1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "http://linux-pam.org/library/Linux-PAM-&linux-pam-version;.tar.bz2">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "da4b2289b7cfb19583d54e9eaaef1c3a">
10 <!ENTITY linux-pam-size "1.3 MB">
11 <!ENTITY linux-pam-buildsize "28 MB (with tests)">
12 <!ENTITY linux-pam-time "0.5 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "http://linux-pam.org/documentation/Linux-PAM-&linux-pam-docs-version;-docs.tar.bz2">
15 <!ENTITY linux-pam-docs-md5sum "558378b8be9b8b5c987326f4529f2130">
16 <!ENTITY linux-pam-docs-size "480 KB">
17 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
18]>
19
20<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
21 <?dbhtml filename="linux-pam.html"?>
22
23 <sect1info>
24 <othername>$LastChangedBy$</othername>
25 <date>$Date$</date>
26 </sect1info>
27
28 <title>Linux-PAM-&linux-pam-version;</title>
29
30 <indexterm zone="linux-pam">
31 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
32 </indexterm>
33
34 <sect2 role="package">
35 <title>Introduction to Linux PAM</title>
36
37 <para>
38 The <application>Linux PAM</application> package contains
39 Pluggable Authentication Modules used to enable the local
40 system administrator to choose how applications authenticate
41 users.
42 </para>
43
44 &lfs83_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &linux-pam-md5sum; (an MD5 sum detects accidental corruption only; it does not prove that a tarball fetched over plain HTTP has not been tampered with)
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &linux-pam-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &linux-pam-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &linux-pam-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
81 <itemizedlist spacing="compact">
82 <title>Optional Documentation</title>
83 <listitem>
84 <para>
85 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
86 </para>
87 </listitem>
88 <listitem>
89 <para>
90 Download MD5 sum: &linux-pam-docs-md5sum;
91 </para>
92 </listitem>
93 <listitem>
94 <para>
95 Download size &linux-pam-docs-size;
96 </para>
97 </listitem>
98 </itemizedlist>
99
100 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
101
102 <bridgehead renderas="sect4">Optional</bridgehead>
103 <para role="optional">
104 <xref linkend="db"/>,
105 <xref linkend="cracklib"/>,
106 <xref linkend="libtirpc"/> and
107 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
108 </para>
109
110 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
111 <para role="optional">
112 <xref linkend="DocBook"/>,
113 <xref linkend="docbook-xsl"/>,
114 <xref linkend="fop"/>,
115 <xref linkend="libxslt"/> and either
116 <xref linkend="w3m"/> or
117 <ulink url="&elinks-url;">elinks</ulink> (but with a link calling it
118 '<application>links</application>') and remove the documentation switch.
119 </para>
120
121 <para condition="html" role="usernotes">User Notes:
122 <ulink url="&blfs-wiki;/linux-pam"/>
123 </para>
124 </sect2>
125
126 <sect2 role="installation">
127 <title>Installation of Linux PAM</title>
128
129 <para>
130 If you downloaded the documentation, unpack the tarball by issuing
131 the following command.
132 </para>
133
134<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.bz2 --strip-components=1</userinput></screen>
135
136 <para>
137 Install <application>Linux PAM</application> by
138 running the following commands:
139 </para>
140
141<screen><userinput>./configure --prefix=/usr \
142 --sysconfdir=/etc \
143 --libdir=/usr/lib \
144 --disable-regenerate-docu \
145 --enable-securedir=/lib/security \
146 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
147make</userinput></screen>
148
149 <para>
150 To test the results, a suitable <filename>/etc/pam.d/other</filename>
151 configuration file must exist.
152 </para>
153
154 <caution>
155 <title>Reinstallation or upgrade of Linux PAM</title>
156 <para>
157 If you have a system with Linux PAM installed and working, be careful
158 when modifying the files in
159 <filename class="directory">/etc/pam.d</filename>, since your system
160 may become totally unusable. If you want to run the tests, you do not
161 need to create another <filename>/etc/pam.d/other</filename> file. The
162 installed one can be used for that purpose.
