source: postlfs/security/linux-pam.xml@ 1b51238

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since 1b51238 was 1b51238, checked in by Fernando de Oliveira <fernando@…>, 9 years ago

Update to Linux-PAM-1.2.1.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@16181 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 15.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "http://linux-pam.org/library/Linux-PAM-&linux-pam-version;.tar.bz2">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "9dc53067556d2dd567808fd509519dd6">
10 <!ENTITY linux-pam-size "1.3 MB">
11 <!ENTITY linux-pam-buildsize "33 MB (with tests)">
12 <!ENTITY linux-pam-time "0.3 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "http://linux-pam.org/documentation/Linux-PAM-&linux-pam-docs-version;-docs.tar.bz2">
15 <!ENTITY linux-pam-docs-md5sum "558378b8be9b8b5c987326f4529f2130">
16 <!ENTITY linux-pam-docs-size "480 KB">
17 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
18]>
19
20<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
21 <?dbhtml filename="linux-pam.html"?>
22
23 <sect1info>
24 <othername>$LastChangedBy$</othername>
25 <date>$Date$</date>
26 </sect1info>
27
28 <title>Linux-PAM-&linux-pam-version;</title>
29
30 <indexterm zone="linux-pam">
31 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
32 </indexterm>
33
34 <sect2 role="package">
35 <title>Introduction to Linux PAM</title>
36
37 <para>
38 The <application>Linux PAM</application> package contains
39 Pluggable Authentication Modules used to enable the local
40 system administrator to choose how applications authenticate
41 users.
42 </para>
43
44 &lfs77_checked; &gcc5_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &linux-pam-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &linux-pam-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &linux-pam-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &linux-pam-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
81 <itemizedlist spacing="compact">
82 <title>Optional Documentation</title>
83 <listitem>
84 <para>
85 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
86 </para>
87 </listitem>
88 <listitem>
89 <para>
90 Download MD5 sum: &linux-pam-docs-md5sum;
91 </para>
92 </listitem>
93 <listitem>
94 <para>
95 Download size &linux-pam-docs-size;
96 </para>
97 </listitem>
98 </itemizedlist>
99
100 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
101
102 <bridgehead renderas="sect4">Optional</bridgehead>
103 <para role="optional">
104 <xref linkend="db"/>,
105 <xref linkend="cracklib"/>,
106 <xref linkend="libtirpc"/> and
107 <ulink url="http://www.prelude-ids.org/">Prelude</ulink>
108 </para>
109
110 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
111 <para role="optional">
112 <xref linkend="DocBook"/>,
113 <xref linkend="docbook-xsl"/>,
114 <xref linkend="fop"/>,
115 <xref linkend="libxslt"/> and
116 <xref linkend="w3m"/>
117 </para>
118
119 <para condition="html" role="usernotes">User Notes:
120 <ulink url="&blfs-wiki;/linux-pam"/>
121 </para>
122 </sect2>
123
124 <sect2 role="installation">
125 <title>Installation of Linux PAM</title>
126
127 <para>
128 If you downloaded the documentation, unpack the tarball by issuing
129 the following command.
130 </para>
131
132<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.bz2 --strip-components=1</userinput></screen>
133
134 <para>
135 Install <application>Linux PAM</application> by
136 running the following commands:
137 </para>
138
139<screen><userinput>./configure --prefix=/usr \
140 --sysconfdir=/etc \
141 --libdir=/usr/lib \
142 --enable-securedir=/lib/security \
143 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
144make</userinput></screen>
145
146 <para>
147 To test the results, a suitable <filename>/etc/pam.d/other</filename>
148 configuration file must exist.
149 </para>
150
151 <caution>
152 <title>Reinstallation or upgrade of Linux PAM</title>
153 <para>
154 If you have a system with Linux PAM installed and working, be careful
155 when modifying the files in
156 <filename class="directory">/etc/pam.d</filename>, since your system
157 may become totally unusable. If you want to run the tests, you do not
158 need to create another <filename>/etc/pam.d/other</filename> file. The
159 installed one can be used for that purpose.
160 </para>
161
162 <para>
163 You should also be aware that <command>make install</command>
164 overwrites the configuration files in
165 <filename class="directory">/etc/security</filename> as well as
166 <filename>/etc/environment</filename>. In case you
167 have modified those files, be sure to backup them.
