source: postlfs/security/linux-pam.xml@ d5cc78a

Last change on this file since d5cc78a was 9029db2, checked in by Bruce Dubbs <bdubbs@…>, 3 years ago

Tag most of General Libraries and dependencies

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24241 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "155f2a31d07077b2c63a1f135876c31b">
10 <!ENTITY linux-pam-size "952 KB">
11 <!ENTITY linux-pam-buildsize "37 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "eb03b8191fc886780411054115866ee2">
16 <!ENTITY linux-pam-docs-size "432 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <othername>$LastChangedBy$</othername>
27 <date>$Date$</date>
28 </sect1info>
29
30 <title>Linux-PAM-&linux-pam-version;</title>
31
32 <indexterm zone="linux-pam">
33 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
34 </indexterm>
35
36 <sect2 role="package">
37 <title>Introduction to Linux PAM</title>
38
39 <para>
40 The <application>Linux PAM</application> package contains
41 Pluggable Authentication Modules used to enable the local
42 system administrator to choose how applications authenticate
43 users.
44 </para>
45
46 &lfs101_checked;
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>
52 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download MD5 sum: &linux-pam-md5sum;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Download size: &linux-pam-size;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated disk space required: &linux-pam-buildsize;
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 Estimated build time: &linux-pam-time;
78 </para>
79 </listitem>
80 </itemizedlist>
81
82 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
83 <itemizedlist spacing="compact">
84 <title>Optional Documentation</title>
85 <listitem>
86 <para>
87 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
88 </para>
89 </listitem>
90 <listitem>
91 <para>
92 Download MD5 sum: &linux-pam-docs-md5sum;
93 </para>
94 </listitem>
95 <listitem>
96 <para>
97 Download size: &linux-pam-docs-size;
98 </para>
99 </listitem>
100 </itemizedlist>
101
102 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
103
104 <bridgehead renderas="sect4">Optional</bridgehead>
105 <para role="optional">
106 <xref linkend="db"/>,
107 <xref linkend="libnsl"/>,
108 <xref linkend="libtirpc"/>,
109 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
110 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
111 </para>
112
113 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
114 <para role="optional">
115 <xref linkend="DocBook"/>,
116 <xref linkend="docbook-xsl"/>,
117 <xref linkend="fop"/>,
118 <xref linkend="libxslt"/> and either
119 <xref linkend="lynx"/> or
120 <ulink url="&w3m-url;">W3m</ulink>
121 </para>
122
123 <note>
124 <para role="required">
125 <xref role="runtime" linkend="shadow"/>
126 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
127 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
128 after installing and configuring <application>Linux PAM</application>.
129 </para>
130
131 <para role="recommended">
132 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
133 installed by default. To enforce strong passwords, it is recommended
134 to use <xref role="runtime" linkend="libpwquality"/>.
135 </para>
136 </note>
137
138 <para condition="html" role="usernotes">User Notes:
139 <ulink url="&blfs-wiki;/linux-pam"/>
140 </para>
141 </sect2>
142
143 <sect2 role="installation">
144 <title>Installation of Linux PAM</title>
145
146 <para revision="sysv">
147 First prevent the installation of an unneeded systemd file:
148 </para>
149
150<screen revision="sysv"><userinput>sed -e /service_DATA/d \
151 -i modules/pam_namespace/Makefile.am &amp;&amp;
152autoreconf</userinput></screen>
153
154 <para>
155 If you downloaded the documentation, unpack the tarball by issuing
156 the following command.
157 </para>
158
159<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
160
161 <para>
162 If you instead want to regenerate the documentation, fix the
163 <command>configure</command> script so that it detects lynx if installed:
164 </para>
165
166<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
167 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
168 -i configure</userinput></screen>
169
170 <para>
171 Install <application>Linux PAM</application> by
172 running the following commands:
173 </para>
174
175<screen><userinput>./configure --prefix=/usr \
176 --sysconfdir=/etc \
177 --libdir=/usr/lib \
178 --enable-securedir=/lib/security \
179 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
180make</userinput></screen>
181
182 <para>
183 To test the results, a suitable <filename>/etc/pam.d/other</filename>
184 configuration file must exist.
185 </para>
186
187 <caution>
188 <title>Reinstallation or upgrade of Linux PAM</title>
189 <para>
190 If you have a system with Linux PAM installed and working, be careful
191 when modifying the files in
192 <filename class="directory">/etc/pam.d</filename>, since your system
193 may become totally unusable. If you want to run the tests, you do not
194 need to create another <filename>/etc/pam.d/other</filename> file. The
195 installed one can be used for that purpose.
196 </para>
197
198 <para>
199 You should also be aware that <command>make install</command>
200 overwrites the configuration files in
201 <filename class="directory">/etc/security</filename> as well as
202 <filename>/etc/environment</filename>. In case you
203 have modified those files, be sure to back them up.
204 </para>
205 </caution>
206
207 <para>
208 For a first installation, create the configuration file by issuing the
209 following commands as the <systemitem class="username">root</systemitem>
210 user:
211 </para>
212
213<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
214
215cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
216<literal>auth required pam_deny.so
217account required pam_deny.so
218password required pam_deny.so
219session required pam_deny.so</literal>
220EOF</userinput></screen>
221
222 <para>
223 Now run the tests by issuing <command>make check</command>.
224 Ensure there are no errors produced by the tests before continuing the
225 installation. Note that the checks are quite long. It may be useful to
226 redirect the output to a log file in order to inspect it thoroughly.
227 </para>
228
229 <para>
230 Only if this is a first installation, remove the configuration file
231 created earlier by issuing the following command as the
232 <systemitem class="username">root</systemitem> user:
233 </para>
234
235<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
236
237 <para>
238 Now, as the <systemitem class="username">root</systemitem>
239 user:
240 </para>
241
242<screen role="root"><userinput>make install &amp;&amp;
243chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
244
245for file in pam pam_misc pamc
246do
247 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
248 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
249done</userinput></screen>
250
251 </sect2>
252
253 <sect2 role="commands">
254 <title>Command Explanations</title>
255
256 <para>
257 <parameter>--enable-securedir=/lib/security</parameter>:
258 This switch sets the installation location for the
259 <application>PAM</application> modules.
260 </para>
261
262 <para>
263 <option>--disable-regenerate-docu</option>: If the needed dependencies
264 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
265 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
266 url="&w3m-url;">W3m</ulink>) are installed, the manual pages and the
267 HTML and text documentation are (re)generated and installed.
268 Furthermore, if <xref linkend="fop"/> is installed, the PDF
269 documentation is generated and installed. Use this switch if you do not
270 want to rebuild the documentation.
271 </para>
272
273 <para>
274 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
275 The <command>unix_chkpwd</command> helper program must be setuid root
276 so that non-<systemitem class="username">root</systemitem> processes
277 can verify passwords against the shadow file, which they cannot read directly.
278 </para>
279
280 </sect2>
281
282 <sect2 role="configuration">
283 <title>Configuring Linux-PAM</title>
284
285 <sect3 id="pam-config">
286 <title>Config Files</title>
287
288 <para>
289 <filename>/etc/security/*</filename> and
290 <filename>/etc/pam.d/*</filename>
291 </para>
292
293 <indexterm zone="linux-pam pam-config">
294 <primary sortas="e-etc-security">/etc/security/*</primary>
295 </indexterm>
296
297 <indexterm zone="linux-pam pam-config">
298 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
299 </indexterm>
300
301 </sect3>
302
303 <sect3>
304 <title>Configuration Information</title>
305
306 <para>
307 Configuration information is placed in
308 <filename class="directory">/etc/pam.d/</filename>.
309 Below is an example file:
310 </para>
311
312<screen><literal># Begin /etc/pam.d/other
313
314auth required pam_unix.so nullok
315account required pam_unix.so
316session required pam_unix.so
317password required pam_unix.so nullok
318
319# End /etc/pam.d/other</literal></screen>
320
321 <para>
322 Now set up some generic files. As the
323 <systemitem class="username">root</systemitem> user:
