source: postlfs/security/linux-pam.xml@ 024fb949

11.3 12.0 12.1 12.2 gimp3 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/for-12.3 xry111/llvm18 xry111/spidermonkey128 xry111/xf86-video-removal
Last change on this file since 024fb949 was 024fb949, checked in by Pierre Labastie <pierre.labastie@…>, 23 months ago

Returns to a more reasonable value of rounds in shadow

  • Property mode set to 100644
File size: 20.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "895e8adfa14af334f679bbeb28503f66">
10 <!ENTITY linux-pam-size "966 KB">
11 <!ENTITY linux-pam-buildsize "39 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "ceb3dc248cb2f49a40904b93cb91db1b">
16 <!ENTITY linux-pam-docs-size "433 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <date>$Date$</date>
27 </sect1info>
28
29 <title>Linux-PAM-&linux-pam-version;</title>
30
31 <indexterm zone="linux-pam">
32 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
33 </indexterm>
34
35 <sect2 role="package">
36 <title>Introduction to Linux PAM</title>
37
38 <para>
39 The <application>Linux PAM</application> package contains
40 Pluggable Authentication Modules used by the local
41 system administrator to control how application programs authenticate
42 users.
43 </para>
44
45 &lfs112_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &linux-pam-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &linux-pam-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &linux-pam-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &linux-pam-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <title>Optional Documentation</title>
84 <listitem>
85 <para>
86 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
87 </para>
88 </listitem>
89 <listitem>
90 <para>
91 Download MD5 sum: &linux-pam-docs-md5sum;
92 </para>
93 </listitem>
94 <listitem>
95 <para>
96 Download size &linux-pam-docs-size;
97 </para>
98 </listitem>
99 </itemizedlist>
100
101 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
102
103 <bridgehead renderas="sect4">Optional</bridgehead>
104 <para role="optional">
105 <xref linkend="db"/>,
106 <xref linkend="libnsl"/>,
107 <xref linkend="libtirpc"/>,
108 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
109 <ulink url="https://www.prelude-siem.org">Prelude</ulink>
110 </para>
111
112 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113 <para role="optional">
114 <xref linkend="DocBook"/>,
115 <xref linkend="docbook-xsl"/>,
116 <xref linkend="fop"/>,
117 <xref linkend="libxslt"/> and either
118 <xref linkend="lynx"/> or
119 <ulink url="&w3m-url;">W3m</ulink>
120 </para>
121
122 <note>
123 <para role="required">
124 <xref role="runtime" linkend="shadow"/>
125 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126 must</phrase><phrase revision="sysv">must</phrase> be reinstalled
127 and reconfigured
128 after installing and configuring <application>Linux PAM</application>.
129 </para>
130
131 <para role="recommended">
132 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
133 installed by default. Use <xref role="runtime" linkend="libpwquality"/>
134 to enforce strong passwords.
135 </para>
136 </note>
137
138 <para condition="html" role="usernotes">User Notes:
139 <ulink url="&blfs-wiki;/linux-pam"/>
140 </para>
141 </sect2>
142
143 <sect2 role="installation">
144 <title>Installation of Linux PAM</title>
145
146 <para revision="sysv">
147 First, prevent the installation of an unneeded systemd file:
148 </para>
149
150<screen revision="sysv"><userinput>sed -e /service_DATA/d \
151 -i modules/pam_namespace/Makefile.am &amp;&amp;
152autoreconf</userinput></screen>
153
154 <para>
155 If you downloaded the documentation, unpack the tarball by issuing
156 the following command.
157 </para>
158
159<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
160
161 <para>
162 If you want to regenerate the documentation yourself, fix the
163 <command>configure</command> script so it will detect lynx:
164 </para>
165
166<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
167 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
168 -i configure</userinput></screen>
169
170 <para>
171 Compile and link <application>Linux PAM</application> by
172 running the following commands:
173 </para>
174
175<screen><userinput>./configure --prefix=/usr \
176 --sbindir=/usr/sbin \
177 --sysconfdir=/etc \
178 --libdir=/usr/lib \
179 --enable-securedir=/usr/lib/security \
180 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
181make</userinput></screen>
182
183 <para>
184 To test the results, a suitable <filename>/etc/pam.d/other</filename>
185 configuration file must exist.
186 </para>
187
188 <caution>
189 <title>Reinstallation or Upgrade of Linux PAM</title>
190 <para>
191 If you have a system with Linux PAM installed and working, be careful
192 when modifying the files in
193 <filename class="directory">/etc/pam.d</filename>, since your system
194 may become totally unusable. If you want to run the tests, you do not
195 need to create another <filename>/etc/pam.d/other</filename> file. The
196 existing file can be used for the tests.
197 </para>
198
199 <para>
200 You should also be aware that <command>make install</command>
201 overwrites the configuration files in
202 <filename class="directory">/etc/security</filename> as well as
203 <filename>/etc/environment</filename>. If you
204 have modified those files, be sure to back them up.
205 </para>
206 </caution>
207
208 <para>
209 For a first-time installation, create a configuration file by issuing the
210 following commands as the <systemitem class="username">root</systemitem>
211 user:
212 </para>
213
214<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
215
216cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
217<literal>auth required pam_deny.so
218account required pam_deny.so
219password required pam_deny.so
220session required pam_deny.so</literal>
221EOF</userinput></screen>
222
223 <para>
224 Now run the tests by issuing <command>make check</command>.
225 Be sure the tests produced no errors before continuing the
226 installation. Note that the tests are very long.
227 Redirect the output to a log file, so you can inspect it thoroughly.
228 </para>
229
230 <para>
231 For a first-time installation, remove the configuration file
232 created earlier by issuing the following command as the
233 <systemitem class="username">root</systemitem> user:
234 </para>
235
236<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
237
238 <para>
239 Now, as the <systemitem class="username">root</systemitem>
240 user:
241 </para>
242
243<screen role="root"><userinput>make install &amp;&amp;
244chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
245
246 </sect2>
247
248 <sect2 role="commands">
249 <title>Command Explanations</title>
250
251 <para>
252 <parameter>--enable-securedir=/usr/lib/security</parameter>:
253 This switch sets the installation location for the
254 <application>PAM</application> modules.
255 </para>
256
257 <para>
258 <option>--disable-regenerate-docu</option> : If the needed dependencies
259 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
260 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
261 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
262 html and text documentation files, are generated and installed.
263 Furthermore, if <xref linkend="fop"/> is installed, the PDF
264 documentation is generated and installed. Use this switch if you do not
265 want to rebuild the documentation.
266 </para>
267
268 <para>
269 <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
270 The setuid bit for the <command>unix_chkpwd</command> helper program must be
271 turned on, so that non-<systemitem class="username">root</systemitem>
272 processes can access the shadow file.
273 </para>
274
275 </sect2>
276
277 <sect2 role="configuration">
278 <title>Configuring Linux-PAM</title>
279
280 <sect3 id="pam-config">
281 <title>Configuration Files</title>
282
283 <para>
284 <filename>/etc/security/*</filename> and
285 <filename>/etc/pam.d/*</filename>
286 </para>
287
288 <indexterm zone="linux-pam pam-config">
289 <primary sortas="e-etc-security">/etc/security/*</primary>
290 </indexterm>
291
292 <indexterm zone="linux-pam pam-config">
293 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
294 </indexterm>
295
296 </sect3>
297
298 <sect3>
299 <title>Configuration Information</title>
300
301 <para>
302 Configuration information is placed in
303 <filename class="directory">/etc/pam.d/</filename>.
304 Here is a sample file:
305 </para>
306
307<screen><literal># Begin /etc/pam.d/other
308
309auth required pam_unix.so nullok
310account required pam_unix.so
311session required pam_unix.so
312password required pam_unix.so nullok
313
314# End /etc/pam.d/other</literal></screen>
315
316 <para>
317 Now create some generic configuration files. As the
318 <systemitem class="username">root</systemitem> user:
319 </para>
320
321<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
322cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
323<literal># Begin /etc/pam.d/system-account
324
325account required pam_unix.so
326
327# End /etc/pam.d/system-account</literal>
328EOF
329
330cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
331<literal># Begin /etc/pam.d/system-auth
332
333auth required pam_unix.so
334
335# End /etc/pam.d/system-auth</literal>
336EOF
337
338cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
339<literal># Begin /etc/pam.d/system-session
340
341session required pam_unix.so
342
343# End /etc/pam.d/system-session</literal>
344EOF
345cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
346<literal># Begin /etc/pam.d/system-password
347
348# use sha512 hash for encryption, use shadow, and try to use any previously
349# defined authentication token (chosen password) set by any prior module
350# Use the same number of rounds as shadow.
351password required pam_unix.so sha512 shadow try_first_pass \
352 rounds=500000
353
354# End /etc/pam.d/system-password</literal>
355EOF
356</userinput></screen>
357
358 <para>
359 If you wish to enable strong password support, install
360 <xref linkend="libpwquality"/>, and follow the
361 instructions on that page to configure the pam_pwquality
362 PAM module with strong password support.
363 </para>
364
365<!-- With the removal of the pam_cracklib module, we're supposed to be using
366 libpwquality. That already includes instructions in its configuration
367 information page, so we'll use those instead.
368
369 Linux-PAM must be installed prior to libpwquality so that PAM support
370 is built in, and the PAM module is built.
371-->
372<!-- WARNING: If for any reason the instructions below are reinstated be
373 careful with the number of rounds, which should match the one in shadow.
374 <para>
375 The remaining generic file depends on whether <xref
376 linkend="cracklib"/> is installed. If it is installed, use:
377 </para>
378
379<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
380<literal># Begin /etc/pam.d/system-password
381
382# check new passwords for strength (man pam_cracklib)
383password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
384 minlen=9 dcredit=1 ucredit=1 \
385 lcredit=1 ocredit=1 minclass=0 \
386 maxrepeat=0 maxsequence=0 \
387 maxclassrepeat=0 \
388 dictpath=/lib/cracklib/pw_dict
389# use sha512 hash for encryption, use shadow, and use the
390# authentication token (chosen password) set by pam_cracklib
391# above (or any previous modules)
392password required pam_unix.so sha512 shadow use_authtok
393
394# End /etc/pam.d/system-password</literal>
395EOF</userinput></screen>
396
397 <note>
398 <para>
399 In its default configuration, pam_cracklib will
400 allow multiple case passwords as short as 6 characters, even with
401 the <parameter>minlen</parameter> value set to 11. You should review
402 the pam_cracklib(8) man page and determine if these default values
403 are acceptable for the security of your system.
404 </para>
405 </note>
406
407 <para>
408 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
409 use:
410 </para>
411
412<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
413<literal># Begin /etc/pam.d/system-password
414
415# use sha512 hash for encryption, use shadow, and try to use any previously
416# defined authentication token (chosen password) set by any prior module
417password required pam_unix.so sha512 shadow try_first_pass
418
419# End /etc/pam.d/system-password</literal>
420EOF</userinput></screen>
421-->
422 <para>
423 Next, add a restrictive <filename>/etc/pam.d/other</filename>
424 configuration file. With this file, programs that are PAM aware will
425 not run unless a configuration file specifically for that application
426 exists.
427 </para>
428
429<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
430<literal># Begin /etc/pam.d/other
431
432auth required pam_warn.so
433auth required pam_deny.so
434account required pam_warn.so
435account required pam_deny.so
436password required pam_warn.so
437password required pam_deny.so
438session required pam_warn.so
439session required pam_deny.so
440
441# End /etc/pam.d/other</literal>
442EOF</userinput></screen>
443
444 <para>
445 The <application>PAM</application> man page (<command>man
446 pam</command>) provides a good starting point to learn
447 about the several fields, and allowable entries.
448 <!-- not accessible 2022-09-08 -->
449 <!-- it's available at a different address 2022-10-23-->
450 The
451 <ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
452 Linux-PAM System Administrators' Guide
453 </ulink> is recommended for additional information.
454 </para>
455
456 <important>
457 <para>
458 You should now reinstall the <xref linkend="shadow"/>
459 <phrase revision="sysv">package</phrase>
460 <phrase revision="systemd"> and <xref linkend="systemd"/>
461 packages</phrase>.
462 </para>
463 </important>
464
465 </sect3>
466
467 </sect2>
468
469 <sect2 role="content">
470 <title>Contents</title>
471
472 <segmentedlist>
473 <segtitle>Installed Program</segtitle>
474 <segtitle>Installed Libraries</segtitle>
475 <segtitle>Installed Directories</segtitle>
476
477 <seglistitem>
478 <seg>
479 faillock, mkhomedir_helper, pam_namespace_helper,
480 pam_timestamp_check, pwhistory_helper, unix_chkpwd and
481 unix_update
482 </seg>
483 <seg>
484 libpam.so, libpamc.so and libpam_misc.so
485 </seg>
486 <seg>
487 /etc/security,
488 /usr/lib/security,
489 /usr/include/security and
490 /usr/share/doc/Linux-PAM-&linux-pam-version;
491 </seg>
492 </seglistitem>
493 </segmentedlist>
494
495 <variablelist>
496 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
497 <?dbfo list-presentation="list"?>
498 <?dbhtml list-presentation="table"?>
499
500 <varlistentry id="faillock">
501 <term><command>faillock</command></term>
502 <listitem>
503 <para>
504 displays and modifies the authentication failure record files
505 </para>
506 <indexterm zone="linux-pam faillock">
507 <primary sortas="b-faillock">faillock</primary>
508 </indexterm>
509 </listitem>
510 </varlistentry>
511
512 <varlistentry id="mkhomedir_helper">
513 <term><command>mkhomedir_helper</command></term>
514 <listitem>
515 <para>
516 is a helper binary that creates home directories
517 </para>
518 <indexterm zone="linux-pam mkhomedir_helper">
519 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
520 </indexterm>
521 </listitem>
522 </varlistentry>
523
524 <varlistentry id="pam_namespace_helper">
525 <term><command>pam_namespace_helper</command></term>
526 <listitem>
527 <para>
528 is a helper program used to configure a private namespace for a
529 user session
530 </para>
531 <indexterm zone="linux-pam pam_namespace_helper">
532 <primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
533 </indexterm>
534 </listitem>
535 </varlistentry>
536
537 <varlistentry id="pwhistory_helper">
538 <term><command>pwhistory_helper</command></term>
539 <listitem>
540 <para>
541 is a helper program that transfers password hashes from passwd or
542 shadow to opasswd
543 </para>
544 <indexterm zone="linux-pam pwhistory_helper">
545 <primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
546 </indexterm>
547 </listitem>
548 </varlistentry>
549<!-- Removed with the removal of the pam_tally{,2} module
550 <varlistentry id="pam_tally">
551 <term><command>pam_tally</command></term>
552 <listitem>
553 <para>
554 is used to interrogate and manipulate the login counter file.
555 </para>
556 <indexterm zone="linux-pam pam_tally">
557 <primary sortas="b-pam_tally">pam_tally</primary>
558 </indexterm>
559 </listitem>
560 </varlistentry>
561
562 <varlistentry id="pam_tally2">
563 <term><command>pam_tally2</command></term>
564 <listitem>
565 <para>
566 is used to interrogate and manipulate the login counter file, but
567 does not have some limitations that <command>pam_tally</command>
568 does.
569 </para>
570 <indexterm zone="linux-pam pam_tally2">
571 <primary sortas="b-pam_tally2">pam_tally2</primary>
572 </indexterm>
573 </listitem>
574 </varlistentry>
575-->
576
577 <varlistentry id="pam_timestamp_check">
578 <term><command>pam_timestamp_check</command></term>
579 <listitem>
580 <para>
581 is used to check if the default timestamp is valid
582 </para>
583 <indexterm zone="linux-pam pam_timestamp_check">
584 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
585 </indexterm>
586 </listitem>
587 </varlistentry>
588
589 <varlistentry id="unix_chkpwd">
590 <term><command>unix_chkpwd</command></term>
591 <listitem>
592 <para>
593 is a helper binary that verifies the password of the current user
594 </para>
595 <indexterm zone="linux-pam unix_chkpwd">
596 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
597 </indexterm>
598 </listitem>
599 </varlistentry>
600
601 <varlistentry id="unix_update">
602 <term><command>unix_update</command></term>
603 <listitem>
604 <para>
605 is a helper binary that updates the password of a given user
606 </para>
607 <indexterm zone="linux-pam unix_update">
608 <primary sortas="b-unix_update">unix_update</primary>
609 </indexterm>
610 </listitem>
611 </varlistentry>
612
613 <varlistentry id="libpam">
614 <term><filename class="libraryfile">libpam.so</filename></term>
615 <listitem>
616 <para>
617 provides the interfaces between applications and the
618 PAM modules
619 </para>
620 <indexterm zone="linux-pam libpam">
621 <primary sortas="c-libpam">libpam.so</primary>
622 </indexterm>
623 </listitem>
624 </varlistentry>
625
626 </variablelist>
627
628 </sect2>
629
630</sect1>
Note: See TracBrowser for help on using the repository browser.