Context Navigation

linux-pam.xml@ 8558044

Visit:

11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 8558044 was 8558044, checked in by Pierre Labastie <pierre.labastie@…>, 3 years ago

Remove spaces at the end of lines

I know it is somewhat useless, but I don't like them for
two reasons: first they cannot be seen, and I do not like things I
cannot see. Second, git highlights them, and this is disturbing...

Property mode set to 100644

File size: 20.4 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8	<!ENTITY linux-pam-download-ftp " ">
9	<!ENTITY linux-pam-md5sum "895e8adfa14af334f679bbeb28503f66">
10	<!ENTITY linux-pam-size "966 KB">
11	<!ENTITY linux-pam-buildsize "39 MB (with tests)">
12	<!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14	<!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15	<!ENTITY linux-pam-docs-md5sum "ceb3dc248cb2f49a40904b93cb91db1b">
16	<!ENTITY linux-pam-docs-size "433 KB">
17	<!--
18	<!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19	-->
20	]>
21
22	<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23	<?dbhtml filename="linux-pam.html"?>
24
25	<sect1info>
26	<date>$Date$</date>
27	</sect1info>
28
29	<title>Linux-PAM-&linux-pam-version;</title>
30
31	<indexterm zone="linux-pam">
32	<primary sortas="a-Linux-PAM">Linux-PAM</primary>
33	</indexterm>
34
35	<sect2 role="package">
36	<title>Introduction to Linux PAM</title>
37
38	<para>
39	The <application>Linux PAM</application> package contains
40	Pluggable Authentication Modules used to enable the local
41	system administrator to choose how applications authenticate
42	users.
43	</para>
44
45	&lfs110a_checked;
46
47	<bridgehead renderas="sect3">Package Information</bridgehead>
48	<itemizedlist spacing="compact">
49	<listitem>
50	<para>
51	Download (HTTP): <ulink url="&linux-pam-download-http;"/>
52	</para>
53	</listitem>
54	<listitem>
55	<para>
56	Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
57	</para>
58	</listitem>
59	<listitem>
60	<para>
61	Download MD5 sum: &linux-pam-md5sum;
62	</para>
63	</listitem>
64	<listitem>
65	<para>
66	Download size: &linux-pam-size;
67	</para>
68	</listitem>
69	<listitem>
70	<para>
71	Estimated disk space required: &linux-pam-buildsize;
72	</para>
73	</listitem>
74	<listitem>
75	<para>
76	Estimated build time: &linux-pam-time;
77	</para>
78	</listitem>
79	</itemizedlist>
80
81	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
82	<itemizedlist spacing="compact">
83	<title>Optional Documentation</title>
84	<listitem>
85	<para>
86	Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
87	</para>
88	</listitem>
89	<listitem>
90	<para>
91	Download MD5 sum: &linux-pam-docs-md5sum;
92	</para>
93	</listitem>
94	<listitem>
95	<para>
96	Download size &linux-pam-docs-size;
97	</para>
98	</listitem>
99	</itemizedlist>
100
101	<bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
102
103	<bridgehead renderas="sect4">Optional</bridgehead>
104	<para role="optional">
105	<xref linkend="db"/>,
106	<xref linkend="libnsl"/>,
107	<xref linkend="libtirpc"/>,
108	<ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
109	<ulink url="http://www.prelude-siem.org">Prelude</ulink>
110	</para>
111
112	<bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113	<para role="optional">
114	<xref linkend="DocBook"/>,
115	<xref linkend="docbook-xsl"/>,
116	<xref linkend="fop"/>,
117	<xref linkend="libxslt"/> and either
118	<xref linkend="lynx"/> or
119	<ulink url="&w3m-url;">W3m</ulink>
120	</para>
121
122	<note>
123	<para role="required">
124	<xref role="runtime" linkend="shadow"/>
125	<phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126	need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
127	after installing and configuring <application>Linux PAM</application>.
128	</para>
129
130	<para role="recommended">
131	With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
132	installed by default. To enforce strong passwords, it is recommended
133	to use <xref role="runtime" linkend="libpwquality"/>.
134	</para>
135	</note>
136
137	<para condition="html" role="usernotes">User Notes:
138	<ulink url="&blfs-wiki;/linux-pam"/>
139	</para>
140	</sect2>
141
142	<sect2 role="installation">
143	<title>Installation of Linux PAM</title>
144
145	<para revision="sysv">
146	First prevent the installation of an unneeded systemd file:
147	</para>
148
149	<screen revision="sysv"><userinput>sed -e /service_DATA/d \
150	-i modules/pam_namespace/Makefile.am &&
151	autoreconf</userinput></screen>
152
153	<para>
154	If you downloaded the documentation, unpack the tarball by issuing
155	the following command.
156	</para>
157
158	<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
159
160	<para>
161	If you instead want to regenerate the documentation, fix the