163 </para>
164
165 <para>
166 You should also be aware that <command>make install</command>
167 overwrites the configuration files in
168 <filename class="directory">/etc/security</filename> as well as
169 <filename>/etc/environment</filename>. In case you
170 have modified those files, be sure to back them up.
171 </para>
172 </caution>
173
174 <para>
175 For a first installation, create the configuration file by issuing the
176 following commands as the <systemitem class="username">root</systemitem>
177 user:
178 </para>
179
180<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
181
182cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
183auth required pam_deny.so
184account required pam_deny.so
185password required pam_deny.so
186session required pam_deny.so
187EOF</userinput></screen>
188
189 <para>
190 Now run the tests by issuing <command>make check</command>.
191 Ensure there are no errors produced by the tests before continuing the
192 installation. Note that the checks are quite long. It may be useful to
193 redirect the output to a log file in order to inspect it thoroughly.
194 </para>
195
196 <para>
197 Only if this is a first installation, remove the temporary configuration
198 file created earlier by issuing the following command as the
199 <systemitem class="username">root</systemitem> user. Do <emphasis>not</emphasis> run it on a system where Linux PAM is already installed and in use: it deletes every file in <filename class="directory">/etc/pam.d</filename>, including the restrictive <filename>/etc/pam.d/other</filename>, and, as the caution above warns, can leave the system unusable.
200 </para>
201
202<screen role="root"><userinput>rm -fv /etc/pam.d/*</userinput></screen>
203
204 <para>
205 Now, as the <systemitem class="username">root</systemitem>
206 user:
207 </para>
208
209<screen role="root"><userinput>make install &amp;&amp;
210chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
211
212for file in pam pam_misc pamc
213do
214 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
215 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
216done</userinput></screen>
217
218 </sect2>
219
220 <sect2 role="commands">
221 <title>Command Explanations</title>
222
223 <para>
224 <parameter>--enable-securedir=/lib/security</parameter>:
225 This switch sets install location for the
226 <application>PAM</application> modules.
227 </para>
228
229 <para>
230 <parameter>--disable-regenerate-docu</parameter>: This switch prevents
231 this version of the package from trying to rebuild its documentation and
232 failing, which happens when the documentation dependencies are present but
233 <xref linkend="w3m"/> is not, and <xref linkend="Links"/> is found instead.
234 Remove this switch if you have installed w3m (or elinks, with a link so it
235 can be invoked as 'links').
236 </para>
237
238 <para>
239 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
240 The <command>unix_chkpwd</command> helper program must be setuid
241 <systemitem class="username">root</systemitem> because
242 <filename>/etc/shadow</filename> is not readable by ordinary users. A non-<systemitem class="username">root</systemitem> process that needs to verify a password does not read the shadow file itself; it runs this helper, which only checks the password of the user who invoked it, so the privilege granted by the setuid bit stays confined to that one operation.
243 </para>
244
245 </sect2>
246
247 <sect2 role="configuration">
248 <title>Configuring Linux-PAM</title>
249
250 <sect3 id="pam-config">
251 <title>Config Files</title>
252
253 <para>
254 <filename>/etc/security/*</filename> and
255 <filename>/etc/pam.d/*</filename>
256 </para>
257
258 <indexterm zone="linux-pam pam-config">
259 <primary sortas="e-etc-security">/etc/security/*</primary>
260 </indexterm>
261
262 <indexterm zone="linux-pam pam-config">
263 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
264 </indexterm>
265
266 </sect3>
267
268 <sect3>
269 <title>Configuration Information</title>
270
271 <para>
272 Configuration information is placed in
273 <filename class="directory">/etc/pam.d/</filename>.
274 Below is an example file. Note that the <parameter>nullok</parameter> option lets an account whose password field is empty authenticate without entering a password; the example is shown only to illustrate the file format, and the restrictive <filename>/etc/pam.d/other</filename> created later in this section is the one that should actually be installed:
275 </para>
276
277<screen><literal># Begin /etc/pam.d/other
278
279auth required pam_unix.so nullok
280account required pam_unix.so
281session required pam_unix.so
282password required pam_unix.so nullok
283
284# End /etc/pam.d/other</literal></screen>
285
286 <para>Now set up some generic files. As root:</para>
287
288<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
289cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
290<literal># Begin /etc/pam.d/system-account
291
292account required pam_unix.so
293
294# End /etc/pam.d/system-account</literal>
295EOF
296
297cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
298<literal># Begin /etc/pam.d/system-auth
299
300auth required pam_unix.so
301
302# End /etc/pam.d/system-auth</literal>
303EOF
304
305cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
306<literal># Begin /etc/pam.d/system-session
307
308session required pam_unix.so
309
310# End /etc/pam.d/system-session</literal>
311EOF</userinput></screen>
312
313 <para>The remaining generic file depends on whether <xref linkend="cracklib"/>
314 is installed. If it is installed, use:</para>
315
316<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
317<literal># Begin /etc/pam.d/system-password
318
319# check new passwords for strength (man pam_cracklib)
320password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
321 minlen=9 dcredit=1 ucredit=1 \
322 lcredit=1 ocredit=1 minclass=0 \
323 maxrepeat=0 maxsequence=0 \
324 maxclassrepeat=0 \
325 dictpath=/lib/cracklib/pw_dict
326# hash new passwords with sha512 (a one-way hash, not encryption), store them
327# in /etc/shadow, and use the authentication token (chosen password) already
328# set by pam_cracklib above (or any previous modules)
329password required pam_unix.so sha512 shadow use_authtok
330
331# End /etc/pam.d/system-password</literal>
332EOF</userinput></screen>
333
334 <note>
335 <para>
336 With <parameter>dcredit</parameter>, <parameter>ucredit</parameter>,
337 <parameter>lcredit</parameter> and <parameter>ocredit</parameter> each set to 1 above, every character class present in a new password adds one credit toward <parameter>minlen</parameter>, so a mixed-case password that also contains a digit and a punctuation character can be accepted with fewer characters than the <parameter>minlen</parameter> value of 9 given above (pam_cracklib will not accept fewer than 6 in any case). Setting a credit to a negative value (for example <parameter>dcredit=-1</parameter>) turns it into a requirement for at least that many characters of the class instead of a credit.
338 You should review the pam_cracklib(8) man page and determine whether these
339 values are acceptable for the security of your system.
340 </para>
341 </note>
343
344 <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
345 use:</para>
346
347<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
348<literal># Begin /etc/pam.d/system-password
349
350# hash new passwords with sha512 (a one-way hash, not encryption), store them in
351# /etc/shadow, and try to use any authentication token (chosen password) set by a prior module
352password required pam_unix.so sha512 shadow try_first_pass
353
354# End /etc/pam.d/system-password</literal>
355EOF</userinput></screen>
356
357 <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
358 configuration file. With this file, any PAM-aware program that has no
359 configuration file of its own in <filename class="directory">/etc/pam.d</filename> is denied by pam_deny.so, and each such attempt is first logged by pam_warn.so, so a missing service file shows up in the system log instead of
360 failing silently.</para>
361
362<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
363<literal># Begin /etc/pam.d/other
364
365auth required pam_warn.so
366auth required pam_deny.so
367account required pam_warn.so
368account required pam_deny.so
369password required pam_warn.so
370password required pam_deny.so
371session required pam_warn.so
372session required pam_deny.so
373
374# End /etc/pam.d/other</literal>
375EOF</userinput></screen>
376
377 <para>
378 The <application>PAM</application> man page (<command>man
379 pam</command>) provides a good starting point for descriptions
380 of fields and allowable entries. The <ulink
381 url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
382 System Administrators' Guide</ulink> is recommended for additional
383 information.
384 </para>
385
386 <para>
387 Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
388 of various third-party modules available.
389 </para>
390
391 <important>
392 <para>
393 You should now reinstall the <xref linkend="shadow"/>
394 <phrase revision="sysv">package.</phrase>
395 <phrase revision="systemd"> and <xref linkend="systemd"/>
396 packages.</phrase>
397 </para>
398 </important>
399
400 </sect3>
401
402 </sect2>
403
404 <sect2 role="content">
405 <title>Contents</title>
406
407 <segmentedlist>
408 <segtitle>Installed Program</segtitle>
409 <segtitle>Installed Libraries</segtitle>
410 <segtitle>Installed Directories</segtitle>
411
412 <seglistitem>
413 <seg>
414 mkhomedir_helper, pam_tally, pam_tally2,
415 pam_timestamp_check, unix_chkpwd and
416 unix_update
417 </seg>
418 <seg>
419 libpam.so, libpamc.so and libpam_misc.so
420 </seg>
421 <seg>
422 /etc/security,
423 /lib/security,
424 /usr/include/security and
425 /usr/share/doc/Linux-PAM-&linux-pam-version;
426 </seg>
427 </seglistitem>
428 </segmentedlist>
429
430 <variablelist>
431 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
432 <?dbfo list-presentation="list"?>
433 <?dbhtml list-presentation="table"?>
434
435 <varlistentry id="mkhomedir_helper">
436 <term><command>mkhomedir_helper</command></term>
437 <listitem>
438 <para>
439 is a helper binary that creates home directories.
440 </para>
441 <indexterm zone="linux-pam mkhomedir_helper">
442 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
443 </indexterm>
444 </listitem>
445 </varlistentry>
446
447 <varlistentry id="pam_tally">
448 <term><command>pam_tally</command></term>
449 <listitem>
450 <para>
451 is used to interrogate and manipulate the login counter file.
452 </para>
453 <indexterm zone="linux-pam pam_tally">
454 <primary sortas="b-pam_tally">pam_tally</primary>
455 </indexterm>
456 </listitem>
457 </varlistentry>
458
459 <varlistentry id="pam_tally2">
460 <term><command>pam_tally2</command></term>
461 <listitem>
462 <para>
463 is used to interrogate and manipulate the login counter file, but
464 does not have some limitations that <command>pam_tally</command>
465 does.
466 </para>
467 <indexterm zone="linux-pam pam_tally2">
468 <primary sortas="b-pam_tally2">pam_tally2</primary>
469 </indexterm>
470 </listitem>
471 </varlistentry>
472
473 <varlistentry id="pam_timestamp_check">
474 <term><command>pam_timestamp_check</command></term>
475 <listitem>
476 <para>
477 is used to check if the default timestamp is valid
478 </para>
479 <indexterm zone="linux-pam pam_timestamp_check">
480 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
481 </indexterm>
482 </listitem>
483 </varlistentry>
484
485 <varlistentry id="unix_chkpwd">
486 <term><command>unix_chkpwd</command></term>
487 <listitem>
488 <para>
489 is a helper binary that verifies the password of the current user.
490 </para>
491 <indexterm zone="linux-pam unix_chkpwd">
492 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
493 </indexterm>
494 </listitem>
495 </varlistentry>
496
497 <varlistentry id="unix_update">
498 <term><command>unix_update</command></term>
499 <listitem>
500 <para>
501 is a helper binary that updates the password of a given user.
502 </para>
503 <indexterm zone="linux-pam unix_update">
504 <primary sortas="b-unix_update">unix_update</primary>
505 </indexterm>
506 </listitem>
507 </varlistentry>
508
509 <varlistentry id="libpam">
510 <term><filename class="libraryfile">libpam.so</filename></term>
511 <listitem>
512 <para>
513 provides the interfaces between applications and the
514 PAM modules.
515 </para>
516 <indexterm zone="linux-pam libpam">
517 <primary sortas="c-libpam">libpam.so</primary>
518 </indexterm>
519 </listitem>
520 </varlistentry>
521
522 </variablelist>
523
524 </sect2>
525
526</sect1>