Linux - PAM
PAM
[toc]
PAM = Pluggable Authentication Modules
PAM Services
4 types of PAM services:
- Authentication service modules.
- Account management modules.
- Session management modules.
- Password management modules.
Linux-PAM Configuration
/etc/pam.d
Any application requires authentication can register with PAM using a service name. list Linux services that use Linux-PAM /etc/pam.d
The configuration of Linux-PAM is in the directory /etc/pam.d
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ ls -la /etc/pam.d
total 144
drwxr-xr-x 2 root root 4096 Apr 12 00:53 .
drwxr-xr-x 138 root root 12288 Apr 13 00:10 ..
-rw-r--r-- 1 root root 258 Jan 14 2016 atd
-rw-r--r-- 1 root root 384 Nov 12 2015 chfn
-rw-r--r-- 1 root root 92 Nov 12 2015 chpasswd
-rw-r--r-- 1 root root 581 Nov 12 2015 chsh
-rw-r--r-- 1 root root 1208 Apr 11 21:30 common-account
-rw-r--r-- 1 root root 1221 Apr 11 21:30 common-auth
-rw-r--r-- 1 root root 1480 Apr 11 21:30 common-password
-rw-r--r-- 1 root root 1470 Apr 11 21:30 common-session
-rw-r--r-- 1 root root 1435 Apr 11 21:30 common-session-noninteractive
-rw-r--r-- 1 root root 606 Apr 5 2016 cron
-rw-r--r-- 1 root root 69 Feb 13 2016 cups
-rw-r--r-- 1 root root 56 Jan 26 2015 gnome-screensaver
-rw-r--r-- 1 root root 884 Mar 31 2017 lightdm
-rw-r--r-- 1 root root 551 Mar 31 2017 lightdm-autologin
-rw-r--r-- 1 root root 727 Mar 31 2017 lightdm-greeter
-rw-r--r-- 1 root root 4866 Jan 30 2016 login
-rw-r--r-- 1 root root 80 May 17 2014 newrole
-rw-r--r-- 1 root root 92 Nov 12 2015 newusers
-rw-r--r-- 1 root root 520 Mar 16 2016 other
-rw-r--r-- 1 root root 92 Nov 12 2015 passwd
-rw-r--r-- 1 root root 255 Mar 27 2019 polkit-1
-rw-r--r-- 1 root root 168 Jan 27 2016 ppp
-rw-r--r-- 1 root root 95 May 17 2014 run_init
-rw-r--r-- 1 root root 143 Mar 12 2016 runuser
-rw-r--r-- 1 root root 138 Mar 12 2016 runuser-l
-rw-r--r-- 1 root root 2133 Mar 4 2019 sshd
-rw-r--r-- 1 root root 2257 Nov 12 2015 su
-rw-r--r-- 1 root root 239 Mar 30 2016 sudo
-rw-r--r-- 1 root root 251 Apr 12 2016 systemd-user
-rw-r--r-- 1 root root 56 Mar 12 2019 unity
-rw-r--r-- 1 root root 119 May 8 2018 vmtoolsd
any service file is divided into three columns.
management group,control flags, themodule(so file) used.
four Management Groups in PAM services files:
- Auth Group: it can validate users
- Account Group: controls the access to the service like how many times you should use this service.
- Session Group: responsible for the service environment.
- Password Group: for password updating.
four control flags in services files:
- Requisite: the strongest flag. If the requisite not found or failed to load, it will stop loading other modules and return failure.
- Required: The same as requisite, but if the module failed to load for any reason, it continues loading other modules and returns failure at the end of execution.
- Sufficient: if the module return success, the processing of other modules no longer needed.
- Optional: In the case of failure, the stack of modules continues execution and the return code is ignored.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
Modules Order
The order is important because each module depends on the previous module on the stack.
1
2
3
4
5
6
7
8
auth required pam_unix.so
auth optional pam_deny.so
# work correctly, but what will happen if we change the order like this:
auth optional pam_deny.so
auth required pam_unix.so
# No one can log in, so the order matters.
/etc/security
Some PAM modules require configuration files with the PAM configuration to operate. You can find the configuration files in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ ls -la /etc/security
total 64
drwxr-xr-x 4 root root 4096 Apr 11 20:34 .
drwxr-xr-x 138 root root 12288 Apr 13 00:10 ..