162	<command>configure</command> script so that it detects lynx if installed:
163	</para>
164
165	<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
166	-e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
167	-i configure</userinput></screen>
168
169	<para>
170	Install <application>Linux PAM</application> by
171	running the following commands:
172	</para>
173
174	<screen><userinput>./configure --prefix=/usr \
175	--sysconfdir=/etc \
176	--libdir=/usr/lib \
177	--enable-securedir=/usr/lib/security \
178	--docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
179	make</userinput></screen>
180
181	<para>
182	To test the results, a suitable <filename>/etc/pam.d/other</filename>
183	configuration file must exist.
184	</para>
185
186	<caution>
187	<title>Reinstallation or upgrade of Linux PAM</title>
188	<para>
189	If you have a system with Linux PAM installed and working, be careful
190	when modifying the files in
191	<filename class="directory">/etc/pam.d</filename>, since your system
192	may become totally unusable. If you want to run the tests, you do not
193	need to create another <filename>/etc/pam.d/other</filename> file. The
194	installed one can be used for that purpose.
195	</para>
196
197	<para>
198	You should also be aware that <command>make install</command>
199	overwrites the configuration files in
200	<filename class="directory">/etc/security</filename> as well as
201	<filename>/etc/environment</filename>. In case you
202	have modified those files, be sure to back them up.
203	</para>
204	</caution>
205
206	<para>
207	For a first installation, create the configuration file by issuing the
208	following commands as the <systemitem class="username">root</systemitem>
209	user:
210	</para>
211
212	<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
213
214	cat > /etc/pam.d/other << "EOF"
215	<literal>auth required pam_deny.so
216	account required pam_deny.so
217	password required pam_deny.so
218	session required pam_deny.so</literal>
219	EOF</userinput></screen>
220
221	<para>
222	Now run the tests by issuing <command>make check</command>.
223	Ensure there are no errors produced by the tests before continuing the
224	installation. Note that the checks are quite long. It may be useful to
225	redirect the output to a log file in order to inspect it thoroughly.
226	</para>
227
228	<para>
229	Only in case of a first installation, remove the configuration file
230	created earlier by issuing the following command as the
231	<systemitem class="username">root</systemitem> user:
232	</para>
233
234	<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
235
236	<para>
237	Now, as the <systemitem class="username">root</systemitem>
238	user:
239	</para>
240
241	<screen role="root"><userinput>make install &&
242	chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
243
244	</sect2>
245
246	<sect2 role="commands">
247	<title>Command Explanations</title>
248
249	<para>
250	<parameter>--enable-securedir=/usr/lib/security</parameter>:
251	This switch sets the installation location for the
252	<application>PAM</application> modules.
253	</para>
254
255	<para>
256	<option>--disable-regenerate-docu</option> : If the needed dependencies
257	(<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
258	linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
259	url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
260	html and text documentations are (re)generated and installed.
261	Furthermore, if <xref linkend="fop"/> is installed, the PDF
262	documentation is generated and installed. Use this switch if you do not
263	want to rebuild the documentation.
264	</para>
265
266	<para>
267	<command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
268	The <command>unix_chkpwd</command> helper program must be setuid
269	so that non-<systemitem class="username">root</systemitem>
270	processes can access the shadow file.
271	</para>
272
273	</sect2>
274
275	<sect2 role="configuration">
276	<title>Configuring Linux-PAM</title>
277
278	<sect3 id="pam-config">
279	<title>Config Files</title>
280
281	<para>
282	<filename>/etc/security/*</filename> and
283	<filename>/etc/pam.d/*</filename>
284	</para>
285
286	<indexterm zone="linux-pam pam-config">
287	<primary sortas="e-etc-security">/etc/security/*</primary>
288	</indexterm>
289
290	<indexterm zone="linux-pam pam-config">
291	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
292	</indexterm>
293
294	</sect3>
295
296	<sect3>
297	<title>Configuration Information</title>
298
299	<para>
300	Configuration information is placed in
301	<filename class="directory">/etc/pam.d/</filename>.
302	Below is an example file:
303	</para>
304
305	<screen><literal># Begin /etc/pam.d/other
306
307	auth required pam_unix.so nullok
308	account required pam_unix.so
309	session required pam_unix.so
310	password required pam_unix.so nullok
