source: postlfs/security/linux-pam.xml@ 45ab6c7

Last change on this file since 45ab6c7 was 45ab6c7, checked in by Xi Ruoyao <xry111@…>, 3 years ago

more SVN prop clean up

Remove "$LastChanged$" everywhere, and also some unused $Date$

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "155f2a31d07077b2c63a1f135876c31b">
10 <!ENTITY linux-pam-size "952 KB">
11 <!ENTITY linux-pam-buildsize "37 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "eb03b8191fc886780411054115866ee2">
16 <!ENTITY linux-pam-docs-size "432 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <date>$Date$</date>
27 </sect1info>
28
29 <title>Linux-PAM-&linux-pam-version;</title>
30
31 <indexterm zone="linux-pam">
32 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
33 </indexterm>
34
35 <sect2 role="package">
36 <title>Introduction to Linux PAM</title>
37
38 <para>
39 The <application>Linux PAM</application> package contains
40 Pluggable Authentication Modules used to enable the local
41 system administrator to choose how applications authenticate
42 users.
43 </para>
44
45 &lfs101_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &linux-pam-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &linux-pam-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &linux-pam-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &linux-pam-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <title>Optional Documentation</title>
84 <listitem>
85 <para>
86 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
87 </para>
88 </listitem>
89 <listitem>
90 <para>
91 Download MD5 sum: &linux-pam-docs-md5sum;
92 </para>
93 </listitem>
94 <listitem>
95 <para>
            Download size: &linux-pam-docs-size;
97 </para>
98 </listitem>
99 </itemizedlist>
100
101 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
102
103 <bridgehead renderas="sect4">Optional</bridgehead>
104 <para role="optional">
105 <xref linkend="db"/>,
106 <xref linkend="libnsl"/>,
107 <xref linkend="libtirpc"/>,
108 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
109 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
110 </para>
111
112 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113 <para role="optional">
114 <xref linkend="DocBook"/>,
115 <xref linkend="docbook-xsl"/>,
116 <xref linkend="fop"/>,
117 <xref linkend="libxslt"/> and either
118 <xref linkend="lynx"/> or
119 <ulink url="&w3m-url;">W3m</ulink>
120 </para>
121
122 <note>
123 <para role="required">
124 <xref role="runtime" linkend="shadow"/>
125 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
127 after installing and configuring <application>Linux PAM</application>.
128 </para>
129
      <para role="recommended">
        Linux-PAM-1.4.0 and later no longer include the pam_cracklib module,
        so this package by itself does not enforce any password strength
        policy. To enforce strong passwords, install and configure
        <xref role="runtime" linkend="libpwquality"/>, which provides the
        pam_pwquality module used in its place.
      </para>
135 </note>
136
137 <para condition="html" role="usernotes">User Notes:
138 <ulink url="&blfs-wiki;/linux-pam"/>
139 </para>
140 </sect2>
141
142 <sect2 role="installation">
143 <title>Installation of Linux PAM</title>
144
145 <para revision="sysv">
146 First prevent the installation of an unneeded systemd file:
147 </para>
148
149<screen revision="sysv"><userinput>sed -e /service_DATA/d \
150 -i modules/pam_namespace/Makefile.am &amp;&amp;
151autoreconf</userinput></screen>
152
153 <para>
154 If you downloaded the documentation, unpack the tarball by issuing
155 the following command.
156 </para>
157
158<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
159
160 <para>
161 If you instead want to regenerate the documentation, fix the
162 <command>configure</command> script so that it detects lynx if installed:
163 </para>
164
165<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
166 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
167 -i configure</userinput></screen>
168
169 <para>
170 Install <application>Linux PAM</application> by
171 running the following commands:
172 </para>
173
174<screen><userinput>./configure --prefix=/usr \
175 --sysconfdir=/etc \
176 --libdir=/usr/lib \
177 --enable-securedir=/lib/security \
178 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
179make</userinput></screen>
180
181 <para>
182 To test the results, a suitable <filename>/etc/pam.d/other</filename>
183 configuration file must exist.
184 </para>
185
186 <caution>
187 <title>Reinstallation or upgrade of Linux PAM</title>
      <para>
        If you have a system with Linux PAM installed and working, be careful
        when modifying the files in
        <filename class="directory">/etc/pam.d</filename>: a mistake there
        can make every login fail, including
        <systemitem class="username">root</systemitem>, leaving the system
        unusable. Keep an already-authenticated root shell open while you
        edit, and confirm that a fresh login still succeeds before closing
        it. If you want to run the tests, you do not need to create another
        <filename>/etc/pam.d/other</filename> file. The installed one can be
        used for that purpose.
      </para>
196
197 <para>
198 You should also be aware that <command>make install</command>
199 overwrites the configuration files in
200 <filename class="directory">/etc/security</filename> as well as
201 <filename>/etc/environment</filename>. In case you
202 have modified those files, be sure to back them up.
203 </para>
204 </caution>
205
206 <para>
207 For a first installation, create the configuration file by issuing the
208 following commands as the <systemitem class="username">root</systemitem>
209 user:
210 </para>
211
212<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
213
214cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
215<literal>auth required pam_deny.so
216account required pam_deny.so
217password required pam_deny.so
218session required pam_deny.so</literal>
219EOF</userinput></screen>
220
221 <para>
222 Now run the tests by issuing <command>make check</command>.
223 Ensure there are no errors produced by the tests before continuing the
224 installation. Note that the checks are quite long. It may be useful to
225 redirect the output to a log file in order to inspect it thoroughly.
226 </para>
227
228 <para>
229 Only in case of a first installation, remove the configuration file
230 created earlier by issuing the following command as the
231 <systemitem class="username">root</systemitem> user:
232 </para>
233
234<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
235
236 <para>
237 Now, as the <systemitem class="username">root</systemitem>
238 user:
239 </para>
240
241<screen role="root"><userinput>make install &amp;&amp;
242chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
243
244for file in pam pam_misc pamc
245do
246 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
247 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
248done</userinput></screen>
249
250 </sect2>
251
252 <sect2 role="commands">
253 <title>Command Explanations</title>
254
255 <para>
256 <parameter>--enable-securedir=/lib/security</parameter>:
257 This switch sets the installation location for the
258 <application>PAM</application> modules.
259 </para>
260
261 <para>
262 <option>--disable-regenerate-docu</option> : If the needed dependencies
263 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
264 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
265 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
266 html and text documentations are (re)generated and installed.
267 Furthermore, if <xref linkend="fop"/> is installed, the PDF
268 documentation is generated and installed. Use this switch if you do not
269 want to rebuild the documentation.
270 </para>
271
    <para>
      <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
      The <command>unix_chkpwd</command> helper program must be setuid
      <systemitem class="username">root</systemitem> so that a process
      running as an unprivileged user can verify that user's own password
      against <filename>/etc/shadow</filename> (which is readable only by
      <systemitem class="username">root</systemitem>) without the calling
      program itself running as root. Because this helper runs with root
      privileges on behalf of unprivileged callers, check after installation
      that it is owned by <systemitem class="username">root</systemitem>
      (<command>ls -l /sbin/unix_chkpwd</command>); the setuid bit only
      confers the privileges of the file's owner.
    </para>
278
279 </sect2>
280
281 <sect2 role="configuration">
282 <title>Configuring Linux-PAM</title>
283
284 <sect3 id="pam-config">
285 <title>Config Files</title>
286
287 <para>
288 <filename>/etc/security/*</filename> and
289 <filename>/etc/pam.d/*</filename>
290 </para>
291
292 <indexterm zone="linux-pam pam-config">
293 <primary sortas="e-etc-security">/etc/security/*</primary>
294 </indexterm>
295
296 <indexterm zone="linux-pam pam-config">
297 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
298 </indexterm>
299
300 </sect3>
301
302 <sect3>
303 <title>Configuration Information</title>
304
      <para>
        Configuration information is placed in
        <filename class="directory">/etc/pam.d/</filename>.
        Below is an example file. Note that the <option>nullok</option>
        option allows an account whose password field is empty to
        authenticate with an empty password; it appears here only to
        illustrate the file syntax and should be omitted from any
        configuration used on a system that real users log in to:
      </para>
310
311<screen><literal># Begin /etc/pam.d/other
312
313auth required pam_unix.so nullok
314account required pam_unix.so
315session required pam_unix.so
316password required pam_unix.so nullok
317
318# End /etc/pam.d/other</literal></screen>
319
      <para>
        Now set up some generic files. As the
        <systemitem class="username">root</systemitem> user:
      </para>
324
325<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
326cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
327<literal># Begin /etc/pam.d/system-account
328
329account required pam_unix.so
330
331# End /etc/pam.d/system-account</literal>
332EOF
333
334cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
335<literal># Begin /etc/pam.d/system-auth
336
337auth required pam_unix.so
338
339# End /etc/pam.d/system-auth</literal>
340EOF
341
342cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
343<literal># Begin /etc/pam.d/system-session
344
345session required pam_unix.so
346
347# End /etc/pam.d/system-session</literal>
348EOF
349cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
350<literal># Begin /etc/pam.d/system-password
351
# hash new passwords with sha512 (passwords are hashed, not encrypted),
# keep them in /etc/shadow, and try to use any previously defined
# authentication token (chosen password) set by any prior module
354password required pam_unix.so sha512 shadow try_first_pass
355
356# End /etc/pam.d/system-password</literal>
357EOF
358</userinput></screen>
359
360 <para>
361 If you wish to enable strong password support, install
362 <xref linkend="libpwquality"/>, and follow the
363 instructions in that page to configure the pam_pwquality
364 PAM module with strong password support.
365 </para>
366
367<!-- With the removal of the pam_cracklib module, we're supposed to be using
     libpwquality. That already includes instructions in its configuration
369 information page, so we'll use those instead.
370
371 Linux-PAM must be installed prior to libpwquality so that PAM support
372 is built in, and the PAM module is built.
373-->
374<!--
375 <para>
376 The remaining generic file depends on whether <xref
377 linkend="cracklib"/> is installed. If it is installed, use:
378 </para>
379
380<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
381<literal># Begin /etc/pam.d/system-password
382
383# check new passwords for strength (man pam_cracklib)
384password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
385 minlen=9 dcredit=1 ucredit=1 \
386 lcredit=1 ocredit=1 minclass=0 \
387 maxrepeat=0 maxsequence=0 \
388 maxclassrepeat=0 \
389 dictpath=/lib/cracklib/pw_dict
390# use sha512 hash for encryption, use shadow, and use the
391# authentication token (chosen password) set by pam_cracklib
392# above (or any previous modules)
393password required pam_unix.so sha512 shadow use_authtok
394
395# End /etc/pam.d/system-password</literal>
396EOF</userinput></screen>
397
398 <note>
399 <para>
400 In its default configuration, pam_cracklib will
401 allow multiple case passwords as short as 6 characters, even with
402 the <parameter>minlen</parameter> value set to 11. You should review
403 the pam_cracklib(8) man page and determine if these default values
404 are acceptable for the security of your system.
405 </para>
406 </note>
407
408 <para>
409 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
410 use:
411 </para>
412
413<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
414<literal># Begin /etc/pam.d/system-password
415
416# use sha512 hash for encryption, use shadow, and try to use any previously
417# defined authentication token (chosen password) set by any prior module
418password required pam_unix.so sha512 shadow try_first_pass
419
420# End /etc/pam.d/system-password</literal>
421EOF</userinput></screen>
422-->
      <para>
        Now add a restrictive <filename>/etc/pam.d/other</filename>
        configuration file. With this file, any PAM-aware program that has
        no configuration file of its own in
        <filename class="directory">/etc/pam.d</filename> is denied: every
        auth, account, password and session request fails, and
        <command>pam_warn</command> records each such attempt in the system
        log, which makes a missing service file easy to spot. The system
        therefore fails closed instead of falling back to a permissive
        default.
      </para>
429
430<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
431<literal># Begin /etc/pam.d/other
432
433auth required pam_warn.so
434auth required pam_deny.so
435account required pam_warn.so
436account required pam_deny.so
437password required pam_warn.so
438password required pam_deny.so
439session required pam_warn.so
440session required pam_deny.so
441
442# End /etc/pam.d/other</literal>
443EOF</userinput></screen>
444
445 <para>
446 The <application>PAM</application> man page (<command>man
447 pam</command>) provides a good starting point for descriptions
448 of fields and allowable entries. The
449 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
450 Linux-PAM System Administrators' Guide
451 </ulink> is recommended for additional information.
452 </para>
453
454 <important>
455 <para>
456 You should now reinstall the <xref linkend="shadow"/>
457 <phrase revision="sysv">package.</phrase>
458 <phrase revision="systemd"> and <xref linkend="systemd"/>
459 packages.</phrase>
460 </para>
461 </important>
462
463 </sect3>
464
465 </sect2>
466
467 <sect2 role="content">
468 <title>Contents</title>
469
470 <segmentedlist>
471 <segtitle>Installed Program</segtitle>
472 <segtitle>Installed Libraries</segtitle>
473 <segtitle>Installed Directories</segtitle>
474
475 <seglistitem>
476 <seg>
477 faillock, mkhomedir_helper, pam_namespace_helper,
478 pam_timestamp_check, pwhistory_helper, unix_chkpwd and
479 unix_update
480 </seg>
481 <seg>
482 libpam.so, libpamc.so and libpam_misc.so
483 </seg>
484 <seg>
485 /etc/security,
486 /lib/security,
487 /usr/include/security and
488 /usr/share/doc/Linux-PAM-&linux-pam-version;
489 </seg>
490 </seglistitem>
491 </segmentedlist>
492
493 <variablelist>
494 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
495 <?dbfo list-presentation="list"?>
496 <?dbhtml list-presentation="table"?>
497
498 <varlistentry id="faillock">
499 <term><command>faillock</command></term>
500 <listitem>
501 <para>
502 displays and modifies the authentication failure record files
503 </para>
504 <indexterm zone="linux-pam faillock">
505 <primary sortas="b-faillock">faillock</primary>
506 </indexterm>
507 </listitem>
508 </varlistentry>
509
510 <varlistentry id="mkhomedir_helper">
511 <term><command>mkhomedir_helper</command></term>
512 <listitem>
513 <para>
514 is a helper binary that creates home directories
515 </para>
516 <indexterm zone="linux-pam mkhomedir_helper">
517 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
518 </indexterm>
519 </listitem>
520 </varlistentry>
521
522 <varlistentry id="pam_namespace_helper">
523 <term><command>pam_namespace_helper</command></term>
524 <listitem>
525 <para>
526 is a helper program used to configure a private namespace for a
527 user session
528 </para>
529 <indexterm zone="linux-pam pam_namespace_helper">
530 <primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
531 </indexterm>
532 </listitem>
533 </varlistentry>
534
535 <varlistentry id="pwhistory_helper">
536 <term><command>pwhistory_helper</command></term>
537 <listitem>
538 <para>
539 is a helper program that transfers password hashes from passwd or
540 shadow to opasswd
541 </para>
542 <indexterm zone="linux-pam pwhistory_helper">
543 <primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
544 </indexterm>
545 </listitem>
546 </varlistentry>
547<!-- Removed with the removal of the pam_tally{,2} module
548 <varlistentry id="pam_tally">
549 <term><command>pam_tally</command></term>
550 <listitem>
551 <para>
552 is used to interrogate and manipulate the login counter file.
553 </para>
554 <indexterm zone="linux-pam pam_tally">
555 <primary sortas="b-pam_tally">pam_tally</primary>
556 </indexterm>
557 </listitem>
558 </varlistentry>
559
560 <varlistentry id="pam_tally2">
561 <term><command>pam_tally2</command></term>
562 <listitem>
563 <para>
564 is used to interrogate and manipulate the login counter file, but
565 does not have some limitations that <command>pam_tally</command>
566 does.
567 </para>
568 <indexterm zone="linux-pam pam_tally2">
569 <primary sortas="b-pam_tally2">pam_tally2</primary>
570 </indexterm>
571 </listitem>
572 </varlistentry>
573-->
574
575 <varlistentry id="pam_timestamp_check">
576 <term><command>pam_timestamp_check</command></term>
577 <listitem>
578 <para>
579 is used to check if the default timestamp is valid
580 </para>
581 <indexterm zone="linux-pam pam_timestamp_check">
582 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
583 </indexterm>
584 </listitem>
585 </varlistentry>
586
587 <varlistentry id="unix_chkpwd">
588 <term><command>unix_chkpwd</command></term>
589 <listitem>
590 <para>
591 is a helper binary that verifies the password of the current user
592 </para>
593 <indexterm zone="linux-pam unix_chkpwd">
594 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
595 </indexterm>
596 </listitem>
597 </varlistentry>
598
599 <varlistentry id="unix_update">
600 <term><command>unix_update</command></term>
601 <listitem>
602 <para>
603 is a helper binary that updates the password of a given user
604 </para>
605 <indexterm zone="linux-pam unix_update">
606 <primary sortas="b-unix_update">unix_update</primary>
607 </indexterm>
608 </listitem>
609 </varlistentry>
610
611 <varlistentry id="libpam">
612 <term><filename class="libraryfile">libpam.so</filename></term>
613 <listitem>
614 <para>
615 provides the interfaces between applications and the
616 PAM modules
617 </para>
618 <indexterm zone="linux-pam libpam">
619 <primary sortas="c-libpam">libpam.so</primary>
620 </indexterm>
621 </listitem>
622 </varlistentry>
623
624 </variablelist>
625
626 </sect2>
627
628</sect1>