Context Navigation

source: postlfs/security/linux-pam.xml@ a105c5c

Visit:

12.1 ken/TL2024 ken/tuningfonts lazarus plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18

Last change on this file since a105c5c was a105c5c, checked in by Xi Ruoyao <xry111@…>, 6 months ago
linux-pam: Add a missed punctuation
Property mode set to `100644`
File size: 18.3 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8	<!ENTITY linux-pam-download-ftp " ">
9	<!ENTITY linux-pam-md5sum "a913bd5fbf9edeafaacf3eb1eb86fd83">
10	<!ENTITY linux-pam-size "967 KB">
11	<!ENTITY linux-pam-buildsize "39 MB (with tests)">
12	<!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14	<!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15	<!ENTITY linux-pam-docs-md5sum "c3771fdc447be78b4c1756b875235965">
16	<!ENTITY linux-pam-docs-size "456 KB">
17	<!--
18	<!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19	-->
20	]>
21
22	<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23	<?dbhtml filename="linux-pam.html"?>
24
25
26	<title>Linux-PAM-&linux-pam-version;</title>
27
28	<indexterm zone="linux-pam">
29	<primary sortas="a-Linux-PAM">Linux-PAM</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to Linux PAM</title>
34
35	<para>
36	The <application>Linux PAM</application> package contains
37	Pluggable Authentication Modules used by the local
38	system administrator to control how application programs authenticate
39	users.
40	</para>
41
42	&lfs120_checked;
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>
48	Download (HTTP): <ulink url="&linux-pam-download-http;"/>
49	</para>
50	</listitem>
51	<listitem>
52	<para>
53	Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
54	</para>
55	</listitem>
56	<listitem>
57	<para>
58	Download MD5 sum: &linux-pam-md5sum;
59	</para>
60	</listitem>
61	<listitem>
62	<para>
63	Download size: &linux-pam-size;
64	</para>
65	</listitem>
66	<listitem>
67	<para>
68	Estimated disk space required: &linux-pam-buildsize;
69	</para>
70	</listitem>
71	<listitem>
72	<para>
73	Estimated build time: &linux-pam-time;
74	</para>
75	</listitem>
76	</itemizedlist>
77
78	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
79	<itemizedlist spacing="compact">
80	<title>Optional Documentation</title>
81	<listitem>
82	<para>
83	Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
84	</para>
85	</listitem>
86	<listitem>
87	<para>
88	Download MD5 sum: &linux-pam-docs-md5sum;
89	</para>
90	</listitem>
91	<listitem>
92	<para>
93	Download size &linux-pam-docs-size;
94	</para>
95	</listitem>
96	</itemizedlist>
97
98	<bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
99
100	<bridgehead renderas="sect4">Optional</bridgehead>
101	<para role="optional">
102	<xref linkend="libnsl"/>,
103	<xref linkend="libtirpc"/>,
104	&berkeley-db;,
105	<ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
106	<ulink url="https://www.prelude-siem.org">Prelude</ulink>
107	</para>
108	<!-- With 1.5.3, building the doc requires the namespaced version of
109	docbook-xsl, which is beyond BLFS.
110
111	<bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
112	<para role="optional">
113	<xref linkend="DocBook"/>,
114	<xref linkend="docbook-xsl"/>,
115	<xref linkend="fop"/>,
116	<xref linkend="libxslt"/> and either
117	<xref linkend="lynx"/> or
118	<ulink url="&w3m-url;">W3m</ulink>
119	</para>
120	-->
121	<note>
122	<para role="required">
123	<xref role="runtime" linkend="shadow"/>
124	<phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
125	must</phrase><phrase revision="sysv">must</phrase> be reinstalled
126	and reconfigured
127	after installing and configuring <application>Linux PAM</application>.
128	</para>
129
130	<para role="recommended">
131	With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
132	installed by default. Use <xref role="runtime" linkend="libpwquality"/>
133	to enforce strong passwords.
134	</para>
135	</note>
136
137	</sect2>
138
139	<sect2 role="installation">
140	<title>Installation of Linux PAM</title>
141
142	<para revision="sysv">
143	First, prevent the installation of an unneeded systemd file:
144	</para>
145
146	<screen revision="sysv"><userinput>sed -e /service_DATA/d \
147	-i modules/pam_namespace/Makefile.am &&
148	autoreconf</userinput></screen>
149
150	<para>
151	If you downloaded the documentation, unpack the tarball by issuing
152	the following command.
