r8607 - in trunk/BOOK: . introduction/welcome postlfs/security

dj at linuxfromscratch.org dj at linuxfromscratch.org
Fri Sep 24 22:32:31 PDT 2010


Author: dj
Date: 2010-09-24 23:32:25 -0600 (Fri, 24 Sep 2010)
New Revision: 8607

Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/shadow.xml
Log:
Added /etc/pam.d/system-* configuration files.

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2010-09-19 20:42:45 UTC (rev 8606)
+++ trunk/BOOK/general.ent	2010-09-25 05:32:25 UTC (rev 8607)
@@ -3,7 +3,7 @@
 $Date$
 -->
 
-<!ENTITY day          "19">                   <!-- Always 2 digits -->
+<!ENTITY day          "25">                   <!-- Always 2 digits -->
 <!ENTITY month        "09">                   <!-- Always 2 digits -->
 <!ENTITY year         "2010">
 <!ENTITY copyrightdate "2001-&year;">

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2010-09-19 20:42:45 UTC (rev 8606)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2010-09-25 05:32:25 UTC (rev 8607)
@@ -41,6 +41,15 @@
 
 -->
     <listitem>
+      <para>September 25th, 2010</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Added /etc/pam.d/system-* configuration files.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>September 19th, 2010</para>
       <itemizedlist>
         <listitem>

Modified: trunk/BOOK/postlfs/security/shadow.xml
===================================================================
--- trunk/BOOK/postlfs/security/shadow.xml	2010-09-19 20:42:45 UTC (rev 8606)
+++ trunk/BOOK/postlfs/security/shadow.xml	2010-09-25 05:32:25 UTC (rev 8607)
@@ -232,7 +232,7 @@
       <itemizedlist spacing="compact">
       <listitem>
         <para><ulink
-        url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
+        url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html"/></para>
       </listitem>
       <listitem>
         <para><ulink
@@ -296,68 +296,48 @@
       </sect4>
 
       <sect4>
-        <title>'login' (with CrackLib)</title>
+        <title>'system-account'</title>
 
-<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
-<literal># Begin /etc/pam.d/login
+<screen role="root"><userinput>cat > /etc/pam.d/system-account << "EOF"
+<literal># Begin /etc/pam.d/system-account
 
-auth        requisite      pam_nologin.so
-auth        required       pam_securetty.so
-auth        required       pam_unix.so
-account     required       pam_access.so
-account     required       pam_unix.so
-session     required       pam_env.so
-session     required       pam_motd.so
-session     required       pam_limits.so
-session     optional       pam_mail.so      dir=/var/mail standard
-session     optional       pam_lastlog.so
-session     required       pam_unix.so
-password    required       pam_cracklib.so  retry=3
-password    required       pam_unix.so      md5 shadow use_authtok
+account   required    pam_unix.so
 
-# End /etc/pam.d/login</literal>
+# End /etc/pam.d/system-account</literal>
 EOF</userinput></screen>
 
       </sect4>
 
       <sect4>
-        <title>'login' (without CrackLib)</title>
+        <title>'system-auth'</title>
 
-<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
-<literal># Begin /etc/pam.d/login
+<screen role="root"><userinput>cat > /etc/pam.d/system-auth << "EOF"
+<literal># Begin /etc/pam.d/system-auth
 
-auth        requisite      pam_nologin.so
-auth        required       pam_securetty.so
-auth        required       pam_env.so
-auth        required       pam_unix.so
-account     required       pam_access.so
-account     required       pam_unix.so
-session     required       pam_motd.so
-session     required       pam_limits.so
-session     optional       pam_mail.so      dir=/var/mail standard
-session     optional       pam_lastlog.so
-session     required       pam_unix.so
-password    required       pam_unix.so      md5 shadow
+auth      required    pam_unix.so
 
-# End /etc/pam.d/login</literal>
+# End /etc/pam.d/system-auth</literal>
 EOF</userinput></screen>
 
       </sect4>
 
       <sect4>
-        <title>'passwd' (with CrackLib)</title>
+        <title>'system-passwd' (with cracklib)</title>
 
-<screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
-<literal># Begin /etc/pam.d/passwd
+<screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
+<literal># Begin /etc/pam.d/system-password
 
-password    required       pam_cracklib.so  type=Linux retry=1 \
-                                            difok=5 diffignore=23 minlen=9 \
-                                            dcredit=1 ucredit=1 lcredit=1 \
-                                            ocredit=1 \
-                                            dictpath=/lib/cracklib/pw_dict
-password    required       pam_unix.so      md5 shadow use_authtok
+# check new passwords for strength (man pam_cracklib)
+password  required    pam_cracklib.so   type=Linux retry=3 difok=5 \
+                                        difignore=23 minlen=9 dcredit=1 \
+                                        ucredit=1 lcredit=1 ocredit=1 \
+                                        dictpath=/lib/cracklib/pw_dict
+# use sha512 hash for encryption, use shadow, and use the
+# authentication token (chosen password) set by pam_cracklib
+# above (or any previous modules)
+password  required    pam_unix.so       sha512 shadow use_authtok
 
-# End /etc/pam.d/passwd</literal>
+# End /etc/pam.d/system-password</literal>
 EOF</userinput></screen>
 
         <note><para>In its default configuration, owing to credits,
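Review bot: The section title `<title>'system-passwd' (with cracklib)</title>` names a file that nothing in the hunk creates: the heredoc below it writes /etc/pam.d/system-password, and the login and passwd stacks later in this commit `include system-password`. A reader following the titles will look for a system-passwd file that does not exist, so the title should read `<title>'system-password' (with cracklib)</title>`. The same mismatch appears in the 'system-passwd' (without cracklib) title added in the next hunk.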
@@ -368,14 +348,96 @@
         of your system.</para></note>
 
       </sect4>
+      
+      <sect4>
+        <title>'system-passwd' (without cracklib)</title>
 
+<screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
+<literal># Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any perviously
+# defined authentication token (chosen password) set by any prior module
+password  required    pam_unix.so       sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
       <sect4>
-        <title>'passwd' (without CrackLib)</title>
+        <title>'system-session'</title>
 
+<screen role="root"><userinput>cat > /etc/pam.d/system-session << "EOF"
+<literal># Begin /etc/pam.d/system-session
+
+session   required    pam_unix.so
+
+# End /etc/pam.d/system-session</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'login'</title>
+
+<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
+<literal># Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth      optional    pam_faildelay.so  delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth      requisite   pam_nologin.so
+
+# Check to make sure that root is allowed to login
+auth      required    pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth      optional    pam_group.so
+
+# include the default auth settings
+auth      include     system-auth
+
+# check access for the user
+account   required    pam_access.so
+
+# include the default account settings
+account   include     system-account
+
+# Set default environment variables for the user
+session   required    pam_env.so
+
+# Set resource limits for the user
+session   required    pam_limits.so
+
+# Display date of last login - Disabled by default
+#session   optional    pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session   optional    pam_motd.so
+
+# Check user's mail - Disabled by default
+#session   optional    pam_mail.so      standard quiet
+
+# Use xauth keys (if available)
+session   optional    pam_xauth.so
+
+# include the default session and password settings
+session   include     system-session
+password  include     system-password
+
+# End /etc/pam.d/login</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'passwd'</title>
+
 <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
 <literal># Begin /etc/pam.d/passwd
 
-password    required       pam_unix.so      md5 shadow
+password  include     system-password
 
 # End /etc/pam.d/passwd</literal>
 EOF</userinput></screen>
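Review bot: The comment in the non-cracklib system-password heredoc contains a typo, "perviously", and because the text sits inside the heredoc it is written verbatim into /etc/pam.d/system-password on every system built from this page. The line should read `# use sha512 hash for encryption, use shadow, and try to use any previously`. The rest of the login and session stacks in this hunk read consistently with the system-* files they include.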
@@ -388,14 +450,21 @@
 <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
 <literal># Begin /etc/pam.d/su
 
-auth        sufficient      pam_rootok.so
-auth        required        pam_unix.so
-account     required        pam_unix.so
-session     optional        pam_mail.so     dir=/var/mail standard
-session     optional        pam_xauth.so
-session     required        pam_env.so
-session     required        pam_unix.so
+# always allow root
+auth      sufficient  pam_rootok.so
 
+# include the default account settings
+account   include     system-account
+
+# Use xauth keys (if available)
+session   optional    pam_xauth.so
+
+# Set default environment variables for the service user
+session   required    pam_env.so
+
+# include system session defaults
+session   include     system-session
+
 # End /etc/pam.d/su</literal>
 EOF</userinput></screen>
 
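Review bot: The su auth stack now consists solely of `auth      sufficient  pam_rootok.so`; the removed `auth required pam_unix.so` has no replacement, and unlike the chage stack in the next hunk there is no `auth include system-auth`. For a non-root caller pam_rootok fails and no further module runs, which as far as I can tell leaves the stack with no authenticating module at all; that fails closed rather than open, but it appears to make su unusable for ordinary users. Adding `auth      include     system-auth` directly after the pam_rootok line, as chage does, would restore password authentication for non-root users while keeping the root shortcut.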
@@ -405,14 +474,19 @@
         <title>'chage'</title>
 
 <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
-<literal># Begin /etc/pam.d/chage
+<literal>#Begin /etc/pam.d/chage
 
-auth        sufficient      pam_rootok.so
-auth        required        pam_unix.so
-account     required        pam_unix.so
-session     required        pam_unix.so
-password    required        pam_permit.so
+# always allow root
+auth      sufficient  pam_rootok.so
 
+# include system defaults for auth account and session
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+
+# Always permit for authentication updates
+password  required    pam_permit.so
+
 # End /etc/pam.d/chage</literal>
 EOF</userinput></screen>
 
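Review bot: The header comment in the chage heredoc is written as `#Begin /etc/pam.d/chage`, while every other file in this commit uses `# Begin ...` with a space; since the comment lands in the generated file, the inconsistency is visible to anyone diffing the installed /etc/pam.d directory. The line should read `<literal># Begin /etc/pam.d/chage`. The stack itself (pam_rootok followed by the system-auth/account/session includes) is consistent with the pattern used elsewhere in the commit.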
@@ -464,14 +538,14 @@
 <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
 <literal># Begin /etc/pam.d/other
 
+auth        required        pam_warn.so
 auth        required        pam_deny.so
-auth        required        pam_warn.so
+account     required        pam_warn.so
 account     required        pam_deny.so
-account     required        pam_warn.so
+password    required        pam_warn.so
 password    required        pam_deny.so
-password    required        pam_warn.so
+session     required        pam_warn.so
 session     required        pam_deny.so
-session     required        pam_warn.so
 
 # End /etc/pam.d/other</literal>
 EOF</userinput></screen>



