Last change on this file since 51dfb3e was 51dfb3e, checked in by Bruce Dubbs <bdubbs@…>, 5 years ago

Move BLFS/trunk/BOOK and BLFS/trunk/bootscripts to
BLFS/branches/old-trunk-20190627 and BLFS/branches/old-bootscripts-20190627.

Move BLFS/branches/elogind-book and BLFS/branches/elogind-bootscripts
to trunk.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21754 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "558ff53b0fc0563ca97f79e911822165">
10 <!ENTITY linux-pam-size "892 MB">
   <!-- NOTE(review): 892 MB is implausible for a source tarball whose build tree is 26 MB; confirm the unit (KB?) -->
11 <!ENTITY linux-pam-buildsize "26 MB (with tests)">
12 <!ENTITY linux-pam-time "0.3 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "1885fae049acd1b699a5459d7c4a0130">
16 <!ENTITY linux-pam-docs-size "449 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <othername>$LastChangedBy$</othername>
27 <date>$Date$</date>
28 </sect1info>
29
30 <title>Linux-PAM-&linux-pam-version;</title>
31
32 <indexterm zone="linux-pam">
33 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
34 </indexterm>
35
36 <sect2 role="package">
37 <title>Introduction to Linux PAM</title>
38
39 <para>
40 The <application>Linux PAM</application> package contains
41 Pluggable Authentication Modules used to enable the local
42 system administrator to choose how applications authenticate
43 users.
44 </para>
45
46 &lfs84_checked;
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>
52 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download MD5 sum: &linux-pam-md5sum;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Download size: &linux-pam-size;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated disk space required: &linux-pam-buildsize;
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 Estimated build time: &linux-pam-time;
78 </para>
79 </listitem>
80 </itemizedlist>
81
82 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
83 <itemizedlist spacing="compact">
84 <title>Optional Documentation</title>
85 <listitem>
86 <para>
87 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
88 </para>
89 </listitem>
90 <listitem>
91 <para>
92 Download MD5 sum: &linux-pam-docs-md5sum;
93 </para>
94 </listitem>
95 <listitem>
96 <para>
97 Download size: &linux-pam-docs-size;
98 </para>
99 </listitem>
100 </itemizedlist>
101
102 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
103
104 <bridgehead renderas="sect4">Optional</bridgehead>
105 <para role="optional">
106 <xref linkend="db"/>,
107 <xref linkend="cracklib"/>,
108 <xref linkend="libtirpc"/> and
109 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
110 </para>
111
112 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113 <para role="optional">
114 <xref linkend="DocBook"/>,
115 <xref linkend="docbook-xsl"/>,
116 <xref linkend="fop"/>,
117 <xref linkend="libxslt"/> and either
118 <xref linkend="lynx"/> or
119 <ulink url="&w3m-url;">W3m</ulink>
120 </para>
121
122 <para condition="html" role="usernotes">User Notes:
123 <ulink url="&blfs-wiki;/linux-pam"/>
124 </para>
125 </sect2>
126
127 <sect2 role="installation">
128 <title>Installation of Linux PAM</title>
129
130 <para>
131 If you downloaded the documentation, unpack the tarball by issuing
132 the following command.
133 </para>
134
135<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
136
137 <para>
138 If you instead want to regenerate the documentation, fix the
139 <command>configure</command> script so that it detects lynx if installed:
140 </para>
141
142<screen><userinput>sed -e 's/dummy links/dummy lynx/' \
143 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
144 -i configure</userinput></screen>
145
146 <para>
147 Install <application>Linux PAM</application> by
148 running the following commands:
149 </para>
150
151<screen><userinput>./configure --prefix=/usr \
152 --sysconfdir=/etc \
153 --libdir=/usr/lib \
154 --enable-securedir=/lib/security \
155 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
156make</userinput></screen>
157
158 <para>
159 To test the results, a suitable <filename>/etc/pam.d/other</filename>
160 configuration file must exist.
161 </para>
162
163 <caution>
164 <title>Reinstallation or upgrade of Linux PAM</title>
165 <para>
166 If you have a system with Linux PAM installed and working, be careful
167 when modifying the files in
168 <filename class="directory">/etc/pam.d</filename>, since your system
169 may become totally unusable. If you want to run the tests, you do not
170 need to create another <filename>/etc/pam.d/other</filename> file. The
171 installed one can be used for that purpose.
172 </para>
173
174 <para>
175 You should also be aware that <command>make install</command>
176 overwrites the configuration files in
177 <filename class="directory">/etc/security</filename> as well as
178 <filename>/etc/environment</filename>. In case you
179 have modified those files, be sure to back them up.
180 </para>
181 </caution>
182
183 <para>
184 For a first installation, create the configuration file by issuing the
185 following commands as the <systemitem class="username">root</systemitem>
186 user:
187 </para>
188
189<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
190
191cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
192<literal>auth required pam_deny.so
193account required pam_deny.so
194password required pam_deny.so
195session required pam_deny.so</literal>
196EOF</userinput></screen>
197
198 <para>
199 Now run the tests by issuing <command>make check</command>.
200 Ensure there are no errors produced by the tests before continuing the
201 installation. Note that the checks are quite long. It may be useful to
202 redirect the output to a log file in order to inspect it thoroughly.
