Softpanorama
May the source be with you, but remember the KISS principle ;-)

Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Linux PAM

News

Commercial Linuxes Recommended Books

Recommended Links

Red Hat security

Suse Security

Hardening

PAM

wheel group Authentication and Accounts Security Selected PAM Modules SecurID

Humor

Etc

PAM (the Pluggable Authentication Module) is a unified authentication scheme introduced by Sun in Solaris 2.3 and later uncritically reimplemented in most open source versions of Unix (e.g. Linux and FreeBSD).

It allows the system administrator to customize the authentication services that should be used for various applications.  It is rather primitive mechanism that uses yet another (very simple) PAM language to connect several security checks (each check or group of checks is performed by a separate authentication module) before deciding if you can authenticate the user or not.  Rephrasing famous  Greenspun's Tenth Rule

"Any sufficiently complicated C or Fortran program contains an ad−hoc, informally−specified bug−ridden slow implementation of half of Common. Lisp"

Without loss of generality instead of Lisp you can actually substitute "scripting language".

We can state that PAM is a classic case of Greenspun's Tenth Rule  It contains an ad−hoc, informally−specified, bug−ridden and slow implementation of half of any common scripting language such as AWK, TCL, Perl or Python.

It is a testament of "David Korn law": many programmers working on Unix does not really understand Unix: they are unable to see bigger picture and try to work around the limitations of C reinvent the bicycle by implementing features which are already implemented is more expressive languages.

PAM permits per service configuration of authentication. Initially it was a single large pam.conf file. Now in Linux each service can have its own PAM configuration file in  /etc/pam.d. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf. (SuSE ships by default with the /etc/pam.d directory and files).

The syntax of files contained in the /etc/pam.d directory, are identical to format in pam.conf except for the absence of  service field: the service is the name of the file in the /etc/pam.d/ directory. The /etc/pam.d/other file is used to check authentication for any service where a specific pam file has not been set up.

The format of the /etc/pam.d/ files contains four fields:

  1. type valid entries are: account; auth; password; and session.
  2. control what to do if authentication fails/succeed. Common variants are
  3. module-path /path/to/the/program (defaults to /lib/security)
  4. module-args args

Historical note: in /etc/pam.conf the first field initially was service -- the name of the daemon or program, for example ssh, login or su

Additional PAM /etc/security files

Some of the modules have additional configuration files in /etc/security.

The /etc/security/access.conf can be used to greatly restrict who can login from where. You can limit console logins to only specific UIDs, or combinations of specific UIDs and ttys. However, in addition to configuring this file, you must set up the PAM login rules to read this file. The pam_access.so library is the program that enforces the rules. Edit /etc/pam.d/login and add this line to activate the /etc/security/access.conf file in PAM:

# add login restrictions (access.conf)
account required pam_access.so

It goes after the other account required line that handles normal logins (this is called stacking).

Then, edit the /etc/security/access.conf file to set up access controls. Here is an example entry so that no users except the user libadmin can login on tty1. Add this line:

-:ALL EXCEPT libadmin:tty1
Note: root can still access the machine through su or sshd.

The /etc/security/limits.conf can be used to restrict system resource usage by UID. The pam_limits.so library is the program that enforces the limits. It must be set up in the /etc/pam.d/login file as a session rule, usually at the end of the file:

session required pam_limits.so
The /etc/login.defs file, which is part of the shadow suite, is also honored by PAM if you include the pam_pwcheck.so library in your PAM configuration. It must be set up in the /etc/pam.d/login file as a password rule:

password required pam_pwcheck.so nullok
With /etc/login.defs, you can control the minimum password length, expiration time, and many other things.

