%general-entities; ]> Linux-PAM The Linux PAM package contains Pluggable Authentication Modules used by the local system administrator to control how application programs authenticate users. &lfs121_checked; Package Information Download (HTTP): Download (FTP): Download MD5 sum: &linux-pam-md5sum; Download size: &linux-pam-size; Estimated disk space required: &linux-pam-buildsize; Estimated build time: &linux-pam-time; Additional Downloads Download (HTTP): Download MD5 sum: &linux-pam-docs-md5sum; Download size: &linux-pam-docs-size; Linux PAM Dependencies Optional , , , &berkeley-db;, libaudit, libeconf, and Prelude and mustmust be reinstalled and reconfigured after installing and configuring Linux PAM. With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not installed by default. Use to enforce strong passwords. For the PAM module pam_loginuid.so (referred by the PAM configuration file system-session if is built is rebuilt with PAM support later) to work, a kernel configuration parameter need to be set or the module will just do nothing: Linux-PAM First, prevent the installation of an unneeded systemd file: sed -e /service_DATA/d \ -i modules/pam_namespace/Makefile.am && autoreconf If you downloaded the documentation, unpack the tarball by issuing the following command. tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1 Compile and link Linux PAM by running the following commands: ./configure --prefix=/usr \ --sbindir=/usr/sbin \ --sysconfdir=/etc \ --libdir=/usr/lib \ --enable-securedir=/usr/lib/security \ --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; && make To test the results, a suitable /etc/pam.d/other configuration file must exist. If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The existing file can be used for the tests. You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. If you have modified those files, be sure to back them up. For a first-time installation, create a configuration file by issuing the following commands as the root user: install -v -m755 -d /etc/pam.d && cat > /etc/pam.d/other << "EOF" auth required pam_deny.so account required pam_deny.so password required pam_deny.so session required pam_deny.so EOF Now run the tests by issuing make check. Be sure the tests produced no errors before continuing the installation. Note that the tests are very long. Redirect the output to a log file, so you can inspect it thoroughly. For a first-time installation, remove the configuration file created earlier by issuing the following command as the root user: rm -fv /etc/pam.d/other Now, as the root user: make install && chmod -v 4755 /usr/sbin/unix_chkpwd --enable-securedir=/usr/lib/security: This switch sets the installation location for the PAM modules. chmod -v 4755 /usr/sbin/unix_chkpwd: The setuid bit for the unix_chkpwd helper program must be turned on, so that non-root processes can access the shadow file. /etc/security/* and /etc/pam.d/* /etc/security/* /etc/pam.d/* Configuration information is placed in /etc/pam.d/. Here is a sample file: # Begin /etc/pam.d/other auth required pam_unix.so nullok account required pam_unix.so session required pam_unix.so password required pam_unix.so nullok # End /etc/pam.d/other Now create some generic configuration files. As the root user: install -vdm755 /etc/pam.d && cat > /etc/pam.d/system-account << "EOF" && # Begin /etc/pam.d/system-account account required pam_unix.so # End /etc/pam.d/system-account EOF cat > /etc/pam.d/system-auth << "EOF" && # Begin /etc/pam.d/system-auth auth required pam_unix.so # End /etc/pam.d/system-auth EOF cat > /etc/pam.d/system-session << "EOF" && # Begin /etc/pam.d/system-session session required pam_unix.so # End /etc/pam.d/system-session EOF cat > /etc/pam.d/system-password << "EOF" # Begin /etc/pam.d/system-password # use yescrypt hash for encryption, use shadow, and try to use any # previously defined authentication token (chosen password) set by any # prior module. password required pam_unix.so yescrypt shadow try_first_pass # End /etc/pam.d/system-password EOF If you wish to enable strong password support, install , and follow the instructions on that page to configure the pam_pwquality PAM module with strong password support. Next, add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application exists. cat > /etc/pam.d/other << "EOF" # Begin /etc/pam.d/other auth required pam_warn.so auth required pam_deny.so account required pam_warn.so account required pam_deny.so password required pam_warn.so password required pam_deny.so session required pam_warn.so session required pam_deny.so # End /etc/pam.d/other EOF The PAM man page (man pam) provides a good starting point to learn about the several fields, and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information. You should now reinstall the package and packages. Installed Program Installed Libraries Installed Directories faillock, mkhomedir_helper, pam_namespace_helper, pam_timestamp_check, pwhistory_helper, unix_chkpwd and unix_update libpam.so, libpamc.so and libpam_misc.so /etc/security, /usr/lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-&linux-pam-version; Short Descriptions faillock displays and modifies the authentication failure record files faillock mkhomedir_helper is a helper binary that creates home directories mkhomedir_helper pam_namespace_helper is a helper program used to configure a private namespace for a user session pam_namespace_helper pwhistory_helper is a helper program that transfers password hashes from passwd or shadow to opasswd pwhistory_helper pam_timestamp_check is used to check if the default timestamp is valid pam_timestamp_check unix_chkpwd is a helper binary that verifies the password of the current user unix_chkpwd unix_update is a helper binary that updates the password of a given user unix_update libpam.so provides the interfaces between applications and the PAM modules libpam.so