-rw-r--r-- 1 root root 4620 Mar 16 2016 access.conf
-rw-r--r-- 1 root root 3635 Mar 16 2016 group.conf
-rw-r--r-- 1 root root 2150 Mar 16 2016 limits.conf
drwxr-xr-x 2 root root 4096 Mar 16 2016 limits.d
-rw-r--r-- 1 root root 1440 Mar 16 2016 namespace.conf
drwxr-xr-x 2 root root 4096 Mar 16 2016 namespace.d
-rwxr-xr-x 1 root root 1019 Mar 16 2016 namespace.init
-rw------- 1 root root 0 Jan 29 10:26 opasswd # for the old password
-rw-r--r-- 1 root root 2972 Mar 16 2016 pam_env.conf
-rw-r--r-- 1 root root 1718 Oct 26 2015 pwquality.conf
-rw-r--r-- 1 root root 419 Mar 16 2016 sepermit.conf
-rw-r--r-- 1 root root 2179 Mar 16 2016 time.conf # limit time usr to lonin
/lib/security/
where PAM modules actually are
use
login limits
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
$ cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, <domain> must be
# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
sample to setup
#<domain> <type> <item> <value>
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
bob - maxlogins 4
// how many bob can login in the same time.
# End of file
stop ssh login
create deny login file:
1
2
3
4
5
$ touch /etc/ssh/sshd.deny
# add line
bob
line
add limit to sshd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/etc/pam.d$ cat sshd
# PAM configuration for the Secure Shell service
# add line
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/sshd.deny onerr=succeed
// this will take some arguments
// username in /etc/ssh/sshd.deny, not allow to login
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
PAM Modules
PAM built-in modules on your system
pam_succeed_if Module
This module allows access for the specified groups.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
only users in the group whose ID 1000 or 2000 are allowed to log in.
auth required pam_succeed_if.so gid=1000,2000
any user id greater than or equal 1000 can log in.
auth requisite pam_succeed_if.so uid >= 1000
Only people in the group named mygroup can log in.
auth required pam_succeed_if.so user ingroup mygroup
pam_nologin Module
allows root only to login if /etc/nologin file is available.
- used with auth, account management groups.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
allows root only to login
$ touch /etc/nologin
auth required pam_nologin.so
search in configuration file, /etc/pam.d:
$ grep nologin.so *
lightdm:auth requisite pam_nologin.so
lightdm-autologin:auth requisite pam_nologin.so
login:auth requisite pam_nologin.so
ppp:auth required pam_nologin.so
sshd:account required pam_nologin.so
pam_access Module
This module works like the pam_succeed_if module except the pam_access module checks logging from networked hosts, while the pam_succeed_if module doesn’t care.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
only mygroup users are allowed to login
plus sign means allow
minus sign means deny.
account required pam_access.so accessfile=/etc/security/access.conf
# type rules in the
/etc/security/access.conf
+:mygroup
-:ALL:ALL
This module is used with auth, account, session, password management groups.
pam_deny Module
The module is used for restricting access. It will always return a non-OK. This module is used with auth, account, session, password management groups.
1
2
3
4
5
use it at the end of your module stack to protect yourself from any misconfiguration.
use it at the beginning of the module stack, your service will be disabled:
auth required pam_deny.so
auth required pam_unix.so
pam_unix Module
This module is used to check the user’s credentials against /etc/shadow file. This module is used with auth, session, password management groups.
1
2
3
4
5
this module used in many services in your system.
auth required pam_unix.so
pam_localuser Module
This module is used to check if the user is listed in /etc/passwd.
- used with auth, session, password, account management groups.
1
account sufficient pam_localuser.so
pam_mysql Module
Instead of checking user’s credentials against/etc/shadow, you can use a MySQL database as a backend using the pam_mysql module.
- used with auth, session, password, account management groups.
1
2
3
4
5
6
7
8
9
10
11
It can be used like this:
auth sufficient pam_mysql.so user=myuser passwd=mypassword host=localhost db=mydb table=users usercolumn=username passwdcolumn=password
The parameters for pam_mysql is used to validate the user.
install if it is not on your system:
$ yum install libpam-mysql
pam_cracklib module
This module ensures that you will use strong passwords.
- used with password management group.
1
2
3
4
5
password required pam_cracklib.so retry=4 minlen=12 difok=6
# ensures
Password minimum length = 12
Four times to pick a strong password, otherwise, it will exit.
Your new password must have 6 new characters from the old password.
pam_rootok Module
This module checks if the user ID is 0 that means only root users can run this service.
- used with auth management group.
1
2
3
4
5
to ensure that a specific service is allowed for root users only.
auth sufficient pam_rootok.so
pam_limits Module
This module is used to set limits on the system resources, even root users are affected by these limits.
- used with the session management group.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
The limits configuration are in the dir:
/etc/security/limits.d/
session required pam_limits.so
You can use this module to protect your system resources.
The limits in /etc/security/limits.conf file could be hard or soft.
- Hard: The user cannot change its value, but root can.
- Soft: normal user can change it.
The limits could be fsize, cpu, nproc, nproc, data, and many other limits.
@mygroup hard nproc 50
myuser hard cpu 5000
The first limit for mygroup members which sets the number of processes for each one of them to be 50.
The second limit for the user named myuser which limits the CPU time to 5000 minutes.
.
This post is licensed under CC BY 4.0 by the author.
Comments powered by Disqus.