Pulling The Covers Off Linux PAM - Page 2

By Carla Schroder | Posted Oct 29, 2007

Setting Sensible Fallbacks in Debian
You should have a sensible fallback policy for services that have no file of their own in /etc/pam.d/. Red Hat/Fedora by default deny everything that is not explicitly allowed. Debian does the opposite. The /etc/pam.d/other file is consulted whenever a service calls PAM and has no configuration file of its own. The Debian default lets unknown services authenticate with the same system defaults that known services use, as defined in the common-* files:

# /etc/pam.d/other
@include common-auth
@include common-account
@include common-password
@include common-session

The @include directive is how one PAM file pulls in another. Another way to get the same result is to write the module lines directly into /etc/pam.d/other, like this:

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so nullok obscure min=8 max=12 md5
session required pam_unix.so

The tightest (or most paranoid, whichever you prefer) security policy is "deny all, allow as needed," not the "allow anyone who can scam a login" scheme shown here. Two details of that scheme deserve attention: nullok lets a user whose password field is empty log in without any password at all, and the root user is exempt from the password length limitation and can set passwords of any length for anyone.

This configuration denies everything that is not specifically allowed:

auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so

Next week we'll dig into syntax and what all these things mean, putting directives in the correct order, and look at specific configurations for different services.