In modern Linux distributions, most programs are PAM enabled. For a program to use PAM, it must have the PAM functions included in it for authentication and authorization. To check to see if a program is pam enabled, do an ldd on it and look for PAM libraries linked to it:

libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x4002b000)
libpam.so.0 => /lib/libpam.so.0 (0x4002e000)

SuSE ships by default with the pam.d directory and files.  /etc/pam.conf has a list of rules. The format of each rule is a space separated collection of tokens, the first three being case-insensitive:
service type control module-path module-arguments
      

The syntax of files contained in the /etc/pam.d/ directory, are identical except for the absence of any service field. In this case, the service is the name of the file in the /etc/pam.d/ directory. This filename must be in lower case.

In suse most programs are PAM enabled. To check to see if a program is pam enabled, do an ldd on it and look for PAM libraries linked to it:
        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x4002b000)
        libpam.so.0 => /lib/libpam.so.0 (0x4002e000)    

The /etc/pam.d/other file is used to check authentication for any service where a specific pam file has not been set up. In SuSE  the default settings in this file send warning messages to syslog and check the standard system files for UID/passwords (pam_unix.so).

Often used Pam modules

This is an incomplete overview of the major PAM modules that are already written and stable.The Linux-PAM System Administrators' Guide  contains more compete list.

pam_env.so [authentication]
Sets environment variables for PAM using the settings in /etc/security/pam_env.conf.
pam_ftp.so -- [authentication]
Allows (forces) anonymous logins for ftp. User must enter ftp or anonymous for the UID and an e-mail address for the password.
pam_group [authentication]
This module provides group-settings based on the user's name and the terminal they are requesting a given service from. This allows group settings separate from the /etc/group to be used only in PAM processing. This module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. The group memberships are listed in text form in the /etc/security/group.conf file. The pam_group module functions in parallel with the /etc/group file. If the user is granted any groups based on the behavior of this module, they are granted in addition to those entries /etc/group (or equivalent).
pam_homecheck -- [authentication; session]
Checks the home directory of the user for world writable or dot files not owned by the user. Check, if the home directory is world-writeable. If the home directory is world-writeable, or one of the important dot files is world-writeable or not owned by the user or root, a warning is printed. The abort argument will deny permission to log in in such a case.
pam_limits -- [session]
Uses the /etc/security/pam_limits.conf file to enforce resource limitations on users. Through the contents of the configuration file, /etc/security/limits.conf, resource limits are placed on users' sessions. Users of uid=0 are not affected by this restriction.
pam_listfile -- [authentication]
Allows or denys access to a service based on a text file. items that are checked are[tty|user|rhost|ruser|group|shell]  The text file should contains one line per item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the authorization request to fail.

Here is an example of user the ftpusers file to deny access from pure-ftpd PAM on suse :

#
# deny ftp-access to users listed in the /etc/ftpusers file
#
auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/ftpusers
pam_mail -- [authentication (credential);session (open)]
This module provides the “you have new mail” service to the user. It can be plugged into any application that has credential hooks. It gives a single message indicating the newness of any mail it finds in the user's mail folder. This module also sets the Linux-PAM environment variable, MAIL, to the user's mail directory.
pam_motd -- [session]
Displays the motd file.
pam_nologin -- [authentication]
Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed to log in; other users are turned away with an error message. All users (root or otherwise) are shown the contents of /etc/nologin. If the file /etc/nologin does not exist, this module succeeds silently.
pam_permit -- [account; authentication; password; session]
This module is very dangerous. It should be used with extreme caution. Its action is always to permit access. It does nothing else.
pam_pwcheck -- [password]
This is a module for checking passwords. It reads /etc/login.defs and makes the checks the standard Linux shadow suite also does. If configured, it also uses the cracklib library to check the password.
pam_securetty -- [authentication]
Provides standard Unix securetty checking, which causes authentication for root to fail unless PAM_TTY is set to a string listed in the /etc/securetty file. For all other users, it succeeds. Here is the standard /etc/securetty file on SuSE. Root can only login on these terminals:
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
# for devfs:
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
    