324 </para>
325
326<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
327cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
328<literal># Begin /etc/pam.d/system-account
329
330account required pam_unix.so
331
332# End /etc/pam.d/system-account</literal>
333EOF
334
335cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
336<literal># Begin /etc/pam.d/system-auth
337
338auth required pam_unix.so
339
340# End /etc/pam.d/system-auth</literal>
341EOF
342
343cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
344<literal># Begin /etc/pam.d/system-session
345
346session required pam_unix.so
347
348# End /etc/pam.d/system-session</literal>
349EOF
350cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
351<literal># Begin /etc/pam.d/system-password
352
353# use sha512 hash for encryption, use shadow, and try to use any previously
354# defined authentication token (chosen password) set by any prior module
355password required pam_unix.so sha512 shadow try_first_pass
356
357# End /etc/pam.d/system-password</literal>
358EOF
359</userinput></screen>
360
361 <para>
362 If you wish to enforce strong passwords, install
363 <xref linkend="libpwquality"/>, and follow the
364 instructions on that page to configure the pam_pwquality
365 PAM module.
366 </para>
367
368<!-- With the removal of the pam_cracklib module, we're supposed to be using
369 libpwquality. That already includes instructions in its configuration
370 information page, so we'll use those instead.
371
372 Linux-PAM must be installed prior to libpwquality so that PAM support
373 is built in, and the PAM module is built.
374-->
375<!--
376 <para>
377 The remaining generic file depends on whether <xref
378 linkend="cracklib"/> is installed. If it is installed, use:
379 </para>
380
381<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
382<literal># Begin /etc/pam.d/system-password
383
384# check new passwords for strength (man pam_cracklib)
385password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
386 minlen=9 dcredit=1 ucredit=1 \
387 lcredit=1 ocredit=1 minclass=0 \
388 maxrepeat=0 maxsequence=0 \
389 maxclassrepeat=0 \
390 dictpath=/lib/cracklib/pw_dict
391# use sha512 hash for encryption, use shadow, and use the
392# authentication token (chosen password) set by pam_cracklib
393# above (or any previous modules)
394password required pam_unix.so sha512 shadow use_authtok
395
396# End /etc/pam.d/system-password</literal>
397EOF</userinput></screen>
398
399 <note>
400 <para>
401 In its default configuration, pam_cracklib will
402 allow multiple case passwords as short as 6 characters, even with
403 the <parameter>minlen</parameter> value set to 11. You should review
404 the pam_cracklib(8) man page and determine if these default values
405 are acceptable for the security of your system.
406 </para>
407 </note>
408
409 <para>
410 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
411 use:
412 </para>
413
414<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
415<literal># Begin /etc/pam.d/system-password
416
417# use sha512 hash for encryption, use shadow, and try to use any previously
418# defined authentication token (chosen password) set by any prior module
419password required pam_unix.so sha512 shadow try_first_pass
420
421# End /etc/pam.d/system-password</literal>
422EOF</userinput></screen>
423-->
424 <para>
425 Now add a restrictive <filename>/etc/pam.d/other</filename>
426 configuration file. With this file, PAM-aware programs will not run
427 unless a configuration file specifically for that application is
428 created: requests are logged by pam_warn.so and then rejected by pam_deny.so.
429 </para>
430
431<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
432<literal># Begin /etc/pam.d/other
433
434auth required pam_warn.so
435auth required pam_deny.so
436account required pam_warn.so
437account required pam_deny.so
438password required pam_warn.so
439password required pam_deny.so
440session required pam_warn.so
441session required pam_deny.so
442
443# End /etc/pam.d/other</literal>
444EOF</userinput></screen>
445
446 <para>
447 The <application>PAM</application> man page (<command>man
448 pam</command>) provides a good starting point for descriptions
449 of fields and allowable entries. The
450 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
451 Linux-PAM System Administrators' Guide
452 </ulink> is recommended for additional information.
453 </para>
454
455 <important>
456 <para>
457 You should now reinstall the <xref linkend="shadow"/>
458 <phrase revision="sysv">package.</phrase>
459 <phrase revision="systemd"> and <xref linkend="systemd"/>
460 packages.</phrase>
461 </para>
462 </important>
463
464 </sect3>
465
466 </sect2>
467
468 <sect2 role="content">
469 <title>Contents</title>
470
471 <segmentedlist>
472 <segtitle>Installed Program</segtitle>
473 <segtitle>Installed Libraries</segtitle>
474 <segtitle>Installed Directories</segtitle>
475
476 <seglistitem>
477 <seg>
478 faillock, mkhomedir_helper, pam_namespace_helper,
479 pam_timestamp_check, pwhistory_helper, unix_chkpwd and
480 unix_update
481 </seg>
482 <seg>
483 libpam.so, libpamc.so and libpam_misc.so
484 </seg>
485 <seg>
486 /etc/security,
487 /lib/security,
488 /usr/include/security and
489 /usr/share/doc/Linux-PAM-&linux-pam-version;
490 </seg>
491 </seglistitem>
492 </segmentedlist>
493
494 <variablelist>
495 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
496 <?dbfo list-presentation="list"?>
497 <?dbhtml list-presentation="table"?>
498
499 <varlistentry id="faillock">
500 <term><command>faillock</command></term>
501 <listitem>
502 <para>
503 displays and modifies the authentication failure record files
504 </para>
505 <indexterm zone="linux-pam faillock">
506 <primary sortas="b-faillock">faillock</primary>
507 </indexterm>
508 </listitem>
509 </varlistentry>
510
511 <varlistentry id="mkhomedir_helper">
512 <term><command>mkhomedir_helper</command></term>
513 <listitem>
514 <para>
515 is a helper binary that creates home directories
516 </para>
517 <indexterm zone="linux-pam mkhomedir_helper">
518 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
519 </indexterm>
520 </listitem>
521 </varlistentry>
522
523 <varlistentry id="pam_namespace_helper">
524 <term><command>pam_namespace_helper</command></term>
525 <listitem>
526 <para>
527 is a helper program used to configure a private namespace for a
528 user session
529 </para>
530 <indexterm zone="linux-pam pam_namespace_helper">
531 <primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
532 </indexterm>
533 </listitem>
534 </varlistentry>
535
536 <varlistentry id="pwhistory_helper">
537 <term><command>pwhistory_helper</command></term>
538 <listitem>
539 <para>
540 is a helper program that transfers password hashes from passwd or
541 shadow to opasswd
542 </para>
543 <indexterm zone="linux-pam pwhistory_helper">
544 <primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
545 </indexterm>
546 </listitem>
547 </varlistentry>
548<!-- Removed with the removal of the pam_tally{,2} module
549 <varlistentry id="pam_tally">
550 <term><command>pam_tally</command></term>
551 <listitem>
552 <para>
553 is used to interrogate and manipulate the login counter file.
554 </para>
555 <indexterm zone="linux-pam pam_tally">
556 <primary sortas="b-pam_tally">pam_tally</primary>
557 </indexterm>
558 </listitem>
559 </varlistentry>
560
561 <varlistentry id="pam_tally2">
562 <term><command>pam_tally2</command></term>
563 <listitem>
564 <para>
565 is used to interrogate and manipulate the login counter file, but
566 does not have some limitations that <command>pam_tally</command>
567 does.
568 </para>
569 <indexterm zone="linux-pam pam_tally2">
570 <primary sortas="b-pam_tally2">pam_tally2</primary>
571 </indexterm>
572 </listitem>
573 </varlistentry>
574-->
575
576 <varlistentry id="pam_timestamp_check">
577 <term><command>pam_timestamp_check</command></term>
578 <listitem>
579 <para>
580 is used to check if the default timestamp is valid
581 </para>
582 <indexterm zone="linux-pam pam_timestamp_check">
583 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
584 </indexterm>
585 </listitem>
586 </varlistentry>
587
588 <varlistentry id="unix_chkpwd">
589 <term><command>unix_chkpwd</command></term>
590 <listitem>
591 <para>
592 is a helper binary that verifies the password of the current user
593 </para>
594 <indexterm zone="linux-pam unix_chkpwd">
595 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
596 </indexterm>
597 </listitem>
598 </varlistentry>
599
600 <varlistentry id="unix_update">
601 <term><command>unix_update</command></term>
602 <listitem>
603 <para>
604 is a helper binary that updates the password of a given user
605 </para>
606 <indexterm zone="linux-pam unix_update">
607 <primary sortas="b-unix_update">unix_update</primary>
608 </indexterm>
609 </listitem>
610 </varlistentry>
611
612 <varlistentry id="libpam">
613 <term><filename class="libraryfile">libpam.so</filename></term>
614 <listitem>
615 <para>
616 provides the interfaces between applications and the
617 PAM modules
618 </para>
619 <indexterm zone="linux-pam libpam">
620 <primary sortas="c-libpam">libpam.so</primary>
621 </indexterm>
622 </listitem>
623 </varlistentry>
624
625 </variablelist>
626
627 </sect2>
628
629</sect1>