Pulling The Covers Off Linux PAM - Page 2

Best of ENP: Linux PAM solves its share of problems, it's true, but at the price of some complexity. Here's how to work through the thicket of PAM configuration choices.

 By Carla Schroder
Page 2 of 2

Continued From Page 1

Setting Sensible Fallbacks in Debian
You should also have a sensible system-wide fallback policy for services that have no file of their own in /etc/pam.d/. Red Hat/Fedora by default deny everything that is not explicitly allowed. Debian does the opposite. The /etc/pam.d/other file is consulted when a service calls into PAM and has no configuration file of its own; it is also consulted, one management group at a time, when a service's file exists but has no lines for the group being called (a file with auth and account lines but no session lines gets its session policy from other). The Debian default is to let unknown services log in using the system defaults defined in the common-* files:

# /etc/pam.d/other
@include common-auth
@include common-account
@include common-password
@include common-session

The @include directive is how one PAM file pulls in another. Another way to get the same effect is to spell out the contents of the common-* files directly, making /etc/pam.d/other look like this:

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so nullok obscure min=8 max=12 md5
session required pam_unix.so

The tightest (or most paranoid, whichever you prefer) security policy is "deny all, allow as needed," not the "allow anyone who can scam a login" scheme shown here: with this fallback, any program that links against PAM and asks for a service name with no file in /etc/pam.d/ gets to authenticate against the system password database, exactly as though someone had written it a configuration file. (Note that the root user is exempt from the password length limitation, and can set passwords of any length for anyone.)

This configuration denies everything that is not specifically allowed: any service without a file of its own (or any management group its file leaves out) fails at the auth, account, password and session stages alike. Before you install it, make sure every service you actually use, login and sshd included, has a complete file in /etc/pam.d/, and test from a second session while you keep a root shell open. If you want the refusals logged, put a pam_warn.so line in front of each pam_deny.so line; pam_warn.so writes the service, terminal, user and remote host to syslog and never grants access by itself.

auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so

Next week we'll dig into syntax and what all these things mean, putting directives in the correct order, and look at specific configurations for different services.


This article was originally published on Oct 30, 2007