Pulling The Covers Off Linux PAM (Part 2)
In part 1 of our look at Linux PAM, we learned how to remove the annoying failed-login delay, lock out users who have too many failed login attempts and how to set a restrictive fallback configuration. Today we'll look at Linux distribution differences, dig into the module types, what order to put things in, and what the different options mean. You should have part 1 handy so you can refer to the examples.
Red Hat v. The World
Red Hat is (in)famous for heavily customizing its Linux releases. This gets confusing when howto authors assume that Red Hat = Linux and don't bother to point out the Red Hat-specific bits, or when you're reading the program author's documentation and it makes no sense for Red Hat. When you're studying PAM there are two items in particular that you'll see a lot of that belong to Red Hat and its derivatives: the pam_stack.so module and the system-auth file. They are always used together, as this example from Fedora's /etc/pam.d/login shows:
auth required pam_stack.so service=system-auth
pam_stack.so works a bit like the @include statements in Debian PAM configuration files (see part 1 for an example); it calls the stack defined for another service. Red Hat uses it with the system-auth file to create a system default, which makes it easy to add a new PAM service and to make global changes. pam_stack.so fully supports recursion, so be very careful that you do not make it reference itself, either directly or through the other configuration files it references, or it will get stuck in a loop.
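A quick check for that loop, added here as an example (it is not part of the article, nor of Linux-PAM): the script reads a set of /etc/pam.d files, follows every `pam_stack.so service=` and `@include` reference, and reports any chain that comes back to where it started. The service names and file contents in SAMPLE_PAM_D are constructed for the demonstration; pass a real directory on the command line to scan your own files.

```python
"""Detect pam_stack.so / @include chains that loop back on themselves
(added example; not part of the article or of Linux-PAM).  The service
names and file contents below are constructed for the demonstration."""
import os
import re
import sys

# 'pam_stack.so service=NAME' anywhere on a rule line (Red Hat style)
STACK_RE = re.compile(r"pam_stack\.so\b.*?\bservice=(\S+)")
# '@include NAME' at the start of a line (Debian style)
INCLUDE_RE = re.compile(r"^@include\s+(\S+)")


def referenced_services(text):
    """Return the services one /etc/pam.d file hands control to, in order."""
    refs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = INCLUDE_RE.match(line) or STACK_RE.search(line)
        if m:
            refs.append(m.group(1))
    return refs


def find_stack_cycles(configs):
    """configs: {service name: file text}.  Returns each cycle once, as a list
    of service names that starts and ends on the same service."""
    state = {}                       # name -> "visiting" or "done"
    cycles = []

    def visit(name, path):
        if state.get(name) == "visiting":
            cycles.append(path[path.index(name):] + [name])
            return
        if state.get(name) == "done" or name not in configs:
            return                   # a missing service falls through to 'other' (see part 1)
        state[name] = "visiting"
        for ref in referenced_services(configs[name]):
            visit(ref, path + [name])
        state[name] = "done"

    for name in configs:
        visit(name, [])
    return cycles


def load_pam_dir(directory):
    """Read every file in a real /etc/pam.d directory into the dict shape above."""
    configs = {}
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                configs[entry] = fh.read()
    return configs


# Constructed set of files.  'login' is the healthy Fedora-style case from the
# article; 'site-auth' and 'common-auth' reference each other, which is the
# loop the article warns about.
SAMPLE_PAM_D = {
    "login": "auth required pam_stack.so service=system-auth\nauth requisite pam_nologin.so\n",
    "system-auth": "auth required pam_unix.so\naccount required pam_unix.so\n",
    "sshd": "auth required pam_stack.so service=site-auth\n",
    "site-auth": "@include common-auth\n",
    "common-auth": "auth sufficient pam_ldap.so\nauth required pam_stack.so service=site-auth\n",
}

if __name__ == "__main__":
    configs = load_pam_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PAM_D
    for cycle in find_stack_cycles(configs):
        print("loop: " + " -> ".join(cycle))
```

Run it without arguments to see the constructed loop reported as `site-auth -> common-auth -> site-auth`; run it as `python3 check_stack.py /etc/pam.d` before you restart a service whose configuration you just edited, and silence means no loop was found.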
Your /etc/pam.d files all use this syntax:
module-type control-flag module-path arguments
The first three are required; arguments are optional.
Four Module Types
auth
This does the work of verifying a user's identity and credentials. PAM is so flexible it will recognize many kinds of authentication: login/password, biometrics, medieval chants, or anything else you can think of and have the talent to code.
account
This performs non-authentication account management, like checking to see if the user is authorized to use the system, and it manages access restrictions, such as time of day and type of service.
password
Updates passwords, allows or denies null passwords, verifies password strength and encryption type, re-uses passwords to avoid forcing users to have multiple logins, can check databases, and sets credentials like Kerberos tickets or group memberships.
session
For all the little odds and ends that make life nicer, like mounting directories, stopping or starting services, creating files, and setting resource limits.
Control Flags
These can be a bit confusing, so let's take a closer look. The control flag determines what PAM does next based upon the result of the check the module performed.
required
The user must pass this check to continue. If it fails, the remaining modules are still run, and then the user is denied. Some folks think this adds a bit of security by not revealing where the failure occurred.
requisite
The user must pass this check to continue. If it fails, no more checks are run and the user is denied immediately.
sufficient
If this succeeds, and no required check before it has failed, the authentication succeeds right there and the rest of the stack is skipped. If it fails, the failure is ignored, as long as the required or requisite checks succeed.
optional
optional modules can fail all over the place and authentication won't be denied, unless there are no other modules for that service.
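The syntax and the four control flags, modelled in a short script that is added here as an example and is not the article's or Linux-PAM's own code. It parses lines of the `module-type control-flag module-path arguments` form, then walks one stack the way Linux-PAM does: requisite stops on failure, required records the failure but keeps going, sufficient ends the stack on success unless a required module already failed, and optional only counts when nothing else has decided. Real modules are not loaded; each module's outcome is supplied as a dict. The pam_deny.so line and the three login scenarios in demo() are constructed.

```python
"""Small model of how Linux-PAM walks one module stack (added example, not
Linux-PAM's own code).  The outcome of each module is supplied as a dict
(module path -> True for PAM_SUCCESS, False for any error) instead of
really loading the module, so the script runs offline."""
from dataclasses import dataclass

MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass(frozen=True)
class Rule:
    module_type: str
    control: str
    module_path: str
    args: tuple


def parse_pam_config(text):
    """Parse 'module-type control-flag module-path [arguments]' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: module-type, control-flag and module-path are required")
        mtype, control, path, *args = fields
        if mtype.lower() not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {mtype!r}")
        if control.lower() not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        rules.append(Rule(mtype.lower(), control.lower(), path, tuple(args)))
    return rules


def run_stack(rules, module_type, outcomes):
    """Walk the rules of one module type; return ('success'|'failure', trace).

    A module missing from `outcomes` is treated as failing.  An empty stack
    fails, as Linux-PAM does when a service has no rules of that type."""
    stack = [r for r in rules if r.module_type == module_type]
    trace = []
    impression = None   # None: undecided, True: passing so far, False: a required module failed
    for rule in stack:
        ok = outcomes.get(rule.module_path, False)
        trace.append(f"{rule.control} {rule.module_path}: {'ok' if ok else 'fail'}")
        if rule.control == "requisite":
            if not ok:
                trace.append("requisite failed: stop and deny immediately")
                return "failure", trace
            if impression is None:
                impression = True
        elif rule.control == "required":
            if not ok:
                impression = False      # the stack keeps running, but the answer is now 'deny'
            elif impression is None:
                impression = True
        elif rule.control == "sufficient":
            if ok and impression is not False:
                trace.append("sufficient succeeded: stop and allow immediately")
                return "success", trace
            # a failing sufficient module is simply ignored
        elif rule.control == "optional":
            if ok and impression is None:
                impression = True       # only counts when nothing else has decided
    return ("success" if impression else "failure"), trace


# Constructed /etc/pam.d/login fragment built from the lines shown in the article.
SAMPLE_LOGIN = """\
auth     requisite  pam_nologin.so
auth     sufficient /lib/security/pam_ldap.so
auth     sufficient /lib/security/pam_unix.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
"""


def demo():
    """Three constructed logins against SAMPLE_LOGIN."""
    rules = parse_pam_config(SAMPLE_LOGIN)
    # /etc/nologin exists, so pam_nologin fails for an ordinary user
    locked, _ = run_stack(rules, "auth", {"pam_nologin.so": False, "/lib/security/pam_unix.so": True})
    # no nologin file, LDAP rejects, the local password is right
    local, _ = run_stack(rules, "auth", {"pam_nologin.so": True, "/lib/security/pam_unix.so": True})
    # neither backend accepts the password, so pam_deny settles it
    bad, _ = run_stack(rules, "auth", {"pam_nologin.so": True})
    return locked, local, bad


if __name__ == "__main__":
    for label, result in zip(("nologin present", "local password", "bad password"), demo()):
        print(f"{label}: {result}")
```

The trace returned next to the verdict is the part worth reading: it shows which line ended the stack, which is exactly what you need to know when a requisite line denies a user before the module you expected ever ran.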
Module Arguments
You'll find the arguments each module accepts in the documentation for the individual modules, such as Chapter 6 of The Linux-PAM System Administrators Guide. Any modules that are not included there, such as third-party and Red Hat modules, hopefully will come with their own documentation.
Now let's do some fun stuff with PAM.
Locking Out Everyone, Hahaha
Suppose you want only the root user to be able to log into a system, and no one else. Why? Maybe you want to perform some system maintenance. Maybe you're just feeling ornery. Let's assume the first scenario. First tell everyone to find a stopping point in their work:
Important Message From Your BOFH
**the system is going down for maintenance in FIVE MINUTES**
**you have been WARNED**
Hit CTRL+D to send the message. Then create a nologin file:
# touch /etc/nologin
Then kick all the logged-in users off the system. Rebooting is the easy way. Now no one else can log in and you can get your work done in peace and quiet. This works because
auth requisite pam_nologin.so
is a standard line in /etc/pam.d/login on most Linux distributions. Note that this replaces the NOLOGINS_FILE option from /etc/login.defs.
One of PAM's really nice features is that it lets you use any kind of central authentication server without making users type their password more than once per login. PAM remembers the password the first module collected and hands it to the next one instead of prompting again. This magic is implemented using the use_first_pass argument, like this example for LDAP:
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_unix.so use_first_pass
use_first_pass tells PAM to re-use the password that was given for the previous line. So the pam_ldap.so module asks for a password, then PAM saves it for pam_unix.so, the standard Linux/Unix authentication module, to use. This works only for auth and password modules.
You can allow or deny users with the pam_access.so module and /etc/security/access.conf. Use this syntax in the file:
permission : users : origins
Permission is either a + or -, indicating allow or deny.
Users are a space-separated list of user names, group names, or netgroup names. Netgroup names must be preceded by @.
Origins are space-separated lists of domain names, hostnames, or IP addresses. This is a useful method for preventing unauthorized users from getting into a machine they're not supposed to be in, even though they have somehow acquired a login. (Hint to high school administrators: this is preferable to hitting students with felony charges after they "hack" an insecure school network.)
Both users and origins support EXCEPT statements, like this:
# Allow only school administrators, from any origin
-:ALL EXCEPT admins:ALL
You can leave it open to all, naming only users and groups to deny access to:
# These users are banned
-:akkana dancer meflin dana drew @art_group:ALL EXCEPT carla
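To see how the permission, users and origins fields combine before you put a line like that into production, here is a parser and evaluator for access.conf lines, added as an example (it is not pam_access's own code). It enforces the three-field syntax, handles EXCEPT in both the users and origins fields, and applies the module's rule that the first matching line wins and that no match means access is granted. Group and netgroup membership come from dicts because the script runs without NSS or NIS; the users, hosts and groups in ACCESS_CONF, GROUPS and NETGROUPS are constructed, and the host name carla is assumed to be the console in the admin office.

```python
"""Parser and evaluator for /etc/security/access.conf lines (added example;
not pam_access's own code).  Group and netgroup membership are supplied as
dicts because the script runs without NSS or NIS; the users, hosts and
groups below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    allow: bool
    users: tuple
    user_excepts: tuple
    origins: tuple
    origin_excepts: tuple


def _split_except(field):
    """'ALL EXCEPT carla' -> (('ALL',), ('carla',)); 'a b' -> (('a', 'b'), ())."""
    items = field.split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return tuple(items[:i]), tuple(items[i + 1:])
    return tuple(items), ()


def parse_access_conf(text):
    """Parse 'permission : users : origins' lines; reject malformed ones
    instead of silently skipping them the way the module does."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'permission : users : origins'")
        perm, users, origins = fields
        if perm not in ("+", "-"):
            raise ValueError(f"line {lineno}: permission must be + or -")
        rules.append(AccessRule(perm == "+", *_split_except(users), *_split_except(origins)))
    return rules


def _user_matches(item, user, groups, netgroups):
    if item == "ALL":
        return True
    if item.startswith("@"):                      # @name is a netgroup
        return user in netgroups.get(item[1:], ())
    return item == user or user in groups.get(item, ())   # user name, then group name


def _origin_matches(item, origin):
    # Only ALL and exact host names are modelled; the real module also
    # matches tty names, domain suffixes and address/netmask pairs.
    return item == "ALL" or item == origin


def _list_matches(items, excepts, matcher):
    return any(matcher(i) for i in items) and not any(matcher(e) for e in excepts)


def check_access(rules, user, origin, groups=None, netgroups=None):
    """True if the login is allowed.  The first matching line wins; if no
    line matches, pam_access grants access."""
    groups = groups or {}
    netgroups = netgroups or {}
    for rule in rules:
        users_hit = _list_matches(rule.users, rule.user_excepts,
                                  lambda item: _user_matches(item, user, groups, netgroups))
        origins_hit = _list_matches(rule.origins, rule.origin_excepts,
                                    lambda item: _origin_matches(item, origin))
        if users_hit and origins_hit:
            return rule.allow
    return True


# Constructed table built from the article's two example lines.  'carla' is
# assumed to be the host name of the console in the admin office.
ACCESS_CONF = """\
# These users are banned, except when they sit at carla
-:akkana dancer meflin dana drew @art_group:ALL EXCEPT carla
# From anywhere else, only school administrators
-:ALL EXCEPT admins:ALL EXCEPT carla
"""
GROUPS = {"admins": ("root", "sysop", "dana")}      # constructed /etc/group view
NETGROUPS = {"art_group": ("pat",)}                  # constructed NIS netgroup


def demo():
    """Decide six constructed logins against ACCESS_CONF."""
    rules = parse_access_conf(ACCESS_CONF)
    cases = [("sysop", "lab-pc-1"), ("student1", "lab-pc-1"), ("student1", "carla"),
             ("dana", "lab-pc-1"), ("dana", "carla"), ("pat", "lab-pc-1")]
    return {f"{u}@{o}": check_access(rules, u, o, GROUPS, NETGROUPS) for u, o in cases}


if __name__ == "__main__":
    for who, allowed in demo().items():
        print(f"{who}: {'allowed' if allowed else 'denied'}")
```

Note the case of dana, who is both an admin and on the banned list: the first line matches her from lab-pc-1 and she is denied, but from carla that line's origin is excepted, the second line skips her because she is in admins, and with nothing left to match she is let in. Order matters in this file, and a two-field line such as `-:ALL EXCEPT admins` is rejected by the parser rather than quietly doing nothing.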
PAM is a powerful, flexible tool that can work wonders for your authentication and security infrastructure. Check out Google Groups, searching on "debian pam" or "red hat pam" or whatever you need, to find good tips and help.