Pluggable Authentication Modules (PAM)

From Free Knowledge Base- The DUCK Project: information for everyone
Latest revision as of 11:32, 7 February 2014

Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that communicates between the user and an application. PAM modules are available on a system-wide basis, so they can be requested by any application. Technically, PAM is used by many UNIX (Solaris/BSD/AIX/HP-UX) operating systems as well as Linux for configuring authentication-related services.

PAM allows applications, such as system daemons, to share a single, unified authentication mechanism. Otherwise, each application would have to include an individually written authentication system, which would result in weaker overall security and compatibility issues. Each PAM module is a shared library that implements one specific authentication mechanism.

PAM is not itself a password database; rather, its configuration tells the system exactly how to perform authentication. The PAM module used to authenticate a user against /etc/shadow is pam_unix.so, which authenticates all users, local and remote, during login.

  • Options can be passed to pam_unix in the /etc/pam.d/login file

Linux uses the following two files:

/etc/pam.d/common-auth: authentication settings common to all services
/etc/pam.d/common-password: password-related modules common to all services


Sample PAM application configuration file:

#%PAM-1.0
auth	required  pam_securetty.so
auth	required  pam_unix.so nullok
auth	required  pam_nologin.so
account	required  pam_unix.so
password	required  pam_cracklib.so retry=3
password	required  pam_unix.so shadow nullok use_authtok
session	required  pam_unix.so

Key configuration lines:

auth required pam_securetty.so — This module ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists.

auth required pam_unix.so nullok — This module prompts the user for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow.

auth required pam_nologin.so — This is the final authentication step. It checks whether the /etc/nologin file exists. If it exists and the user is not root, authentication fails.

Disable null passwords

Open /etc/pam.d/common-auth and find the line that reads:

password required pam_unix.so nullok obscure min=4 max=8 md5

and remove the following parameter:

nullok

Save the file and return to the shell prompt. Now open the file /etc/pam.d/common-password and find the line that reads:

auth required pam_unix.so nullok_secure

Remove the following parameter:

nullok_secure

Now save the file and return to the shell prompt. These changes prevent any user from logging in with a null (empty) password.

Source: Linux or UNIX disable null passwords by NIX Craft, http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html
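As an added example (not from the wiki page or from the Linux-PAM project), the following POSIX shell functions audit the sample service file above and the common-auth/common-password edits in this section: they report nullok / nullok_secure on any pam_unix.so line, whichever type (auth or password) carries it, and emit a copy of the file with those options removed so the result can be re-checked before it is copied into /etc/pam.d. The function names and the sample configuration text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Linux-PAM project): audit PAM
# configuration text for pam_unix.so entries that permit empty passwords
# (nullok / nullok_secure) and emit a hardened copy with those options removed.
# Config text is read from stdin, so the functions work on any /etc/pam.d file
# or on the constructed samples below; nothing here writes to /etc.

# Constructed sample: the service file from the page, tab-separated as in /etc/pam.d,
# plus a trailing comment to show that comments are preserved.
SAMPLE_LOGIN='#%PAM-1.0
auth	required	pam_securetty.so
auth	required	pam_unix.so nullok
auth	required	pam_nologin.so
account	required	pam_unix.so
password	required	pam_cracklib.so retry=3
password	required	pam_unix.so shadow nullok use_authtok   # trailing comment
session	required	pam_unix.so'

# Constructed sample: the common-auth line from the page.
SAMPLE_COMMON_AUTH='auth	required	pam_unix.so nullok_secure'

# Report every pam_unix.so line that allows an empty password, as
# "<type> <option>", e.g. "auth nullok". Comments are stripped first so a
# commented-out line is not reported; only the type field is printed so
# bracketed control values such as [success=1 default=ignore] do not matter.
find_nullok() {
    sed -e 's/#.*$//' | awk '/pam_unix\.so/ {
        for (i = 1; i <= NF; i++)
            if ($i == "nullok" || $i == "nullok_secure") print $1, $i
    }'
}

# Number of offending entries; 0 means the input is clean.
count_nullok() {
    find_nullok | wc -l | tr -d ' '
}

# Hardened copy: drop nullok / nullok_secure from pam_unix.so lines only.
# All other lines, options, whitespace and comments pass through unchanged.
strip_nullok() {
    sed -E '/pam_unix\.so/ s/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/g'
}

# Stand-alone run: list findings, then show the hardened file.
printf '%s\n' "$SAMPLE_LOGIN" | find_nullok
printf '%s\n' "$SAMPLE_LOGIN" | strip_nullok
```

Running `count_nullok` on the stripped output is the check that the edit actually took effect; a non-zero result means an empty-password option is still present somewhere in the file.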
