Linux Services Organization

Our goal, introduce Linux services to the enterprise world.
Contact us in contact@linuxsv.org

Linux Services Organization : Linux PAM Linux Server

Pluggable Authentication Modules (PAM) are a group of dynamically loadable library modules that govern how individual applications verify their users. PAM configuration files are stored on directory /etc/pam.d/ and they can be modified to suit particular needs. Each PAM configuration file controls the way user authentication and authorization is managed on the standard Linux commands that are PAM-aware, that means that the command makes use of libpam library. Documentation of each service PAM configuration file can be found on /usr/share/doc/pam directory or just trying 'man pam_nameofcommand'

In order to verify if a Linux command is PAM-aware you can use the 'ldd' command. In the following example the command '/bin/login' uses libpam library so login is PAM-aware:

# ldd /bin/login | grep pam
libpam.so.0 => /lib/libpam.so.0
...

PAM configuration

Each line in all PAM configuration file, /etc/pam.d/nameofcommand is written in the following format:

module_type control_flag module [arguments]

--> The PAM system divides the process of verifying users into four separate module_type that can be one of the following:

auth
Authentication management establishes users identity. PAM auth command decides whether to prompt for a username and/or a password.

account
Account management allows/denies access according to the account policies. PAM account command may deny access according to time, password expiration, or a specific list of restricted users.

password
Password management manages password policies. PAM password command may limit the number of times a user can try to log in before a console is reset.

session
Session management applies settings for an application. PAM session command may set default settings for a login console.

--> The control_flag determines how the configuration file reacts when a module flags success or failure and can be one of the following :

required
If the module works, the command proceeds. If it fails, PAM proceeds to the next command in the configuration file-but the command controlled by PAM will still fail.

requisite
Stops the process if the module fails.

sufficient
If the module works, the login or other authentication proceeds and no other commands need be processed.

optional
PAM ignores module success or failure.

include
Includes all module_type directives from the noted configuration file. If the directive is 'password include system-auth', this includes all password directives from the PAM system-auth file.

--> All PAM modules are installed on /lib/security (/lib64/security for 64-bits system) directory. You can list all of them with the command 'ls -lrt /lib/security'.

# ls -1rt /lib/security/

pam_ck_connector.so
pam_oddjob_mkhomedir.so
pam_xauth.so
pam_wheel.so
pam_warn.so
pam_userdb.so
pam_unix.so
pam_umask.so
pam_tty_audit.so
pam_timestamp.so
pam_time.so
pam_tally2.so
pam_succeed_if.so
pam_stress.so
pam_shells.so
pam_sepermit.so
pam_selinux.so
pam_securetty.so
pam_rootok.so
pam_rhosts.so
pam_pwhistory.so
pam_postgresok.so
pam_permit.so
pam_nologin.so
pam_namespace.so
pam_motd.so
pam_mkhomedir.so
pam_mail.so
pam_loginuid.so
pam_localuser.so
pam_listfile.so
pam_limits.so
pam_lastlog.so
pam_keyinit.so
pam_issue.so
pam_group.so
pam_ftp.so
pam_filter.so
pam_faildelay.so
pam_exec.so
pam_env.so
pam_echo.so
pam_deny.so
pam_debug.so
pam_cracklib.so
pam_console.so
pam_chroot.so
pam_access.so
pam_cap.so
pam_ldap.so
pam_krb5.so
pam_passwdqc.so
pam_fprintd.so
pam_winbind.so
pam_smbpass.so
pam_sss.so
pam_filter
pam_selinux_permit.so
pam_unix_acct.so
pam_unix_session.so
pam_unix_passwd.so
pam_unix_auth.so
pam_krb5afs.so
pam_krb5


For more information about each PAM module open his main page. For example documentation about pam_chroot.so try 'man pam_chroot'.

PAM configuration file example : /etc/pam.d/reboot

It manages authentication and authorization on the execution of the 'reboot' command.

# cat /etc/pam.d/reboot

auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so


The first line 'auth sufficient pam_rootok.so' makes if the user that is executing 'reboot' command is root (UID=0) the execution is allowed and no other PAM lines are processed.

The second line 'auth required pam_console.so' allows the execution of the command 'reboot' if the user that is executing the command is logged at the physical console. If this is the case PAM will continue processing next pam lines , if not PAM will fail at the end of the processing and the 'reboot' command will not be executed.

Next line is commented, so it will not have any PAM effect.

Last line 'account required pam_permit.so' always permit access. In this particular case is the last line on the PAM configuration file so if PAM gets here 'reboot' execution will be allowed finally. The opposite of this PAM module is pam_deny.so, it always fails dening access.

-->As conclusion user root or any user logged at physical console will be allowed to execute the command 'reboot' through PAM.
Note that the line order on a PAM configuration file is very important !!!

Using PAM to control access to users to any services

PAM through the pam_listfile.so module, allows great flexibility in allowing/denying specific accounts to any service. This example shows how this module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file:

# cat /etc/pam.d/vsftpd

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
...


With this PAM configuration users listed on file /etc/vsftpd.ftpusers have denied access to the vsftpd service. Similar lines can be added to other services as pop (/etc/pam.d/pop) or ssh (/etc/pam.d/sshd) to restrict access to this services through PAM.

Note that if you change sense=deny for sense=allow users listed on /etc/vsftpd.ftpusers will be allowed. For more info 'man pam_listfile'.

Questions

1.- PAM security modules are applied to all Linux commands (true/false).

2.- PAM is installed by default on RHEL6 system by the pam RPM (true/false).

3.- Which PAM module check will make PAM fails immediately with no more PAM process if the module fails.

4.- Which directory contains PAM configuration files ?

A - /etc/pam.conf/
B - /etc/pam.d/
C - /etc/pam/
D - /lib/pam.d/

5.- Which of the following PAM lines will permit access to root user ?

A - auth sufficient pam_rootok.so
B - account required pam_permit.so
C - Both of them
D - None of them

Labs

1.- Edit 'reboot' PAM configuration file to make sure than all users at physical console except root must type their password when running it.

2.- Modify 'reboot' PAM configuration file in order to allow the execution of this command only to console users listed on /etc/reboot.allow file with authentication.

3.- Change 'reboot' PAM configuration file to make sure that nobody unless root can execute this command.

-- This page is part of Linux Server online tutorial --