Context Navigation

source: postlfs/security/linux-pam.xml@ b1fc5567

Visit:

12.1 gimp3 ken/TL2024 lazarus plabs/newcss rahul/power-profiles-daemon trunk xry111/llvm18

Last change on this file since b1fc5567 was 3c1cfcf7, checked in by Douglas R. Reno <renodr@…>, 6 months ago
Update to Linux-PAM-1.6.0 (Security Update)
Property mode set to `100644`
File size: 18.4 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8	<!ENTITY linux-pam-download-ftp " ">
9	<!ENTITY linux-pam-md5sum "41a10af5fc35a7be472ae9864338e64a">
10	<!ENTITY linux-pam-size "1.0 MB">
11	<!ENTITY linux-pam-buildsize "39 MB (with tests)">
12	<!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14	<!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15	<!ENTITY linux-pam-docs-md5sum "db41b71435df078658b3db1f57bb2a49">
16	<!ENTITY linux-pam-docs-size "456 KB">
17	<!--
18	<!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19	-->
20	]>
21
22	<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23	<?dbhtml filename="linux-pam.html"?>
24
25
26	<title>Linux-PAM-&linux-pam-version;</title>
27
28	<indexterm zone="linux-pam">
29	<primary sortas="a-Linux-PAM">Linux-PAM</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to Linux PAM</title>
34
35	<para>
36	The <application>Linux PAM</application> package contains
37	Pluggable Authentication Modules used by the local
38	system administrator to control how application programs authenticate
39	users.
40	</para>
41
42	&lfs120_checked;
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>
48	Download (HTTP): <ulink url="&linux-pam-download-http;"/>
49	</para>
50	</listitem>
51	<listitem>
52	<para>
53	Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
54	</para>
55	</listitem>
56	<listitem>
57	<para>
58	Download MD5 sum: &linux-pam-md5sum;
59	</para>
60	</listitem>
61	<listitem>
62	<para>
63	Download size: &linux-pam-size;
64	</para>
65	</listitem>
66	<listitem>
67	<para>
68	Estimated disk space required: &linux-pam-buildsize;
69	</para>
70	</listitem>
71	<listitem>
72	<para>
73	Estimated build time: &linux-pam-time;
74	</para>
75	</listitem>
76	</itemizedlist>
77
78	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
79	<itemizedlist spacing="compact">
80	<title>Optional Documentation</title>
81	<listitem>
82	<para>
83	Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
84	</para>
85	</listitem>
86	<listitem>
87	<para>
88	Download MD5 sum: &linux-pam-docs-md5sum;
89	</para>
90	</listitem>
91	<listitem>
92	<para>
93	Download size &linux-pam-docs-size;
94	</para>
95	</listitem>
96	</itemizedlist>
97
98	<bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
99
100	<bridgehead renderas="sect4">Optional</bridgehead>
101	<para role="optional">
102	<xref linkend="libnsl"/>,
103	<xref linkend="libtirpc"/>,
104	<xref linkend="rpcsvc-proto"/>,
105	&berkeley-db;,
106	<ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>,
107	<ulink url="https://github.com/openSUSE/libeconf">libeconf</ulink>, and
108	<ulink url="https://www.prelude-siem.org">Prelude</ulink>
109	</para>
110	<!-- With 1.5.3, building the doc requires the namespaced version of
111	docbook-xsl, which is beyond BLFS.
112
113	<bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
114	<para role="optional">
115	<xref linkend="DocBook"/>,
116	<xref linkend="docbook-xsl"/>,
117	<xref linkend="fop"/>,
118	<xref linkend="libxslt"/> and either
119	<xref linkend="lynx"/> or
120	<ulink url="&w3m-url;">W3m</ulink>
121	</para>
122	-->
123	<note>
124	<para role="required">
125	<xref role="runtime" linkend="shadow"/>
126	<phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
127	must</phrase><phrase revision="sysv">must</phrase> be reinstalled
128	and reconfigured
129	after installing and configuring <application>Linux PAM</application>.
130	</para>
131
132	<para role="recommended">
133	With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
134	installed by default. Use <xref role="runtime" linkend="libpwquality"/>
135	to enforce strong passwords.
