TimeLinux1

Monday, November 29, 2010

Tim Berners Lee on Freedom on the Web

Tim Berners Lee is the one person every web surfer owes something to. In December 1990 he was the one who demonstrated the functionality of the web on the Internet as we know it today. He is credited with developing the protocol underlying the framework of the Web, viz. HTTP, the HyperText Transfer Protocol. Although rudimentary precursors to today's Internet had been around since the days of the ARPANET back in the 60s, it was the introduction of this very important protocol, HTTP, that brought the web and the Internet to the mainstream.

So obviously, if Tim Berners Lee has something to say about the web and the Internet, one has to sit up and take notice. Recently he published an article in the well-respected science journal 'Scientific American' about his concerns over the waning of Freedom and Neutrality of the Web. You can read the article here.

What is important is that it raises the very important question of what happens when certain individual organizations and companies decide to arm-twist net surfers into following a certain behavior that is profitable only to those organizations/companies and to no one else. Take for example Apple iTunes. It is the most proprietary platform for music that you can imagine. If you want to listen to the music it offers, you have to make sure you register your device, promise not to share your music with anyone, use only the features the software offers, remain dependent on the vendor and pay up every time you want to listen to something new. Not just that, even the hardware devices are locked in to the iTunes account; you can't even change the battery of your device if you wanted to. In short, a total usurping of your Freedom to use your own hardware and software as you like, in direct violation of the principles on which the Internet community and its philosophies are based. The Internet and the web were designed to be the most open platform of our generation and the generations to follow. However, vested interests like Apple and Microsoft chip away at the very foundations of those principles by monopolizing the web and by business practices that benefit no one but their coffers...

Tuesday, November 23, 2010

Linux HowTo: Log Rotation with logrotate utility

If you have managed any Linux/Unix system for any length of time, you are bound to have been amazed at the amount of logs and trace files your system is capable of producing. The fact that Linux systems are able to manage all of their jobs and activities based on a handful of configuration files is pretty impressive. And they write their output to text files that can be extremely useful in troubleshooting and debugging. However, this also means that you will have to do something about the log and trace files, because if you don't, it is highly likely that you will run out of disk space soon.

Thankfully, Linux comes with a utility to help you with this. The utility is called logrotate. A simple description of the tool according to the man pages is:

# man -f  logrotate
logrotate            (8)  - rotates, compresses, and mails system logs
logrotate           (rpm) - Rotates, compresses, removes and mails system log files.

At its very simplest, logrotate is a log file manager. Its default configuration can be found in /etc/logrotate.conf. If a certain system utility like syslog or apache needs a little more than the basic default configuration, you can create a new configuration file (or modify an existing one). The non-default configuration files are found in the directory /etc/logrotate.d.

But wait. That is not all. If you want to automate log rotation you can employ the good old scheduling utility cron. Simply add a crontab entry that runs logrotate against the configuration file of the program (like syslog) whose logs you want to manage.

For example, here is a cron entry to manage logs for the syslog utility:

# root's crontab entry (added with 'crontab -e'): run logrotate daily at midnight.
# Note: a fragment from /etc/logrotate.d run on its own inherits none of the defaults
# in /etc/logrotate.conf (rotate count, interval), so pointing cron at
# /etc/logrotate.conf, which includes that directory, is the safer choice.
0  0  *  *  *  /usr/sbin/logrotate   /etc/logrotate.d/syslog


In the above, once a day (at midnight), logrotate will read the configuration file for the syslog utility (in /etc/logrotate.d) and take the actions specified in that config file. Besides the rotation itself, the config file can run commands before the rotation (prerotate) and after it (postrotate); here the post-rotation action sends a HUP to syslogd so that it reopens its log files. On my system, the syslog logrotate config file looks like this:


# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
And the default logrotate config file looks like this:


# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
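As an added example (not code from this post), here is a small Python audit that merges a logrotate.conf with the fragments its include line would pull in, the way logrotate applies the global defaults to each stanza, and flags the effective settings a defender cares about: a rotate count of 0 (old logs are deleted rather than kept, and 0 is logrotate's default when nothing sets it) and an explicit create mode that leaves the new log world-readable. GLOBAL_CONF and FRAGMENTS are constructed samples modelled on the two files above.

```python
# Added example: resolve the effective logrotate settings per log file and audit them.
# GLOBAL_CONF and FRAGMENTS are constructed samples modelled on the post's files.
GLOBAL_CONF = "weekly\nrotate 4\ncreate\ninclude /etc/logrotate.d\n/var/log/wtmp {\n    monthly\n    create 0664 root utmp\n    rotate 1\n}\n"
FRAGMENTS = {  # what 'include /etc/logrotate.d' would pull in
    "/etc/logrotate.d/syslog": "/var/log/messages /var/log/secure {\n    sharedscripts\n    postrotate\n"
        "        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true\n    endscript\n}\n",
    "/etc/logrotate.d/app": "/var/log/app.log {\n    create 0644 root root\n    rotate 0\n}\n",
}
SCRIPT_KEYS = ("prerotate", "postrotate", "firstaction", "lastaction")

def parse(text, defaults):
    """Return (defaults, stanzas); a stanza is (paths, settings) with the globals
    in force at that point already copied in, which is how logrotate applies them."""
    defaults, stanzas, current, in_script = dict(defaults), [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_script:                                   # skip script bodies
            in_script = line != "endscript"
        elif line.endswith("{"):
            current = (line[:-1].split(), dict(defaults))
        elif line == "}":
            stanzas.append(current)
            current = None
        elif line.split()[0] in SCRIPT_KEYS:
            in_script = True
        else:
            parts = line.split(None, 1)
            (current[1] if current else defaults)[parts[0]] = parts[1] if len(parts) > 1 else ""
    return defaults, stanzas

def audit(global_text, fragments):
    """Map each log path to its findings ([] when the effective settings are fine)."""
    defaults, stanzas = parse(global_text, {})
    for text in fragments.values():                     # the included fragments
        stanzas += parse(text, defaults)[1]
    findings = {}
    for paths, s in stanzas:
        problems = []
        if s.get("rotate", "0") == "0":                 # logrotate's default is 0
            problems.append("rotate 0: old copies are deleted, not kept")
        mode = s.get("create", "").split()[:1]          # bare 'create' keeps the old mode
        if mode and int(mode[0], 8) & 0o004:
            problems.append("create mode %s is world-readable" % mode[0])
        for p in paths:
            findings[p] = list(problems)
    return findings
```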

Monday, November 22, 2010

Android will be the # 1 Mobile Platform

Going by the impressive growth that Android has registered in the short 2 years it has been around, all indications are that it is doing great and will keep doing so for a long time to come. In fact, it is only a matter of time before it becomes the #1 Mobile Platform. Even Steve Wozniak agrees.
And that is cool. Android is based on Linux. Linux is based on the GNU / Opensource License. This means that if corporations like Google identify the opportunities behind FOSS (Free Open Source Software), and are willing to enhance and advance its development, then even the most proprietary of companies (like Apple) will acknowledge the challenge FOSS presents.
While this is certainly positive news, FOSS still has a long way to go before it can become mainstream. Take a look at computer sales for the home consumer market, for example. There are hardly any manufacturers who are willing to use FOSS as the OEM install for their hardware. Look at proprietary companies like Microsoft and Apple on the other hand; they are easily accessible. This is a lesson for the FOSS community. The Opensource ideals are good and great. But until the critical mass of end-user experience of Linux and Android reaches that of the competitors in terms of reach and polish, there are many challenges in the way of FOSS becoming universally acceptable. Nevertheless, good job. Keep it up Linux and Android !!

Thursday, November 11, 2010

Linux HowTo: My Top 10 Linux Commands

My Top Ten Linux Commands of all Time:

# ps       - Process status. Comes with a lot of options, eg: 'ps -ef' and 'ps -l'

# man      - Manual of commands. Very useful for quick reference on commands. eg: man -f <cmd>

# find     - Finds files by name, file type, modify time etc. eg: find . -name <filename>

# grep     - Searches for regular expressions in files. eg: grep <search criterion> <filename>

# vim      - Visual editor improved. Indispensable for shell scripting. eg: vim <shell script>

# who      - Tells who is logged in.

# w        - Similar to who but more detailed.

# uname    - Info about the system, OS, kernel version etc. eg: uname -r, uname -a

# ping     - Sends ICMP echo requests to check basic network connectivity. eg: ping <remotehost>

# mailx    - Inbuilt mail agent. Very useful for sending notifications and alerts, esp. from shell scripts.
             eg: # mailx -s "subject" recipient1 recipient2 < message_file

Amazon removes Books advising Paedophiles

First Read this  - http://news.blogs.cnn.com/2010/11/10/amazon-com-book-defending-pedophilia-sparks-boycott-call/?hpt=Sbin 

Then Read this - http://www.abc.net.au/news/stories/2010/11/12/3064233.htm?section=justin

Amazon was recently in the news for putting on sale on its ubiquitous Amazon.com a book advising paedophiles.
But after a media outcry, it was promptly taken off sale. Earlier it was reported that they had defended their decision to put the book on sale in the first place. Whatever the initial move, it looks like the vehement protests and barrage of emails and phone calls made them change their mind.

I think that is a smart move on their part to remove the book from sale on their site. In doing so, they have probably helped arrest the damage to their reputation (and maybe even the stock price?). In my opinion, the Internet is a Free phenomenon which at the same time is incredibly resilient to perversity. While Freedom on the Internet can allow a certain organization to try to do something they deem right, the response of the Internet community is sometimes big enough for the organization to revert or at least rethink their first move. That is important. After all, Freedom is a good thing but abuse of Freedom is not. One person's Freedom to do something cannot be allowed to take away another's Freedom. Not on the Internet at least. I think Amazon's book sale would have encouraged paedophiles and thus resulted in a violation of the Freedom of many others who don't want the Internet to be used as a medium to pronounce perversity. Lesson learnt by Amazon, I suppose...

Thursday, November 4, 2010

Linux HowTo: SSH Primer

Secure Shell or ssh uses public-key cryptography as its base.
    -it requires two keys to open a file (public + private); somewhat like a bank locker which requires two keys (bank's + user's)
    -the public key is freely accessible.
    -the private key is strictly restricted.
    -the combination of public + private key is supposed to be unique.

-how does it work?
        . both receiver and sender must have access to each others public key
        . sender encrypts:      sender priv key + receiver pub key + data
        . sender sends
        . receiver decrypts:    sender pub key + receiver priv key + data

Note:
-ssh is a proprietary protocol owned by the Finnish company SSH Communications Security.
-although the source code for the original ssh is open, various restrictions are imposed on its use and distribution.
-openssh is the opensource version of ssh under the openbsd project and is more popular and secure than the original ssh.

-To be fully secure, all insecure connections in a network need to be eliminated.
-eg:    host 'a' connects to host 'b' via telnet; host 'b' connects to host 'c' via ssh.
          In this case, because of the insecure a-b connection, the traffic between b and c can be monitored and cracked.

-useful commands:
        # yum -y install openssh-server
        # rpm -qa | grep -i openssh
        # service sshd    start | stop | status
        # ssh -6 user@server                [ ipv6 ]
-useful files:
        . /etc/ssh/sshd_config                [ server daemon config ]
        . /etc/ssh/ssh_config                  [ client config ]
        . ~/.ssh/known_hosts                [ a directory (list) of the ssh hosts this user has connected to ]

-ssh tunneling = port forwarding     =    poor man's vpn
-using one host (hostA) to connect securely to another host (hostB), ie via hostA:
        clientA# ssh    -L    local_port:hostB:dest_port   hostA
    ie:    clientA ==ssh== hostA ----- hostB
    ie:    the user on clientA authenticates on hostA; whatever is sent to clientA:local_port is carried through the ssh session to hostA, which passes it on to hostB:dest_port.
    ie:    it is a way for people inside a firewall or proxy to bypass the firewall restrictions and get to the computers in the outside world.

-ssh tunneling = port forwarding = a way to forward otherwise insecure tcp traffic through ssh.
-utility             = allows users to access their company data securely while remote (home, internet, etc)
-as long as the user has an ip connection to the Internet, he can connect to the remote server securely.

-sftp is a secure ftp service offered by the ssh daemon.
        # sftp    user@host
        sftp> get remote_file                [ get, put, ls etc. ]
        sftp> bye
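As an added example (not from this post), here is a Python check of the server-side file named above, /etc/ssh/sshd_config, against a small hardening baseline. The baseline in CHECKS is this example's own assumption: root logins, password logins and unrestricted TCP forwarding (what the -L tunnels above rely on) are reported as findings. Parsing mirrors sshd's rules (first value of a directive wins) and stops at the first Match block, whose lines apply only conditionally. SAMPLE_SSHD_CONFIG is a constructed file.

```python
# Added example: audit sshd_config against a hardening baseline. The baseline
# (CHECKS) and the sshd defaults listed in it are this example's assumptions.
# SAMPLE_SSHD_CONFIG is a constructed file, roughly what a stock install ships.
SAMPLE_SSHD_CONFIG = """\
# see sshd_config(5)
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
"""

# (directive, value wanted, value assumed when the line is absent)
CHECKS = [
    ("Protocol", "2", "2"),
    ("PermitRootLogin", "no", "yes"),        # releases of that era default to yes
    ("PasswordAuthentication", "no", "yes"),
    ("PermitEmptyPasswords", "no", "no"),
    ("AllowTcpForwarding", "no", "yes"),     # the '-L' tunnels above need this
    ("X11Forwarding", "no", "no"),
]

def parse_sshd_config(text):
    """Directive -> value. Keys are case-insensitive and the first occurrence
    wins, as in sshd. Stops at the first Match block (conditional settings)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return 'Directive: got X, want Y' for every check the config fails."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, want, default in CHECKS:
        got = settings.get(directive.lower(), default)
        if got.lower() != want:
            findings.append("%s: got %s, want %s" % (directive, got, want))
    return findings
```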

Linux HowTo: Virtualization Primer - VM, Xen, KVM

Virtualization    -    abstraction of computer resources to present a simulated environment to the software running on it (via h/w, s/w or both).

-Some virtualization terms:
        -host os                 - the base host
        -guest os/vm         - the virtual machine
        -hypervisor            - also called virtual machine monitor (vmm)
                                     - the abstraction layer that emulates a virtual set of resources (eg cpu, ram, disk)
        -h/w emulation      - s/w is used to emulate the cpu instruction set, so the guest vm runs slower than a standalone machine. eg bochs
        -para virtualization    - s/w based, where the guest vm kernel is modified to fit in the host env. speed comparable to a standalone machine. eg xen
        -full virtualization  - handled at the host cpu level (hardware virtualization extensions); the guest vm runs without any overhead or modification. eg kvm


-kvm
        - kernel based vm
        - built into the linux kernel, ie, it turns the linux kernel into a hypervisor.
        - since the various linux distros are based on the common kernel, kvm is compatible with several distros.

-virt-install Command:
        -virt-install is a command line tool to create virtual machines.
        -you can install it in either of these ways:
            # yum groupinstall virtualization
            # yum install virt-install

-the virtual machine daemon is libvirtd.
 -eg:      # service libvirtd    start    |  stop    |  status

-To create a vm env:
            # virt-install    --prompt        [it prompts you for responses like vm name, ram, disk etc]

Wednesday, November 3, 2010

Linux HowTo: NFS Primer

NFS or Network File System was introduced by Sun Microsystems in the 1980s as a mechanism to share files with remote hosts. In those days, when network technology was primitive (and the Internet unknown), this was a great innovation. Over the years, NFS has matured and has been adopted by virtually all Unix and Linux systems. This discussion is a brief primer on the topic.

-nfs is a client-server technology; the client-server communication happens via rpc (remote procedure call).
-portmap  -    is the rpc service manager. Whenever a service wants to make itself available on the nfs server, it needs to register itself with portmap.
-portmap tells the client where the service is located on the server.

-current versions of nfs are 2, 3 & 4, version 3 being the most common and widely used.

-nfs can be a kernel builtin or it can be a standalone nfs daemon.
-the default seems to be the standalone nfs daemon.

-the primary nfs config file is /etc/exports, and its format is:
        <dir>    <client(options)>            [ there could be multiple clients, each with its own options ]

-to export what is listed in /etc/exports:
          # exportfs  <option>
-eg:    # exportfs            -a=export all, -r=re-export, -o=options like ro, rw, no_root_squash (default is root_squash) etc

-to see what a server currently exports:
        # showmount  -e

-to mount an nfs fs on the client side:
        # mount -t nfs -o <options>    server:/dir    /mountpoint        options like ro, rw, soft, hard, bg etc...

-hard     mount    -    client waits indefinitely
-soft    mount    -    client will timeout eventually

-intr     -    nfs interrupt option     - enables processes to interrupt an nfs call and move on if the server is not responding.

-default block size in nfs:
        - version 2,3        -    1 KB
        - version 4           -    4 KB
-the above can be tuned using the wsize & rsize params        (write and read).
-eg:    in /etc/fstab on the client (/etc/exports on the server lists what is shared; the client's fstab lists what is mounted):
            serverA:/home    /mnt/home    nfs    nfsvers=3,rw,bg,rsize=8192,wsize=8192    0 0
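As an added example (not from this post), here is a Python linter for the /etc/exports format described above. It follows the exports(5) grammar, including the pitfall that bites in practice: 'client(opts)' binds the options to that client, but 'client (opts)' with a space gives the client the defaults and hands the options to every host. It reports no_root_squash (remote root is root on the exported tree) and exports reachable by any host. SAMPLE_EXPORTS is a constructed file.

```python
# Added example: lint /etc/exports for entries that hand out more than intended.
# SAMPLE_EXPORTS is a constructed file, not taken from any real server.
SAMPLE_EXPORTS = """\
# dir        clients
/srv/www     192.0.2.0/24(ro,sync)
/home        192.0.2.10(rw,sync) 192.0.2.11(rw,sync,no_root_squash)
/scratch     *(rw)
/backup      192.0.2.12 (rw,no_root_squash)
"""

def parse_exports(text):
    """Return [(dir, [(client, {options}), ...]), ...] following exports(5):
    'client(opts)' binds the options to that client, while 'client (opts)'
    (note the space) gives the client the defaults and the options to '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        clients = []
        for token in fields[1:]:
            if token.startswith("("):                 # options with no client
                clients.append(("*", set(token.strip("()").split(","))))
            elif "(" in token:
                client, opts = token.rstrip(")").split("(", 1)
                clients.append((client, set(opts.split(","))))
            else:
                clients.append((token, set()))        # defaults: ro, root_squash
        entries.append((fields[0], clients))
    return entries

def audit_exports(text):
    """One finding per (dir, client) that is world-reachable or trusts remote root."""
    findings = []
    for directory, clients in parse_exports(text):
        for client, opts in clients:
            if "no_root_squash" in opts:
                findings.append("%s %s: no_root_squash, remote root is root here" % (directory, client))
            if client == "*" and "rw" in opts:
                findings.append("%s: writable by every host" % directory)
            elif client == "*":
                findings.append("%s: exported to every host" % directory)
    return findings
```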

Tuesday, November 2, 2010

Linux HowTo: Preventing SYN Flood denial of service attacks

-Denial of Service Attacks - are malicious attacks on a system by a remote host which sends numerous connection requests in rapid succession, thereby overwhelming the resources of the destination and effectively 'denying' its services to other legitimate users or hosts.

-SYN flag    -    the tcp flag that marks a connection request; a SYN packet is sent by the source host to the dest host when starting a tcp connection (and it is the packet abused in this denial of service attack).

-SYNACK    -    the acknowledgement of the SYN from dest to source.

-after the source receives the SYNACK, it sends an ack for the SYNACK (to dest). This completes the handshake.

-until this time, a table of half-open connections (SYN received, SYNACK sent) is maintained on the dest.

-SYN flood    -    a situation in which the source sends numerous SYNs but never sends the final ack; so the half-open entries just pile up on the dest and bring it down.

-SYN cookie    -    a linux mechanism to survive a SYN flood: when the half-open table fills up, the kernel stops storing state for new SYNs and instead encodes it in the SYNACK sequence number (the 'cookie'), which the final ack returns, so the flood cannot exhaust the table.

-to activate SYN cookies:
        # sysctl    net.ipv4.tcp_syncookies             [shows]
        # sysctl  -w    net.ipv4.tcp_syncookies=1       [sets ]    To make it persistent across reboots, edit /etc/sysctl.conf

-to set the max number of simultaneously open files:
        # cat /proc/sys/fs/file-max                    [shows]
        # sysctl  -w    fs.file-max=value
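As an added example (not from this post), here is Python detection logic for the half-open table described above: it reads `ss -tan` output, counts SYN-RECV sockets per local port and per peer, and flags what exceeds a threshold. It also emits the /etc/sysctl.conf lines that go with tcp_syncookies=1; those values are this example's suggestion, not the post's. SAMPLE_SS is constructed, not captured from a real host.

```python
# Added example: spot a SYN flood in `ss -tan` output by counting half-open
# (SYN-RECV) sockets. SAMPLE_SS is constructed, not captured from a real host.
import collections

SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.1:22         198.51.100.7:51000
SYN-RECV   0      0      192.0.2.1:80         203.0.113.5:40001
SYN-RECV   0      0      192.0.2.1:80         203.0.113.5:40002
SYN-RECV   0      0      192.0.2.1:80         203.0.113.9:40003
SYN-RECV   0      0      192.0.2.1:80         203.0.113.5:40004
SYN-RECV   0      0      192.0.2.1:443        203.0.113.5:40005
ESTAB      0      0      192.0.2.1:80         198.51.100.8:52000
"""

def half_open(ss_output):
    """Count SYN-RECV sockets per local port and per peer address."""
    per_port, per_peer = collections.Counter(), collections.Counter()
    for line in ss_output.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        per_port[fields[3].rsplit(":", 1)[1]] += 1
        per_peer[fields[4].rsplit(":", 1)[0]] += 1
    return per_port, per_peer

def syn_flood_suspects(ss_output, per_peer_limit=3, per_port_limit=100):
    """Peers holding more than per_peer_limit half-open connections, and local
    ports whose total suggests the SYN table is filling. Flood sources are
    usually spoofed and spread thin, so the per-port number is the telling one."""
    per_port, per_peer = half_open(ss_output)
    peers = sorted(p for p, n in per_peer.items() if n > per_peer_limit)
    ports = sorted(p for p, n in per_port.items() if n > per_port_limit)
    return peers, ports

# Kernel knobs that go with tcp_syncookies=1, as /etc/sysctl.conf lines
# (the values are this example's suggestion, not the post's).
HARDENING = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "4096",  # size of the half-open table
    "net.ipv4.tcp_synack_retries": "2",      # give up sooner on unanswered SYNACKs
}

def sysctl_conf_lines():
    """Render HARDENING in the 'key = value' form /etc/sysctl.conf expects."""
    return ["%s = %s" % item for item in sorted(HARDENING.items())]
```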

Linux HowTo: PAM Primer

PAM    -     Pluggable Auth Module

  - a security layer in Linux that takes on the task of authentication on behalf of apps, instead of apps having to do so themselves.
  - each application has its own pam config file.
  - how? - when programs need to authenticate someone, they call one of the functions in the pam library.
  - pam then checks the config file for that application. If a specific config is not there, a default file is still there (/etc/pam.d/other).
  - the config file tells the pam library which modules to call and what checks to perform.
  - the checks performed by a library module may be as simple as checking /etc/passwd or as complex as checking with an ldap server.
  - the config files exist in    /etc/pam.d
  - the library modules exist in   /lib/security.

    app -> config -> library module <-> user


-Each pam config file is evaluated line by line. Each line returns a success or failure flag, and the combined result of the flags (according to the control flag on each line) is returned to the app.

-Config file format:
  - col 1  module_type  - auth, account, session, password
      [auth = asks for the password; account = account attributes (eg tty type); session = env settings, logging; password = points to the module used to change the password]
  - col 2  control_flag   - required, requisite, sufficient, optional
  - col 3  module_path  - actual path of the library module
  - col 4  arguments   - optional, has values like debug, no_warn, use_first_pass etc...


-it is recommended to leave the default config file /etc/pam.d/other as it is (it is very restrictive by nature).


-To fix pam errors, you can log into single user mode.
 -a good place to look is /var/log/messages.
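As an added example (not from this post), here is a Python walk of an auth stack in the four-column format described above, applying the semantics of the four control flags: required remembers a failure but keeps going (so a caller cannot tell which module failed), requisite stops at once, sufficient ends the stack with success unless a required module already failed, and optional only counts when it is the sole rule. Module results are simulated with a table instead of loading real modules; SAMPLE_STACK is a constructed file using the /lib/security paths named in the post.

```python
# Added example: evaluate a PAM auth stack the way libpam walks the control flags.
# SAMPLE_STACK is constructed; module results come from a table, not real modules.
SAMPLE_STACK = """\
# type     control     module-path                     arguments
auth       required    /lib/security/pam_env.so
auth       requisite   /lib/security/pam_securetty.so
auth       sufficient  /lib/security/pam_unix.so       try_first_pass
auth       sufficient  /lib/security/pam_ldap.so       use_first_pass
auth       required    /lib/security/pam_deny.so
"""

def parse_stack(text, module_type):
    """Return [(control, module, args)] for the lines of the given type."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        if mtype == module_type:
            rules.append((control, module.rsplit("/", 1)[-1], args))
    return rules

def run_stack(rules, results):
    """results: module name -> True/False. Returns (final_ok, modules_called)."""
    called, final, last_optional = [], None, None
    only_optional = bool(rules) and all(c == "optional" for c, _m, _a in rules)
    for control, module, _args in rules:
        ok = results.get(module, False)     # a module that cannot run counts as failing
        called.append(module)
        if control == "required":
            if not ok and final is None:
                final = False               # remember the failure, keep walking
        elif control == "requisite":
            if not ok:
                return False, called        # stop at once
        elif control == "sufficient":
            if ok and final is None:
                return True, called         # enough, unless a required already failed
        elif control == "optional":
            last_optional = ok              # only matters when nothing else decides
    if only_optional:
        return bool(last_optional), called
    return final is None, called
```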