man pam.conf
man pam_krb5

To get the list of modules: man -k pam