136	</para>
137	</note>
138
139	</sect2>
140
141	<sect2 role="installation">
142	<title>Installation of Linux PAM</title>
143
144	<para revision="sysv">
145	First, prevent the installation of an unneeded systemd file:
146	</para>
147
148	<screen revision="sysv"><userinput>sed -e /service_DATA/d \
149	-i modules/pam_namespace/Makefile.am &&
150	autoreconf</userinput></screen>
151
152	<para>
153	If you downloaded the documentation, unpack the tarball by issuing
154	the following command.
155	</para>
156
157	<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
158	<!--
159	<para>
160	If you want to regenerate the documentation yourself, fix the
161	<command>configure</command> script so it will detect lynx:
162	</para>
163
164	<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
165	-e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
166	-i configure</userinput></screen>
167	-->
168	<para>
169	Compile and link <application>Linux PAM</application> by
170	running the following commands:
171	</para>
172
173	<screen><userinput>./configure --prefix=/usr \
174	--sbindir=/usr/sbin \
175	--sysconfdir=/etc \
176	--libdir=/usr/lib \
177	--enable-securedir=/usr/lib/security \
178	--docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
179	make</userinput></screen>
180
181	<para>
182	To test the results, a suitable <filename>/etc/pam.d/other</filename>
183	configuration file must exist.
184	</para>
185
186	<caution>
187	<title>Reinstallation or Upgrade of Linux PAM</title>
188	<para>
189	If you have a system with Linux PAM installed and working, be careful
190	when modifying the files in
191	<filename class="directory">/etc/pam.d</filename>, since your system
192	may become totally unusable. If you want to run the tests, you do not
193	need to create another <filename>/etc/pam.d/other</filename> file. The
194	existing file can be used for the tests.
195	</para>
196
197	<para>
198	You should also be aware that <command>make install</command>
199	overwrites the configuration files in
200	<filename class="directory">/etc/security</filename> as well as
201	<filename>/etc/environment</filename>. If you
202	have modified those files, be sure to back them up.
203	</para>
204	</caution>
205
206	<para>
207	For a first-time installation, create a configuration file by issuing the
208	following commands as the <systemitem class="username">root</systemitem>
209	user:
210	</para>
211
212	<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
213
214	cat > /etc/pam.d/other << "EOF"
215	<literal>auth required pam_deny.so
216	account required pam_deny.so
217	password required pam_deny.so
218	session required pam_deny.so</literal>
219	EOF</userinput></screen>
220
221	<para>
222	Now run the tests by issuing <command>make check</command>.
223	Be sure the tests produced no errors before continuing the
224	installation. Note that the tests are very long.
225	Redirect the output to a log file, so you can inspect it thoroughly.
226	</para>
227
228	<para>
229	For a first-time installation, remove the configuration file
230	created earlier by issuing the following command as the
231	<systemitem class="username">root</systemitem> user:
232	</para>
233
234	<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
235
236	<para>
237	Now, as the <systemitem class="username">root</systemitem>
238	user:
239	</para>
240
241	<screen role="root"><userinput>make install &&
242	chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
243
244	</sect2>
245
246	<sect2 role="commands">
247	<title>Command Explanations</title>
248
249	<para>
250	<parameter>--enable-securedir=/usr/lib/security</parameter>:
251	This switch sets the installation location for the
252	<application>PAM</application> modules.
253	</para>
254	<!--
255	<para>
256	<option>- -disable-regenerate-docu</option> : If the needed dependencies
257	(<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
258	linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
259	url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
260	html and text documentation files, are generated and installed.
261	Furthermore, if <xref linkend="fop"/> is installed, the PDF
262	documentation is generated and installed. Use this switch if you do not
263	want to rebuild the documentation.
264	</para>
265	-->
266	<para>
267	<command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
268	The setuid bit for the <command>unix_chkpwd</command> helper program must be
269	turned on, so that non-<systemitem class="username">root</systemitem>
270	processes can access the shadow file.
271	</para>
272
273	</sect2>
274
275	<sect2 role="configuration">
276	<title>Configuring Linux-PAM</title>
277
278	<sect3 id="pam-config">
279	<title>Configuration Files</title>
280
281	<para>
282	<filename>/etc/security/*</filename> and
283	<filename>/etc/pam.d/*</filename>
284	</para>
285
286	<indexterm zone="linux-pam pam-config">
287	<primary sortas="e-etc-security">/etc/security/*</primary>
288	</indexterm>
289
290	<indexterm zone="linux-pam pam-config">
291	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
292	</indexterm>
293
294	</sect3>
295
296	<sect3>
297	<title>Configuration Information</title>
298
299	<para>
300	Configuration information is placed in
301	<filename class="directory">/etc/pam.d/</filename>.
302	Here is a sample file:
303	</para>
304
305	<screen><literal># Begin /etc/pam.d/other
306
307	auth required pam_unix.so nullok
308	account required pam_unix.so
309	session required pam_unix.so
310	password required pam_unix.so nullok
311
312	# End /etc/pam.d/other</literal></screen>
313
314	<para>
315	Now create some generic configuration files. As the
316	<systemitem class="username">root</systemitem> user:
317	</para>
318
319	<screen role="root"><userinput>install -vdm755 /etc/pam.d &&
320	cat > /etc/pam.d/system-account << "EOF" &&
321	<literal># Begin /etc/pam.d/system-account
322
323	account required pam_unix.so
324
325	# End /etc/pam.d/system-account</literal>
326	EOF
327
328	cat > /etc/pam.d/system-auth << "EOF" &&
329	<literal># Begin /etc/pam.d/system-auth
330
331	auth required pam_unix.so
332
333	# End /etc/pam.d/system-auth</literal>
334	EOF
335
336	cat > /etc/pam.d/system-session << "EOF" &&
337	<literal># Begin /etc/pam.d/system-session
338
339	session required pam_unix.so
340
341	# End /etc/pam.d/system-session</literal>
342	EOF
343
344	cat > /etc/pam.d/system-password << "EOF"
345	<literal># Begin /etc/pam.d/system-password
346
347	# use yescrypt hash for encryption, use shadow, and try to use any
348	# previously defined authentication token (chosen password) set by any
349	# prior module.
350	password required pam_unix.so yescrypt shadow try_first_pass
351
352	# End /etc/pam.d/system-password</literal>
353	EOF
354	</userinput></screen>
355
356	<para>
357	If you wish to enable strong password support, install
358	<xref linkend="libpwquality"/>, and follow the
359	instructions on that page to configure the pam_pwquality
360	PAM module with strong password support.
361	</para>
362
363	<para>
364	Next, add a restrictive <filename>/etc/pam.d/other</filename>
365	configuration file. With this file, programs that are PAM aware will
366	not run unless a configuration file specifically for that application
367	exists.
368	</para>
369
370	<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
371	<literal># Begin /etc/pam.d/other
372
373	auth required pam_warn.so
374	auth required pam_deny.so
375	account required pam_warn.so
376	account required pam_deny.so
377	password required pam_warn.so
378	password required pam_deny.so
379	session required pam_warn.so
380	session required pam_deny.so
381
382	# End /etc/pam.d/other</literal>
383	EOF</userinput></screen>
384
385	<para>
386	The <application>PAM</application> man page (<command>man
387	pam</command>) provides a good starting point to learn
388	about the several fields, and allowable entries.
389	<!-- not accessible 2022-09-08 -->
390	<!-- it's available at a different address 2022-10-23-->
391	The
392	<ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
393	Linux-PAM System Administrators' Guide
394	</ulink> is recommended for additional information.
395	</para>
396
397	<important>
398	<para>
399	You should now reinstall the <xref linkend="shadow"/>
400	<phrase revision="sysv">package</phrase>
401	<phrase revision="systemd"> and <xref linkend="systemd"/>
402	packages</phrase>.
