Pulling The Covers Off Linux PAM - Page 2

By  Carla Schroder | Oct 29, 2007
Continued From Page 1

Setting Sensible Fallbacks in Debian
You should have a sensible system fallback policy for services that are not included in /etc/pam.d/. Red Hat/Fedora by default deny everything that is not allowed. Debian does the opposite. The /etc/pam.d/other file is called when a service tries to authenticate and it has no PAM configuration file of its own. The Debian default is to allow unknown services to log in, using system defaults as defined in the common-* files:

# /etc/pam.d/other
@include common-auth
@include common-account
@include common-password
@include common-session

The @include directive is how one PAM file pulls in another. Another way to do the same thing is to make /etc/pam.d/other look like this:


auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so nullok obscure min=8 max=12 md5
session required pam_unix.so

The tightest (or most paranoid, whichever you prefer) security policy is "deny all, allow as needed," not the "allow anyone who can scam a login" scheme shown here. (Note that the root user is exempt from the password length limitation, and can set passwords of any length for anyone.)

This configuration denies everything that is not specifically allowed:

auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
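
To check which of the two fallback policies a machine actually has, the following added example (not part of the original article) reads /etc/pam.d/other, expands @include lines, and reports for each management type whether the stack is an explicit deny. The function names read_stack and audit_fallback are hypothetical, and the rule it applies is this example's own conservative assumption: a type counts as denied only if a required or requisite pam_deny.so is reached before any rule that could end the stack with success.

```python
import os
import re

TYPES = ("auth", "account", "password", "session")
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
SAFE_BEFORE_DENY = {"required", "requisite", "optional"}  # cannot end a stack with success

def read_stack(pam_dir, name, chain=()):
    """Return (type, control, module) rules for one file, expanding @include."""
    if name in chain:                       # include loop: stop descending
        return []
    rules = []
    with open(os.path.join(pam_dir, name)) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if line.startswith("@include"):
                parts = line.split()
                if len(parts) == 2:
                    rules += read_stack(pam_dir, parts[1], chain + (name,))
                continue
            m = RULE.match(line)
            if m:
                rules.append((m.group(1), m.group(2), os.path.basename(m.group(3))))
    return rules

def audit_fallback(pam_dir="/etc/pam.d", service="other"):
    """Map each management type to True if its stack is an explicit deny."""
    rules = read_stack(pam_dir, service)
    result = {}
    for t in TYPES:
        denied = False
        for rtype, control, module in rules:
            if rtype != t:
                continue
            if module == "pam_deny.so" and control in ("required", "requisite"):
                denied = True
                break
            if control not in SAFE_BEFORE_DENY:
                break                       # sufficient or [...] may short-circuit
        result[t] = denied
    return result

if __name__ == "__main__":
    if os.path.exists("/etc/pam.d/other"):
        for t, ok in audit_fallback().items():
            print(f"{t:9} {'deny' if ok else 'NOT deny-all'}")
```

A type with no rules at all is reported as not denied, so a partially filled-in fallback file is flagged rather than passed.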

Next week we'll dig into syntax and what all these things mean, putting directives in the correct order, and look at specific configurations for different services.