153	</para>
154
155	<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
156	<!--
157	<para>
158	If you want to regenerate the documentation yourself, fix the
159	<command>configure</command> script so it will detect lynx:
160	</para>
161
162	<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
163	-e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
164	-i configure</userinput></screen>
165	-->
166	<para>
167	Compile and link <application>Linux PAM</application> by
168	running the following commands:
169	</para>
170
171	<screen><userinput>./configure --prefix=/usr \
172	--sbindir=/usr/sbin \
173	--sysconfdir=/etc \
174	--libdir=/usr/lib \
175	--enable-securedir=/usr/lib/security \
176	--docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
177	make</userinput></screen>
178
179	<para>
180	To test the results, a suitable <filename>/etc/pam.d/other</filename>
181	configuration file must exist.
182	</para>
183
184	<caution>
185	<title>Reinstallation or Upgrade of Linux PAM</title>
186	<para>
187	If you have a system with Linux PAM installed and working, be careful
188	when modifying the files in
189	<filename class="directory">/etc/pam.d</filename>, since your system
190	may become totally unusable. If you want to run the tests, you do not
191	need to create another <filename>/etc/pam.d/other</filename> file. The
192	existing file can be used for the tests.
193	</para>
194
195	<para>
196	You should also be aware that <command>make install</command>
197	overwrites the configuration files in
198	<filename class="directory">/etc/security</filename> as well as
199	<filename>/etc/environment</filename>. If you
200	have modified those files, be sure to back them up.
201	</para>
202	</caution>
203
204	<para>
205	For a first-time installation, create a configuration file by issuing the
206	following commands as the <systemitem class="username">root</systemitem>
207	user:
208	</para>
209
210	<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
211
212	cat > /etc/pam.d/other << "EOF"
213	<literal>auth required pam_deny.so
214	account required pam_deny.so
215	password required pam_deny.so
216	session required pam_deny.so</literal>
217	EOF</userinput></screen>
218
219	<para>
220	Now run the tests by issuing <command>make check</command>.
221	Be sure the tests produced no errors before continuing the
222	installation. Note that the tests are very long.
223	Redirect the output to a log file, so you can inspect it thoroughly.
224	</para>
225
226	<para>
227	For a first-time installation, remove the configuration file
228	created earlier by issuing the following command as the
229	<systemitem class="username">root</systemitem> user:
230	</para>
231
232	<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
233
234	<para>
235	Now, as the <systemitem class="username">root</systemitem>
236	user:
237	</para>
238
239	<screen role="root"><userinput>make install &&
240	chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
241
242	</sect2>
243
244	<sect2 role="commands">
245	<title>Command Explanations</title>
246
247	<para>
248	<parameter>--enable-securedir=/usr/lib/security</parameter>:
249	This switch sets the installation location for the
250	<application>PAM</application> modules.
251	</para>
252	<!--
253	<para>
254	<option>- -disable-regenerate-docu</option> : If the needed dependencies
255	(<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
256	linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
257	url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
258	html and text documentation files, are generated and installed.
259	Furthermore, if <xref linkend="fop"/> is installed, the PDF
260	documentation is generated and installed. Use this switch if you do not
261	want to rebuild the documentation.
262	</para>
263	-->
264	<para>
265	<command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
266	The setuid bit for the <command>unix_chkpwd</command> helper program must be
267	turned on, so that non-<systemitem class="username">root</systemitem>
268	processes can access the shadow file.
269	</para>
270
271	</sect2>
272
273	<sect2 role="configuration">
274	<title>Configuring Linux-PAM</title>
275
276	<sect3 id="pam-config">
277	<title>Configuration Files</title>
278
279	<para>
280	<filename>/etc/security/*</filename> and
281	<filename>/etc/pam.d/*</filename>
282	</para>
283
284	<indexterm zone="linux-pam pam-config">
285	<primary sortas="e-etc-security">/etc/security/*</primary>
286	</indexterm>
287
288	<indexterm zone="linux-pam pam-config">
289	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
290	</indexterm>
291
292	</sect3>
293
294	<sect3>
295	<title>Configuration Information</title>
296
297	<para>
298	Configuration information is placed in
299	<filename class="directory">/etc/pam.d/</filename>.
