Context Navigation

linux-pam.xml@ 3619a5b9

Visit:

11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18 xry111/xf86-video-removal

Last change on this file since 3619a5b9 was 3619a5b9, checked in by Pierre Labastie <pierre.labastie@…>, 18 months ago

Adjust the number of crypt rounds in PAM files

To match shadow's one.

Property mode set to 100644

File size: 20.8 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8	<!ENTITY linux-pam-download-ftp " ">
9	<!ENTITY linux-pam-md5sum "895e8adfa14af334f679bbeb28503f66">
10	<!ENTITY linux-pam-size "966 KB">
11	<!ENTITY linux-pam-buildsize "39 MB (with tests)">
12	<!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14	<!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15	<!ENTITY linux-pam-docs-md5sum "ceb3dc248cb2f49a40904b93cb91db1b">
16	<!ENTITY linux-pam-docs-size "433 KB">
17	<!--
18	<!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19	-->
20	]>
21
22	<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23	<?dbhtml filename="linux-pam.html"?>
24
25	<sect1info>
26	<date>$Date$</date>
27	</sect1info>
28
29	<title>Linux-PAM-&linux-pam-version;</title>
30
31	<indexterm zone="linux-pam">
32	<primary sortas="a-Linux-PAM">Linux-PAM</primary>
33	</indexterm>
34
35	<sect2 role="package">
36	<title>Introduction to Linux PAM</title>
37
38	<para>
39	The <application>Linux PAM</application> package contains
40	Pluggable Authentication Modules used by the local
41	system administrator to control how application programs authenticate
42	users.
43	</para>
44
45	&lfs112_checked;
46
47	<bridgehead renderas="sect3">Package Information</bridgehead>
48	<itemizedlist spacing="compact">
49	<listitem>
50	<para>
51	Download (HTTP): <ulink url="&linux-pam-download-http;"/>
52	</para>
53	</listitem>
54	<listitem>
55	<para>
56	Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
57	</para>
58	</listitem>
59	<listitem>
60	<para>
61	Download MD5 sum: &linux-pam-md5sum;
62	</para>
63	</listitem>
64	<listitem>
65	<para>
66	Download size: &linux-pam-size;
67	</para>
68	</listitem>
69	<listitem>
70	<para>
71	Estimated disk space required: &linux-pam-buildsize;
72	</para>
73	</listitem>
74	<listitem>
75	<para>
76	Estimated build time: &linux-pam-time;
77	</para>
78	</listitem>
79	</itemizedlist>
80
81	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
82	<itemizedlist spacing="compact">
83	<title>Optional Documentation</title>
84	<listitem>
85	<para>
86	Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
87	</para>
88	</listitem>
89	<listitem>
90	<para>
91	Download MD5 sum: &linux-pam-docs-md5sum;
92	</para>
93	</listitem>
94	<listitem>
95	<para>
96	Download size &linux-pam-docs-size;
97	</para>
98	</listitem>
99	</itemizedlist>
100
101	<bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
102
103	<bridgehead renderas="sect4">Optional</bridgehead>
104	<para role="optional">
105	<xref linkend="db"/>,
106	<xref linkend="libnsl"/>,
107	<xref linkend="libtirpc"/>,
108	<ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
109	<ulink url="https://www.prelude-siem.org">Prelude</ulink>
110	</para>
111
112	<bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113	<para role="optional">
114	<xref linkend="DocBook"/>,
115	<xref linkend="docbook-xsl"/>,
116	<xref linkend="fop"/>,
117	<xref linkend="libxslt"/> and either
118	<xref linkend="lynx"/> or
119	<ulink url="&w3m-url;">W3m</ulink>
120	</para>
121
122	<note>
123	<para role="required">
124	<xref role="runtime" linkend="shadow"/>
125	<phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126	must</phrase><phrase revision="sysv">must</phrase> be reinstalled
127	and reconfigured
128	after installing and configuring <application>Linux PAM</application>.
129	</para>
130
131	<para role="recommended">
132	With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
133	installed by default. Use <xref role="runtime" linkend="libpwquality"/>
134	to enforce strong passwords.
135	</para>
136	</note>
137
138	<para condition="html" role="usernotes">User Notes:
139	<ulink url="&blfs-wiki;/linux-pam"/>
140	</para>
141	</sect2>
142
143	<sect2 role="installation">
144	<title>Installation of Linux PAM</title>
145
146	<para revision="sysv">
147	First, prevent the installation of an unneeded systemd file:
148	</para>
149
150	<screen revision="sysv"><userinput>sed -e /service_DATA/d \
151	-i modules/pam_namespace/Makefile.am &&
152	autoreconf</userinput></screen>
153
154	<para>
155	If you downloaded the documentation, unpack the tarball by issuing
156	the following command.
157	</para>
158
159	<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
160
161	<para>
162	If you want to regenerate the documentation yourself, fix the
163	<command>configure</command> script so it will detect lynx:
164	</para>
165
166	<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
167	-e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
