Linux Security and PAM

PAM (Pluggable Authentication Modules) provides a layer between applications and the actual authentication mechanism. PAM is a library of loadable modules, called by applications, that implement each application's security requirements. They enable the local system administrator to choose how applications authenticate users, to control when a user can log in, and to customize many other features. PAM is also useful because the authentication method can be changed without changing the application. For instance, logins may currently be done by checking a password file; to use a "smart" card instead, all that is necessary is to change the PAM libraries the application uses for authentication, rather than rewriting the application. There are four types of modules:

  • auth - Provides the actual authentication: establishes who the user is and whether they are who they claim to be, typically by asking for a password and checking it, and sets credentials such as group memberships or Kerberos tickets.
  • account - Checks to see if access is allowed. It may restrict access based on currently available system resources, such as the maximum number of users, or on the location of the user. Access could be denied if the account has expired or the user is not allowed to log in at this time of day.
  • password - Used to set passwords. Typically, there is one module for each auth module-type.
  • session - Used to make it possible for a user to use their account once they have been authenticated. This module does things that need to be done for the user before or after they can be given service, such as logging information about the opening or closing of a data exchange with the user, or mounting directories. This module may make the user's mailbox available.

All PAM applications are configured in the directory "/etc/pam.d" or in a file "/etc/pam.conf". PAM is controlled using the configuration file or the configuration directory, but usually not both. If both configurations are used the directory structure takes precedence. In the directory "/etc/pam.d" there is a file for each application. Each application is tied to a set of PAM libraries with a file named after the name of the service in the "/etc/pam.d" directory. In the "/etc/pam.conf" file the first value on each line is the service name. The service name is the name of the program used to access the service, not the program used to provide the service. My "/etc/pam.d/rlogin" file looks like this:

#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_pwdb.so shadow nullok
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_pwdb.so
password   required	/lib/security/pam_cracklib.so
password   required	/lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required	/lib/security/pam_pwdb.so
session    optional	/lib/security/pam_console.so

A general configuration line of the /etc/pam.conf file has the following form:

service-name   module-type   control-flag   module-path   arguments

The service name indicates the type of service such as ftp and is not required for configuration files in the directory "/etc/pam.d".

As you can see, multiple modules may be used, and multiple modules of each type may be used. The second item is the module type (listed above), the third item is the control flag, and the fourth is the loadable library to be used to perform the function. The control flags are:

  • required - The success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
  • requisite - If the module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. This flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium.
  • sufficient - If this module succeeds and no previous required module has failed, no more `stacked' modules of this type are invoked. This means subsequent required modules are not invoked. A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded.
  • optional - This module is not critical to the success or failure of the user's application for service. In the absence of any definite successes or failures of previous or subsequent stacked modules this module will determine the nature of the response to the application.

The newer syntax for control flags is delimited with square brackets and consists of a series of value=action tokens, with the value being one of the return values listed below. The format of the syntax is:

[value1=action1 value2=action2 ...]

The values are:

  • success
  • open_err
  • symbol_err
  • service_err
  • system_err
  • buf_err
  • perm_denied
  • auth_err
  • cred_insufficient
  • authinfo_unavail
  • user_unknown
  • maxtries
  • new_authtok_reqd
  • acct_expired
  • session_err
  • cred_unavail
  • cred_expired
  • cred_err
  • no_module_data
  • conv_err
  • authtok_err
  • authtok_recover_err
  • authtok_lock_busy
  • authtok_disable_aging
  • try_again
  • ignore
  • abort
  • authtok_expired
  • module_unknown
  • bad_item
  • default - Can be used to set the action for those return values that are not explicitly defined.

The action can be a positive integer or one of the tokens listed below. A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the current type will be skipped. In this way, the administrator can develop a moderately sophisticated stack of modules with a number of different paths of execution. Which path is taken can be determined by the reactions of individual modules.

  • ignore - when used with a stack of modules, the module's return status will not contribute to the return code the application obtains.
  • bad - this action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack.
  • die - equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application.
  • ok - this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules. In other words, if the former state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override this value. Note, if the former state of the stack holds some value that is indicative of a modules failure, this 'ok' value will not be used to override that value.
  • done - equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application.
  • reset - clear all memory of the state of the module stack and start again with the next stacked module.

The module path is the path and file name of the PAM library to be used to perform the function.

The args are like arguments to a typical Linux shell command. Valid arguments are optional and are specific to specific modules.
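To see how the control flags and the bracketed actions interact when a stack is walked, here is an added example (not code from the page or from Linux-PAM itself) that models the evaluation described above. It translates the classic flags into the bracketed form as pam.conf(5) documents them, parses the /etc/pam.d/rlogin auth lines shown earlier, and runs them with constructed module results; the pam_userdb skip stack and the idea that a skipping module's own result is not counted are assumptions of this model.

```python
# Added example (not from the page or Linux-PAM): a model of how libpam walks one module
# stack. Classic flags are translated to the bracketed form as pam.conf(5) documents them.
CLASSIC_FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# The auth lines of the /etc/pam.d/rlogin file above, and a constructed new-syntax variant
# that skips pam_pwdb when a (hypothetical) pam_userdb lookup succeeds.
RLOGIN_AUTH = """\
auth  required  /lib/security/pam_securetty.so
auth  required  /lib/security/pam_pwdb.so shadow nullok
auth  required  /lib/security/pam_nologin.so
"""
SKIP_AUTH = """\
auth  [success=1 default=ignore]  /lib/security/pam_userdb.so db=/etc/login_users
auth  required                    /lib/security/pam_pwdb.so
auth  required                    /lib/security/pam_nologin.so
"""

def parse_pamd_file(text):
    """Parse /etc/pam.d/<service> lines into (module_type, actions_dict, module_path, args)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "[" in line:                                  # new syntax: [value=action ...]
            head, rest = line.split("[", 1)
            flags, tail = rest.split("]", 1)
            actions = dict(tok.split("=", 1) for tok in flags.split())
            mtype, path, *args = head.split() + tail.split()
        else:                                            # classic flag word
            mtype, flag, path, *args = line.split()
            actions = CLASSIC_FLAGS[flag]
        entries.append((mtype, actions, path, args))
    return entries

def run_stack(entries, module_type, results):
    """Walk one module type; results maps module path -> return value ("success" if absent)."""
    stack = [e for e in entries if e[0] == module_type]
    impression, status, invoked, i = None, None, [], 0
    while i < len(stack):
        _, actions, path, _ = stack[i]
        i += 1
        retval = results.get(path, "success")
        invoked.append(path)
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():                 # J: skip the next J modules (own result not counted here)
            i += int(action)
        elif action in ("ok", "done"):
            if impression != "bad":          # a later success never hides an earlier failure
                impression, status = "ok", retval
            if action == "done" and impression == "ok":
                break                        # sufficient: remaining modules are not invoked
        elif action in ("bad", "die"):
            if impression != "bad":          # the first failure fixes the stack's status
                impression, status = "bad", retval
            if action == "die":
                break                        # requisite: return to the application at once
        elif action == "reset":
            impression, status = None, None  # "ignore" falls through and contributes nothing
    return (status if status is not None else "perm_denied"), invoked  # nothing decided = fail

def demo():
    """Constructed scenarios for root on a tty that /etc/securetty does not list."""
    bad_tty = {"/lib/security/pam_securetty.so": "auth_err"}
    requisite = RLOGIN_AUTH.replace("required  /lib/security/pam_securetty", "requisite /lib/security/pam_securetty")
    return {"required":  run_stack(parse_pamd_file(RLOGIN_AUTH), "auth", bad_tty),
            "requisite": run_stack(parse_pamd_file(requisite), "auth", bad_tty),
            "skip":      run_stack(parse_pamd_file(SKIP_AUTH), "auth", {"/lib/security/pam_pwdb.so": "auth_err"})}
```

With `required`, all three modules still run before the auth_err is reported, so the caller learns nothing about which one refused; with `requisite`, the stack stops at pam_securetty before a password is ever requested.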

Listing of available PAM modules

  • pam_access - The module type is account. Requires a configuration file /etc/security/access.conf. This module provides logdaemon-style login access control based on login names and on host (or domain) names, internet addresses (or network numbers), or on terminal line names in the case of non-networked logins. Diagnostics are reported through syslog.
  • pam_chroot - Management groups provided are account; session; authentication. This module is intended to provide a transparent wrapper around the average user, one that puts them in a fake file-system (eg, their '/' is really /some/where/else). Useful if you have several classes of users, and are slightly paranoid about security. Can be used to limit who else users can see on the system, and to limit the selection of programs they can run.
  • pam_cracklib - Management group provided is password. Requires the system library libcrack and a system dictionary: /usr/lib/cracklib_dict. The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices. The default action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token. This module can be plugged into the password stack of a given application to provide some plug-in strength-checking for passwords. This module works in the following manner: it first calls the Cracklib routine to check the strength of the password; if crack likes the password, the module does an additional set of strength checks.
  • pam_deny - Management groups provided are account; authentication; password; session. This module can be used to deny access. It always indicates a failure to the application through the PAM framework.
  • pam_env - Management group provided is authentication (setcred). Requires /etc/security/pam_env.conf. This module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST.
  • pam_filter - Management groups provided are account; authentication; password; session. To function it requires filters to be installed on the system. This module was written to offer a plug-in alternative to programs like ttysnoop (XXX - need a reference). Since writing a filter that performs this function has not occurred, it is currently only a toy. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams. (This can be very annoying and is not kind to termcap based editors).
  • pam_ftp - Management group provided is authentication. The purpose of this module is to provide a pluggable anonymous ftp mode of access. This module intercepts the user's name and password. If the name is ``ftp'' or ``anonymous'', the user's password is broken up at the `@' delimiter into a PAM_RUSER and a PAM_RHOST part; these pam-items being set accordingly. The username is set to ``ftp''. In this case the module succeeds. Alternatively, the module sets the PAM_AUTHTOK item with the entered password and fails.
  • pam_group - Management group provided is authentication. Requires an /etc/security/group.conf file. Can be compiled with or without libpwdb. This module provides group-settings based on the user's name and the terminal they are requesting a given service from. It takes note of the time of day. This module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. The group memberships are listed in text form in the /etc/security/group.conf file.
  • pam_issue - Management group provided is authentication(pam_sm_authenticate). This module prepends the issue file (/etc/issue by default) when prompting for a username. This module allows you to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file similar to some common getty's (using \x format). Recognized escapes:
    • d - current date
    • s - operating system name
    • l - name of this tty
    • m - architecture of this system (i686, sparc, powerpc, ...)
    • n - hostname of this system
    • o - domainname of this system
    • r - release number of the operating system (eg. 2.2.12)
    • t - current time
    • u - number of users currently logged in
    • U - same as u, except it is suffixed with "user" or "users" (eg. "1 user" or "10 users")
    • v - version/build-date of the operating system (eg. "#3 Mon Aug 23 14:38:16 EDT 1999" on Linux).
  • pam_krb4 - Management groups provided are authentication; password; session. Requires libraries - libkrb, libdes, libcom_err, libkadm; and a set of Kerberos include files. Gets Kerberos ticket granting ticket via a Kerberos key distribution center reached via the network. This module provides an interface for doing Kerberos verification of a user's password, getting the user a Kerberos ticket granting ticket for use with the Kerberos ticket granting service, destroying the user's tickets at logout time, and changing a Kerberos password. This component of the module currently sets the user's KRBTKFILE environment variable (although there is currently no way to export this), as well as deleting the user's ticket file upon logout (until PAM_CRED_DELETE is supported by login).
  • pam_lastlog - Management group provided is auth. Uses information contained in the /var/log/lastlog file. This session module maintains the /var/log/lastlog file, adding an open entry when called via the pam_open_session() function and completing it when pam_close_session() is called. This module can also display a line of information about the last login of the user. If an application already performs these tasks, it is not necessary to use this module.
  • pam_limits - Management group provided is session. Requires an /etc/security/limits.conf file and kernel support for resource limits. Also uses the library, libpwdb. This module, through the Linux-PAM open-session hook, sets limits on the system resources that can be obtained in a user-session. Its actions are dictated more explicitly through the configuration file discussed below.
  • pam_listfile - Management group provided is authentication. The module gets the item of the type specified -- user specifies the username, PAM_USER; tty specifies the name of the terminal over which the request has been made, PAM_TTY; rhost specifies the name of the remote host (if any) from which the request was made, PAM_RHOST; and ruser specifies the name of the remote user (if available) who made the request, PAM_RUSER -- and looks for an instance of that item in the file filename. filename contains one line per item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the authorization request to fail.
    Classic ``ftpusers'' authentication can be implemented with this entry in /etc/pam.conf:
    #
    # deny ftp-access to users listed in the /etc/ftpusers file
    #
    ftp     auth     required       pam_listfile.so \
            onerr=succeed item=user sense=deny file=/etc/ftpusers
    
  • pam_mail - Management group provided is auth. Requires default mail directory /var/spool/mail/. This module looks at the user's mail directory and indicates whether the user has any mail in it. This module provides the ``you have new mail'' service to the user. It can be plugged into any application that has credential hooks. It gives a single message indicating the newness of any mail it finds in the user's mail folder. This module also sets the Linux-PAM environment variable, MAIL, to the user's mail directory. Although the module supplies functions for the authentication management group of functions, it cannot be used to authenticate a user; its authentication function instructs libpam to simply ignore it when authenticating the user.
  • pam_mkhomedir - Management group provided is session. Creates home directories on the fly for authenticated users. This module is useful for distributed systems where the user account is managed in a central database (such as NIS, NIS+, or LDAP) and accessed through multiple systems. It frees the administrator from having to create a default home directory on each of the systems by creating it upon the first successfully authenticated login of that user. The skeleton directory (usually /etc/skel/) is used to copy default files, and a umask is also set for the creation.
  • pam_motd - Management group provided is session(open). This module outputs the motd file (/etc/motd by default) upon successful login. This module allows you to have arbitrary motd's (message of the day) output after a successful login. By default this file is /etc/motd, but is configurable to any file.
  • pam_nologin - Management group provided is authentication. Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed to log in; other users are turned away with an error message. All users (root or otherwise) are shown the contents of /etc/nologin. If the file /etc/nologin does not exist, this module succeeds silently.
  • pam_permit - Management groups provided are account; authentication; password; session. This module is very dangerous. It should be used with extreme caution. Its action is always to permit access. It does nothing else.
  • pam_pwdb - Management groups provided are account; authentication; password; session. Requires properly configured libpwdb. This module is a pluggable replacement for the pam_unix_.. modules. It uses the generic interface of the Password Database library. It is used to ensure the user's account and password are still active.
  • pam_radius - Management group provided is session. This module is intended to provide the session service for users authenticated with a RADIUS server. At the present stage, the only option supported is the use of the RADIUS server as an accounting server.
  • pam_rhosts_auth - Management group provided is authentication. This module performs the standard network authentication for services, as used by traditional implementations of rlogin and rsh etc. The authentication mechanism of this module is based on the contents of two files: /etc/hosts.equiv (or _PATH_HEQUIV in #include <netdb.h>) and ~/.rhosts. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file are used to map "remote-host remote-user" pairs to that user's account on the current host. Access is granted to the user if their host is present in /etc/hosts.equiv and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file.
  • pam_rootok - Management group provided is authentication. This module is for use in situations where the superuser wishes to gain access to a service without having to enter a password. This module authenticates the user if their uid is 0. Applications that are created setuid-root generally retain the uid of the user but run with the authority of an enhanced effective-uid. It is the real uid that is checked.
  • pam_securetty - Management group provided is authentication. Requires the /etc/securetty file. Requires the application to fill in the PAM_TTY item correctly in order to act meaningfully. Provides standard Unix securetty checking, which causes authentication for root to fail unless PAM_TTY is set to a string listed in the /etc/securetty file. For all other users, it succeeds.
  • pam_time - Management group provided is account. Requires a configuration file /etc/security/time.conf. Running a well regulated system occasionally involves restricting access to certain services in a selective manner. This module offers some time control for access to services offered by a system. Its actions are determined with a configuration file. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request. This module bases its actions on the rules listed in its configuration file: /etc/security/pam.conf.
  • pam_unix - Management groups provided are account; authentication; password; session. This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.
  • pam_userdb - Management group provided is authentication. Requires Berkeley DB. Look up users in a .db database and verify their password against what is contained in that database.
  • pam_warn - Management groups provided are authentication; password. Logs information about the remote user and host (if pam-items are known). Log the service, terminal, user, remote user and remote host to syslog(3). The items are not probed for, but instead obtained from the standard pam-items.
  • pam_wheel - Management group provided is authentication. Requires libpwdb. Only permit root access to members of the wheel (gid=0) group. This module is used to enforce the so-called wheel group. By default, it permits root access to the system if the applicant user is a member of the wheel group (first, the module checks for the existence of a 'wheel' group. Otherwise the module defines the group with group-id 0 to be the wheel group).

Some PAM files

  • /etc/securetty/pam.conf
  • /etc/security/access.conf
  • /etc/security/group.conf
  • /etc/security/limits.conf
  • /etc/security/pam-env.conf
  • /etc/security/time.conf
  • /etc/pam.d/other
  • /usr/lib/libpam.so.* - The shared library providing applications with access to Linux-PAM.
  • /etc/pam.conf - The Linux-PAM configuration file.
  • /usr/lib/security/pam_*.so - The primary location for Linux-PAM dynamically loadable object files; the modules.