pam_time -- [account]
Reads the /etc/security/time.conf file to restrict when a user can use a service. For example, you can deny logins during weekends or after normal business hours.
pam_unix -- [account; authentication; password; session]
If configured in /etc/nsswitch.conf, this module will make NIS or NIS+ queries. This is the standard Unix authentication module. It uses standard calls from the glibc NSS libraries to retrieve and set account information as well as authentication. Usually this is obtained from the the local files /etc/passwd and /etc/shadow, from an NIS map or from the NIS+ passwd.org_dir table.
pam_wheel -- [authentication]
Only permit root access to members of the wheel (gid=0) group. This is similar to theFreeBSD style wheel access, so that you can't su to root unless you are in the wheel group. It is NOT used by default in SuSE 7.3, but is a nice addition.

Top updates

Bulletin Latest Past week Past month
Google Search


NEWS CONTENTS

Old News ;-)

SSH Root Access Login Control

After read “OpenSSH Root user account restriction - revisited” article, I did a test on my testing server.

The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non-networked logins. By default rules for access management are taken from config file /etc/security/access.conf if you don’t specify another file.

Example: Grant root access for IP Address: 192.168.1.10 ONLY

1. vi /etc/pam.d/sshd and append
account    required     pam_access.so 
2. vi /etc/security/access.conf and add as shown below
#Denied ALL
- : root : ALL  
# ONLY allow IP 192.168.1.10
+ : root : 192.168.1.10.

Save both file and it’s worked! I can ssh root@planetmy.com from 192.168.1.10 but not other machine.

Note: as soon as you save changes to /etc/security/access.conf, they are applied by PAM configuration. So be careful when writing rules and please backup before do any changes on your file.

Check here for more understand about pam_access.

Darwish Unix Thoughts ... June 2007

Unix Administration (II): Security (B)

Here's the second step of securing our college server as mentioned in the first article (II - A). I try to construct a suitable security policy using the lovely and completely flexible PAM configuration files. I assume that the reader have previous experiences with PAM, if not, please look at this very well-written and official PAM guide.

--> First step is to modify the common-{auth, account, password, session} files since they are included in all specific programs PAM files.

01- Don't accept NULL passwords in any program by removing the nullok option:
In /etc/pamd.d/common-auth file:
auth required pam_unix.so

02- Disallow root logins from anywhere (pam.d/su will be modified not to include common-auth):
emptying the /etc/securetty:
$ : > /etc/securetty
In /etc/pam.d/common-auth:
auth requisite pam_securetty.so
Note: Emptying the securetty file without adding the above line will have no effect.

03- Let only users set on /etc/security/access.conf be able to login (assuming they already passed the above stacked rules).
In /etc/security/access.conf:
# Accept `root' and `ahmed' logins only (till the system go mainstream)
+:root:ALL
+:ahmed:ALL
-:ALL:ALL
In /etc/pam.d/common-account:
account required pam_access.so

04- Enable large passwords (> 8) by using MD5. Also let user chosen passwords be tested by cracklib which checks user desired passwords against dictionaries and other common password patterns.
$ # Several dictionaries to be used by cracklib
$ apt-get install wbritish wamerican wfrench wdutch
$ # cracklib installation. If PAM rules are set without it, no passwords could be changed!
$ apt-get install cracklib2
$ # Install the pam_cracklib module
$ apt-get install libpam-cracklib
Add the PAM rules to satisfy the following conditions in desired passwords:
a- Minimum difference between a new and old password = 4
b- Minimum length = 12
c- Prompt user at most 4 times before running with error
d- At least 2 digits, 2 upper case letters, 2 lower case ones and 2 other (!#$...) letters
In /etc/pam.d/common-password:
password required pam_cracklib.so retry=4 minlen=12 difok=4 \ dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2
password required pam_unix.so use_authtok md5
Note: The use_authtok directive is necessary to hand over the password from the previous module

05- Many programs use $TMPDIR for storing temporary files. Not all of them are good at securing the permissions of those files. PAM tmpdir module sets $TMPDIR and $TMP for PAM sessions to /tmp/user/[uid]. Permissions are tight since /tmp/user is only read/write by root. /tmp/user/[uid] is only {read, write, execut}able by that user.This leads to an extra layer of security, making symlink attacks and other /tmp based attacks harder or impossible.
$ apt-get install libpam-tmpdir
in /etc/pam.d/common-session:
session optional pam_tmpdir.so

06- UMASK usage in login.conf is discouraged cause it catches only entries made through login, while setting umask in shell rc files will catch also logins through su, cron, ssh but not other shells. At the same time, using shell rc to set umask won't catch entries which user uses non-shell executables in place of login shell, like the ppp daemon. To solve all of this ambiguity and redundancy problems, it's best to use the pam_umask PAM module.
$ apt-get install libpam-umask
In /etc/pam.d/common-session:
session optional pam_umask.so umask=007

--> Second step is to modify the pam.d/others file. if a PAM-aware service exists with no specific PAM file, the `other' file will be used. This file will deny all services but issue a warning in the logs to the sleeping admin! ( not my type, right ? ;) )

$ : > /etc/pamd.d/other
In /etc/pam.d/other:
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so

--> Third step is to modify the PAM files related to each PAM-aware app as follows:

1- Login, ssh:
01- Remove System details from login/ssh screens
In /etc/pam.d/login:
session optional pam_motd.so motd=/etc/motd
$ cat > /etc/motd.tail
If any problem is found, contact Ahmed S. Darwish - the server admin - at darwish.07 gmail com
Thanks
^D
$ # /etc/motd is a symbolic link for /var/run/motd
$ sed -i 's#uname -snrvm > /var/run/motd#: > /var/run/motd/#' /etc/init.d/bootmisc.sh
$ cat > /etc/issue
Faculity of Computer Science and Information Unix Lab
^D
In /etc/pam.d/login:
auth required pam_issue.so issue=/etc/issue

02- Passwd:
Above customized defaults in common-password are enough.

03- su:
01- Let root be able to do "su" to anything
auth sufficient pam_rootok.so

02- Let the group "wheel" (gid = 0) be the only group allowd to invoke a `su' to root.
$ groupadd wheel && usermod -G wheel ahmed
In /etc/pam.d/su:
auth required pam_wheel.so use_uid

03- Don't use the customized defaults found in common-auth since it does not allow root logins. If it's included, as in the out of the box configuration, you won't be able to access root by any means (except by using init=/bin/sh as a kernel parameter).
$ sed -i 's/@include common-auth/#@include common-auth/' /etc/pam.d/su
$ echo "auth required pam_unix.so" >> /etc/pamd.d/su

I hope you found this article interesting.

To Be Continued ...

HOW TO SUSE Linux Enterprise Desktop SLED10 LDAP - Kerberos Authentication to Active Directory

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account sufficient pam_krb5.so
account required pam_unix2.so

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_unix2.so


#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix2 in combination
# with pam_pwcheck.

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
#
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp


#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both
interactive and
# non-interactive). The default is pam_unix2.
#
session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel

#%PAM-1.0
###########line above is part of this file#################
#/etc/pam.d/su config file
###########################################################
#auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so

Recommended Links

Softpanorama Top Visited

Softpanorama Recommended




Etc

Society

Groupthink : Understanding Micromanagers and Control Freaks : Toxic Managers : BureaucraciesHarvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Two Party System as Polyarchy : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

Skeptical Finance : John Kenneth Galbraith : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Oscar Wilde : Talleyrand : Somerset Maugham : War and Peace : Marcus Aurelius : Eric Hoffer : Kurt Vonnegut : Otto Von Bismarck : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Oscar Wilde : Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 26, No.1 (January, 2013) Object-Oriented Cult : Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks: The efficient markets hypothesis : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

 

The Last but not Least


Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 19, 2014