Pulling The Covers Off Linux PAM (Part 2) - Page 2

By  Carla Schroder | Jun 28, 2005

Re-using Passwords
One of PAM's really nice features is that it allows you to use any kind of central authentication server, and users only need to log in once. PAM then remembers their password and does not keep bugging them for it. This magic is implemented using the use_first_pass argument, as in this example for LDAP:

auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_unix.so use_first_pass

use_first_pass tells PAM to re-use the password that was given for the previous line instead of prompting again. So the pam_ldap.so module asks for a password, then PAM saves it for pam_unix.so, the standard Linux/Unix authentication module, to use. This works only for auth and password modules.

Blocking Users
You can allow or deny users with the pam_access.so module and /etc/security/access.conf. Use this syntax in the file:

permission : users : origins

Permission is either a + or -, indicating allow or deny.

Users are a space-separated list of user names, group names, or netgroup names. Netgroup names must be preceded by @.

Origins are space-separated lists of domain names, hostnames, or IP addresses. This is a useful method for preventing unauthorized users from getting into a machine they're not supposed to be in, even though they have somehow acquired a login. (Hint to high school administrators: this is preferable to hitting students with felony charges after they "hack" an insecure school network.)

Both users and origins support EXCEPT statements, like this:

# Allow only school administrators
-:ALL EXCEPT admins:ALL

You can leave it open to all, naming only users and groups to deny access to:

# These users are banned
-:akkana dancer meflin dana drew @art_group:ALL EXCEPT carla
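
The rule syntax above can be checked offline with a small evaluator. This is an added example, not code from the article or from Linux-PAM: a simplified Python model of how pam_access reads access.conf, covering three-field parsing, EXCEPT, first-match-wins, and the default of granting access when no rule matches. The names parse, in_list and allowed are hypothetical, group and netgroup memberships are passed in as a constructed set instead of being looked up, and the admins-only rule is written with all three fields.

```python
# Simplified model of how pam_access reads access.conf (added example).
# Not modelled: LOCAL, tty names, network/netmask origins, real group lookups.

def parse(text):
    """Return (rules, bad_line_numbers); a rule is (perm, user_tokens, origin_tokens)."""
    rules, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-") or not all(fields):
            bad.append(n)   # e.g. a rule with no origins field is skipped
            continue
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules, bad

def in_list(tokens, test):
    """'a b EXCEPT c': true if a token before EXCEPT matches and none after does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    return any(test(t) for t in head) and not (tail and in_list(tail, test))

def allowed(rules, user, memberships, origin):
    """First rule matching both user and origin decides; no match grants access."""
    def user_ok(tok):
        return tok == "ALL" or tok == user or tok in memberships
    def origin_ok(tok):
        return tok in ("ALL", origin) or (tok.startswith(".") and origin.endswith(tok))
    for perm, users, origins in rules:
        if in_list(users, user_ok) and in_list(origins, origin_ok):
            return perm == "+"
    return True

# Constructed input based on the two rules on this page (three fields each).
ADMINS_ONLY = "# Allow only school administrators\n-:ALL EXCEPT admins:ALL\n"
BANNED = "-:akkana dancer meflin dana drew @art_group:ALL EXCEPT carla\n"

if __name__ == "__main__":
    rules, bad = parse(BANNED)
    for who, groups, host in [("akkana", set(), "lab1"), ("akkana", set(), "carla"),
                              ("pat", {"@art_group"}, "lab1"), ("terry", set(), "lab1")]:
        print(who, host, "allowed" if allowed(rules, who, groups, host) else "denied")
    print(parse("-:ALL EXCEPT admins\n"))   # two fields: rule rejected
```

Because a login that matches no rule is granted, a deny line that fails to parse leaves the machine open, so check the system log for pam_access errors after editing the file. Allow-list policies usually end with a final -:ALL:ALL line for the same reason.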

PAM is a powerful, flexible tool that can work wonders for your authentication and security infrastructure. Check out Google Groups, searching on "debian pam" or "red hat pam" or whatever you need, to find good tips and help.
