Beyond Linux^® From Scratch (System V Edition) - Version 2021-04-13

Chapter 4. Security

Prev
libcap-2.49 with PAM
Next
liboauth-1.0.3
Up
Home

Linux-PAM-1.5.1

Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.

This package is known to build and work properly using an LFS-10.1 platform.

Package Information

Download (HTTP): https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz
Download MD5 sum: 155f2a31d07077b2c63a1f135876c31b
Download size: 952 KB
Estimated disk space required: 37 MB (with tests)
Estimated build time: 0.4 SBU (with tests)

Additional Downloads

Optional Documentation

Download (HTTP): https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1-docs.tar.xz
Download MD5 sum: eb03b8191fc886780411054115866ee2
Download size 432 KB

Linux PAM Dependencies

Optional

Berkeley DB-5.3.28, libnsl-1.3.0, libtirpc-1.3.1, libaudit, and Prelude

Optional (To Rebuild the Documentation)

docbook-xml-4.5, docbook-xsl-1.79.2, fop-2.6, libxslt-1.1.34 and either Lynx-2.8.9rel.1 or W3m

[Note]

Note

Shadow-4.8.1 needs to be reinstalled after installing and configuring Linux PAM.

With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not installed by default. To enforce strong passwords, it is recommended to use libpwquality-1.4.4.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/linux-pam

Installation of Linux PAM

First prevent the installation of an unneeded systemd file:

sed -e /service_DATA/d \
    -i modules/pam_namespace/Makefile.am &&
autoreconf

If you downloaded the documentation, unpack the tarball by issuing the following command.

tar -xf ../Linux-PAM-1.5.1-docs.tar.xz --strip-components=1

If you instead want to regenerate the documentation, fix the configure script so that it detects lynx if installed:

sed -e 's/dummy elinks/dummy lynx/'                                    \
    -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
    -i configure

Install Linux PAM by running the following commands:

./configure --prefix=/usr                    \
            --sysconfdir=/etc                \
            --libdir=/usr/lib                \
            --enable-securedir=/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-1.5.1 &&
make

To test the results, a suitable /etc/pam.d/other configuration file must exist.

[Caution]

Reinstallation or upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The installed one can be used for that purpose.

You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. In case you have modified those files, be sure to back them up.

For a first installation, create the configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF

Now run the tests by issuing make check. Ensure there are no errors produced by the tests before continuing the installation. Note that the checks are quite long. It may be useful to redirect the output to a log file in order to inspect it thoroughly.

Only in case of a first installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -fv /etc/pam.d/other

Now, as the root user:

make install &&
chmod -v 4755 /sbin/unix_chkpwd &&

for file in pam pam_misc pamc
do
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

Command Explanations

--enable-securedir=/lib/security: This switch sets the installation location for the PAM modules.

--disable-regenerate-docu : If the needed dependencies (docbook-xml-4.5, docbook-xsl-1.79.2, libxslt-1.1.34, and Lynx-2.8.9rel.1 or W3m) are installed, the manual pages, and the html and text documentations are (re)generated and installed. Furthermore, if fop-2.6 is installed, the PDF documentation is generated and installed. Use this switch if you do not want to rebuild the documentation.

chmod -v 4755 /sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid so that non-root processes can access the shadow file.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Below is an example file:

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

Now set up some generic files. As the root: user

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session
EOF
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required    pam_unix.so       sha512 shadow try_first_pass

# End /etc/pam.d/system-password
EOF

If you wish to enable strong password support, install libpwquality-1.4.4, and follow the instructions in that page to configure the pam_pwquality PAM module with strong password support.

Now add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application is created.

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so

# End /etc/pam.d/other
EOF

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

[Important]

Important

You should now reinstall the Shadow-4.8.1 package.

Contents

Installed Program: faillock, mkhomedir_helper, pam_namespace_helper, pam_timestamp_check, pwhistory_helper, unix_chkpwd and unix_update

Installed Libraries: libpam.so, libpamc.so and libpam_misc.so

Installed Directories: /etc/security, /lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.5.1

Short Descriptions

faillock	displays and modifies the authentication failure record files
mkhomedir_helper	is a helper binary that creates home directories
pam_namespace_helper	is a helper program used to configure a private namespace for a user session
pwhistory_helper	is a helper program that transfers password hashes from passwd or shadow to opasswd
pam_timestamp_check	is used to check if the default timestamp is valid
unix_chkpwd	is a helper binary that verifies the password of the current user
unix_update	is a helper binary that updates the password of a given user
`libpam.so`	provides the interfaces between applications and the PAM modules

Last updated on 2021-02-20 00:13:48 -0600

Prev
libcap-2.49 with PAM
Next
liboauth-1.0.3
Up
Home