Linux-PAM-&linux-pam-version;

Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.

Package Information

    Download (HTTP):
    Download (FTP):
    Download MD5 sum: &linux-pam-md5sum;
    Download size: &linux-pam-size;
    Estimated disk space required: &linux-pam-buildsize;
    Estimated build time: &linux-pam-time;

Additional Downloads

Optional Documentation

    Download (HTTP):
    Download MD5 sum: &linux-pam-docs-md5sum;
    Download size: &linux-pam-docs-size;

Linux PAM Dependencies

Optional: , , and Prelude

Optional (to rebuild the documentation): , , , and either  or W3m

Note: needs to be reinstalled after installing and configuring Linux PAM.

Installation of Linux PAM

If you downloaded the documentation, unpack the tarball by issuing the following command:

    tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1

If you instead want to regenerate the documentation, fix the configure script so that it detects lynx if installed:

    sed -e 's/dummy links/dummy lynx/' \
        -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
        -i configure

Install Linux PAM by running the following commands:

    ./configure --prefix=/usr                                        \
                --sysconfdir=/etc                                    \
                --libdir=/usr/lib                                    \
                --enable-securedir=/lib/security                     \
                --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
    make

To test the results, a suitable /etc/pam.d/other configuration file must exist.

Reinstallation or upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The installed one can be used for that purpose.
You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. In case you have modified those files, be sure to back them up.

For a first installation, create the configuration file by issuing the following commands as the root user:

    install -v -m755 -d /etc/pam.d &&

    cat > /etc/pam.d/other << "EOF"
    auth     required   pam_deny.so
    account  required   pam_deny.so
    password required   pam_deny.so
    session  required   pam_deny.so
    EOF

Now run the tests by issuing make check. Ensure there are no errors produced by the tests before continuing the installation. Note that the checks are quite long. It may be useful to redirect the output to a log file in order to inspect it thoroughly.

Only in case of a first installation, remove the configuration file created earlier by issuing the following command as the root user:

    rm -fv /etc/pam.d/other

Now, as the root user:

    make install &&
    chmod -v 4755 /sbin/unix_chkpwd &&

    for file in pam pam_misc pamc
    do
      mv -v /usr/lib/lib${file}.so.* /lib &&
      ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
    done

Command Explanations

--enable-securedir=/lib/security: This switch sets the install location for the PAM modules.

: If the needed dependencies (, , , and  or W3m) are installed, the manual pages and the HTML and text documentation are (re)generated and installed. Furthermore, if  is installed, the PDF documentation is generated and installed. Use this switch if you do not want to rebuild the documentation.

chmod -v 4755 /sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid so that non-root processes can access the shadow file.

Configuring Linux-PAM

Config Files: /etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/.
Below is an example file:

    # Begin /etc/pam.d/other

    auth     required   pam_unix.so   nullok
    account  required   pam_unix.so
    session  required   pam_unix.so
    password required   pam_unix.so   nullok

    # End /etc/pam.d/other

Now set up some generic files. As root:

    install -vdm755 /etc/pam.d &&

    cat > /etc/pam.d/system-account << "EOF" &&
    # Begin /etc/pam.d/system-account

    account   required    pam_unix.so

    # End /etc/pam.d/system-account
    EOF

    cat > /etc/pam.d/system-auth << "EOF" &&
    # Begin /etc/pam.d/system-auth

    auth      required    pam_unix.so

    # End /etc/pam.d/system-auth
    EOF

    cat > /etc/pam.d/system-session << "EOF"
    # Begin /etc/pam.d/system-session

    session   required    pam_unix.so

    # End /etc/pam.d/system-session
    EOF

The remaining generic file depends on whether the package that provides pam_cracklib is installed. If it is installed, use:

    cat > /etc/pam.d/system-password << "EOF"
    # Begin /etc/pam.d/system-password

    # check new passwords for strength (man pam_cracklib)
    password  required    pam_cracklib.so   authtok_type=UNIX retry=1 difok=5 \
                                            minlen=9 dcredit=1 ucredit=1 \
                                            lcredit=1 ocredit=1 minclass=0 \
                                            maxrepeat=0 maxsequence=0 \
                                            maxclassrepeat=0 \
                                            dictpath=/lib/cracklib/pw_dict
    # use sha512 hash for encryption, use shadow, and use the
    # authentication token (chosen password) set by pam_cracklib
    # above (or any previous modules)
    password  required    pam_unix.so       sha512 shadow use_authtok

    # End /etc/pam.d/system-password
    EOF

In its default configuration, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system.
If it is NOT installed, use:

    cat > /etc/pam.d/system-password << "EOF"
    # Begin /etc/pam.d/system-password

    # use sha512 hash for encryption, use shadow, and try to use any previously
    # defined authentication token (chosen password) set by any prior module
    password  required    pam_unix.so       sha512 shadow try_first_pass

    # End /etc/pam.d/system-password
    EOF

Now add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application is created.

    cat > /etc/pam.d/other << "EOF"
    # Begin /etc/pam.d/other

    auth        required        pam_warn.so
    auth        required        pam_deny.so
    account     required        pam_warn.so
    account     required        pam_deny.so
    password    required        pam_warn.so
    password    required        pam_deny.so
    session     required        pam_warn.so
    session     required        pam_deny.so

    # End /etc/pam.d/other
    EOF

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

You should now reinstall the package noted in the dependencies section above as needing reinstallation.

Contents

Installed Programs: mkhomedir_helper, pam_tally, pam_tally2, pam_timestamp_check, unix_chkpwd and unix_update
Installed Libraries: libpam.so, libpamc.so and libpam_misc.so
Installed Directories: /etc/security, /lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-&linux-pam-version;

Short Descriptions

mkhomedir_helper is a helper binary that creates home directories.

pam_tally is used to interrogate and manipulate the login counter file.

pam_tally2 is used to interrogate and manipulate the login counter file, but does not have some limitations that pam_tally does.

pam_timestamp_check is used to check if the default timestamp is valid.

unix_chkpwd is a helper binary that verifies the password of the current user.

unix_update is a helper binary that updates the password of a given user.
libpam.so provides the interfaces between applications and the PAM modules.
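As an added example (not part of the BLFS page or of the Linux-PAM project), the POSIX shell functions below check a pam.d tree for the properties the Configuring Linux-PAM section above relies on: a deny-all fallback in other, correct handling of the backslash-continued system-password stanza, and pam_unix.so lines that still carry nullok. The make_sample_pamd function, and the hypothetical "legacy" file it writes, are constructed here so the script runs offline; point the checks at /etc/pam.d to audit a real system.

```shell
# Added example, not from the BLFS page: POSIX-sh checks for the properties the
# configuration section asks of /etc/pam.d; the sample tree is constructed here.
# Lines of FILE as "type control module args", comments dropped, continuations joined.
pam_lines() {
    sed -e ':a' -e '/\\$/N' -e 's/\\\n[[:space:]]*/ /' -e 'ta' "$1" |
        sed 's/#.*//' | awk 'NF >= 3'
}

# Succeed if FILE has a TYPE line for MODULE that carries the argument ARG.
pam_has_arg() {
    pam_lines "$1" | awk -v t="$2" -v m="$3" -v a="$4" '
        $1 == t && $3 == m { for (i = 4; i <= NF; i++) if ($i == a) found = 1 }
        END { exit !found }'
}

# Succeed if FILE closes all four management groups with "required pam_deny.so",
# which is what the restrictive /etc/pam.d/other above relies on.
pam_denies_all() {
    n=$(pam_lines "$1" | awk '$2 == "required" && $3 == "pam_deny.so" { seen[$1] = 1 }
        END { print seen["auth"] + seen["account"] + seen["password"] + seen["session"] }')
    [ "$n" -eq 4 ]
}

# Count pam_unix.so lines under DIR that carry nullok (empty passwords accepted).
pam_count_nullok() {
    total=0
    for f in "$1"/*; do
        c=$(pam_lines "$f" | awk '$3 == "pam_unix.so" { for (i = 4; i <= NF; i++)
                if ($i == "nullok") n++ } END { print n + 0 }')
        total=$((total + c))
    done
    echo "$total"
}

# Constructed sample tree (hypothetical, not a real system): the restrictive
# "other" and the pam_cracklib system-password from the text, plus a "legacy"
# file that keeps the permissive nullok example. Prints the directory path.
make_sample_pamd() {
    d=$(mktemp -d)
    for t in auth account password session; do
        printf '%s required pam_warn.so\n%s required pam_deny.so\n' "$t" "$t"
    done > "$d/other"
    printf '%s\n' '# check new passwords for strength (man pam_cracklib)' \
        'password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \' \
        '        minlen=9 dcredit=1 ucredit=1 lcredit=1 ocredit=1' \
        'password required pam_unix.so sha512 shadow use_authtok' > "$d/system-password"
    printf '%s\n' 'auth required pam_unix.so nullok' 'account required pam_unix.so' \
        'password required pam_unix.so nullok' > "$d/legacy"
    echo "$d"
}
```

Source the file and run, for example, `pam_denies_all /etc/pam.d/other` and `pam_count_nullok /etc/pam.d`; a non-zero nullok count or a failing deny-all check is what to look for on a host that has these files installed.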