168	-i configure</userinput></screen>
169
170	<para>
171	Compile and link <application>Linux PAM</application> by
172	running the following commands:
173	</para>
174
175	<screen><userinput>./configure --prefix=/usr \
176	--sbindir=/usr/sbin \
177	--sysconfdir=/etc \
178	--libdir=/usr/lib \
179	--enable-securedir=/usr/lib/security \
180	--docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
181	make</userinput></screen>
182
183	<para>
184	To test the results, a suitable <filename>/etc/pam.d/other</filename>
185	configuration file must exist.
186	</para>
187
188	<caution>
189	<title>Reinstallation or Upgrade of Linux PAM</title>
190	<para>
191	If you have a system with Linux PAM installed and working, be careful
192	when modifying the files in
193	<filename class="directory">/etc/pam.d</filename>, since your system
194	may become totally unusable. If you want to run the tests, you do not
195	need to create another <filename>/etc/pam.d/other</filename> file. The
196	existing file can be used for the tests.
197	</para>
198
199	<para>
200	You should also be aware that <command>make install</command>
201	overwrites the configuration files in
202	<filename class="directory">/etc/security</filename> as well as
203	<filename>/etc/environment</filename>. If you
204	have modified those files, be sure to back them up.
205	</para>
206	</caution>
207
208	<para>
209	For a first-time installation, create a configuration file by issuing the
210	following commands as the <systemitem class="username">root</systemitem>
211	user:
212	</para>
213
214	<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
215
216	cat > /etc/pam.d/other << "EOF"
217	<literal>auth required pam_deny.so
218	account required pam_deny.so
219	password required pam_deny.so
220	session required pam_deny.so</literal>
221	EOF</userinput></screen>
222
223	<para>
224	Now run the tests by issuing <command>make check</command>.
225	Be sure the tests produced no errors before continuing the
226	installation. Note that the tests are very long.
227	Redirect the output to a log file, so you can inspect it thoroughly.
228	</para>
229
230	<para>
231	For a first-time installation, remove the configuration file
232	created earlier by issuing the following command as the
233	<systemitem class="username">root</systemitem> user:
234	</para>
235
236	<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
237
238	<para>
239	Now, as the <systemitem class="username">root</systemitem>
240	user:
241	</para>
242
243	<screen role="root"><userinput>make install &&
244	chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
245
246	</sect2>
247
248	<sect2 role="commands">
249	<title>Command Explanations</title>
250
251	<para>
252	<parameter>--enable-securedir=/usr/lib/security</parameter>:
253	This switch sets the installation location for the
254	<application>PAM</application> modules.
255	</para>
256
257	<para>
258	<option>--disable-regenerate-docu</option> : If the needed dependencies
259	(<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
260	linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
261	url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
262	html and text documentation files, are generated and installed.
263	Furthermore, if <xref linkend="fop"/> is installed, the PDF
264	documentation is generated and installed. Use this switch if you do not
265	want to rebuild the documentation.
266	</para>
267
268	<para>
269	<command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
270	The setuid bit for the <command>unix_chkpwd</command> helper program must be
271	turned on, so that non-<systemitem class="username">root</systemitem>
272	processes can access the shadow file.
273	</para>
274
275	</sect2>
276
277	<sect2 role="configuration">
278	<title>Configuring Linux-PAM</title>
279
280	<sect3 id="pam-config">
281	<title>Configuration Files</title>
282
283	<para>
284	<filename>/etc/security/*</filename> and
285	<filename>/etc/pam.d/*</filename>
286	</para>
287
288	<indexterm zone="linux-pam pam-config">
289	<primary sortas="e-etc-security">/etc/security/*</primary>
290	</indexterm>
291
292	<indexterm zone="linux-pam pam-config">
293	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
294	</indexterm>
295
296	</sect3>
297
298	<sect3>
299	<title>Configuration Information</title>
300
301	<para>
302	Configuration information is placed in
303	<filename class="directory">/etc/pam.d/</filename>.
304	Here is a sample file:
305	</para>
306
307	<screen><literal># Begin /etc/pam.d/other
308
309	auth required pam_unix.so nullok
310	account required pam_unix.so
311	session required pam_unix.so
312	password required pam_unix.so nullok
313
314	# End /etc/pam.d/other</literal></screen>
315
316	<para>
317	Now create some generic configuration files. As the
318	<systemitem class="username">root</systemitem> user:
319	</para>