300	Here is a sample file:
301	</para>
302
303	<screen><literal># Begin /etc/pam.d/other
304
305	auth required pam_unix.so nullok
306	account required pam_unix.so
307	session required pam_unix.so
308	password required pam_unix.so nullok
309
310	# End /etc/pam.d/other</literal></screen>
311
312	<para>
313	Now create some generic configuration files. As the
314	<systemitem class="username">root</systemitem> user:
315	</para>
316
317	<screen role="root"><userinput>install -vdm755 /etc/pam.d &&
318	cat > /etc/pam.d/system-account << "EOF" &&
319	<literal># Begin /etc/pam.d/system-account
320
321	account required pam_unix.so
322
323	# End /etc/pam.d/system-account</literal>
324	EOF
325
326	cat > /etc/pam.d/system-auth << "EOF" &&
327	<literal># Begin /etc/pam.d/system-auth
328
329	auth required pam_unix.so
330
331	# End /etc/pam.d/system-auth</literal>
332	EOF
333
334	cat > /etc/pam.d/system-session << "EOF" &&
335	<literal># Begin /etc/pam.d/system-session
336
337	session required pam_unix.so
338
339	# End /etc/pam.d/system-session</literal>
340	EOF
341
342	cat > /etc/pam.d/system-password << "EOF"
343	<literal># Begin /etc/pam.d/system-password
344
345	# use yescrypt hash for encryption, use shadow, and try to use any
346	# previously defined authentication token (chosen password) set by any
347	# prior module.
348	password required pam_unix.so yescrypt shadow try_first_pass
349
350	# End /etc/pam.d/system-password</literal>
351	EOF
352	</userinput></screen>
353
354	<para>
355	If you wish to enable strong password support, install
356	<xref linkend="libpwquality"/>, and follow the
357	instructions on that page to configure the pam_pwquality
358	PAM module with strong password support.
359	</para>
360
361	<para>
362	Next, add a restrictive <filename>/etc/pam.d/other</filename>
363	configuration file. With this file, programs that are PAM aware will
364	not run unless a configuration file specifically for that application
365	exists.
366	</para>
367
368	<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
369	<literal># Begin /etc/pam.d/other
370
371	auth required pam_warn.so
372	auth required pam_deny.so
373	account required pam_warn.so
374	account required pam_deny.so
375	password required pam_warn.so
376	password required pam_deny.so
377	session required pam_warn.so
378	session required pam_deny.so
379
380	# End /etc/pam.d/other</literal>
381	EOF</userinput></screen>
382
383	<para>
384	The <application>PAM</application> man page (<command>man
385	pam</command>) provides a good starting point to learn
386	about the several fields, and allowable entries.
387	<!-- not accessible 2022-09-08 -->
388	<!-- it's available at a different address 2022-10-23-->
389	The
390	<ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
391	Linux-PAM System Administrators' Guide
392	</ulink> is recommended for additional information.
393	</para>
394
395	<important>
396	<para>
397	You should now reinstall the <xref linkend="shadow"/>
398	<phrase revision="sysv">package</phrase>
399	<phrase revision="systemd"> and <xref linkend="systemd"/>
400	packages</phrase>.
