Difference between revisions of "Pluggable Authentication Modules (PAM)"
| (One intermediate revision by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that communicates between the user and an application. PAM modules are available on a system wide basis, so they can be requested by any application. PAM allows for applications, such as system daemons, to share a single, unified authentication widget. Otherwise, each application would have to include an individually written system which would result in weaker overall security and issues with compatibility. PAM modules, which are a set of shared libraries for a specific authentication mechanism. | + | Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that communicates between the user and an application. PAM modules are available on a system wide basis, so they can be requested by any application. Technically, PAM is used by many UNIX (Solaris/BSD/AIX/HP-UX) operating systems as well as Linux for configuring authentication related services. |
| + | |||
| + | PAM allows for applications, such as system daemons, to share a single, unified authentication widget. Otherwise, each application would have to include an individually written system which would result in weaker overall security and issues with compatibility. PAM modules, which are a set of shared libraries for a specific authentication mechanism. | ||
PAM is not itself a password database, but rather its configuration tells the system how exactly to do the authentication. There is a PAM module that is used to authenticate a user from /etc/.shadow called pam_unix.so - a module used to authenticate all users local and remote during login. | PAM is not itself a password database, but rather its configuration tells the system how exactly to do the authentication. There is a PAM module that is used to authenticate a user from /etc/.shadow called pam_unix.so - a module used to authenticate all users local and remote during login. | ||
* Options can be passed to pam_unix in the /etc/pam.d/login file | * Options can be passed to pam_unix in the /etc/pam.d/login file | ||
| + | |||
| + | Linux use following two files: | ||
| + | |||
| + | /etc/pam/common-auth: authentication settings common to all services | ||
| + | /etc/pam.d/common-password: password-related modules common to all services | ||
| + | |||
| + | |||
sample PAM application configuration file: | sample PAM application configuration file: | ||
| Line 24: | Line 33: | ||
auth required pam_nologin.so — This is the final authentication step. It checks whether the /etc/nologin file exists. If it exists and the user is not root, authentication fails. | auth required pam_nologin.so — This is the final authentication step. It checks whether the /etc/nologin file exists. If it exists and the user is not root, authentication fails. | ||
| + | == disable null passwords == | ||
| + | |||
| + | Open /etc/pam/common-auth and find the line that reads: | ||
| + | password required pam_unix.so nullok obscure min=4 max=8 md5 | ||
| + | and remove the following parameter: | ||
| + | nullok | ||
| + | Save the file and exit to shell prompt. Now open file /etc/pam.d/common-password and find the line that reads: | ||
| + | auth required pam_unix.so nullok_secure | ||
| + | Remove the following parameter: | ||
| + | nullok_secure | ||
| + | Now save the file and exit to shell prompt. These changes will disable any user's able to login using null password. | ||
| + | source: [http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html Linux or UNIX disable null passwords] by by NIX Craft. | ||
{{:Sparse Entry}} | {{:Sparse Entry}} | ||
Latest revision as of 11:32, 7 February 2014
Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that communicates between the user and an application. PAM modules are available on a system wide basis, so they can be requested by any application. Technically, PAM is used by many UNIX (Solaris/BSD/AIX/HP-UX) operating systems as well as Linux for configuring authentication related services.
PAM allows for applications, such as system daemons, to share a single, unified authentication widget. Otherwise, each application would have to include an individually written system which would result in weaker overall security and issues with compatibility. PAM modules, which are a set of shared libraries for a specific authentication mechanism.
PAM is not itself a password database, but rather its configuration tells the system how exactly to do the authentication. There is a PAM module that is used to authenticate a user from /etc/.shadow called pam_unix.so - a module used to authenticate all users local and remote during login.
- Options can be passed to pam_unix in the /etc/pam.d/login file
Linux use following two files:
/etc/pam/common-auth: authentication settings common to all services /etc/pam.d/common-password: password-related modules common to all services
sample PAM application configuration file:
#%PAM-1.0 auth required pam_securetty.so auth required pam_unix.so nullok auth required pam_nologin.so account required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so shadow nullok use_authtok session required pam_unix.so
KEY Configuration lines:
auth required pam_securetty.so — This module ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists.
auth required pam_unix.so nullok — This module prompts the user for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow.
auth required pam_nologin.so — This is the final authentication step. It checks whether the /etc/nologin file exists. If it exists and the user is not root, authentication fails.
disable null passwords
Open /etc/pam/common-auth and find the line that reads:
password required pam_unix.so nullok obscure min=4 max=8 md5
and remove the following parameter:
nullok
Save the file and exit to shell prompt. Now open file /etc/pam.d/common-password and find the line that reads:
auth required pam_unix.so nullok_secure
Remove the following parameter:
nullok_secure
Now save the file and exit to shell prompt. These changes will disable any user's able to login using null password.
source: Linux or UNIX disable null passwords by by NIX Craft.
 Learn more... |