168 </para>
169 </caution>
170
171 <para>
172 For a first installation, create the configuration file by issuing the
173 following commands as the <systemitem class="username">root</systemitem>
174 user:
175 </para>
176
177<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
178
179cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
180auth required pam_deny.so
181account required pam_deny.so
182password required pam_deny.so
183session required pam_deny.so
184EOF</userinput></screen>
185
186 <para>
187 Now run the tests by issuing <command>make check</command>.
188 Ensure there are no errors produced by the tests before continuing the
189 installation.
190 </para>
191
192 <para>
193 Only in case of a first installation, remove the configuration file
194 created earlier by issuing the following command as the
195 <systemitem class="username">root</systemitem> user:
196 </para>
197
198<screen role="root"><userinput>rm -fv /etc/pam.d/*</userinput></screen>
199
200 <para>
201 Now, as the <systemitem class="username">root</systemitem>
202 user:
203 </para>
204
205<screen role="root"><userinput>make install &amp;&amp;
206chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
207
208for file in pam pam_misc pamc
209do
210 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
211 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
212done</userinput></screen>
213
214 </sect2>
215
216 <sect2 role="commands">
217 <title>Command Explanations</title>
218
219 <para>
220 <parameter>--enable-securedir=/lib/security</parameter>:
221 This switch sets install location for the
222 <application>PAM</application> modules.
223 </para>
224
225 <para>
226 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
227 The <command>unix_chkpwd</command> helper program must be setuid
228 so that non-<systemitem class="username">root</systemitem>
229 processes can access the shadow file.
230 </para>
231
232 </sect2>
233
234 <sect2 role="configuration">
235 <title>Configuring Linux-PAM</title>
236
237 <sect3 id="pam-config">
238 <title>Config Files</title>
239
240 <para>
241 <filename>/etc/security/*</filename> and
242 <filename>/etc/pam.d/*</filename>
243 </para>
244
245 <indexterm zone="linux-pam pam-config">
246 <primary sortas="e-etc-security">/etc/security/*</primary>
247 </indexterm>
248
249 <indexterm zone="linux-pam pam-config">
250 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
251 </indexterm>
252
253 </sect3>
254
255 <sect3>
256 <title>Configuration Information</title>
257
258 <para>
259 Configuration information is placed in
260 <filename class="directory">/etc/pam.d/</filename>.
261 Below is an example file:
262 </para>
263
264<screen><literal># Begin /etc/pam.d/other
265
266auth required pam_unix.so nullok
267account required pam_unix.so
268session required pam_unix.so
269password required pam_unix.so nullok
270
271# End /etc/pam.d/other</literal></screen>
272
273 <para>Now set up some generic files. As root:</para>
274
275<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
276<literal># Begin /etc/pam.d/system-account
277
278account required pam_unix.so
279
280# End /etc/pam.d/system-account</literal>
281EOF
282
283cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
284<literal># Begin /etc/pam.d/system-auth
285
286auth required pam_unix.so
287
288# End /etc/pam.d/system-auth</literal>
289EOF
290
291cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
292<literal># Begin /etc/pam.d/system-session
293
294session required pam_unix.so
295
296# End /etc/pam.d/system-session</literal>
297EOF</userinput></screen>
298
299 <para>The remaining generic file depends on wheather <xref linkend="cracklib"/>
300 is installed. If it is installed, use:</para>
301
302<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
303<literal># Begin /etc/pam.d/system-password
304
305# check new passwords for strength (man pam_cracklib)
306password required pam_cracklib.so type=Linux retry=3 difok=5 \
307 difignore=23 minlen=9 dcredit=1 \
308 ucredit=1 lcredit=1 ocredit=1 \
309 dictpath=/lib/cracklib/pw_dict
310# use sha512 hash for encryption, use shadow, and use the
311# authentication token (chosen password) set by pam_cracklib
312# above (or any previous modules)
313password required pam_unix.so sha512 shadow use_authtok
314
315# End /etc/pam.d/system-password</literal>
316EOF</userinput></screen>
317
318 <note>
319 <para>
320 In its default configuration, pam_cracklib will
321 allow multiple case passwords as short as 6 characters, even with
322 the <parameter>minlen</parameter> value set to 11. You should review
323 the pam_cracklib(8) man page and determine if these default values
324 are acceptable for the security of your system.