403	</para>
404	</important>
405
406	</sect3>
407
408	</sect2>
409
410	<sect2 role="content">
411	<title>Contents</title>
412
413	<segmentedlist>
414	<segtitle>Installed Program</segtitle>
415	<segtitle>Installed Libraries</segtitle>
416	<segtitle>Installed Directories</segtitle>
417
418	<seglistitem>
419	<seg>
420	faillock, mkhomedir_helper, pam_namespace_helper,
421	pam_timestamp_check, pwhistory_helper, unix_chkpwd and
422	unix_update
423	</seg>
424	<seg>
425	libpam.so, libpamc.so and libpam_misc.so
426	</seg>
427	<seg>
428	/etc/security,
429	/usr/lib/security,
430	/usr/include/security and
431	/usr/share/doc/Linux-PAM-&linux-pam-version;
432	</seg>
433	</seglistitem>
434	</segmentedlist>
435
436	<variablelist>
437	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
438	<?dbfo list-presentation="list"?>
439	<?dbhtml list-presentation="table"?>
440
441	<varlistentry id="faillock">
442	<term><command>faillock</command></term>
443	<listitem>
444	<para>
445	displays and modifies the authentication failure record files
446	</para>
447	<indexterm zone="linux-pam faillock">
448	<primary sortas="b-faillock">faillock</primary>
449	</indexterm>
450	</listitem>
451	</varlistentry>
452
453	<varlistentry id="mkhomedir_helper">
454	<term><command>mkhomedir_helper</command></term>
455	<listitem>
456	<para>
457	is a helper binary that creates home directories
458	</para>
459	<indexterm zone="linux-pam mkhomedir_helper">
460	<primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
461	</indexterm>
462	</listitem>
463	</varlistentry>
464
465	<varlistentry id="pam_namespace_helper">
466	<term><command>pam_namespace_helper</command></term>
467	<listitem>
468	<para>
469	is a helper program used to configure a private namespace for a
470	user session
471	</para>
472	<indexterm zone="linux-pam pam_namespace_helper">
473	<primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
474	</indexterm>
475	</listitem>
476	</varlistentry>
477
478	<varlistentry id="pwhistory_helper">
479	<term><command>pwhistory_helper</command></term>
480	<listitem>
481	<para>
482	is a helper program that transfers password hashes from passwd or
483	shadow to opasswd
484	</para>
485	<indexterm zone="linux-pam pwhistory_helper">
486	<primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
487	</indexterm>
488	</listitem>
489	</varlistentry>
490	<!-- Removed with the removal of the pam_tally{,2} module
491	<varlistentry id="pam_tally">
492	<term><command>pam_tally</command></term>
493	<listitem>
494	<para>
495	is used to interrogate and manipulate the login counter file.
496	</para>
497	<indexterm zone="linux-pam pam_tally">
498	<primary sortas="b-pam_tally">pam_tally</primary>
499	</indexterm>
500	</listitem>
501	</varlistentry>
502
503	<varlistentry id="pam_tally2">
504	<term><command>pam_tally2</command></term>
505	<listitem>
506	<para>
507	is used to interrogate and manipulate the login counter file, but
508	does not have some limitations that <command>pam_tally</command>
509	does.
510	</para>
511	<indexterm zone="linux-pam pam_tally2">
512	<primary sortas="b-pam_tally2">pam_tally2</primary>
513	</indexterm>
514	</listitem>
515	</varlistentry>
516	-->
517
518	<varlistentry id="pam_timestamp_check">
519	<term><command>pam_timestamp_check</command></term>
520	<listitem>
521	<para>
522	is used to check if the default timestamp is valid
523	</para>
524	<indexterm zone="linux-pam pam_timestamp_check">
525	<primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
526	</indexterm>
527	</listitem>
528	</varlistentry>
529
530	<varlistentry id="unix_chkpwd">
531	<term><command>unix_chkpwd</command></term>
532	<listitem>
533	<para>
534	is a helper binary that verifies the password of the current user
535	</para>
536	<indexterm zone="linux-pam unix_chkpwd">
537	<primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
538	</indexterm>
539	</listitem>
540	</varlistentry>
541
542	<varlistentry id="unix_update">
543	<term><command>unix_update</command></term>
544	<listitem>
545	<para>
546	is a helper binary that updates the password of a given user
547	</para>
548	<indexterm zone="linux-pam unix_update">
549	<primary sortas="b-unix_update">unix_update</primary>
550	</indexterm>
551	</listitem>
552	</varlistentry>
553
554	<varlistentry id="libpam">
555	<term><filename class="libraryfile">libpam.so</filename></term>
556	<listitem>
557	<para>
558	provides the interfaces between applications and the
559	PAM modules
560	</para>
561	<indexterm zone="linux-pam libpam">
562	<primary sortas="c-libpam">libpam.so</primary>
563	</indexterm>
564	</listitem>
565	</varlistentry>
566
567	</variablelist>
568
569	</sect2>
570
571	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: