Pluggable Authentication Module (PAM)
Pluggable Authentication Modules (PAM) are a group of dynamically loadable library modules that govern how individual applications verify their users. PAM configuration files are stored in the /etc/pam.d/ directory and can be modified to suit particular needs. Each PAM configuration file controls the way user authentication and authorization is managed for the standard Linux commands that are PAM-aware, that is, commands that make use of the libpam library. Documentation for each service's PAM configuration file can be found in the /usr/share/doc/pam directory, or by trying 'man pam_nameofcommand'.
To verify whether a Linux command is PAM-aware, use the 'ldd' command. In the following example '/bin/login' links the libpam library, so login is PAM-aware:
# ldd /bin/login | grep pam
libpam.so.0 => /lib/libpam.so.0
...
PAM configuration
Each line in a PAM configuration file, /etc/pam.d/nameofcommand, is written in the following format:
module_type control_flag module [arguments]
--> The PAM system divides the process of verifying users into four separate module_type values, which can be one of the following:
auth
Authentication management establishes the user's identity. A PAM auth line decides whether to prompt for a username and/or a password.
account
Account management allows or denies access according to the account policies. A PAM account line may deny access according to time, password expiration, or a specific list of restricted users.
password
Password management manages password policies. A PAM password line may limit the number of times a user can try to log in before a console is reset.
session
Session management applies settings for an application. A PAM session line may set default settings for a login console.
--> The control_flag determines how the configuration file reacts when a module flags success or failure and can be one of the following:
required
If the module succeeds, processing proceeds to the next line. If it fails, PAM still proceeds to the next line in the configuration file, but the command controlled by PAM will fail at the end.
requisite
Stops processing immediately if the module fails.
sufficient
If the module succeeds, the login or other authentication proceeds and no further lines need be processed.
optional
PAM ignores module success or failure.
include
Includes all lines of this module_type from the named configuration file. If the directive is 'password include system-auth', this includes all password lines from the PAM system-auth file.
--> All PAM modules are installed in the /lib/security directory (/lib64/security on 64-bit systems). You can list all of them with the command 'ls -1rt /lib/security'.
# ls -1rt /lib/security/
pam_ck_connector.so
pam_oddjob_mkhomedir.so
pam_xauth.so
pam_wheel.so
pam_warn.so
pam_userdb.so
pam_unix.so
pam_umask.so
pam_tty_audit.so
pam_timestamp.so
pam_time.so
pam_tally2.so
pam_succeed_if.so
pam_stress.so
pam_shells.so
pam_sepermit.so
pam_selinux.so
pam_securetty.so
pam_rootok.so
pam_rhosts.so
pam_pwhistory.so
pam_postgresok.so
pam_permit.so
pam_nologin.so
pam_namespace.so
pam_motd.so
pam_mkhomedir.so
pam_mail.so
pam_loginuid.so
pam_localuser.so
pam_listfile.so
pam_limits.so
pam_lastlog.so
pam_keyinit.so
pam_issue.so
pam_group.so
pam_ftp.so
pam_filter.so
pam_faildelay.so
pam_exec.so
pam_env.so
pam_echo.so
pam_deny.so
pam_debug.so
pam_cracklib.so
pam_console.so
pam_chroot.so
pam_access.so
pam_cap.so
pam_ldap.so
pam_krb5.so
pam_passwdqc.so
pam_fprintd.so
pam_winbind.so
pam_smbpass.so
pam_sss.so
pam_filter
pam_selinux_permit.so
pam_unix_acct.so
pam_unix_session.so
pam_unix_passwd.so
pam_unix_auth.so
pam_krb5afs.so
pam_krb5
For more information about each PAM module, open its man page. For example, for documentation about pam_chroot.so try 'man pam_chroot'.
PAM configuration file example: /etc/pam.d/reboot
It manages authentication and authorization for the execution of the 'reboot' command.
# cat /etc/pam.d/reboot
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so
The first line 'auth sufficient pam_rootok.so' means that if the user executing the 'reboot' command is root (UID=0), execution is allowed and no other PAM lines are processed.
The second line 'auth required pam_console.so' allows execution of 'reboot' if the user executing the command is logged in at the physical console. If so, PAM continues processing the next lines; if not, PAM fails at the end of processing and the 'reboot' command is not executed.
The next line is commented out, so it has no PAM effect.
The last line 'account required pam_permit.so' always permits access. Here it is the last line of the PAM configuration file, so if PAM gets this far the 'reboot' execution is finally allowed. The opposite of this PAM module is pam_deny.so, which always fails, denying access.
--> In conclusion, user root or any user logged in at the physical console will be allowed to execute the 'reboot' command through PAM.
Note that the line order in a PAM configuration file is very important!
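The walk through /etc/pam.d/reboot above, and the control-flag rules described earlier, can be checked with a small simulator. The following Python is an added illustration, not libpam's code: the four module stand-ins only imitate the documented behaviour of pam_rootok.so, pam_console.so, pam_permit.so and pam_deny.so, the User record is an assumption made for the simulation, and 'include' files are looked up in a dictionary instead of /etc/pam.d. It also encodes one detail the list above leaves implicit, which is why line order matters: a 'sufficient' success only ends the stack if no earlier 'required' line has already failed.

```python
"""Added illustration (not libpam's source): a simulator of how a PAM stack
is walked with the classic control flags, applied to /etc/pam.d/reboot.
The module stand-ins, the User record and the include lookup table are
assumptions made for this simulation."""

from dataclasses import dataclass


@dataclass
class User:
    name: str
    uid: int
    on_console: bool   # stand-in for pam_console.so's console-owner check


# Stand-in modules: each returns True for PAM_SUCCESS, False for failure.
MODULES = {
    "pam_rootok.so":  lambda user, args: user.uid == 0,
    "pam_console.so": lambda user, args: user.on_console,
    "pam_permit.so":  lambda user, args: True,
    "pam_deny.so":    lambda user, args: False,
}


def parse_pam_file(text, includes=None):
    """Turn 'module_type control_flag module [arguments]' lines into tuples.

    '#' comments and blank lines are skipped. An 'include' line pulls in
    every line of the same module_type from the named file; here the
    included files come from the `includes` dict instead of /etc/pam.d."""
    includes = includes or {}
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        if control == "include":
            entries += [e for e in parse_pam_file(includes[module], includes)
                        if e[0] == mtype]
        else:
            entries.append((mtype, control, module, args))
    return entries


def run_stack(entries, user, module_type):
    """Evaluate all lines of one module_type in order. Returns (allowed, trace).

    Control-flag semantics as Linux-PAM applies them:
      required   failure is remembered; later lines still run
      requisite  failure ends the stack immediately
      sufficient success ends the stack with PAM_SUCCESS, but only if no
                 earlier 'required' line has failed; its failure is ignored
      optional   ignored unless it is the only line in the stack
    An empty stack is a denial (libpam logs 'no modules loaded')."""
    stack = [e for e in entries if e[0] == module_type]
    if not stack:
        return False, []
    required_failed = False
    trace = []
    for _, control, module, args in stack:
        ok = MODULES[module](user, args)
        trace.append((control, module, ok))
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, trace
        elif control == "sufficient" and ok and not required_failed:
            return True, trace
        elif control == "optional" and len(stack) == 1:
            return ok, trace
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported control flag: " + control)
    return not required_failed, trace


# The page's /etc/pam.d/reboot, and the same file with the two auth lines
# swapped, to show why line order matters.
REBOOT = """\
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so
"""
REBOOT_SWAPPED = """\
auth required pam_console.so
auth sufficient pam_rootok.so
account required pam_permit.so
"""


def may_reboot(user, config_text=REBOOT):
    """True when both the auth and the account stack let the user through."""
    entries = parse_pam_file(config_text)
    auth_ok, _ = run_stack(entries, user, "auth")
    acct_ok, _ = run_stack(entries, user, "account")
    return auth_ok and acct_ok


if __name__ == "__main__":
    for u in (User("root", 0, False), User("alice", 1000, True), User("bob", 1001, False)):
        print(u.name, "reboot:", may_reboot(u), "swapped:", may_reboot(u, REBOOT_SWAPPED))
```

With the file as written on the page, a remote root and a console user are allowed and a remote non-root user is not. With the two auth lines swapped, a remote root is refused: pam_console.so is 'required' and has already failed by the time the 'sufficient' pam_rootok.so line succeeds.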
Using PAM to control user access to any service
PAM, through the pam_listfile.so module, allows great flexibility in allowing or denying specific accounts access to any service. This example shows how this module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file:
# cat /etc/pam.d/vsftpd
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
...
With this PAM configuration, users listed in the file /etc/vsftpd.ftpusers are denied access to the vsftpd service. Similar lines can be added to other services such as pop (/etc/pam.d/pop) or ssh (/etc/pam.d/sshd) to restrict access to those services through PAM.
Note that if you change sense=deny to sense=allow, users listed in /etc/vsftpd.ftpusers will be allowed. For more info, see 'man pam_listfile'.
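The arguments on the vsftpd line above (item=user, sense=, file=, onerr=) determine not only who is listed but also what happens when the list cannot be used. The following Python is an added stand-in for pam_listfile.so's decision logic, not the module's source; the sample user list is constructed in a temporary directory, and because the temporary file is owned by whoever runs the script, the root-ownership check the real module performs is parameterised as owner_uid. It shows the caveat that onerr=succeed with sense=deny lets everyone through when the file is missing or world-writable, whereas onerr=fail locks everyone out.

```python
"""Added stand-in for pam_listfile.so's decision logic (not the module's
source). Reads the same arguments as the vsftpd line on the page and shows
what the onerr setting does when the list cannot be used."""

import os
import stat
import tempfile


def listfile_check(user, file, sense="deny", onerr="succeed", owner_uid=0):
    """Return True when the module would report success (access continues).

    sense=deny : success when the user is NOT in the file
    sense=allow: success when the user IS in the file
    onerr      : the result returned when the file cannot be used, i.e. it
                 is missing, unreadable, world-writable or not owned by
                 owner_uid (the real module insists on root ownership)."""
    on_error = (onerr == "succeed")
    try:
        st = os.stat(file)
        if st.st_uid != owner_uid or st.st_mode & stat.S_IWOTH:
            return on_error          # the list itself is not trustworthy
        with open(file) as fh:
            names = {line.strip() for line in fh if line.strip()}
    except OSError:
        return on_error
    listed = user in names
    return (not listed) if sense == "deny" else listed


def demo():
    """Evaluate several users and settings against a constructed
    vsftpd.ftpusers. Returns {case: module succeeded}."""
    with tempfile.TemporaryDirectory() as tmp:
        ftpusers = os.path.join(tmp, "vsftpd.ftpusers")
        with open(ftpusers, "w") as fh:
            fh.write("root\nbin\ndaemon\n")   # constructed sample list
        os.chmod(ftpusers, 0o644)
        loose = os.path.join(tmp, "loose.ftpusers")
        with open(loose, "w") as fh:
            fh.write("root\n")
        os.chmod(loose, 0o666)                 # world-writable: refused
        missing = os.path.join(tmp, "no-such-file")
        me = os.getuid()                       # stand-in for root ownership
        return {
            "root, sense=deny":  listfile_check("root", ftpusers, "deny", owner_uid=me),
            "alice, sense=deny": listfile_check("alice", ftpusers, "deny", owner_uid=me),
            "alice, sense=allow": listfile_check("alice", ftpusers, "allow", owner_uid=me),
            "root, sense=allow": listfile_check("root", ftpusers, "allow", owner_uid=me),
            # file missing: onerr alone decides the outcome
            "alice, list missing, onerr=succeed": listfile_check("alice", missing, "deny", "succeed"),
            "alice, list missing, onerr=fail":    listfile_check("alice", missing, "deny", "fail"),
            # file present but world-writable: treated as an error too
            "root, list world-writable, onerr=succeed": listfile_check("root", loose, "deny", "succeed", me),
            "root, list world-writable, onerr=fail":    listfile_check("root", loose, "deny", "fail", me),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:45s} -> {'allowed' if ok else 'denied'}")
```

The two error cases are the ones to watch on a real system: with onerr=succeed, as in the page's vsftpd line, a deleted or carelessly chmod'ed /etc/vsftpd.ftpusers silently stops denying root; with onerr=fail the same mistake denies the whole service, which is noisy but safe.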