source: postlfs/security/linux-pam.xml@ 47274444

Last change on this file since 47274444 was 47274444, checked in by Pierre Labastie <pieere@…>, 22 months ago

Format postlfs/security and misc/forgotten

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22884 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "558ff53b0fc0563ca97f79e911822165">
10 <!ENTITY linux-pam-size "892 MB">
11 <!ENTITY linux-pam-buildsize "26 MB (with tests)">
12 <!ENTITY linux-pam-time "0.3 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "1885fae049acd1b699a5459d7c4a0130">
16 <!ENTITY linux-pam-docs-size "449 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <othername>$LastChangedBy$</othername>
27 <date>$Date$</date>
28 </sect1info>
29
30 <title>Linux-PAM-&linux-pam-version;</title>
31
32 <indexterm zone="linux-pam">
33 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
34 </indexterm>
35
36 <sect2 role="package">
37 <title>Introduction to Linux PAM</title>
38
39 <para>
40 The <application>Linux PAM</application> package contains
41 Pluggable Authentication Modules used to enable the local
42 system administrator to choose how applications authenticate
43 users.
44 </para>
45
46 &lfs91_checked;
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>
52 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download MD5 sum: &linux-pam-md5sum;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Download size: &linux-pam-size;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated disk space required: &linux-pam-buildsize;
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 Estimated build time: &linux-pam-time;
78 </para>
79 </listitem>
80 </itemizedlist>
81
82 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
83 <itemizedlist spacing="compact">
84 <title>Optional Documentation</title>
85 <listitem>
86 <para>
87 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
88 </para>
89 </listitem>
90 <listitem>
91 <para>
92 Download MD5 sum: &linux-pam-docs-md5sum;
93 </para>
94 </listitem>
95 <listitem>
96 <para>
97 Download size: &linux-pam-docs-size;
98 </para>
99 </listitem>
100 </itemizedlist>
101
102 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
103
104 <bridgehead renderas="sect4">Optional</bridgehead>
105 <para role="optional">
106 <xref linkend="db"/>,
107 <xref linkend="cracklib"/>,
108 <xref linkend="libtirpc"/> and
109 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
110 </para>
111
112 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113 <para role="optional">
114 <xref linkend="DocBook"/>,
115 <xref linkend="docbook-xsl"/>,
116 <xref linkend="fop"/>,
117 <xref linkend="libxslt"/> and either
118 <xref linkend="lynx"/> or
119 <ulink url="&w3m-url;">W3m</ulink>
120 </para>
121
122 <note>
123 <para role="required">
124 <xref role="runtime" linkend="shadow"/>
125 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
127 after installing and configuring <application>Linux PAM</application>.
128 </para>
129 </note>
130
131 <para condition="html" role="usernotes">User Notes:
132 <ulink url="&blfs-wiki;/linux-pam"/>
133 </para>
134 </sect2>
135
136 <sect2 role="installation">
137 <title>Installation of Linux PAM</title>
138
139 <para>
140 If you downloaded the documentation, unpack the tarball by issuing
141 the following command.
142 </para>
143
144<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
145
146 <para>
147 If you instead want to regenerate the documentation, fix the
148 <command>configure</command> script so that it detects lynx if installed:
149 </para>
150
151<screen><userinput>sed -e 's/dummy links/dummy lynx/' \
152 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
153 -i configure</userinput></screen>
154
155 <para>
156 Install <application>Linux PAM</application> by
157 running the following commands:
158 </para>
159
160<screen><userinput>./configure --prefix=/usr \
161 --sysconfdir=/etc \
162 --libdir=/usr/lib \
163 --enable-securedir=/lib/security \
164 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
165make</userinput></screen>
166
167 <para>
168 To test the results, a suitable <filename>/etc/pam.d/other</filename>
169 configuration file must exist.
170 </para>
171
172 <caution>
173 <title>Reinstallation or upgrade of Linux PAM</title>
174 <para>
175 If you have a system with Linux PAM installed and working, be careful
176 when modifying the files in
177 <filename class="directory">/etc/pam.d</filename>, since a mistake
178 there can make your system totally unusable. If you want to run the tests, you do not
179 need to create another <filename>/etc/pam.d/other</filename> file. The
180 installed one can be used for that purpose.
181 </para>
182
183 <para>
184 You should also be aware that <command>make install</command>
185 overwrites the configuration files in
186 <filename class="directory">/etc/security</filename> as well as
187 <filename>/etc/environment</filename>. In case you
188 have modified those files, be sure to back them up.
189 </para>
190 </caution>
191
192 <para>
193 For a first installation, create the configuration file by issuing the
194 following commands as the <systemitem class="username">root</systemitem>
195 user:
196 </para>
197
198<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
199
200cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
201<literal>auth required pam_deny.so
202account required pam_deny.so
203password required pam_deny.so
204session required pam_deny.so</literal>
205EOF</userinput></screen>
206
207 <para>
208 Now run the tests by issuing <command>make check</command>.
209 Ensure there are no errors produced by the tests before continuing the
210 installation. Note that the checks are quite long. It may be useful to
211 redirect the output to a log file in order to inspect it thoroughly.
212 </para>
213
214 <para>
215 Only in case of a first installation, remove the configuration file
216 created earlier by issuing the following command as the
217 <systemitem class="username">root</systemitem> user:
218 </para>
219
220<screen role="root"><userinput>rm -fv /etc/pam.d/*</userinput></screen>
221
222 <para>
223 Now, as the <systemitem class="username">root</systemitem>
224 user:
225 </para>
226
227<screen role="root"><userinput>make install &amp;&amp;
228chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
229
230for file in pam pam_misc pamc
231do
232 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
233 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
234done</userinput></screen>
235
236 </sect2>
237
238 <sect2 role="commands">
239 <title>Command Explanations</title>
240
241 <para>
242 <parameter>--enable-securedir=/lib/security</parameter>:
243 This switch sets install location for the
244 <application>PAM</application> modules.
245 </para>
246
247 <para>
248 <option>--disable-regenerate-docu</option>: If the needed dependencies
249 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
250 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
251 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
252 html and text documentations are (re)generated and installed.
253 Furthermore, if <xref linkend="fop"/> is installed, the PDF
254 documentation is generated and installed. Use this switch if you do not
255 want to rebuild the documentation.
256 </para>
257
258 <para>
259 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
260 The <command>unix_chkpwd</command> helper program must be setuid
261 so that non-<systemitem class="username">root</systemitem>
262 processes can verify passwords against the shadow file.
263 </para>
264
265 </sect2>
266
267 <sect2 role="configuration">
268 <title>Configuring Linux-PAM</title>
269
270 <sect3 id="pam-config">
271 <title>Config Files</title>
272
273 <para>
274 <filename>/etc/security/*</filename> and
275 <filename>/etc/pam.d/*</filename>
276 </para>
277
278 <indexterm zone="linux-pam pam-config">
279 <primary sortas="e-etc-security">/etc/security/*</primary>
280 </indexterm>
281
282 <indexterm zone="linux-pam pam-config">
283 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
284 </indexterm>
285
286 </sect3>
287
288 <sect3>
289 <title>Configuration Information</title>
290
291 <para>
292 Configuration information is placed in
293 <filename class="directory">/etc/pam.d/</filename>.
294 Below is an example file that illustrates the format (the restrictive <filename>/etc/pam.d/other</filename> to actually install is given later in this section):
295 </para>
296
297<screen><literal># Begin /etc/pam.d/other
298
299auth required pam_unix.so nullok
300account required pam_unix.so
301session required pam_unix.so
302password required pam_unix.so nullok
303
304# End /etc/pam.d/other</literal></screen>
305
306 <para>
307 Now set up some generic files. As root:
308 </para>
309
310<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
311cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
312<literal># Begin /etc/pam.d/system-account
313
314account required pam_unix.so
315
316# End /etc/pam.d/system-account</literal>
317EOF
318
319cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
320<literal># Begin /etc/pam.d/system-auth
321
322auth required pam_unix.so
323
324# End /etc/pam.d/system-auth</literal>
325EOF
326
327cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
328<literal># Begin /etc/pam.d/system-session
329
330session required pam_unix.so
331
332# End /etc/pam.d/system-session</literal>
333EOF</userinput></screen>
334
335 <para>
336 The remaining generic file depends on whether <xref
337 linkend="cracklib"/> is installed. If it is installed, use:
338 </para>
339
340<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
341<literal># Begin /etc/pam.d/system-password
342
343# check new passwords for strength (man pam_cracklib)
344password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
345 minlen=9 dcredit=1 ucredit=1 \
346 lcredit=1 ocredit=1 minclass=0 \
347 maxrepeat=0 maxsequence=0 \
348 maxclassrepeat=0 \
349 dictpath=/lib/cracklib/pw_dict
350# use sha512 hash for encryption, use shadow, and use the
351# authentication token (chosen password) set by pam_cracklib
352# above (or any previous modules)
353password required pam_unix.so sha512 shadow use_authtok
354
355# End /etc/pam.d/system-password</literal>
356EOF</userinput></screen>
357
358 <note>
359 <para>
360 In its default configuration, pam_cracklib will
361 allow mixed-case passwords as short as 6 characters, even with
362 the <parameter>minlen</parameter> value set to 11. You should review
363 the pam_cracklib(8) man page and determine if these default values
364 are acceptable for the security of your system.
365 </para>
366 </note>
367
368 <para>
369 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
370 use:
371 </para>
372
373<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
374<literal># Begin /etc/pam.d/system-password
375
376# use sha512 hash for encryption, use shadow, and try to use any previously
377# defined authentication token (chosen password) set by any prior module
378password required pam_unix.so sha512 shadow try_first_pass
379
380# End /etc/pam.d/system-password</literal>
381EOF</userinput></screen>
382
383 <para>
384 Now add a restrictive <filename>/etc/pam.d/other</filename>
385 configuration file. With this file, PAM-aware programs will
386 not run unless a configuration file specifically for that application
387 is created.
388 </para>
389
390<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
391<literal># Begin /etc/pam.d/other
392
393auth required pam_warn.so
394auth required pam_deny.so
395account required pam_warn.so
396account required pam_deny.so
397password required pam_warn.so
398password required pam_deny.so
399session required pam_warn.so
400session required pam_deny.so
401
402# End /etc/pam.d/other</literal>
403EOF</userinput></screen>
404
405 <para>
406 The <application>PAM</application> man page (<command>man
407 pam</command>) provides a good starting point for descriptions
408 of fields and allowable entries. The
409 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
410 Linux-PAM System Administrators' Guide
411 </ulink> is recommended for additional information.
412 </para>
413
414 <important>
415 <para>
416 You should now reinstall the <xref linkend="shadow"/>
417 <phrase revision="sysv">package.</phrase>
418 <phrase revision="systemd"> and <xref linkend="systemd"/>
419 packages.</phrase>
420 </para>
421 </important>
422
423 </sect3>
424
425 </sect2>
426
427 <sect2 role="content">
428 <title>Contents</title>
429
430 <segmentedlist>
431 <segtitle>Installed Program</segtitle>
432 <segtitle>Installed Libraries</segtitle>
433 <segtitle>Installed Directories</segtitle>
434
435 <seglistitem>
436 <seg>
437 mkhomedir_helper, pam_tally, pam_tally2,
438 pam_timestamp_check, unix_chkpwd and
439 unix_update
440 </seg>
441 <seg>
442 libpam.so, libpamc.so and libpam_misc.so
443 </seg>
444 <seg>
445 /etc/security,
446 /lib/security,
447 /usr/include/security and
448 /usr/share/doc/Linux-PAM-&linux-pam-version;
449 </seg>
450 </seglistitem>
451 </segmentedlist>
452
453 <variablelist>
454 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
455 <?dbfo list-presentation="list"?>
456 <?dbhtml list-presentation="table"?>
457
458 <varlistentry id="mkhomedir_helper">
459 <term><command>mkhomedir_helper</command></term>
460 <listitem>
461 <para>
462 is a helper binary that creates home directories.
463 </para>
464 <indexterm zone="linux-pam mkhomedir_helper">
465 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
466 </indexterm>
467 </listitem>
468 </varlistentry>
469
470 <varlistentry id="pam_tally">
471 <term><command>pam_tally</command></term>
472 <listitem>
473 <para>
474 is used to interrogate and manipulate the login counter file.
475 </para>
476 <indexterm zone="linux-pam pam_tally">
477 <primary sortas="b-pam_tally">pam_tally</primary>
478 </indexterm>
479 </listitem>
480 </varlistentry>
481
482 <varlistentry id="pam_tally2">
483 <term><command>pam_tally2</command></term>
484 <listitem>
485 <para>
486 is used to interrogate and manipulate the login counter file, but
487 does not have some limitations that <command>pam_tally</command>
488 does.
489 </para>
490 <indexterm zone="linux-pam pam_tally2">
491 <primary sortas="b-pam_tally2">pam_tally2</primary>
492 </indexterm>
493 </listitem>
494 </varlistentry>
495
496 <varlistentry id="pam_timestamp_check">
497 <term><command>pam_timestamp_check</command></term>
498 <listitem>
499 <para>
500 is used to check if the default timestamp is valid.
501 </para>
502 <indexterm zone="linux-pam pam_timestamp_check">
503 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
504 </indexterm>
505 </listitem>
506 </varlistentry>
507
508 <varlistentry id="unix_chkpwd">
509 <term><command>unix_chkpwd</command></term>
510 <listitem>
511 <para>
512 is a helper binary that verifies the password of the current user.
513 </para>
514 <indexterm zone="linux-pam unix_chkpwd">
515 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
516 </indexterm>
517 </listitem>
518 </varlistentry>
519
520 <varlistentry id="unix_update">
521 <term><command>unix_update</command></term>
522 <listitem>
523 <para>
524 is a helper binary that updates the password of a given user.
525 </para>
526 <indexterm zone="linux-pam unix_update">
527 <primary sortas="b-unix_update">unix_update</primary>
528 </indexterm>
529 </listitem>
530 </varlistentry>
531
532 <varlistentry id="libpam">
533 <term><filename class="libraryfile">libpam.so</filename></term>
534 <listitem>
535 <para>
536 provides the interfaces between applications and the
537 PAM modules.
538 </para>
539 <indexterm zone="linux-pam libpam">
540 <primary sortas="c-libpam">libpam.so</primary>
541 </indexterm>
542 </listitem>
543 </varlistentry>
544
545 </variablelist>
546
547 </sect2>
548
549</sect1>