Slides From Pam Training Presentation

This document provides an overview of Pluggable Authentication Modules (PAM) in Linux. It discusses the history and purpose of PAM, how authentication works with PAM through configuration files and modules, common PAM module types and control flags, and examples of PAM configuration files. It also covers potential issues with PAM configuration and provides tips for troubleshooting PAM problems.

Uploaded by thaddeusq
License: Attribution Non-Commercial (BY-NC)
Cooking with PAM

(Pluggable Authentication Modules)

Thad Van Ry
Linux System Engineer
LDS Church

http://www.linuxnetadmin.com
irc = ThaddeusQ
Caution!!
● Complete lockout is possible
● Have a separate root session open
● Back up PAM config files before changing them
● Keep a live CD close by
Authentication without PAM

(Diagram: login, rlogin, telnet and rsh each read /etc/passwd directly, so every program carries its own authentication code.)
History of PAM

PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun Microsystems.
Authentication with PAM

(Diagram: sshd sends an authentication request to the PAM library; the library reads the configuration file /etc/pam.d/sshd, calls each listed PAM module in turn, and returns the result, success or fail, to sshd.)

Configuration file /etc/pam.d/sshd:
auth required pam_env.so
auth required pam_unix2.so
account sufficient pam_vas3.so
.
.
.
password required pam_pwcheck.so

PAM modules: pam_env.so pam_unix2.so pam_vas3.so pam_pwcheck.so
PAM Requirements
● PAM must be installed (included in most modern Unix / Linux OSes)
● Application must be “PAM aware”, i.e. linked against libpam (can check using ldd)
$ ldd /bin/login
<snip>
libpam.so.0 => /lib64/libpam.so.0
<snip>
Configuration Files
● On Linux located in /etc/pam.d/, one file per application (service name).
● On AIX (and Solaris) in /etc/pam.conf - each line begins with the application name. Linux also accepts /etc/pam.conf, but only if /etc/pam.d/ does not exist.
● Format:
module_type control_flag module_path [arguments]

● For example:
auth required /lib/security/pam_pwdb.so shadow nullok
Module type
Four groups of checks (stacks):
● auth – provides the actual authentication, perhaps asking for and checking a password
● account – makes sure the authentication is allowed (the account has not expired, time of day restrictions, etc.)
● password – used to set passwords
● session – used after a user has been authenticated to allow them to use their account (mount home directory, logging activities, etc.)
Control Flags
Four types of control flags (plus include):
● required – Must return success. If it fails, PAM continues checking the stack (so the user still sees the remaining prompts); however, the overall result will be a failure.
● requisite – Works like required, but in case of failure it returns immediately.
● sufficient – If this module ends successfully, the other modules in the stack don't really matter and the overall result is success. Caveat: this only holds if no earlier required module has already failed; a failing sufficient module is simply ignored.
● optional – This flag allows PAM to continue checking other modules even if this one has failed. Its result only counts if it is the only module in the stack that decides anything.
● include – used to include the lines of the same module type from another file
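To make the configuration format, the four module types and the control-flag semantics concrete, here is an added example that is not part of the slides: a small parser for both configuration layouts (/etc/pam.d/<service> and /etc/pam.conf) and an evaluator that walks one stack the way libpam combines required, requisite, sufficient, optional and include. The sample configuration, the file passed to include, and the module outcomes are constructed for the example; module names such as pam_vas3.so and pam_unix2.so are taken from the slides but nothing here loads a real module or touches the system's PAM files.

```python
# Added example (not from the slides): a parser for both PAM config layouts
# and an evaluator that mirrors how libpam combines the simple control flags.
# Module outcomes are supplied as a hypothetical dict; no real module is run.
from dataclasses import dataclass

FLAGS = ("required", "requisite", "sufficient", "optional", "include")


@dataclass(frozen=True)
class Rule:
    service: str
    mtype: str    # auth | account | password | session
    control: str  # one of FLAGS; the bracketed [value=action ...] form is not handled
    module: str   # e.g. pam_unix2.so
    args: tuple   # module arguments, e.g. ("nullok",)


def parse_pam(text, service=None):
    """service=None -> /etc/pam.conf layout (service type control module [args]);
    otherwise /etc/pam.d/<service> layout (type control module [args]).
    '#' starts a comment, so the '#%PAM-1.0' header line is skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        svc = service if service is not None else fields.pop(0)
        if len(fields) < 3:
            raise ValueError(f"short PAM line: {raw!r}")
        mtype, control, module, *args = fields
        if control.lower() not in FLAGS:
            raise ValueError(f"unsupported control flag: {control!r}")
        rules.append(Rule(svc, mtype.lower(), control.lower(), module, tuple(args)))
    return rules


def expand(rules, mtype, files):
    """The stack for one module type, with 'include' lines replaced by the
    matching lines of the named file (files maps file name -> text)."""
    stack = []
    for r in rules:
        if r.mtype != mtype:
            continue
        if r.control == "include":
            stack.extend(expand(parse_pam(files[r.module], r.service), mtype, files))
        else:
            stack.append(r)
    return stack


def evaluate(rules, mtype, results, files=None):
    """Walk one stack; return (overall_success, modules_consulted).
    results maps module name -> True/False; a module absent from results fails,
    like a module that cannot be loaded. 'impression' follows libpam:
    None = nothing decided yet, True = positive, False = negative."""
    consulted, impression = [], None
    for r in expand(rules, mtype, files or {}):
        consulted.append(r.module)
        ok = results.get(r.module, False)
        if r.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            elif r.control == "requisite":
                return False, consulted        # fail and stop immediately
            else:
                impression = False             # keep walking, but the answer is failure
        elif r.control == "sufficient":
            if ok and impression is not False:
                return True, consulted         # success ends the stack early
            # a failing sufficient module is simply ignored
        elif r.control == "optional":
            if ok and impression is None:
                impression = True              # counts only if nothing else decided
    return bool(impression), consulted         # nothing decided at all -> denied


# Constructed sample configs (not the presenter's real files).
SSHD_PAMD = """#%PAM-1.0
auth     required   pam_env.so
auth     sufficient pam_vas3.so
auth     required   pam_unix2.so
account  include    common-account
"""
FILES = {"common-account": "account required pam_unix2.so\n"}


def demo():
    rules = parse_pam(SSHD_PAMD, "sshd")
    ad_user = {"pam_env.so": True, "pam_vas3.so": True, "pam_unix2.so": False}
    local_user = {"pam_env.so": True, "pam_vas3.so": False, "pam_unix2.so": True}
    env_broken = {"pam_env.so": False, "pam_vas3.so": True, "pam_unix2.so": True}
    return {
        "ad_user": evaluate(rules, "auth", ad_user),        # sufficient short-circuits
        "local_user": evaluate(rules, "auth", local_user),  # sufficient failure ignored
        "env_broken": evaluate(rules, "auth", env_broken),  # earlier required failure wins
        "account": evaluate(rules, "account", local_user, FILES),
    }


def securetty_demo():
    """required vs requisite on a login-style stack when pam_securetty rejects the tty."""
    outcome = {"pam_securetty.so": False, "pam_unix2.so": True}
    required = parse_pam("auth required pam_securetty.so\nauth required pam_unix2.so", "login")
    requisite = parse_pam("auth requisite pam_securetty.so\nauth required pam_unix2.so", "login")
    return evaluate(required, "auth", outcome), evaluate(requisite, "auth", outcome)


if __name__ == "__main__":
    print(demo(), securetty_demo())
```

The env_broken case is the one that surprises people: pam_vas3.so succeeds, but because a required module ahead of it already failed, sufficient cannot rescue the stack. The securetty_demo shows why login uses required rather than requisite for pam_securetty: with required the password module is still consulted, so a rejected terminal does not reveal itself before the password prompt; with requisite the stack stops at the first module.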
Module path
● Can give the full path in the configuration file:
/lib/security/pam_unix.so
● In Linux, if only the module name is given, PAM looks in its default module directory, /lib/security (or /lib64/security on 64-bit systems, matching the /lib64 location of libpam in the ldd output above).
Arguments
● Parameters that are passed to the authentication module
● Usually specific to each module.
● Some common arguments understood by many modules:
– debug – Send debugging information to the system logs.
– use_first_pass – Do not prompt the user for a password a second time. Use the password entered for an earlier module in the stack to determine eligibility; if no password was entered, the module fails.
– try_first_pass – Similar to use_first_pass; however, if the existing password causes a failure to be returned, the user is then asked for a password again.
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_env.so
auth required pam_unix2.so
auth required pam_nologin.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok
session required pam_limits.so
session required pam_unix2.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
/etc/pam.d/other
Used if a PAM-aware application doesn't have its own configuration file in /etc/pam.d. Keeping it at deny-everything, as below, is the safe default: an unconfigured service is refused rather than silently allowed.
#%PAM-1.0
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
How can PAM help me?
● Password strength checks can be added to /etc/pam.d/passwd using pam_pwcheck.so or pam_cracklib.so
● If there is an issue you're having that deals with authentication, see if a module has been created.
How can PAM hurt me?
● Messed up PAM files can lock out access for
everyone including root!!
● Order is important in PAM configuration files.
HELP!!???
● Most modules have a man page. Try looking there first (e.g. $ man pam_pwcheck to get information about pam_pwcheck.so).
● Use the debug argument and read the system logs.
● Google is your friend.
● PAM article in the January 2009 issue of LJ
– http://www.linuxjournal.com/article/10278
● Linux user group mailing lists
Questions, Comments, Crude Remarks?