401	</para>
402	</important>
403
404	</sect3>
405
406	</sect2>
407
408	<sect2 role="content">
409	<title>Contents</title>
410
411	<segmentedlist>
412	<segtitle>Installed Program</segtitle>
413	<segtitle>Installed Libraries</segtitle>
414	<segtitle>Installed Directories</segtitle>
415
416	<seglistitem>
417	<seg>
418	faillock, mkhomedir_helper, pam_namespace_helper,
419	pam_timestamp_check, pwhistory_helper, unix_chkpwd and
420	unix_update
421	</seg>
422	<seg>
423	libpam.so, libpamc.so and libpam_misc.so
424	</seg>
425	<seg>
426	/etc/security,
427	/usr/lib/security,
428	/usr/include/security and
429	/usr/share/doc/Linux-PAM-&linux-pam-version;
430	</seg>
431	</seglistitem>
432	</segmentedlist>
433
434	<variablelist>
435	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
436	<?dbfo list-presentation="list"?>
437	<?dbhtml list-presentation="table"?>
438
439	<varlistentry id="faillock">
440	<term><command>faillock</command></term>
441	<listitem>
442	<para>
443	displays and modifies the authentication failure record files
444	</para>
445	<indexterm zone="linux-pam faillock">
446	<primary sortas="b-faillock">faillock</primary>
447	</indexterm>
448	</listitem>
449	</varlistentry>
450
451	<varlistentry id="mkhomedir_helper">
452	<term><command>mkhomedir_helper</command></term>
453	<listitem>
454	<para>
455	is a helper binary that creates home directories
456	</para>
457	<indexterm zone="linux-pam mkhomedir_helper">
458	<primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
459	</indexterm>
460	</listitem>
461	</varlistentry>
462
463	<varlistentry id="pam_namespace_helper">
464	<term><command>pam_namespace_helper</command></term>
465	<listitem>
466	<para>
467	is a helper program used to configure a private namespace for a
468	user session
469	</para>
470	<indexterm zone="linux-pam pam_namespace_helper">
471	<primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
472	</indexterm>
473	</listitem>
474	</varlistentry>
475
476	<varlistentry id="pwhistory_helper">
477	<term><command>pwhistory_helper</command></term>
478	<listitem>
479	<para>
480	is a helper program that transfers password hashes from passwd or
481	shadow to opasswd
482	</para>
483	<indexterm zone="linux-pam pwhistory_helper">
484	<primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
485	</indexterm>
486	</listitem>
487	</varlistentry>
488	<!-- Removed with the removal of the pam_tally{,2} module
489	<varlistentry id="pam_tally">
490	<term><command>pam_tally</command></term>
491	<listitem>
492	<para>
493	is used to interrogate and manipulate the login counter file.
494	</para>
495	<indexterm zone="linux-pam pam_tally">
496	<primary sortas="b-pam_tally">pam_tally</primary>
497	</indexterm>
498	</listitem>
499	</varlistentry>
500
501	<varlistentry id="pam_tally2">
502	<term><command>pam_tally2</command></term>
503	<listitem>
504	<para>
505	is used to interrogate and manipulate the login counter file, but
506	does not have some limitations that <command>pam_tally</command>
507	does.
508	</para>
509	<indexterm zone="linux-pam pam_tally2">
510	<primary sortas="b-pam_tally2">pam_tally2</primary>
511	</indexterm>
512	</listitem>
513	</varlistentry>
514	-->
515
516	<varlistentry id="pam_timestamp_check">
517	<term><command>pam_timestamp_check</command></term>
518	<listitem>
519	<para>
520	is used to check if the default timestamp is valid
521	</para>
522	<indexterm zone="linux-pam pam_timestamp_check">
523	<primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
524	</indexterm>
525	</listitem>
526	</varlistentry>
527
528	<varlistentry id="unix_chkpwd">
529	<term><command>unix_chkpwd</command></term>
530	<listitem>
531	<para>
532	is a helper binary that verifies the password of the current user
533	</para>
534	<indexterm zone="linux-pam unix_chkpwd">
535	<primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
536	</indexterm>
537	</listitem>
538	</varlistentry>
539
540	<varlistentry id="unix_update">
541	<term><command>unix_update</command></term>
542	<listitem>
543	<para>
544	is a helper binary that updates the password of a given user
545	</para>
546	<indexterm zone="linux-pam unix_update">
547	<primary sortas="b-unix_update">unix_update</primary>
548	</indexterm>
549	</listitem>
550	</varlistentry>
551
552	<varlistentry id="libpam">
553	<term><filename class="libraryfile">libpam.so</filename></term>
554	<listitem>
555	<para>
556	provides the interfaces between applications and the
557	PAM modules
558	</para>
559	<indexterm zone="linux-pam libpam">
560	<primary sortas="c-libpam">libpam.so</primary>
561	</indexterm>
562	</listitem>
563	</varlistentry>
564
565	</variablelist>
566
567	</sect2>
568
569	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: