Understanding Pluggable Authentication Modules

A Pluggable Authentication Module (PAM) performs the actual MD5 encryption, described in the "Learning the Role of Shadow Passwords" section. PAM provides a flexible method for authenticating users on Linux systems. Through settings in configuration files, you can change the authentication method on the fly, without having to actually modify programs, such as login and passwd, which verify a user's identity.

Linux uses PAM extensively, and the configuration files are in the /etc/pam.d directory of your system. Check out the contents of this directory on your system by listing it, for example with ls /etc/pam.d.

Each configuration file in this directory specifies how users are authenticated for a specific utility. For example, there is a file for each of login, passwd, su, and a whole host of the GUI redhat-config utilities. Here's what I see when I type cat /etc/pam.d/passwd on my system:

auth       required   pam_stack.so service=system-auth
account    required   pam_stack.so service=system-auth
password   required   pam_stack.so service=system-auth

These lines indicate that authentication, account management, and password checking should all be done by using the pam_stack module (/lib/security/pam_stack.so) with the argument service=system-auth. Essentially, the pam_stack module refers to another configuration file in the /etc/pam.d directory. In this case, the configuration file is /etc/pam.d/system-auth. Here's the content of the /etc/pam.d/system-auth file on my Linux PC:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Although I won't go over all the details, here's a brief explanation of PAM configuration files.

Each line in a PAM configuration file specifies the rules to be used for a specific type of authentication service. The general syntax of each line in a PAM configuration file is the following:

module-type control module-path module-arguments

The meaning of these four fields is as follows:

• module-type denotes the type of service being controlled by this line. The acceptable module types are: account for verifying the account (for example, whether the user's password has expired or whether a user is permitted access to the requested service); auth for authenticating a user's claimed identity, typically by using some challenge-response method where the user is asked for a password; password for updating passwords; and session for performing tasks before the user is given access to a service and after the user is done with the service.

• control determines how PAM behaves when the module does not succeed in its task. Typically, the control field is set to required or sufficient. If the control field is set to required, the module must be successful for the authentication to continue (the remaining lines of the stack are still evaluated, but the overall result is a failure). If the control field is set to sufficient and the module is successful, no other checks are needed and the authentication is considered complete. The system-auth file above also uses requisite, which behaves like required except that a failure ends the stack immediately, without running the lines that follow.

• module-path specifies the pathname of a PAM module (a shared library object) that implements the service. In the pathname /lib/security/$ISA/, ISA refers to an environment variable that you can set to a subdirectory where you decide to organize the PAM modules for your system. Typically, ISA is not defined and the PAM modules are located in the /lib/security directory.

• module-arguments lists any module-specific options that are then passed to the module. It is up to the module to parse and interpret these options. Everything after the first three fields is interpreted as module arguments.

In the /etc/pam.d/system-auth file, the first three lines are for the auth service:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

Here the first auth line loads the PAM module pam_env.so, which can set or unset environment variables. The second auth line specifies an authentication module that checks the user's identity by using the PAM module pam_unix.so with the arguments likeauth nullok. The options in the argument string have the following meanings:

♦ likeauth: Returns the same value whether the module is used to set new credentials or authenticate an existing user name

♦ nullok: Allows a blank password

The third auth line in the /etc/pam.d/system-auth file uses the pam_deny.so module to deny access to the requested service if the pam_unix.so module's authentication is unsuccessful.

Following the auth lines in the /etc/pam.d/system-auth file comes an account line:

account required /lib/security/$ISA/pam_unix.so

The account service uses the pam_unix.so module to make sure that the user account has not expired, that the user is allowed to log in at a given time of day, and so on.

Later in the /etc/pam.d/system-auth file, you see two password lines that specify how passwords are set:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

The first password line uses the pam_cracklib.so module to check the strength of the new password by trying to crack it (that's what the cracklib in the module's name indicates). The retry=3 argument indicates that the user can try to enter a new password three times at most. The second password line indicates that MD5 encryption is used to store the password in the /etc/shadow file.
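To make the four-field syntax and the required/sufficient/requisite control flags concrete, here is an added Python example (not code from the book or from Linux-PAM). It parses the auth and password stacks of the system-auth file shown above and walks each stack with caller-supplied, hypothetical module verdicts, so you can see which lines actually run before access is granted or refused.

```python
from dataclasses import dataclass, field

# Constructed sample: the auth and password stacks from the page's /etc/pam.d/system-auth.
SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
"""

# Modules whose verdict never depends on the user. Any other module's verdict is
# looked up in the hypothetical 'results' dict the caller passes to run_stack.
FIXED = {"pam_env.so": True, "pam_permit.so": True, "pam_deny.so": False}

@dataclass
class Rule:
    module_type: str
    control: str
    module_path: str
    args: list = field(default_factory=list)

def parse_pam(text):
    """Parse 'module-type control module-path [module-arguments...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines carry no rule
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(fields[0].lower(), fields[1].lower(), fields[2], fields[3:]))
    return rules

def run_stack(rules, module_type, results):
    """Walk one service stack with the classic control flags.
    Returns (granted, modules_consulted) so the short-circuit behaviour is visible."""
    consulted, required_failed = [], False
    for r in rules:
        if r.module_type != module_type:
            continue
        name = r.module_path.rsplit("/", 1)[-1]
        consulted.append(name)
        ok = FIXED.get(name, results.get(name, False))
        if r.control == "requisite" and not ok:
            return False, consulted          # stop at once; later lines never run
        if r.control == "required" and not ok:
            required_failed = True           # remember the failure, keep walking
        if r.control == "sufficient" and ok and not required_failed:
            return True, consulted           # done; the pam_deny.so line is skipped
    return bool(consulted) and not required_failed, consulted
```

Note that an empty stack (no lines for the requested service) is treated as a refusal, and that a sufficient success cannot override an earlier required failure.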

The /etc/pam.d/passwd configuration file applies when you use the passwd command to change passwords. Here's an example where I am trying to change my password (the text in brackets is my comment):

passwd
Changing password for naba
(current) UNIX password:    [I type my current password]
New UNIX password:          [I type "xyzz"]
BAD PASSWORD: it is too short
New UNIX password:          [I type "transport" as password]
BAD PASSWORD: it is based on a dictionary word
New UNIX password:          [I type "naba12" as the new password]
BAD PASSWORD: it is based on your username
passwd: Authentication token manipulation error

In this case, the passwd program is using the PAM modules to check my identity (when I first type my current password) and to make sure that each new password I try is strong. Finally, the PAM modules abort the passwd program after I fail to select a good password in three tries.