311
312	# End /etc/pam.d/other</literal></screen>
313
314	<para>
315	Now set up some generic files. As the
316	<systemitem class="username">root</systemitem> user:
317	</para>
318
319	<screen role="root"><userinput>install -vdm755 /etc/pam.d &&
320	cat > /etc/pam.d/system-account << "EOF" &&
321	<literal># Begin /etc/pam.d/system-account
322
323	account required pam_unix.so
324
325	# End /etc/pam.d/system-account</literal>
326	EOF
327
328	cat > /etc/pam.d/system-auth << "EOF" &&
329	<literal># Begin /etc/pam.d/system-auth
330
331	auth required pam_unix.so
332
333	# End /etc/pam.d/system-auth</literal>
334	EOF
335
336	cat > /etc/pam.d/system-session << "EOF"
337	<literal># Begin /etc/pam.d/system-session
338
339	session required pam_unix.so
340
341	# End /etc/pam.d/system-session</literal>
342	EOF
343	cat > /etc/pam.d/system-password << "EOF"
344	<literal># Begin /etc/pam.d/system-password
345
346	# use sha512 hash for encryption, use shadow, and try to use any previously
347	# defined authentication token (chosen password) set by any prior module
348	password required pam_unix.so sha512 shadow try_first_pass
349
350	# End /etc/pam.d/system-password</literal>
351	EOF
352	</userinput></screen>
353
354	<para>
355	If you wish to enable strong password support, install
356	<xref linkend="libpwquality"/>, and follow the
357	instructions in that page to configure the pam_pwquality
358	PAM module with strong password support.
359	</para>
360
361	<!-- With the removal of the pam_cracklib module, we're supposed to be using
362	libpwquality. That already includes instructions in it's configuration
363	information page, so we'll use those instead.
364
365	Linux-PAM must be installed prior to libpwquality so that PAM support
366	is built in, and the PAM module is built.
367	-->
368	<!--
369	<para>
370	The remaining generic file depends on whether <xref
371	linkend="cracklib"/> is installed. If it is installed, use:
372	</para>
373
374	<screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
375	<literal># Begin /etc/pam.d/system-password
376
377	# check new passwords for strength (man pam_cracklib)
378	password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
379	minlen=9 dcredit=1 ucredit=1 \
380	lcredit=1 ocredit=1 minclass=0 \
381	maxrepeat=0 maxsequence=0 \
382	maxclassrepeat=0 \
383	dictpath=/lib/cracklib/pw_dict
384	# use sha512 hash for encryption, use shadow, and use the
385	# authentication token (chosen password) set by pam_cracklib
386	# above (or any previous modules)
387	password required pam_unix.so sha512 shadow use_authtok
388
389	# End /etc/pam.d/system-password</literal>
390	EOF</userinput></screen>
391
392	<note>
393	<para>
394	In its default configuration, pam_cracklib will
395	allow multiple case passwords as short as 6 characters, even with
396	the <parameter>minlen</parameter> value set to 11. You should review
397	the pam_cracklib(8) man page and determine if these default values
398	are acceptable for the security of your system.
399	</para>
400	</note>
401
402	<para>
403	If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
404	use:
405	</para>
406
407	<screen role="nodump"><userinput>cat > /etc/pam.d/system-password << "EOF"
408	<literal># Begin /etc/pam.d/system-password
409
410	# use sha512 hash for encryption, use shadow, and try to use any previously
411	# defined authentication token (chosen password) set by any prior module
412	password required pam_unix.so sha512 shadow try_first_pass
413
414	# End /etc/pam.d/system-password</literal>
415	EOF</userinput></screen>
416	-->
417	<para>
418	Now add a restrictive <filename>/etc/pam.d/other</filename>
419	configuration file. With this file, programs that are PAM aware will
420	not run unless a configuration file specifically for that application
421	is created.
422	</para>
423
424	<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
425	<literal># Begin /etc/pam.d/other
426
427	auth required pam_warn.so
428	auth required pam_deny.so
429	account required pam_warn.so
430	account required pam_deny.so
431	password required pam_warn.so
432	password required pam_deny.so
433	session required pam_warn.so
434	session required pam_deny.so
435
436	# End /etc/pam.d/other</literal>
437	EOF</userinput></screen>
438
439	<para>
440	The <application>PAM</application> man page (<command>man
441	pam</command>) provides a good starting point for descriptions
442	of fields and allowable entries. The
443	<ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
444	Linux-PAM System Administrators' Guide
445	</ulink> is recommended for additional information.
446	</para>
447
448	<important>
449	<para>
450	You should now reinstall the <xref linkend="shadow"/>
451	<phrase revision="sysv">package.</phrase>
452	<phrase revision="systemd"> and <xref linkend="systemd"/>
453	packages.</phrase>
454	</para>
455	</important>
456
457	</sect3>
458
459	</sect2>
460
461	<sect2 role="content">
462	<title>Contents</title>
463
464	<segmentedlist>
465	<segtitle>Installed Program</segtitle>
466	<segtitle>Installed Libraries</segtitle>
467	<segtitle>Installed Directories</segtitle>
468
469	<seglistitem>
470	<seg>
471	faillock, mkhomedir_helper, pam_namespace_helper,
472	pam_timestamp_check, pwhistory_helper, unix_chkpwd and
473	unix_update
474	</seg>
475	<seg>
476	libpam.so, libpamc.so and libpam_misc.so
477	</seg>
478	<seg>
479	/etc/security,
480	/usr/lib/security,
481	/usr/include/security and
482	/usr/share/doc/Linux-PAM-&linux-pam-version;
483	</seg>
484	</seglistitem>
485	</segmentedlist>
486
487	<variablelist>
488	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
489	<?dbfo list-presentation="list"?>
490	<?dbhtml list-presentation="table"?>
491
492	<varlistentry id="faillock">
493	<term><command>faillock</command></term>
494	<listitem>
495	<para>
496	displays and modifies the authentication failure record files
497	</para>
498	<indexterm zone="linux-pam faillock">
499	<primary sortas="b-faillock">faillock</primary>
500	</indexterm>
501	</listitem>
502	</varlistentry>
503
504	<varlistentry id="mkhomedir_helper">
505	<term><command>mkhomedir_helper</command></term>
506	<listitem>
507	<para>
508	is a helper binary that creates home directories
509	</para>
510	<indexterm zone="linux-pam mkhomedir_helper">
511	<primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
512	</indexterm>
513	</listitem>
514	</varlistentry>
515
516	<varlistentry id="pam_namespace_helper">
517	<term><command>pam_namespace_helper</command></term>
518	<listitem>
519	<para>
520	is a helper program used to configure a private namespace for a
521	user session
522	</para>
523	<indexterm zone="linux-pam pam_namespace_helper">
524	<primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
525	</indexterm>
526	</listitem>
527	</varlistentry>
528
529	<varlistentry id="pwhistory_helper">
530	<term><command>pwhistory_helper</command></term>
531	<listitem>
532	<para>
533	is a helper program that transfers password hashes from passwd or
534	shadow to opasswd
535	</para>
536	<indexterm zone="linux-pam pwhistory_helper">
537	<primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
538	</indexterm>
539	</listitem>
540	</varlistentry>
541	<!-- Removed with the removal of the pam_tally{,2} module
542	<varlistentry id="pam_tally">
543	<term><command>pam_tally</command></term>
544	<listitem>
545	<para>
546	is used to interrogate and manipulate the login counter file.
547	</para>
548	<indexterm zone="linux-pam pam_tally">
549	<primary sortas="b-pam_tally">pam_tally</primary>
550	</indexterm>
551	</listitem>
552	</varlistentry>
553
554	<varlistentry id="pam_tally2">
555	<term><command>pam_tally2</command></term>
556	<listitem>
557	<para>
558	is used to interrogate and manipulate the login counter file, but
559	does not have some limitations that <command>pam_tally</command>
560	does.
561	</para>
562	<indexterm zone="linux-pam pam_tally2">
563	<primary sortas="b-pam_tally2">pam_tally2</primary>
564	</indexterm>
565	</listitem>
566	</varlistentry>
567	-->
568
569	<varlistentry id="pam_timestamp_check">
570	<term><command>pam_timestamp_check</command></term>
571	<listitem>
572	<para>
573	is used to check if the default timestamp is valid
574	</para>
575	<indexterm zone="linux-pam pam_timestamp_check">
576	<primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
577	</indexterm>
578	</listitem>
579	</varlistentry>
580
581	<varlistentry id="unix_chkpwd">
582	<term><command>unix_chkpwd</command></term>
583	<listitem>
584	<para>
585	is a helper binary that verifies the password of the current user
586	</para>
587	<indexterm zone="linux-pam unix_chkpwd">
588	<primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
589	</indexterm>
590	</listitem>
591	</varlistentry>
592
593	<varlistentry id="unix_update">
594	<term><command>unix_update</command></term>
595	<listitem>
596	<para>
597	is a helper binary that updates the password of a given user
598	</para>
599	<indexterm zone="linux-pam unix_update">
600	<primary sortas="b-unix_update">unix_update</primary>
601	</indexterm>
602	</listitem>
603	</varlistentry>
604
605	<varlistentry id="libpam">
606	<term><filename class="libraryfile">libpam.so</filename></term>
607	<listitem>
608	<para>
609	provides the interfaces between applications and the
610	PAM modules
611	</para>
612	<indexterm zone="linux-pam libpam">
613	<primary sortas="c-libpam">libpam.so</primary>
614	</indexterm>
615	</listitem>
616	</varlistentry>
617
618	</variablelist>
619
620	</sect2>
621
622	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/linux-pam.xml@ 8558044

Download in other formats: