shadow: recommended pam.d/login

Jonathan Oksman jonathan.oksman at gmail.com
Fri Mar 23 10:35:15 PDT 2007


Hello once again everyone,

In the section of the book for shadow, after installing PAM, there is
a small problem I have noticed with the suggested pam.d/login.  Here
it is for reference:

> # Begin /etc/pam.d/login
>
> auth        requisite      pam_securetty.so
> auth        requisite      pam_nologin.so
> auth        required       pam_unix.so
> account     required       pam_access.so
> account     required       pam_unix.so
> session     required       pam_env.so
> session     required       pam_motd.so
> session     required       pam_limits.so
> session     optional       pam_mail.so      dir=/var/mail standard
> session     optional       pam_lastlog.so
> session     required       pam_unix.so
> password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
>                                             dcredit=3 ocredit=3 \
>                                             ucredit=2 lcredit=2
> password    required       pam_unix.so      md5 shadow use_authtok
>
> # End /etc/pam.d/login

The problem with this configuration is that it allows users to brute
force for usernames at the login prompt.  The breakdown is like this:

- user enters an incorrect name
- pam_securetty.so fails to validate the username, and returns
  incomplete.  since it is a requisite, login fails right here.

The way to make login behave as it did before installing PAM would be to
make the following configuration:

> # Begin /etc/pam.d/login
>
> auth        requisite      pam_nologin.so
> auth        required       pam_securetty.so
> auth        required       pam_unix.so
> account     required       pam_access.so
> account     required       pam_unix.so
> session     required       pam_env.so
> session     required       pam_motd.so
> session     required       pam_limits.so
> session     optional       pam_mail.so      dir=/var/mail standard
> session     optional       pam_lastlog.so
> session     required       pam_unix.so
> password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
>                                             dcredit=3 ocredit=3 \
>                                             ucredit=2 lcredit=2
> password    required       pam_unix.so      md5 shadow use_authtok
>
> # End /etc/pam.d/login

This makes PAM take whatever you entered for a username and still ask
for a password. Of course, if the account cannot be verified at the
next stage of authentication then access is denied, but now nobody
learns anything about the system.

Looking only at the auth portion of the configuration, it could also
be arranged as such to get the same effect:

> auth    requisite   pam_nologin.so
> auth    required    pam_securetty.so
> auth    sufficient  pam_unix.so
> auth    required    pam_deny.so

This still makes authentication with pam_unix required, since pam_deny
will fail if no sufficient module has succeeded. This leaves the
configuration open to other authentication schemes being added in the
future if the user chooses.

If others are in agreement with my first change I'll add a ticket. Not for
a few hours though, since I'm stuck in lynx at this computer and don't
feel like attempting to navigate the wiki like this... *laughs*

The second example is just what I've been using since it seems stable.
I doubt that needs to be included for the book, although it does show
off some of the abilities of pam_deny.


Jonathan
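The post above explains the behaviour in terms of PAM's control flags. The following is an added example, not part of the original message and not Linux-PAM code: a small Python simulation of how a Linux-PAM auth stack evaluates requisite, required, sufficient and optional entries, applied to the three auth stacks quoted above. The modules (pam_securetty, pam_nologin, pam_unix, pam_deny) are simplified stand-ins, and the user database, secure tty list and "no /etc/nologin" state are constructed for the example. The observable a person at the login prompt gets is whether a password was asked for at all, so that is what the simulation records.

```python
# Added example (not from the blfs-dev post): simulate Linux-PAM auth-stack
# control-flag semantics to show why a requisite pam_securetty.so placed
# first lets an attacker tell valid usernames from invalid ones.
# Module behaviour is simplified; nothing here calls the real PAM library.

SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "SUCCESS", "AUTH_ERR", "USER_UNKNOWN", "PERM_DENIED")

USERS = {"alice": "s3cret", "root": "toor"}   # constructed sample user database
SECURE_TTYS = {"tty1", "console"}              # assumed /etc/securetty contents
NOLOGIN_PRESENT = False                        # assume /etc/nologin is absent


def pam_securetty(ctx):
    # Real pam_securetty looks the user up before checking the tty and reports
    # PAM_USER_UNKNOWN for a nonexistent account; that early result is the leak.
    if ctx["user"] not in USERS:
        return USER_UNKNOWN
    if ctx["user"] == "root" and ctx["tty"] not in SECURE_TTYS:
        return AUTH_ERR
    return SUCCESS


def pam_nologin(ctx):
    # Refuses non-root logins only while /etc/nologin exists.
    return AUTH_ERR if NOLOGIN_PRESENT and ctx["user"] != "root" else SUCCESS


def pam_unix(ctx):
    # The password prompt is the only thing visible at the terminal, so record
    # that it happened, then check the password against the sample database.
    ctx["prompted"] = True
    return SUCCESS if USERS.get(ctx["user"]) == ctx["password"] else AUTH_ERR


def pam_deny(ctx):
    return PERM_DENIED


def run_auth_stack(stack, ctx):
    """Evaluate [(control, module), ...] with Linux-PAM's simple control flags.

    requisite: failure ends the stack immediately with that code.
    required:  failure is remembered (first failure wins) but the stack goes on.
    sufficient: success ends the stack with SUCCESS unless a required entry
                already failed; failure is ignored.
    optional:  success counts as a positive impression, failure is ignored.
    A stack that produced no impression at all yields PERM_DENIED.
    """
    impression = None
    for control, module in stack:
        rc = module(ctx)
        if control == "requisite":
            if rc != SUCCESS:
                return rc
            impression = impression or SUCCESS
        elif control == "required":
            if rc != SUCCESS:
                if impression in (None, SUCCESS):
                    impression = rc
            else:
                impression = impression or SUCCESS
        elif control == "sufficient":
            if rc == SUCCESS and impression in (None, SUCCESS):
                return SUCCESS
        elif control == "optional":
            if rc == SUCCESS:
                impression = impression or SUCCESS
    return PERM_DENIED if impression is None else impression


def login_attempt(stack, user, password, tty="tty1"):
    """Return (result_code, was_prompted_for_password) for one login attempt."""
    ctx = {"user": user, "password": password, "tty": tty, "prompted": False}
    return run_auth_stack(stack, ctx), ctx["prompted"]


def leaks_usernames(stack):
    """True if a valid and an invalid username are treated visibly differently."""
    _, known = login_attempt(stack, "alice", "wrong")
    _, unknown = login_attempt(stack, "mallory", "wrong")
    return known != unknown


# The three auth stacks from the post, in order of appearance.
BOOK_STACK = [("requisite", pam_securetty), ("requisite", pam_nologin),
              ("required", pam_unix)]
FIXED_STACK = [("requisite", pam_nologin), ("required", pam_securetty),
               ("required", pam_unix)]
DENY_STACK = [("requisite", pam_nologin), ("required", pam_securetty),
              ("sufficient", pam_unix), ("required", pam_deny)]

if __name__ == "__main__":
    for name, stack in (("book", BOOK_STACK), ("fixed", FIXED_STACK),
                        ("deny", DENY_STACK)):
        print(name, "leaks usernames:", leaks_usernames(stack),
              "| unknown user:", login_attempt(stack, "mallory", "x"),
              "| root on tty9:", login_attempt(stack, "root", "toor", "tty9"))
```

With the book's stack the unknown user is rejected before any password prompt, while a real user is prompted, so the prompt itself tells an attacker which names exist. In the other two stacks every name is prompted; the result code still differs internally, but login only reports a generic failure. The `root` on an insecure tty case shows that moving pam_securetty to required does not weaken it: its failure is remembered and the login is refused even with the correct password.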



More information about the blfs-dev mailing list