203 </para>
204
205 <para>
206 Only if this is a first installation, remove the configuration file
207 created earlier by issuing the following command as the
208 <systemitem class="username">root</systemitem> user. Note that the command removes every file in <filename class="directory">/etc/pam.d</filename>, which is why it must not be run on a system that already has a working PAM configuration:
209 </para>
210
211<screen role="root"><userinput>rm -fv /etc/pam.d/*</userinput></screen>
212
213 <para>
214 Now, as the <systemitem class="username">root</systemitem>
215 user:
216 </para>
217
218<screen role="root"><userinput>make install &amp;&amp;
219chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
220
221for file in pam pam_misc pamc
222do
223 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
224 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
225done</userinput></screen>
226
227 </sect2>
228
229 <sect2 role="commands">
230 <title>Command Explanations</title>
231
232 <para>
233 <parameter>--enable-securedir=/lib/security</parameter>:
234 This switch sets the install location for the
235 <application>PAM</application> modules.
236 </para>
237
238 <para>
239 <option>--disable-regenerate-docu</option>: If the needed dependencies
240 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
241 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
242 url="&w3m-url;">W3m</ulink>) are installed, the manual pages and the
243 HTML and text documentation are (re)generated and installed.
244 Furthermore, if <xref linkend="fop"/> is installed, the PDF
245 documentation is generated and installed. Use this switch if you do not
246 want to rebuild the documentation.
247 </para>
248
249 <para>
250 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
251 The <command>unix_chkpwd</command> helper program must be setuid root
252 so that non-<systemitem class="username">root</systemitem>
253 processes can verify a password against the shadow file, which they cannot read directly.
254 </para>
255
256 </sect2>
257
258 <sect2 role="configuration">
259 <title>Configuring Linux-PAM</title>
260
261 <sect3 id="pam-config">
262 <title>Config Files</title>
263
264 <para>
265 <filename>/etc/security/*</filename> and
266 <filename>/etc/pam.d/*</filename>
267 </para>
268
269 <indexterm zone="linux-pam pam-config">
270 <primary sortas="e-etc-security">/etc/security/*</primary>
271 </indexterm>
272
273 <indexterm zone="linux-pam pam-config">
274 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
275 </indexterm>
276
277 </sect3>
278
279 <sect3>
280 <title>Configuration Information</title>
281
282 <para>
283 Configuration information is placed in
284 <filename class="directory">/etc/pam.d/</filename>.
285 Below is an example file. Note that the <option>nullok</option> option allows <command>pam_unix</command> to accept accounts with an empty password; omit it if you do not want that:
286 </para>
287
288<screen><literal># Begin /etc/pam.d/other
289
290auth required pam_unix.so nullok
291account required pam_unix.so
292session required pam_unix.so
293password required pam_unix.so nullok
294
295# End /etc/pam.d/other</literal></screen>
296
297 <para>Now set up some generic files. As root:</para>
298
299<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
300cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
301<literal># Begin /etc/pam.d/system-account
302
303account required pam_unix.so
304
305# End /etc/pam.d/system-account</literal>
306EOF
307
308cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
309<literal># Begin /etc/pam.d/system-auth
310
311auth required pam_unix.so
312
313# End /etc/pam.d/system-auth</literal>
314EOF
315
316cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
317<literal># Begin /etc/pam.d/system-session
318
319session required pam_unix.so
320
321# End /etc/pam.d/system-session</literal>
322EOF</userinput></screen>
323
324 <para>The contents of the remaining generic file depend on whether <xref linkend="cracklib"/>
325 is installed. If it is installed, use:</para>
326
327<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
328<literal># Begin /etc/pam.d/system-password
329
330# check new passwords for strength (man pam_cracklib)
331password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
332 minlen=9 dcredit=1 ucredit=1 \
333 lcredit=1 ocredit=1 minclass=0 \
334 maxrepeat=0 maxsequence=0 \
335 maxclassrepeat=0 \
336 dictpath=/lib/cracklib/pw_dict
337# use sha512 hash for encryption, use shadow, and use the
338# authentication token (chosen password) set by pam_cracklib
339# above (or any previous modules)
340password required pam_unix.so sha512 shadow use_authtok
341
342# End /etc/pam.d/system-password</literal>
343EOF</userinput></screen>
344
345 <note>
346 <para>
347 In its default configuration, pam_cracklib will
348 allow mixed-case passwords as short as 6 characters, even with
349 the <parameter>minlen</parameter> value set to 11. You should review
350 the pam_cracklib(8) man page and determine if these default values
351 are acceptable for the security of your system.