325 </para>
326 </note>
327
328 <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
329 use:</para>
330
331<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
332<literal># Begin /etc/pam.d/system-password
333
334# use sha512 hash for encryption, use shadow, and try to use any previously
335# defined authentication token (chosen password) set by any prior module
336password required pam_unix.so sha512 shadow try_first_pass
337
338# End /etc/pam.d/system-password</literal>
339EOF</userinput></screen>
340
341 <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
342 configuration file. With this file, programs that are PAM aware will not
343 run unless a configuration file specifically for that application is
344 created.</para>
345
346<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
347<literal># Begin /etc/pam.d/other
348
349auth required pam_warn.so
350auth required pam_deny.so
351account required pam_warn.so
352account required pam_deny.so
353password required pam_warn.so
354password required pam_deny.so
355session required pam_warn.so
356session required pam_deny.so
357
358# End /etc/pam.d/other</literal>
359EOF</userinput></screen>
360
361 <para>
362 The <application>PAM</application> man page (<command>man
363 pam</command>) provides a good starting point for descriptions
364 of fields and allowable entries. The <ulink
365 url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
366 System Administrators' Guide</ulink> is recommended for additional
367 information.
368 </para>
369
370 <para>
371 Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
372 of various third-party modules available.
373 </para>
374
375 <important>
376 <para>
377 You should now reinstall the <xref linkend="shadow"/>
378 package.
379 </para>
380 </important>
381
382 </sect3>
383
384 </sect2>
385
386 <sect2 role="content">
387 <title>Contents</title>
388
389 <segmentedlist>
390 <segtitle>Installed Program</segtitle>
391 <segtitle>Installed Libraries</segtitle>
392 <segtitle>Installed Directories</segtitle>
393
394 <seglistitem>
395 <seg>
396 mkhomedir_helper, pam_tally, pam_tally2,
397 pam_timestamp_check, unix_chkpwd and
398 unix_update
399 </seg>
400 <seg>
401 libpam.so, libpamc.so and libpam_misc.so
402 </seg>
403 <seg>
404 /etc/security,
405 /lib/security,
406 /usr/include/security and
407 /usr/share/doc/Linux-PAM-&linux-pam-version;
408 </seg>
409 </seglistitem>
410 </segmentedlist>
411
412 <variablelist>
413 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
414 <?dbfo list-presentation="list"?>
415 <?dbhtml list-presentation="table"?>
416
417 <varlistentry id="mkhomedir_helper">
418 <term><command>mkhomedir_helper</command></term>
419 <listitem>
420 <para>
421 is a helper binary that creates home directories.
422 </para>
423 <indexterm zone="linux-pam mkhomedir_helper">
424 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
425 </indexterm>
426 </listitem>
427 </varlistentry>
428
429 <varlistentry id="pam_tally">
430 <term><command>pam_tally</command></term>
431 <listitem>
432 <para>
433 is used to interrogate and manipulate the login counter file.
434 </para>
435 <indexterm zone="linux-pam pam_tally">
436 <primary sortas="b-pam_tally">pam_tally</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="pam_tally2">
442 <term><command>pam_tally2</command></term>
443 <listitem>
444 <para>
445 is used to interrogate and manipulate the login counter file, but
446 does not have some limitations that <command>pam_tally</command>
447 does.
448 </para>
449 <indexterm zone="linux-pam pam_tally2">
450 <primary sortas="b-pam_tally2">pam_tally2</primary>
451 </indexterm>
452 </listitem>
453 </varlistentry>
454
455 <varlistentry id="pam_timestamp_check">
456 <term><command>pam_timestamp_check</command></term>
457 <listitem>
458 <para>
459 is used to check if the default timestamp is valid
460 </para>
461 <indexterm zone="linux-pam pam_timestamp_check">
462 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
463 </indexterm>
464 </listitem>
465 </varlistentry>
466
467 <varlistentry id="unix_chkpwd">
468 <term><command>unix_chkpwd</command></term>
469 <listitem>
470 <para>
471 is a helper binary that verifies the password of the current user.
472 </para>
473 <indexterm zone="linux-pam unix_chkpwd">
474 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
475 </indexterm>
476 </listitem>
477 </varlistentry>
478
479 <varlistentry id="unix_update">
480 <term><command>unix_update</command></term>
481 <listitem>
482 <para>
483 is a helper binary that updates the password of a given user.
484 </para>
485 <indexterm zone="linux-pam unix_update">
486 <primary sortas="b-unix_update">unix_update</primary>
487 </indexterm>
488 </listitem>
489 </varlistentry>
490
491 <varlistentry id="libpam">
492 <term><filename class="libraryfile">libpam.so</filename></term>
493 <listitem>
494 <para>
495 provides the interfaces between applications and the
496 PAM modules.
497 </para>
498 <indexterm zone="linux-pam libpam">
499 <primary sortas="c-libpam">libpam.so</primary>
500 </indexterm>
501 </listitem>
502 </varlistentry>
503
504 </variablelist>
505
506 </sect2>
507
508</sect1>
Note: See TracBrowser for help on using the repository browser.