Login Security

Scott Castaline hscast at charter.net
Fri Oct 3 15:02:50 PDT 2008


Randy McMurchy wrote:
> Dan Nicholson wrote:
> 
>> The pam system's administrator guide is very helpful.
>>
>> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
>>
>> The module pages and some general pam information are available as man
>> pages. See pam(8) and pam_unix(8). The pam_unix page even has a usable
>> example configuration.
>>
>> That said, pam is pretty complex. What has helped me besides reading
>> the documentation is looking at the configuration on the big distros.
>> Since they're distributing to a wide variety of users and settings,
>> they usually have a secure but usable setup. If you have another
>> system around (Ubuntu, Fedora, etc.), take a look at their login and
>> passwd settings.
> 
> Sorry to quote Dan's whole post but it is relevant. Thing that
> bothers me is that the PAM .so stack that BLFS currently uses
> is deprecated. Seems creating and using a system-auth (or
> perhaps auth-system; can't remember) module and config file is
> the way to go now.
> 
> I installed PAM yesterday, and Shadow now installs a set of
> /etc/pam.d files that will lock up the system (of course, I
> tried to login before doing anything further, as instructed
> by the BLFS book). This of course is using most recent Shadow
> and PAM.
> 
> Anyway, I had to delete all the /etc/pam.d files that Shadow
> installed and add the files specified by the BLFS book. We've
> got a lot of work ahead on this one.
> 
> I'm updating LFS to the most recent Shadow, so BLFS will have
> to follow. And the instructions will need to change. Anyone
> with some relevant experience with these newer Shadow and PAM
> packages should step up and let themselves be known. :-)
> 
I wound up copying everything from /etc/pam.d and then modified all of
the files to what is in the book, utilizing cracklib. Also, all pkgs used
were the versions in the book. It seems to be working now. Thanks Dan.
I booted from LiveCD and made the changes as mentioned above and then
was able to reboot into my LFS system to finish the config.

Scott
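
A check to run before logging out or rebooting in the situation this thread describes, where a newly installed set of /etc/pam.d files locks the system. This is an added example, not part of the original messages or of the BLFS book. It reports modules and included config files that the PAM files refer to but that are not on disk, which is only one possible cause of such a lockout; `pam_absent.so`, `system-password` and the directory names in `demo` are constructed for illustration.

```shell
# Added example: report PAM references that do not resolve to a file.
# Assumed line layout in each service file: "type control module [args]".

# Emit "<kind> <name>" for each module or included config a file refers to.
pam_refs() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        NF == 0 { next }
        $1 == "@include" { print "conf", $2; next }
        {
            i = 2                                # control field; may be "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            kind = ($i == "include" || $i == "substack") ? "conf" : "mod"
            if (i < NF) print kind, $(i + 1)
        }' "$1"
}

# pam_check CONF_DIR MODULE_DIR...
# Prints one line per unresolved reference; returns 1 if there are any.
pam_check() {
    conf_dir=$1; shift
    out=$(
        for f in "$conf_dir"/*; do
            [ -f "$f" ] || continue
            pam_refs "$f" | while read -r kind name; do
                found=no
                case $kind:$name in
                    conf:*) [ -f "$conf_dir/$name" ] && found=yes ;;
                    mod:/*) [ -f "$name" ] && found=yes ;;
                    mod:*)  for d in "$@"; do [ -f "$d/$name" ] && found=yes; done ;;
                esac
                [ "$found" = yes ] || echo "${f##*/}: missing $kind $name"
            done
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: "login" names a module and a config that do not exist.
demo() {
    t=$(mktemp -d); mkdir "$t/pam.d" "$t/security"
    : > "$t/security/pam_unix.so"
    printf 'auth required pam_unix.so nullok\n' > "$t/pam.d/system-auth"
    printf '%s\n' '# login' 'auth [success=1 default=ignore] pam_absent.so' \
        'auth include system-auth' 'password include system-password' > "$t/pam.d/login"
    rc=0; pam_check "$t/pam.d" "$t/security" || rc=$?
    rm -rf "$t"; return "$rc"
}
```

On a real system the call would be along the lines of `pam_check /etc/pam.d /lib/security`, with the module directory adjusted to wherever PAM modules are installed (an assumption that varies by system).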



More information about the blfs-support mailing list