352 </para>
353 </note>
354
355 <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
356 use:</para>
357
358<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
359<literal># Begin /etc/pam.d/system-password
360
361# use sha512 hash for encryption, use shadow, and try to use any previously
362# defined authentication token (chosen password) set by any prior module
363password required pam_unix.so sha512 shadow try_first_pass
364
365# End /etc/pam.d/system-password</literal>
366EOF</userinput></screen>
367
368 <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
369 configuration file. This file is the fallback for any PAM-aware program that
370 has no configuration file of its own: <command>pam_warn</command> logs the attempt
371 and <command>pam_deny</command> rejects it, so such programs cannot authenticate until a configuration file specifically for that application is created.</para>
372
373<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
374<literal># Begin /etc/pam.d/other
375
376auth required pam_warn.so
377auth required pam_deny.so
378account required pam_warn.so
379account required pam_deny.so
380password required pam_warn.so
381password required pam_deny.so
382session required pam_warn.so
383session required pam_deny.so
384
385# End /etc/pam.d/other</literal>
386EOF</userinput></screen>
387
388 <para>
389 The <application>PAM</application> man page (<command>man
390 pam</command>) provides a good starting point for descriptions
391 of fields and allowable entries. The <ulink
392 url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
393 System Administrators' Guide</ulink> is recommended for additional
394 information.
395 </para>
396<!-- No longer there
397 <para>
398 Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
399 of various third-party modules available.
400 </para>
401-->
402 <important>
403 <para>
404 You should now reinstall the <xref linkend="shadow"/>
405 <phrase revision="sysv">package.</phrase>
406 <phrase revision="systemd"> and <xref linkend="systemd"/>
407 packages.</phrase>
408 </para>
409 </important>
410
411 </sect3>
412
413 </sect2>
414
415 <sect2 role="content">
416 <title>Contents</title>
417
418 <segmentedlist>
419 <segtitle>Installed Program</segtitle>
420 <segtitle>Installed Libraries</segtitle>
421 <segtitle>Installed Directories</segtitle>
422
423 <seglistitem>
424 <seg>
425 mkhomedir_helper, pam_tally, pam_tally2,
426 pam_timestamp_check, unix_chkpwd and
427 unix_update
428 </seg>
429 <seg>
430 libpam.so, libpamc.so and libpam_misc.so
431 </seg>
432 <seg>
433 /etc/security,
434 /lib/security,
435 /usr/include/security and
436 /usr/share/doc/Linux-PAM-&linux-pam-version;
437 </seg>
438 </seglistitem>
439 </segmentedlist>
440
441 <variablelist>
442 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
443 <?dbfo list-presentation="list"?>
444 <?dbhtml list-presentation="table"?>
445
446 <varlistentry id="mkhomedir_helper">
447 <term><command>mkhomedir_helper</command></term>
448 <listitem>
449 <para>
450 is a helper binary that creates home directories.
451 </para>
452 <indexterm zone="linux-pam mkhomedir_helper">
453 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
454 </indexterm>
455 </listitem>
456 </varlistentry>
457
458 <varlistentry id="pam_tally">
459 <term><command>pam_tally</command></term>
460 <listitem>
461 <para>
462 is used to interrogate and manipulate the login counter file.
463 </para>
464 <indexterm zone="linux-pam pam_tally">
465 <primary sortas="b-pam_tally">pam_tally</primary>
466 </indexterm>
467 </listitem>
468 </varlistentry>
469
470 <varlistentry id="pam_tally2">
471 <term><command>pam_tally2</command></term>
472 <listitem>
473 <para>
474 is used to interrogate and manipulate the login counter file, but
475 does not have some limitations that <command>pam_tally</command>
476 does.
477 </para>
478 <indexterm zone="linux-pam pam_tally2">
479 <primary sortas="b-pam_tally2">pam_tally2</primary>
480 </indexterm>
481 </listitem>
482 </varlistentry>
483
484 <varlistentry id="pam_timestamp_check">
485 <term><command>pam_timestamp_check</command></term>
486 <listitem>
487 <para>
488 is used to check if the default timestamp is valid.
489 </para>
490 <indexterm zone="linux-pam pam_timestamp_check">
491 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
492 </indexterm>
493 </listitem>
494 </varlistentry>
495
496 <varlistentry id="unix_chkpwd">
497 <term><command>unix_chkpwd</command></term>
498 <listitem>
499 <para>
500 is a helper binary that verifies the password of the current user.
501 </para>
502 <indexterm zone="linux-pam unix_chkpwd">
503 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
504 </indexterm>
505 </listitem>
506 </varlistentry>
507
508 <varlistentry id="unix_update">
509 <term><command>unix_update</command></term>
510 <listitem>
511 <para>
512 is a helper binary that updates the password of a given user.
513 </para>
514 <indexterm zone="linux-pam unix_update">
515 <primary sortas="b-unix_update">unix_update</primary>
516 </indexterm>
517 </listitem>
518 </varlistentry>
519
520 <varlistentry id="libpam">
521 <term><filename class="libraryfile">libpam.so</filename></term>
522 <listitem>
523 <para>
524 provides the interfaces between applications and the
525 PAM modules.
526 </para>
527 <indexterm zone="linux-pam libpam">
528 <primary sortas="c-libpam">libpam.so</primary>
529 </indexterm>
530 </listitem>
531 </varlistentry>
532
533 </variablelist>
534
535 </sect2>
536
537</sect1>