Cooking with PAM

(Pluggable Authentication Modules)

Thad Van Ry
Linux System Engineer
LDS Church

http://www.linuxnetadmin.com
irc = ThaddeusQ
 Caution!!
● Complete Lockout Possible
● Have a separate Root session Open
● Backup PAM config files before changing
● Recommend keep a Live CD close by
Authentication without PAM

login

rlogin
/etc/passwd
telnet

rsh
 History of PAM

PAM was defined and developed in 1995 by

Vipin Samar and Charlie Lai of Sun
Microsystems
 Authentication with PAM
Configuration File:
sshd /etc/pam.d/sshd
auth required pam_env.so
Request Result auth required pam_unix2.so
Success or Fail account sufficient pam_vas3.so
.
.
PAM .
Library password required pam_pwcheck.so

pam_env.so pam_unix2.so pam_vas3.so pam_pwcheck.so

PAM modules
 PAM Requirements
● PAM must be installed (Included in most
modern Unix / Linux OSes)
● Application must be “PAM aware” (can check
using ldd)
$ ldd /bin/login
<snip>
libpam.so.0 => /lib64/libpam.so.0
<snip>
 Configuration Files
● On Linux located in /etc/pam.d/
● On AIX in /etc/pam.conf - each line
begins with application name.
● Format:
module_type control_flag module_path [arguments]

● For example:
● auth required /lib/security/pam_pwdb.so shadow nullok
 Module type
Four groups of checks - stacks
auth – provide the actual session – used after a
authentication, perhaps user has been
asking for and authenticated to allow
checking a password them to use their
account (mount home
directory, logging
account – makes sure activities, etc.)
the authentication is
allowed (the account
has not expired, time of password – used to set
day restrictions, etc.) passwords
 Control Flags
Four types of control flags
required – Must return sufficient – If this
success. If it fails, module ends
continue checking the successfully, other
stack, however, the modules in stack don't
overall result will be a really matter and the
failure. overall result is success.
requisite – Works like optional – This flag
required, but, in case of allows PAM to continue
failure it returns checking other modules
immediately. even if this one has
failed.
include – used to include
other files
 Module path

● Can give full path in configuration file:

/lib/security/pam_unix.so

● In Linux, if only module name is given, PAM

looks in /lib/security for module.
 Arguments
● Parameters that are passed to the authentication
module
● Usually specific to each module.
● Some useful generic arguments that apply to all
modules:
– debug – Send debugging information to system logs.
– use_first_pass – Do not prompt user for a password a
second time. Use the password entered the first time to
determine eligibility.
– try_first_pass – Similar to use_first_pass, however if the
existing password causes a failure to be returned, the user is
then asked for a second password.
 /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_env.so
auth required pam_unix2.so
auth required pam_nologin.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok
session required pam_limits.so
session required pam_unix2.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
 /etc/pam.d/other
used if PAM aware application doesn't have own
configuration file in /etc/pam.d
#%PAM-1.0
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
 How can PAM help me?
● Password strength checks can be added to /
etc/pam.d/passwd using
pam_pwcheck.so or pam_cracklib.so
● If there is an issue you're having that deals
with authentication, see if a module has
been created.
 How can PAM hurt me?
● Messed up PAM files can lock out access for
everyone including root!!
● Order is important in PAM configuration files.
 HELP!!???
● Most modules have a man page. Try looking
there first. (i.e. $ man pam_pwcheck to get
information about pam_pwcheck.so)
● Use debug argument.
● Google is your friend.
● PAM article in January 2009 issue of LJ
– http://www.linuxjournal.com/article/10278
● Linux user group mailing lists
Questions, Comments, Crude
Remarks?