1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "155f2a31d07077b2c63a1f135876c31b">
10 <!ENTITY linux-pam-size "952 KB">
11 <!ENTITY linux-pam-buildsize "37 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "eb03b8191fc886780411054115866ee2">
16 <!ENTITY linux-pam-docs-size "432 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <date>$Date$</date>
27 </sect1info>
28
29 <title>Linux-PAM-&linux-pam-version;</title>
30
31 <indexterm zone="linux-pam">
32 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
33 </indexterm>
34
35 <sect2 role="package">
36 <title>Introduction to Linux PAM</title>
37
38 <para>
39 The <application>Linux PAM</application> package contains
40 Pluggable Authentication Modules used to enable the local
41 system administrator to choose how applications authenticate
42 users.
43 </para>
44
45 &lfs110a_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &linux-pam-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &linux-pam-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &linux-pam-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &linux-pam-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <title>Optional Documentation</title>
84 <listitem>
85 <para>
86 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
87 </para>
88 </listitem>
89 <listitem>
90 <para>
91 Download MD5 sum: &linux-pam-docs-md5sum;
92 </para>
93 </listitem>
94 <listitem>
95 <para>
96 Download size: &linux-pam-docs-size;
97 </para>
98 </listitem>
99 </itemizedlist>
100
101 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
102
103 <bridgehead renderas="sect4">Optional</bridgehead>
104 <para role="optional">
105 <xref linkend="db"/>,
106 <xref linkend="libnsl"/>,
107 <xref linkend="libtirpc"/>,
108 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
109 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
110 </para>
111
112 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113 <para role="optional">
114 <xref linkend="DocBook"/>,
115 <xref linkend="docbook-xsl"/>,
116 <xref linkend="fop"/>,
117 <xref linkend="libxslt"/> and either
118 <xref linkend="lynx"/> or
119 <ulink url="&w3m-url;">W3m</ulink>
120 </para>
121
122 <note>
123 <para role="required">
124 <xref role="runtime" linkend="shadow"/>
125 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
127 after installing and configuring <application>Linux PAM</application>.
128 </para>
129
130 <para role="recommended">
131 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
132 installed by default. To enforce strong passwords, it is recommended
133 to use <xref role="runtime" linkend="libpwquality"/>.
134 </para>
135 </note>
136
137 <para condition="html" role="usernotes">User Notes:
138 <ulink url="&blfs-wiki;/linux-pam"/>
139 </para>
140 </sect2>
141
142 <sect2 role="installation">
143 <title>Installation of Linux PAM</title>
144
145 <para revision="sysv">
146 First prevent the installation of an unneeded systemd file:
147 </para>
148
149<screen revision="sysv"><userinput>sed -e /service_DATA/d \
150 -i modules/pam_namespace/Makefile.am &amp;&amp;
151autoreconf</userinput></screen>
152
153 <para>
154 If you downloaded the documentation, unpack the tarball by issuing
155 the following command.
156 </para>
157
158<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
159
160 <para>
161 If you instead want to regenerate the documentation, fix the
162 <command>configure</command> script so that it detects lynx if installed:
163 </para>
164
165<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
166 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
167 -i configure</userinput></screen>
168
169 <para>
170 Install <application>Linux PAM</application> by
171 running the following commands:
172 </para>
173
174<screen><userinput>./configure --prefix=/usr \
175 --sysconfdir=/etc \
176 --libdir=/usr/lib \
177 --enable-securedir=/usr/lib/security \
178 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
179make</userinput></screen>
180
181 <para>
182 To test the results, a suitable <filename>/etc/pam.d/other</filename>
183 configuration file must exist.
184 </para>
185
186 <caution>
187 <title>Reinstallation or upgrade of Linux PAM</title>
188 <para>
189 If you have a system with Linux PAM installed and working, be careful
190 when modifying the files in
191 <filename class="directory">/etc/pam.d</filename>, since your system
192 may become totally unusable. If you want to run the tests, you do not
193 need to create another <filename>/etc/pam.d/other</filename> file. The
194 installed one can be used for that purpose.
195 </para>
196
197 <para>
198 You should also be aware that <command>make install</command>
199 overwrites the configuration files in
200 <filename class="directory">/etc/security</filename> as well as
201 <filename>/etc/environment</filename>. In case you
202 have modified those files, be sure to back them up.
203 </para>
204 </caution>
205
206 <para>
207 For a first installation, create the configuration file by issuing the
208 following commands as the <systemitem class="username">root</systemitem>
209 user:
210 </para>
211
212<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
213
214cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
215<literal>auth required pam_deny.so
216account required pam_deny.so
217password required pam_deny.so
218session required pam_deny.so</literal>
219EOF</userinput></screen>
220
221 <para>
222 Now run the tests by issuing <command>make check</command>.
223 Ensure there are no errors produced by the tests before continuing the
224 installation. Note that the checks are quite long. It may be useful to
225 redirect the output to a log file in order to inspect it thoroughly.
226 </para>
227
228 <para>
229 Only in case of a first installation, remove the configuration file
230 created earlier by issuing the following command as the
231 <systemitem class="username">root</systemitem> user:
232 </para>
233
234<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
235
236 <para>
237 Now, as the <systemitem class="username">root</systemitem>
238 user:
239 </para>
240
241<screen role="root"><userinput>make install &amp;&amp;
242chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
243
244 </sect2>
245
246 <sect2 role="commands">
247 <title>Command Explanations</title>
248
249 <para>
250 <parameter>--enable-securedir=/usr/lib/security</parameter>:
251 This switch sets the installation location for the
252 <application>PAM</application> modules.
253 </para>
254
255 <para>
256 <option>--disable-regenerate-docu</option>: If the needed dependencies
257 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
258 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
259 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
260 html and text documentations are (re)generated and installed.
261 Furthermore, if <xref linkend="fop"/> is installed, the PDF
262 documentation is generated and installed. Use this switch if you do not
263 want to rebuild the documentation.
264 </para>
265
266 <para>
267 <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
268 The <command>unix_chkpwd</command> helper program must be setuid
269 so that non-<systemitem class="username">root</systemitem>
270 processes can read the shadow file when verifying the current user's password.
271 </para>
272
273 </sect2>
274
275 <sect2 role="configuration">
276 <title>Configuring Linux-PAM</title>
277
278 <sect3 id="pam-config">
279 <title>Config Files</title>
280
281 <para>
282 <filename>/etc/security/*</filename> and
283 <filename>/etc/pam.d/*</filename>
284 </para>
285
286 <indexterm zone="linux-pam pam-config">
287 <primary sortas="e-etc-security">/etc/security/*</primary>
288 </indexterm>
289
290 <indexterm zone="linux-pam pam-config">
291 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
292 </indexterm>
293
294 </sect3>
295
296 <sect3>
297 <title>Configuration Information</title>
298
299 <para>
300 Configuration information is placed in
301 <filename class="directory">/etc/pam.d/</filename>.
302 Below is an example file (the <option>nullok</option> argument lets accounts with an empty password authenticate; leave it out if that is not wanted):
303 </para>
304
305<screen><literal># Begin /etc/pam.d/other
306
307auth required pam_unix.so nullok
308account required pam_unix.so
309session required pam_unix.so
310password required pam_unix.so nullok
311
312# End /etc/pam.d/other</literal></screen>
313
314 <para>
315 Now set up some generic files. As the
316 <systemitem class="username">root</systemitem> user:
317 </para>
318
319<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
320cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
321<literal># Begin /etc/pam.d/system-account
322
323account required pam_unix.so
324
325# End /etc/pam.d/system-account</literal>
326EOF
327
328cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
329<literal># Begin /etc/pam.d/system-auth
330
331auth required pam_unix.so
332
333# End /etc/pam.d/system-auth</literal>
334EOF
335
336cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
337<literal># Begin /etc/pam.d/system-session
338
339session required pam_unix.so
340
341# End /etc/pam.d/system-session</literal>
342EOF
343cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
344<literal># Begin /etc/pam.d/system-password
345
346# use sha512 hash for encryption, use shadow, and try to use any previously
347# defined authentication token (chosen password) set by any prior module
348password required pam_unix.so sha512 shadow try_first_pass
349
350# End /etc/pam.d/system-password</literal>
351EOF
352</userinput></screen>
353
354 <para>
355 If you wish to enable strong password support, install
356 <xref linkend="libpwquality"/>, and follow the
357 instructions in that page to configure the pam_pwquality
358 PAM module with strong password support.
359 </para>
360
361<!-- With the removal of the pam_cracklib module, we're supposed to be using
362 libpwquality. That already includes instructions in its configuration
363 information page, so we'll use those instead.
364
365 Linux-PAM must be installed prior to libpwquality so that PAM support
366 is built in, and the PAM module is built.
367-->
368<!--
369 <para>
370 The remaining generic file depends on whether <xref
371 linkend="cracklib"/> is installed. If it is installed, use:
372 </para>
373
374<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
375<literal># Begin /etc/pam.d/system-password
376
377# check new passwords for strength (man pam_cracklib)
378password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
379 minlen=9 dcredit=1 ucredit=1 \
380 lcredit=1 ocredit=1 minclass=0 \
381 maxrepeat=0 maxsequence=0 \
382 maxclassrepeat=0 \
383 dictpath=/lib/cracklib/pw_dict
384# use sha512 hash for encryption, use shadow, and use the
385# authentication token (chosen password) set by pam_cracklib
386# above (or any previous modules)
387password required pam_unix.so sha512 shadow use_authtok
388
389# End /etc/pam.d/system-password</literal>
390EOF</userinput></screen>
391
392 <note>
393 <para>
394 In its default configuration, pam_cracklib will
395 allow multiple case passwords as short as 6 characters, even with
396 the <parameter>minlen</parameter> value set to 11. You should review
397 the pam_cracklib(8) man page and determine if these default values
398 are acceptable for the security of your system.
399 </para>
400 </note>
401
402 <para>
403 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
404 use:
405 </para>
406
407<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
408<literal># Begin /etc/pam.d/system-password
409
410# use sha512 hash for encryption, use shadow, and try to use any previously
411# defined authentication token (chosen password) set by any prior module
412password required pam_unix.so sha512 shadow try_first_pass
413
414# End /etc/pam.d/system-password</literal>
415EOF</userinput></screen>
416-->
417 <para>
418 Now add a restrictive <filename>/etc/pam.d/other</filename>
419 configuration file. With this file, programs that are PAM aware will
420 not run unless a configuration file specifically for that application
421 is created.
422 </para>
423
424<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
425<literal># Begin /etc/pam.d/other
426
427auth required pam_warn.so
428auth required pam_deny.so
429account required pam_warn.so
430account required pam_deny.so
431password required pam_warn.so
432password required pam_deny.so
433session required pam_warn.so
434session required pam_deny.so
435
436# End /etc/pam.d/other</literal>
437EOF</userinput></screen>
438
439 <para>
440 The <application>PAM</application> man page (<command>man
441 pam</command>) provides a good starting point for descriptions
442 of fields and allowable entries. The
443 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
444 Linux-PAM System Administrators' Guide
445 </ulink> is recommended for additional information.
446 </para>
447
448 <important>
449 <para>
450 You should now reinstall the <xref linkend="shadow"/>
451 <phrase revision="sysv">package.</phrase>
452 <phrase revision="systemd"> and <xref linkend="systemd"/>
453 packages.</phrase>
454 </para>
455 </important>
456
457 </sect3>
458
459 </sect2>
460
461 <sect2 role="content">
462 <title>Contents</title>
463
464 <segmentedlist>
465 <segtitle>Installed Program</segtitle>
466 <segtitle>Installed Libraries</segtitle>
467 <segtitle>Installed Directories</segtitle>
468
469 <seglistitem>
470 <seg>
471 faillock, mkhomedir_helper, pam_namespace_helper,
472 pam_timestamp_check, pwhistory_helper, unix_chkpwd and
473 unix_update
474 </seg>
475 <seg>
476 libpam.so, libpamc.so and libpam_misc.so
477 </seg>
478 <seg>
479 /etc/security,
480 /lib/security,
481 /usr/include/security and
482 /usr/share/doc/Linux-PAM-&linux-pam-version;
483 </seg>
484 </seglistitem>
485 </segmentedlist>
486
487 <variablelist>
488 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
489 <?dbfo list-presentation="list"?>
490 <?dbhtml list-presentation="table"?>
491
492 <varlistentry id="faillock">
493 <term><command>faillock</command></term>
494 <listitem>
495 <para>
496 displays and modifies the authentication failure record files
497 </para>
498 <indexterm zone="linux-pam faillock">
499 <primary sortas="b-faillock">faillock</primary>
500 </indexterm>
501 </listitem>
502 </varlistentry>
503
504 <varlistentry id="mkhomedir_helper">
505 <term><command>mkhomedir_helper</command></term>
506 <listitem>
507 <para>
508 is a helper binary that creates home directories
509 </para>
510 <indexterm zone="linux-pam mkhomedir_helper">
511 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
512 </indexterm>
513 </listitem>
514 </varlistentry>
515
516 <varlistentry id="pam_namespace_helper">
517 <term><command>pam_namespace_helper</command></term>
518 <listitem>
519 <para>
520 is a helper program used to configure a private namespace for a
521 user session
522 </para>
523 <indexterm zone="linux-pam pam_namespace_helper">
524 <primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
525 </indexterm>
526 </listitem>
527 </varlistentry>
528
529 <varlistentry id="pwhistory_helper">
530 <term><command>pwhistory_helper</command></term>
531 <listitem>
532 <para>
533 is a helper program that transfers password hashes from passwd or
534 shadow to opasswd
535 </para>
536 <indexterm zone="linux-pam pwhistory_helper">
537 <primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
538 </indexterm>
539 </listitem>
540 </varlistentry>
541<!-- Removed with the removal of the pam_tally{,2} module
542 <varlistentry id="pam_tally">
543 <term><command>pam_tally</command></term>
544 <listitem>
545 <para>
546 is used to interrogate and manipulate the login counter file.
547 </para>
548 <indexterm zone="linux-pam pam_tally">
549 <primary sortas="b-pam_tally">pam_tally</primary>
550 </indexterm>
551 </listitem>
552 </varlistentry>
553
554 <varlistentry id="pam_tally2">
555 <term><command>pam_tally2</command></term>
556 <listitem>
557 <para>
558 is used to interrogate and manipulate the login counter file, but
559 does not have some limitations that <command>pam_tally</command>
560 does.
561 </para>
562 <indexterm zone="linux-pam pam_tally2">
563 <primary sortas="b-pam_tally2">pam_tally2</primary>
564 </indexterm>
565 </listitem>
566 </varlistentry>
567-->
568
569 <varlistentry id="pam_timestamp_check">
570 <term><command>pam_timestamp_check</command></term>
571 <listitem>
572 <para>
573 is used to check if the default timestamp is valid
574 </para>
575 <indexterm zone="linux-pam pam_timestamp_check">
576 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
577 </indexterm>
578 </listitem>
579 </varlistentry>
580
581 <varlistentry id="unix_chkpwd">
582 <term><command>unix_chkpwd</command></term>
583 <listitem>
584 <para>
585 is a helper binary that verifies the password of the current user
586 </para>
587 <indexterm zone="linux-pam unix_chkpwd">
588 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
589 </indexterm>
590 </listitem>
591 </varlistentry>
592
593 <varlistentry id="unix_update">
594 <term><command>unix_update</command></term>
595 <listitem>
596 <para>
597 is a helper binary that updates the password of a given user
598 </para>
599 <indexterm zone="linux-pam unix_update">
600 <primary sortas="b-unix_update">unix_update</primary>
601 </indexterm>
602 </listitem>
603 </varlistentry>
604
605 <varlistentry id="libpam">
606 <term><filename class="libraryfile">libpam.so</filename></term>
607 <listitem>
608 <para>
609 provides the interfaces between applications and the
610 PAM modules
611 </para>
612 <indexterm zone="linux-pam libpam">
613 <primary sortas="c-libpam">libpam.so</primary>
614 </indexterm>
615 </listitem>
616 </varlistentry>
617
618 </variablelist>
619
620 </sect2>
621
622</sect1>