GNU/Linux, or simply Linux, ships with a rich set of security features: SELinux, a packet filter (netfilter/iptables), PAM and so on. In this post I talk about PAM (Pluggable Authentication Modules). PAM is flexible enough that, if you want, you can refuse root logins on particular terminals or refuse them altogether. Security is dear to many system administrators; we of course recommend a little moderation.
- PAM
- Pluggable Authentication Modules
- a security layer that takes on the task of authentication on behalf of applications, instead of every application having to implement password checking, account checks and so on itself.
- each application (strictly, each PAM "service" name, usually the program name) has its own PAM config file, and a default file is used when no specific one exists.
So how does the PAM magic work?
- Well, when a program needs to authenticate someone, it calls the functions of the PAM library (libpam): pam_start(), pam_authenticate(), pam_acct_mgmt() and so on.
- PAM then reads the config file for that service, /etc/pam.d/<service>. If there is no specific file, the default file /etc/pam.d/other is used instead.
- the config file tells the PAM library which modules to call, in which order, and how each module's result affects the outcome.
- the checks performed by a module may be as simple as checking /etc/passwd and /etc/shadow (pam_unix.so) or as complex as talking to an LDAP or Kerberos server.
- the config files live in /etc/pam.d (older systems used the single file /etc/pam.conf).
- the modules are shared objects (pam_*.so). Historically they lived in /lib/security; on current distributions look in /lib/x86_64-linux-gnu/security (Debian/Ubuntu) or /usr/lib64/security (RHEL/Fedora).
app -> config -> module <-> user
- Each line (rule) in a PAM config file is evaluated in order, top to bottom, for the module type the application asked for. Each module returns success or a failure code, the control flag on the line decides how that result affects the running total, and only the combined result of the whole stack is returned to the app. The app is never told which module failed, which is deliberate: an attacker should not learn whether it was the username, the password or a policy check that rejected them.
- Config file format (four whitespace-separated columns, '#' starts a comment):
- col 1 module_type - auth, account, session, password
  - auth: establishes that the user is who they claim to be (typically by asking for a password) and may grant group memberships or other credentials
  - account: non-credential checks on the account, e.g. time of day, permitted tty, account or password expiry
  - session: things done before and after the session, e.g. environment settings, logging, mounting the home directory
  - password: updating the authentication token, i.e. changing the password
- col 2 control_flag - required, requisite, sufficient, optional
  - required: a failure makes the whole stack fail, but the remaining modules are still called
  - requisite: a failure makes the stack fail immediately; nothing below it is called
  - sufficient: a success returns success immediately (unless a required module above it already failed); a failure is ignored
  - optional: the result only matters if it is the only module in the stack for that type
  - newer Linux-PAM versions also accept the long form [value=action ...] in this column, of which the four keywords above are shorthands
- col 3 module_path - the module file, e.g. pam_unix.so; a bare name is looked up in the module directory, an absolute path is used as is
- col 4 arguments - optional, module-specific values such as debug, no_warn, nullok, use_first_pass, try_first_pass, ...
- recommended to leave the default config file /etc/pam.d/other as it is. On most distributions it is very restrictive by nature (every module type is `required pam_deny.so`), so a service with no config file of its own gets nothing; check that yours really is that strict, since an overly permissive `other` silently covers any service you forgot to configure.
- To recover from a PAM misconfiguration that locks everyone out, boot into single-user mode. Better still, keep a root shell open while you edit a PAM file and test the change from a second session before closing it.
- a good place to look for PAM errors is /var/log/messages; depending on the distribution the authentication log is /var/log/auth.log or /var/log/secure instead, or use `journalctl` on systemd systems.
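To see the stack rules above in action (the four control flags, the per-service file with its fallback to /etc/pam.d/other, and the restrictive default), here is an added example that is not part of the original post and not Linux-PAM's own code: a small Python model that parses the four-column /etc/pam.d format and walks one module type's stack the way libpam does. Module results are faked through a dictionary instead of loading shared objects, so it runs offline; the two sample config texts are constructed for the example, modelled on typical stacks, and are not copied from any system.

```python
"""Model of how libpam walks one module type's stack from an /etc/pam.d file.

Added example: the parser and the four classic control flags (required,
requisite, sufficient, optional) are re-implemented so the evaluation order
can be watched. Module results come from a dictionary, so it runs offline.
"""
from dataclasses import dataclass, field

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Rule:
    mtype: str                 # auth / account / session / password
    control: str               # one of CONTROL_FLAGS
    module: str                # e.g. pam_unix.so
    args: list = field(default_factory=list)


def parse_pam_config(text):
    """Parse the four-column /etc/pam.d format; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in CONTROL_FLAGS:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3:]))
    return rules


def evaluate_stack(rules, mtype, results):
    """Return (granted, modules_called) for one module type.

    `results` maps module name -> True (PAM_SUCCESS) or False (any error code)
    and stands in for the real call. A module missing from it counts as a
    failure, much as libpam fails a rule whose module cannot be loaded.
    """
    called = []
    required_failed = False     # a 'required' module above has failed
    decisive_seen = False       # a non-optional module has run
    success_seen = False        # a non-optional module succeeded
    optional_ok = False         # only consulted when nothing decisive ran
    for r in (r for r in rules if r.mtype == mtype):
        ok = results.get(r.module, False)
        called.append(r.module)
        if r.control == "requisite":
            decisive_seen = True
            if not ok:
                return False, called           # stop at once; the rest is never called
            success_seen = True
        elif r.control == "required":
            decisive_seen = True
            if ok:
                success_seen = True
            else:
                required_failed = True         # remember it but keep calling the rest,
                                               # so the caller cannot tell which one failed
        elif r.control == "sufficient":
            decisive_seen = True
            if ok and not required_failed:
                return True, called            # short-circuit: modules below are skipped
            if ok:
                success_seen = True
            # a failing 'sufficient' module is simply ignored
        else:                                  # optional
            optional_ok = optional_ok or ok
    if required_failed:
        return False, called
    if decisive_seen:
        return success_seen, called
    return optional_ok, called                 # also False for an empty stack


def stack_for_service(service, configs):
    """Pick /etc/pam.d/<service>, falling back to /etc/pam.d/other like libpam."""
    return parse_pam_config(configs.get(service, configs["other"]))


# Constructed sample stacks (not taken from a real system).
LOGIN_CONF = """
auth     requisite   pam_securetty.so      # root only from ttys listed in /etc/securetty
auth     sufficient  pam_ldap.so           # an LDAP success is enough on its own
auth     required    pam_unix.so nullok    # otherwise fall back to /etc/shadow
account  required    pam_unix.so
"""

OTHER_CONF = """
auth     required  pam_deny.so
account  required  pam_deny.so
password required  pam_deny.so
session  required  pam_deny.so
"""

CONFIGS = {"login": LOGIN_CONF, "other": OTHER_CONF}
```

Swapping the first line's `requisite` for `required` and feeding it a failing pam_securetty.so shows the difference between the two flags: with `requisite` only the first module runs and the stack fails at once; with `required` all three modules are still called, pam_ldap.so's success no longer short-circuits, and the final answer is still a denial. Asking for a service that has no entry returns the `other` stack, which denies regardless of what the modules say.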