320
321	<screen role="root"><userinput>install -vdm755 /etc/pam.d &&
322	cat > /etc/pam.d/system-account << "EOF" &&
323	<literal># Begin /etc/pam.d/system-account
324
325	account required pam_unix.so
326
327	# End /etc/pam.d/system-account</literal>
328	EOF
329
330	cat > /etc/pam.d/system-auth << "EOF" &&
331	<literal># Begin /etc/pam.d/system-auth
332
333	auth required pam_unix.so
334
335	# End /etc/pam.d/system-auth</literal>
336	EOF
337
338	cat > /etc/pam.d/system-session << "EOF"
339	<literal># Begin /etc/pam.d/system-session
340
341	session required pam_unix.so
342
343	# End /etc/pam.d/system-session</literal>
344	EOF
345	cat > /etc/pam.d/system-password << "EOF"
346	<literal># Begin /etc/pam.d/system-password
347
348	# use sha512 hash for encryption, use shadow, and try to use any previously
349	# defined authentication token (chosen password) set by any prior module
350	# Use the same number of rounds as shadow.
351	password required pam_unix.so sha512 shadow try_first_pass \
352	rounds=5000000
353
354	# End /etc/pam.d/system-password</literal>
355	EOF
356	</userinput></screen>
357
358	<para>
359	If you wish to enable strong password support, install
360	<xref linkend="libpwquality"/>, and follow the
361	instructions on that page to configure the pam_pwquality
362	PAM module with strong password support.
363	</para>
364
365	<!-- With the removal of the pam_cracklib module, we're supposed to be using
366	libpwquality. That already includes instructions in its configuration
367	information page, so we'll use those instead.
368
369	Linux-PAM must be installed prior to libpwquality so that PAM support
370	is built in, and the PAM module is built.
371	-->
372	<!-- WARNING: If for any reason the instructions below are reinstated be
373	careful with the number of rounds, which should match the one in shadow.
374	<para>
375	The remaining generic file depends on whether <xref
376	linkend="cracklib"/> is installed. If it is installed, use:
377	</para>
378
379	<screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
380	<literal># Begin /etc/pam.d/system-password
381
382	# check new passwords for strength (man pam_cracklib)
383	password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
384	minlen=9 dcredit=1 ucredit=1 \
385	lcredit=1 ocredit=1 minclass=0 \
386	maxrepeat=0 maxsequence=0 \
387	maxclassrepeat=0 \
388	dictpath=/lib/cracklib/pw_dict
389	# use sha512 hash for encryption, use shadow, and use the
390	# authentication token (chosen password) set by pam_cracklib
391	# above (or any previous modules)
392	password required pam_unix.so sha512 shadow use_authtok
393
394	# End /etc/pam.d/system-password</literal>
395	EOF</userinput></screen>
396
397	<note>
398	<para>
399	In its default configuration, pam_cracklib will
400	allow multiple case passwords as short as 6 characters, even with
401	the <parameter>minlen</parameter> value set to 11. You should review
402	the pam_cracklib(8) man page and determine if these default values
403	are acceptable for the security of your system.
404	</para>
405	</note>
406
407	<para>
408	If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
409	use:
410	</para>
411
412	<screen role="nodump"><userinput>cat > /etc/pam.d/system-password << "EOF"
413	<literal># Begin /etc/pam.d/system-password
414
415	# use sha512 hash for encryption, use shadow, and try to use any previously
416	# defined authentication token (chosen password) set by any prior module
417	password required pam_unix.so sha512 shadow try_first_pass
418
419	# End /etc/pam.d/system-password</literal>
420	EOF</userinput></screen>
421	-->
422	<para>
423	Next, add a restrictive <filename>/etc/pam.d/other</filename>
424	configuration file. With this file, programs that are PAM aware will
425	not run unless a configuration file specifically for that application
426	exists.
427	</para>
428
429	<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
430	<literal># Begin /etc/pam.d/other
431
432	auth required pam_warn.so
433	auth required pam_deny.so
434	account required pam_warn.so
435	account required pam_deny.so
436	password required pam_warn.so
437	password required pam_deny.so
438	session required pam_warn.so
439	session required pam_deny.so
440
441	# End /etc/pam.d/other</literal>
442	EOF</userinput></screen>
443
444	<para>
445	The <application>PAM</application> man page (<command>man
446	pam</command>) provides a good starting point to learn
447	about the several fields, and allowable entries.
448	<!-- not accessible 2022-09-08 -->
449	<!-- it's available at a different address 2022-10-23-->
450	The
451	<ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
452	Linux-PAM System Administrators' Guide
453	</ulink> is recommended for additional information.
454	</para>
455
456	<important>
457	<para>
458	You should now reinstall the <xref linkend="shadow"/>
459	<phrase revision="sysv">package</phrase>
460	<phrase revision="systemd"> and <xref linkend="systemd"/>
461	packages</phrase>.
462	</para>
463	</important>
464
465	</sect3>
466
467	</sect2>
468
469	<sect2 role="content">
470	<title>Contents</title>
471
472	<segmentedlist>
473	<segtitle>Installed Program</segtitle>
474	<segtitle>Installed Libraries</segtitle>
475	<segtitle>Installed Directories</segtitle>
476
477	<seglistitem>
478	<seg>
479	faillock, mkhomedir_helper, pam_namespace_helper,
480	pam_timestamp_check, pwhistory_helper, unix_chkpwd and
481	unix_update
482	</seg>
483	<seg>
484	libpam.so, libpamc.so and libpam_misc.so
485	</seg>
486	<seg>
487	/etc/security,
488	/usr/lib/security,
489	/usr/include/security and
490	/usr/share/doc/Linux-PAM-&linux-pam-version;
491	</seg>
492	</seglistitem>
493	</segmentedlist>
494
495	<variablelist>
496	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
497	<?dbfo list-presentation="list"?>
498	<?dbhtml list-presentation="table"?>
499
500	<varlistentry id="faillock">
501	<term><command>faillock</command></term>
502	<listitem>
503	<para>
504	displays and modifies the authentication failure record files
505	</para>
506	<indexterm zone="linux-pam faillock">
507	<primary sortas="b-faillock">faillock</primary>
508	</indexterm>
509	</listitem>
510	</varlistentry>
511
512	<varlistentry id="mkhomedir_helper">
513	<term><command>mkhomedir_helper</command></term>
514	<listitem>
515	<para>
516	is a helper binary that creates home directories
517	</para>
518	<indexterm zone="linux-pam mkhomedir_helper">
519	<primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
520	</indexterm>
521	</listitem>
522	</varlistentry>
523
524	<varlistentry id="pam_namespace_helper">
525	<term><command>pam_namespace_helper</command></term>
526	<listitem>
527	<para>
528	is a helper program used to configure a private namespace for a
529	user session
530	</para>
531	<indexterm zone="linux-pam pam_namespace_helper">
532	<primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
533	</indexterm>
534	</listitem>
535	</varlistentry>
536
537	<varlistentry id="pwhistory_helper">
538	<term><command>pwhistory_helper</command></term>
539	<listitem>
540	<para>
541	is a helper program that transfers password hashes from passwd or
542	shadow to opasswd
543	</para>
544	<indexterm zone="linux-pam pwhistory_helper">
545	<primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
546	</indexterm>
547	</listitem>
548	</varlistentry>
549	<!-- Removed with the removal of the pam_tally{,2} module
550	<varlistentry id="pam_tally">
551	<term><command>pam_tally</command></term>
552	<listitem>
553	<para>
554	is used to interrogate and manipulate the login counter file.
555	</para>
556	<indexterm zone="linux-pam pam_tally">
557	<primary sortas="b-pam_tally">pam_tally</primary>
558	</indexterm>
559	</listitem>
560	</varlistentry>
561
562	<varlistentry id="pam_tally2">
563	<term><command>pam_tally2</command></term>
564	<listitem>
565	<para>
566	is used to interrogate and manipulate the login counter file, but
567	does not have some limitations that <command>pam_tally</command>
568	does.
569	</para>
570	<indexterm zone="linux-pam pam_tally2">
571	<primary sortas="b-pam_tally2">pam_tally2</primary>
572	</indexterm>
573	</listitem>
574	</varlistentry>
575	-->
576
577	<varlistentry id="pam_timestamp_check">
578	<term><command>pam_timestamp_check</command></term>
579	<listitem>
580	<para>
581	is used to check if the default timestamp is valid
582	</para>
583	<indexterm zone="linux-pam pam_timestamp_check">
584	<primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
585	</indexterm>
586	</listitem>
587	</varlistentry>
588
589	<varlistentry id="unix_chkpwd">
590	<term><command>unix_chkpwd</command></term>
591	<listitem>
592	<para>
593	is a helper binary that verifies the password of the current user
594	</para>
595	<indexterm zone="linux-pam unix_chkpwd">
596	<primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
597	</indexterm>
598	</listitem>
599	</varlistentry>
600
601	<varlistentry id="unix_update">
602	<term><command>unix_update</command></term>
603	<listitem>
604	<para>
605	is a helper binary that updates the password of a given user
606	</para>
607	<indexterm zone="linux-pam unix_update">
608	<primary sortas="b-unix_update">unix_update</primary>
609	</indexterm>
610	</listitem>
611	</varlistentry>
612
613	<varlistentry id="libpam">
614	<term><filename class="libraryfile">libpam.so</filename></term>
615	<listitem>
616	<para>
617	provides the interfaces between applications and the
618	PAM modules
619	</para>
620	<indexterm zone="linux-pam libpam">
621	<primary sortas="c-libpam">libpam.so</primary>
622	</indexterm>
623	</listitem>
624	</varlistentry>
625
626	</variablelist>
627
628	</sect2>
629
630	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/linux-pam.xml@ 3619a5b9

Download in other formats: