Login Security

Randy McMurchy randy at linuxfromscratch.org
Fri Oct 3 13:27:31 PDT 2008


Dan Nicholson wrote:

> The pam system's administrator guide is very helpful.
> 
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
> 
> The module pages and some general pam information are available as man
> pages. See pam(8) and pam_unix(8). The pam_unix page even has a usable
> example configuration.
> 
> That said, pam is pretty complex. What has helped me besides reading
> the documentation is looking at the configuration on the big distros.
> Since they're distributing to a wide variety of users and settings,
> they usually have a secure but usable setup. If you have another
> system around (Ubuntu, Fedora, etc.), take a look at their login and
> passwd settings.

Sorry to quote Dan's whole post but it is relevant. Thing that
bothers me is that the PAM .so stack that BLFS currently uses
is deprecated. Seems creating and using a system-auth (or
perhaps auth-system; can't remember) module and config file is
the way to go now.

I installed PAM yesterday, and Shadow now installs a set of
/etc/pam.d files that will lock up the system (of course, I
tried to log in before doing anything further, as instructed
by the BLFS book). This of course is using most recent Shadow
and PAM.

Anyway, I had to delete all the /etc/pam.d files that Shadow
installed and add the files specified by the BLFS book. We've
got a lot of work ahead on this one.

I'm updating LFS to the most recent Shadow, so BLFS will have
to follow. And the instructions will need to change. Anyone
with some relevant experience with these newer Shadow and PAM
packages should step up and let themselves be known. :-)

-- 
Randy



More information about the blfs-support mailing list