Context Navigation

source: postlfs/security/linux-pam.xml

Visit:

trunk

Last change on this file was 2773977, checked in by Xi Ruoyao <xry111@…>, 2 days ago
linux-pam: Get rid of rpath
Property mode set to `100644`
File size: 19.7 KB

Line
1	<?xml version="1.0" encoding="UTF-8"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8	<!ENTITY linux-pam-download-ftp " ">
9	<!ENTITY linux-pam-md5sum "8ad1e72d1ff6480d8e0af658e2d7b768">
10	<!ENTITY linux-pam-size "1.0 MB">
11	<!ENTITY linux-pam-buildsize "39 MB (with tests)">
12	<!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14	<!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15	<!ENTITY linux-pam-docs-md5sum "46dc9f9a27ef73a2fbe3b667877e88da">
16	<!ENTITY linux-pam-docs-size "455 KB">
17	<!--
18	<!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19	-->
20	]>
21
22	<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23	<?dbhtml filename="linux-pam.html"?>
24
25
26	<title>Linux-PAM-&linux-pam-version;</title>
27
28	<indexterm zone="linux-pam">
29	<primary sortas="a-Linux-PAM">Linux-PAM</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to Linux PAM</title>
34
35	<para>
36	The <application>Linux PAM</application> package contains
37	Pluggable Authentication Modules used by the local
38	system administrator to control how application programs authenticate
39	users.
40	</para>
41
42	&lfs121_checked;
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>
48	Download (HTTP): <ulink url="&linux-pam-download-http;"/>
49	</para>
50	</listitem>
51	<listitem>
52	<para>
53	Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
54	</para>
55	</listitem>
56	<listitem>
57	<para>
58	Download MD5 sum: &linux-pam-md5sum;
59	</para>
60	</listitem>
61	<listitem>
62	<para>
63	Download size: &linux-pam-size;
64	</para>
65	</listitem>
66	<listitem>
67	<para>
68	Estimated disk space required: &linux-pam-buildsize;
69	</para>
70	</listitem>
71	<listitem>
72	<para>
73	Estimated build time: &linux-pam-time;
74	</para>
75	</listitem>
76	</itemizedlist>
77
78	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
79	<itemizedlist spacing="compact">
80	<title>Optional Documentation</title>
81	<listitem>
82	<para>
83	Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
84	</para>
85	</listitem>
86	<listitem>
87	<para>
88	Download MD5 sum: &linux-pam-docs-md5sum;
89	</para>
90	</listitem>
91	<listitem>
92	<para>
93	Download size: &linux-pam-docs-size;
94	</para>
95	</listitem>
96	</itemizedlist>
97
98	<bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
99
100	<bridgehead renderas="sect4">Optional</bridgehead>
101	<para role="optional">
102	<xref linkend="libnsl"/>,
103	<xref linkend="libtirpc"/>,
104	<xref linkend="rpcsvc-proto"/>,
105	&berkeley-db;,
106	<ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>,
107	<ulink url="https://github.com/openSUSE/libeconf">libeconf</ulink>, and
108	<ulink url="https://www.prelude-siem.org">Prelude</ulink>
109	</para>
110	<!-- With 1.5.3, building the doc requires the namespaced version of
111	docbook-xsl, which is beyond BLFS.
112
113	<bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
114	<para role="optional">
115	<xref linkend="DocBook"/>,
116	<xref linkend="docbook-xsl"/>,
117	<xref linkend="fop"/>,
118	<xref linkend="libxslt"/> and either
119	<xref linkend="lynx"/> or
120	<ulink url="&w3m-url;">W3m</ulink>
121	</para>
122	-->
123	<note>
124	<para role="required">
125	<xref role="runtime" linkend="shadow"/>
126	<phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
127	must</phrase><phrase revision="sysv">must</phrase> be reinstalled
128	and reconfigured
129	after installing and configuring <application>Linux PAM</application>.
130	</para>
131
132	<para role="recommended">
133	With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
134	installed by default. Use <xref role="runtime" linkend="libpwquality"/>
135	to enforce strong passwords.
136	</para>
137	</note>
138
139	</sect2>
140
141	<sect2 role="kernel" id="linux-pam-kernel">
142	<title>Kernel Configuration</title>
143
144	<para>
145	For the PAM module <filename
146	class='libraryfile'>pam_loginuid.so</filename> (referred by
147	the PAM configuration file <filename>system-session</filename> if
148	<phrase revision='sysv'><xref linkend='elogind'/> is
149	built</phrase><phrase revision='systemd'><xref linkend='systemd'/> is
150	rebuilt with PAM support</phrase> later) to work,
151	a kernel configuration parameter need to be set or the module will
152	just do nothing:
153	</para>
154
155	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
156	href="linux-pam-kernel.xml"/>
157
158	<indexterm zone="linux-pam linux-pam-kernel">
159	<primary sortas="d-linux-pam">Linux-PAM</primary>
160	</indexterm>
161
162	</sect2>
163
164	<sect2 role="installation">
165	<title>Installation of Linux PAM</title>
166
167	<para revision="sysv">
168	First, prevent the installation of an unneeded systemd file:
169	</para>
170
171	<screen revision="sysv"><userinput>sed -e /service_DATA/d \
172	-i modules/pam_namespace/Makefile.am</userinput></screen>
173
174	<!-- https://github.com/linux-pam/linux-pam/issues/809 -->
175	<para>
176	The shipped <filename>libtool.m4</filename> file has a configuration
177	inconsistent with LFS <filename class='directory'>/usr</filename>
178	hierarchy. This issue would cause
179	<filename class='libraryfile'>libpam_misc.so</filename> linked with
180	an rpath flag which may sometimes cause troubles or even security
181	issues. Regenerate the building system to fix the inconsistency:
182	</para>
183
184	<screen><userinput>autoreconf -fi</userinput></screen>
185
186	<para>
187	If you downloaded the documentation, unpack the tarball by issuing
188	the following command.
189	</para>
190
191	<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
192	<!--
193	<para>
194	If you want to regenerate the documentation yourself, fix the
195	<command>configure</command> script so it will detect lynx:
196	</para>
197
198	<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
199	-e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
200	-i configure</userinput></screen>
201	-->
202	<para>
203	Compile and link <application>Linux PAM</application> by
204	running the following commands:
205	</para>
206
207	<screen><userinput>./configure --prefix=/usr \
208	--sbindir=/usr/sbin \
209	--sysconfdir=/etc \
210	--libdir=/usr/lib \
211	--enable-securedir=/usr/lib/security \
212	--docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
213	make</userinput></screen>
214
215	<para>
216	To test the results, a suitable <filename>/etc/pam.d/other</filename>
217	configuration file must exist.
218	</para>
219
220	<caution>
221	<title>Reinstallation or Upgrade of Linux PAM</title>
222	<para>
223	If you have a system with Linux PAM installed and working, be careful
224	when modifying the files in
225	<filename class="directory">/etc/pam.d</filename>, since your system
226	may become totally unusable. If you want to run the tests, you do not
227	need to create another <filename>/etc/pam.d/other</filename> file. The
228	existing file can be used for the tests.
229	</para>
230
231	<para>
232	You should also be aware that <command>make install</command>
233	overwrites the configuration files in
234	<filename class="directory">/etc/security</filename> as well as
235	<filename>/etc/environment</filename>. If you
236	have modified those files, be sure to back them up.
237	</para>
238	</caution>
239
240	<para>
241	For a first-time installation, create a configuration file by issuing the
242	following commands as the <systemitem class="username">root</systemitem>
243	user:
244	</para>
245
246	<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
247
248	cat > /etc/pam.d/other << "EOF"
249	<literal>auth required pam_deny.so
250	account required pam_deny.so
251	password required pam_deny.so
252	session required pam_deny.so</literal>
253	EOF</userinput></screen>
254
255	<para>
256	Now run the tests by issuing <command>make check</command>.
257	Be sure the tests produced no errors before continuing the
258	installation. Note that the tests are very long.
259	Redirect the output to a log file, so you can inspect it thoroughly.
260	</para>
261
262	<para>
263	For a first-time installation, remove the configuration file
264	created earlier by issuing the following command as the
265	<systemitem class="username">root</systemitem> user:
266	</para>
267
268	<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
269
270	<para>
271	Now, as the <systemitem class="username">root</systemitem>
272	user:
273	</para>
274
275	<screen role="root"><userinput>make install &&
276	chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
277
278	</sect2>
279
280	<sect2 role="commands">
281	<title>Command Explanations</title>
282
283	<para>
284	<parameter>--enable-securedir=/usr/lib/security</parameter>:
285	This switch sets the installation location for the
286	<application>PAM</application> modules.
287	</para>
288	<!--
289	<para>
290	<option>- -disable-regenerate-docu</option> : If the needed dependencies
291	(<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
292	linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
293	url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
294	html and text documentation files, are generated and installed.
295	Furthermore, if <xref linkend="fop"/> is installed, the PDF
296	documentation is generated and installed. Use this switch if you do not
297	want to rebuild the documentation.
298	</para>
299	-->
300	<para>
301	<command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
302	The setuid bit for the <command>unix_chkpwd</command> helper program must be
303	turned on, so that non-<systemitem class="username">root</systemitem>
304	processes can access the shadow file.
305	</para>
306
307	</sect2>
308
309	<sect2 role="configuration">
310	<title>Configuring Linux-PAM</title>
311
312	<sect3 id="pam-config">
313	<title>Configuration Files</title>
314
315	<para>
316	<filename>/etc/security/*</filename> and
317	<filename>/etc/pam.d/*</filename>
318	</para>
319
320	<indexterm zone="linux-pam pam-config">
321	<primary sortas="e-etc-security">/etc/security/*</primary>
322	</indexterm>
323
324	<indexterm zone="linux-pam pam-config">
325	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
326	</indexterm>
327
328	</sect3>
329
330	<sect3>
331	<title>Configuration Information</title>
332
333	<para>
334	Configuration information is placed in
335	<filename class="directory">/etc/pam.d/</filename>.
336	Here is a sample file:
337	</para>
338
339	<screen><literal># Begin /etc/pam.d/other
340
341	auth required pam_unix.so nullok
342	account required pam_unix.so
343	session required pam_unix.so
344	password required pam_unix.so nullok
345
346	# End /etc/pam.d/other</literal></screen>
347
348	<para>
349	Now create some generic configuration files. As the
350	<systemitem class="username">root</systemitem> user:
351	</para>
352
353	<screen role="root"><userinput>install -vdm755 /etc/pam.d &&
354	cat > /etc/pam.d/system-account << "EOF" &&
355	<literal># Begin /etc/pam.d/system-account
356
357	account required pam_unix.so
358
359	# End /etc/pam.d/system-account</literal>
360	EOF
361
362	cat > /etc/pam.d/system-auth << "EOF" &&
363	<literal># Begin /etc/pam.d/system-auth
364
365	auth required pam_unix.so
366
367	# End /etc/pam.d/system-auth</literal>
368	EOF
369
370	cat > /etc/pam.d/system-session << "EOF" &&
371	<literal># Begin /etc/pam.d/system-session
372
373	session required pam_unix.so
374
375	# End /etc/pam.d/system-session</literal>
376	EOF
377
378	cat > /etc/pam.d/system-password << "EOF"
379	<literal># Begin /etc/pam.d/system-password
380
381	# use yescrypt hash for encryption, use shadow, and try to use any
382	# previously defined authentication token (chosen password) set by any
383	# prior module.
384	password required pam_unix.so yescrypt shadow try_first_pass
385
386	# End /etc/pam.d/system-password</literal>
387	EOF
388	</userinput></screen>
389
390	<para>
391	If you wish to enable strong password support, install
392	<xref linkend="libpwquality"/>, and follow the
393	instructions on that page to configure the pam_pwquality
394	PAM module with strong password support.
395	</para>
396
397	<para>
398	Next, add a restrictive <filename>/etc/pam.d/other</filename>
399	configuration file. With this file, programs that are PAM aware will
400	not run unless a configuration file specifically for that application
401	exists.
402	</para>
403
404	<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
405	<literal># Begin /etc/pam.d/other
406
407	auth required pam_warn.so
408	auth required pam_deny.so
409	account required pam_warn.so
410	account required pam_deny.so
411	password required pam_warn.so
412	password required pam_deny.so
413	session required pam_warn.so
414	session required pam_deny.so
415
416	# End /etc/pam.d/other</literal>
417	EOF</userinput></screen>
418
419	<para>
420	The <application>PAM</application> man page (<command>man
421	pam</command>) provides a good starting point to learn
422	about the several fields, and allowable entries.
423	<!-- not accessible 2022-09-08 -->
424	<!-- it's available at a different address 2022-10-23-->
425	The
426	<ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
427	Linux-PAM System Administrators' Guide
428	</ulink> is recommended for additional information.
429	</para>
430
431	<important>
432	<para>
433	You should now reinstall the <xref linkend="shadow"/>
434	<phrase revision="sysv">package</phrase>
435	<phrase revision="systemd"> and <xref linkend="systemd"/>
436	packages</phrase>.
437	</para>
438	</important>
439
440	</sect3>
441
442	</sect2>
443
444	<sect2 role="content">
445	<title>Contents</title>
446
447	<segmentedlist>
448	<segtitle>Installed Program</segtitle>
449	<segtitle>Installed Libraries</segtitle>
450	<segtitle>Installed Directories</segtitle>
451
452	<seglistitem>
453	<seg>
454	faillock, mkhomedir_helper, pam_namespace_helper,
455	pam_timestamp_check, pwhistory_helper, unix_chkpwd and
456	unix_update
457	</seg>
458	<seg>
459	libpam.so, libpamc.so and libpam_misc.so
460	</seg>
461	<seg>
462	/etc/security,
463	/usr/lib/security,
464	/usr/include/security and
465	/usr/share/doc/Linux-PAM-&linux-pam-version;
466	</seg>
467	</seglistitem>
468	</segmentedlist>
469
470	<variablelist>
471	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
472	<?dbfo list-presentation="list"?>
473	<?dbhtml list-presentation="table"?>
474
475	<varlistentry id="faillock">
476	<term><command>faillock</command></term>
477	<listitem>
478	<para>
479	displays and modifies the authentication failure record files
480	</para>
481	<indexterm zone="linux-pam faillock">
482	<primary sortas="b-faillock">faillock</primary>
483	</indexterm>
484	</listitem>
485	</varlistentry>
486
487	<varlistentry id="mkhomedir_helper">
488	<term><command>mkhomedir_helper</command></term>
489	<listitem>
490	<para>
491	is a helper binary that creates home directories
492	</para>
493	<indexterm zone="linux-pam mkhomedir_helper">
494	<primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
495	</indexterm>
496	</listitem>
497	</varlistentry>
498
499	<varlistentry id="pam_namespace_helper">
500	<term><command>pam_namespace_helper</command></term>
501	<listitem>
502	<para>
503	is a helper program used to configure a private namespace for a
504	user session
505	</para>
506	<indexterm zone="linux-pam pam_namespace_helper">
507	<primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
508	</indexterm>
509	</listitem>
510	</varlistentry>
511
512	<varlistentry id="pwhistory_helper">
513	<term><command>pwhistory_helper</command></term>
514	<listitem>
515	<para>
516	is a helper program that transfers password hashes from passwd or
517	shadow to opasswd
518	</para>
519	<indexterm zone="linux-pam pwhistory_helper">
520	<primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
521	</indexterm>
522	</listitem>
523	</varlistentry>
524	<!-- Removed with the removal of the pam_tally{,2} module
525	<varlistentry id="pam_tally">
526	<term><command>pam_tally</command></term>
527	<listitem>
528	<para>
529	is used to interrogate and manipulate the login counter file.
530	</para>
531	<indexterm zone="linux-pam pam_tally">
532	<primary sortas="b-pam_tally">pam_tally</primary>
533	</indexterm>
534	</listitem>
535	</varlistentry>
536
537	<varlistentry id="pam_tally2">
538	<term><command>pam_tally2</command></term>
539	<listitem>
540	<para>
541	is used to interrogate and manipulate the login counter file, but
542	does not have some limitations that <command>pam_tally</command>
543	does.
544	</para>
545	<indexterm zone="linux-pam pam_tally2">
546	<primary sortas="b-pam_tally2">pam_tally2</primary>
547	</indexterm>
548	</listitem>
549	</varlistentry>
550	-->
551
552	<varlistentry id="pam_timestamp_check">
553	<term><command>pam_timestamp_check</command></term>
554	<listitem>
555	<para>
556	is used to check if the default timestamp is valid
557	</para>
558	<indexterm zone="linux-pam pam_timestamp_check">
559	<primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
560	</indexterm>
561	</listitem>
562	</varlistentry>
563
564	<varlistentry id="unix_chkpwd">
565	<term><command>unix_chkpwd</command></term>
566	<listitem>
567	<para>
568	is a helper binary that verifies the password of the current user
569	</para>
570	<indexterm zone="linux-pam unix_chkpwd">
571	<primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
572	</indexterm>
573	</listitem>
574	</varlistentry>
575
576	<varlistentry id="unix_update">
577	<term><command>unix_update</command></term>
578	<listitem>
579	<para>
580	is a helper binary that updates the password of a given user
581	</para>
582	<indexterm zone="linux-pam unix_update">
583	<primary sortas="b-unix_update">unix_update</primary>
584	</indexterm>
585	</listitem>
586	</varlistentry>
587
588	<varlistentry id="libpam">
589	<term><filename class="libraryfile">libpam.so</filename></term>
590	<listitem>
591	<para>
592	provides the interfaces between applications and the
593	PAM modules
594	</para>
595	<indexterm zone="linux-pam libpam">
596	<primary sortas="c-libpam">libpam.so</primary>
597	</indexterm>
598	</listitem>
599	</varlistentry>
600
601	</variablelist>
602
603	</sect2>
604
605	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: