source: postlfs/security/linux-pam.xml@ ab9d46c

Last change on this file since ab9d46c was ab9d46c, checked in by Douglas R. Reno <renodr@…>, 5 years ago

Fix typo in Linux-PAM. Finding a lot of these today

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18473 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "http://linux-pam.org/library/Linux-PAM-&linux-pam-version;.tar.bz2">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "da4b2289b7cfb19583d54e9eaaef1c3a">
10 <!ENTITY linux-pam-size "1.3 MB">
11 <!ENTITY linux-pam-buildsize "28 MB (with tests)">
12 <!ENTITY linux-pam-time "0.5 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "http://linux-pam.org/documentation/Linux-PAM-&linux-pam-docs-version;-docs.tar.bz2">
15 <!ENTITY linux-pam-docs-md5sum "558378b8be9b8b5c987326f4529f2130">
16 <!ENTITY linux-pam-docs-size "480 KB">
17 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
18]>
19
20<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
21 <?dbhtml filename="linux-pam.html"?>
22
23 <sect1info>
24 <othername>$LastChangedBy$</othername>
25 <date>$Date$</date>
26 </sect1info>
27
28 <title>Linux-PAM-&linux-pam-version;</title>
29
30 <indexterm zone="linux-pam">
31 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
32 </indexterm>
33
34 <sect2 role="package">
35 <title>Introduction to Linux PAM</title>
36
37 <para>
38 The <application>Linux PAM</application> package contains
39 Pluggable Authentication Modules used to enable the local
40 system administrator to choose how applications authenticate
41 users.
42 </para>
43
44 &lfs80_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &linux-pam-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &linux-pam-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &linux-pam-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &linux-pam-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
81 <itemizedlist spacing="compact">
82 <title>Optional Documentation</title>
83 <listitem>
84 <para>
85 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
86 </para>
87 </listitem>
88 <listitem>
89 <para>
90 Download MD5 sum: &linux-pam-docs-md5sum;
91 </para>
92 </listitem>
93 <listitem>
94 <para>
95 Download size: &linux-pam-docs-size;
96 </para>
97 </listitem>
98 </itemizedlist>
99
100 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
101
102 <bridgehead renderas="sect4">Optional</bridgehead>
103 <para role="optional">
104 <xref linkend="db"/>,
105 <xref linkend="cracklib"/>,
106 <xref linkend="libtirpc"/> and
107 <ulink url="http://www.prelude-ids.org/">Prelude</ulink>
108 </para>
109
110 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
111 <para role="optional">
112 <xref linkend="DocBook"/>,
113 <xref linkend="docbook-xsl"/>,
114 <xref linkend="fop"/>,
115 <xref linkend="libxslt"/> and either
116 <xref linkend="w3m"/> or
117 <ulink url="http://elinks.or.cz/">elinks</ulink> (but with a link calling it
118 '<application>links</application>') and remove the documentation switch.
119 </para>
120
121 <para condition="html" role="usernotes">User Notes:
122 <ulink url="&blfs-wiki;/linux-pam"/>
123 </para>
124 </sect2>
125
126 <sect2 role="installation">
127 <title>Installation of Linux PAM</title>
128
129 <para>
130 If you downloaded the documentation, unpack the tarball by issuing
131 the following command.
132 </para>
133
134<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.bz2 --strip-components=1</userinput></screen>
135
136 <para>
137 Install <application>Linux PAM</application> by
138 running the following commands:
139 </para>
140
141<screen><userinput>./configure --prefix=/usr \
142 --sysconfdir=/etc \
143 --libdir=/usr/lib \
144 --disable-regenerate-docu \
145 --enable-securedir=/lib/security \
146 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
147make</userinput></screen>
148
149 <para>
150 To test the results, a suitable <filename>/etc/pam.d/other</filename>
151 configuration file must exist.
152 </para>
153
154 <caution>
155 <title>Reinstallation or upgrade of Linux PAM</title>
156 <para>
157 If you have a system with Linux PAM installed and working, be careful
158 when modifying the files in
159 <filename class="directory">/etc/pam.d</filename>, since your system
160 may become totally unusable. If you want to run the tests, you do not
161 need to create another <filename>/etc/pam.d/other</filename> file. The
162 installed one can be used for that purpose.
163 </para>
164
165 <para>
166 You should also be aware that <command>make install</command>
167 overwrites the configuration files in
168 <filename class="directory">/etc/security</filename> as well as
169 <filename>/etc/environment</filename>. If you have modified
170 those files, be sure to back them up first.
171 </para>
172 </caution>
173
174 <para>
175 For a first installation, create the configuration file by issuing the
176 following commands as the <systemitem class="username">root</systemitem>
177 user:
178 </para>
179
180<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
181
182cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
183auth required pam_deny.so
184account required pam_deny.so
185password required pam_deny.so
186session required pam_deny.so
187EOF</userinput></screen>
188
189 <para>
190 Now run the tests by issuing <command>make check</command>.
191 Ensure there are no errors produced by the tests before continuing the
192 installation. Note that the tests take a long time. It may be useful to
193 redirect the output to a log file in order to inspect it thoroughly.
194 </para>
195
196 <para>
197 Only for a first installation, remove the configuration file
198 created earlier by issuing the following command as the
199 <systemitem class="username">root</systemitem> user:
200 </para>
201
202<screen role="root"><userinput>rm -fv /etc/pam.d/*</userinput></screen>
203
204 <para>
205 Now, as the <systemitem class="username">root</systemitem>
206 user:
207 </para>
208
209<screen role="root"><userinput>make install &amp;&amp;
210chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
211
212for file in pam pam_misc pamc
213do
214 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
215 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
216done</userinput></screen>
217
218 </sect2>
219
220 <sect2 role="commands">
221 <title>Command Explanations</title>
222
223 <para>
224 <parameter>--enable-securedir=/lib/security</parameter>:
225 This switch sets the install location for the
226 <application>PAM</application> modules.
227 </para>
228
229 <para>
230 <parameter>--disable-regenerate-docu</parameter>: This switch prevents
231 this version of the package from trying to build its documentation, and
232 failing, when the required dependencies <emphasis>except</emphasis>
233 <xref linkend="w3m"/> are present but <xref linkend="Links"/> is present.
234 Remove this switch if you have installed w3m (or elinks, with a link so that
235 it can be invoked as 'links').
236 </para>
237
238 <para>
239 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
240 The <command>unix_chkpwd</command> helper program must be setuid
241 so that non-<systemitem class="username">root</systemitem>
242 processes can verify passwords against the shadow file.
243 </para>
244
245 </sect2>
246
247 <sect2 role="configuration">
248 <title>Configuring Linux-PAM</title>
249
250 <sect3 id="pam-config">
251 <title>Config Files</title>
252
253 <para>
254 <filename>/etc/security/*</filename> and
255 <filename>/etc/pam.d/*</filename>
256 </para>
257
258 <indexterm zone="linux-pam pam-config">
259 <primary sortas="e-etc-security">/etc/security/*</primary>
260 </indexterm>
261
262 <indexterm zone="linux-pam pam-config">
263 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
264 </indexterm>
265
266 </sect3>
267
268 <sect3>
269 <title>Configuration Information</title>
270
271 <para>
272 Configuration information is placed in
273 <filename class="directory">/etc/pam.d/</filename>.
274 Below is an example file:
275 </para>
276
277<screen><literal># Begin /etc/pam.d/other
278
279auth required pam_unix.so nullok
280account required pam_unix.so
281session required pam_unix.so
282password required pam_unix.so nullok
283
284# End /etc/pam.d/other</literal></screen>
285
286 <para>Now set up some generic files. As root:</para>
287
288<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
289cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
290<literal># Begin /etc/pam.d/system-account
291
292account required pam_unix.so
293
294# End /etc/pam.d/system-account</literal>
295EOF
296
297cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
298<literal># Begin /etc/pam.d/system-auth
299
300auth required pam_unix.so
301
302# End /etc/pam.d/system-auth</literal>
303EOF
304
305cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
306<literal># Begin /etc/pam.d/system-session
307
308session required pam_unix.so
309
310# End /etc/pam.d/system-session</literal>
311EOF</userinput></screen>
312
313 <para>The remaining generic file depends on whether <xref linkend="cracklib"/>
314 is installed. If it is installed, use:</para>
315
316<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
317<literal># Begin /etc/pam.d/system-password
318
319# check new passwords for strength (man pam_cracklib)
320password required pam_cracklib.so type=Linux retry=3 difok=5 \
321 difignore=23 minlen=9 dcredit=1 \
322 ucredit=1 lcredit=1 ocredit=1 \
323 dictpath=/lib/cracklib/pw_dict
324# use sha512 hash for encryption, use shadow, and use the
325# authentication token (chosen password) set by pam_cracklib
326# above (or any previous modules)
327password required pam_unix.so sha512 shadow use_authtok
328
329# End /etc/pam.d/system-password</literal>
330EOF</userinput></screen>
331
332 <note>
333 <para>
334 In its default configuration, pam_cracklib will
335 allow mixed-case passwords as short as 6 characters, even with
336 the <parameter>minlen</parameter> value set to 11. You should review
337 the pam_cracklib(8) man page and determine whether these default values
338 are acceptable for the security of your system.
339 </para>
340 </note>
341
342 <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
343 use:</para>
344
345<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
346<literal># Begin /etc/pam.d/system-password
347
348# use sha512 hash for encryption, use shadow, and try to use any previously
349# defined authentication token (chosen password) set by any prior module
350password required pam_unix.so sha512 shadow try_first_pass
351
352# End /etc/pam.d/system-password</literal>
353EOF</userinput></screen>
354
355 <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
356 configuration file. With this file in place, PAM-aware programs will deny
357 access (and pam_warn will log the attempt) unless a configuration file
358 specifically for that application has been created.</para>
359
360<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
361<literal># Begin /etc/pam.d/other
362
363auth required pam_warn.so
364auth required pam_deny.so
365account required pam_warn.so
366account required pam_deny.so
367password required pam_warn.so
368password required pam_deny.so
369session required pam_warn.so
370session required pam_deny.so
371
372# End /etc/pam.d/other</literal>
373EOF</userinput></screen>
374
375 <para>
376 The <application>PAM</application> man page (<command>man
377 pam</command>) provides a good starting point for descriptions
378 of fields and allowable entries. The <ulink
379 url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
380 System Administrators' Guide</ulink> is recommended for additional
381 information.
382 </para>
383
384 <para>
385 Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
386 of various third-party modules available.
387 </para>
388
389 <important>
390 <para>
391 You should now reinstall the <xref linkend="shadow"/>
392 <phrase revision="sysv">package.</phrase>
393 <phrase revision="systemd"> and <xref linkend="systemd"/>
394 packages.</phrase>
395 </para>
396 </important>
397
398 </sect3>
399
400 </sect2>
401
402 <sect2 role="content">
403 <title>Contents</title>
404
405 <segmentedlist>
406 <segtitle>Installed Program</segtitle>
407 <segtitle>Installed Libraries</segtitle>
408 <segtitle>Installed Directories</segtitle>
409
410 <seglistitem>
411 <seg>
412 mkhomedir_helper, pam_tally, pam_tally2,
413 pam_timestamp_check, unix_chkpwd and
414 unix_update
415 </seg>
416 <seg>
417 libpam.so, libpamc.so and libpam_misc.so
418 </seg>
419 <seg>
420 /etc/security,
421 /lib/security,
422 /usr/include/security and
423 /usr/share/doc/Linux-PAM-&linux-pam-version;
424 </seg>
425 </seglistitem>
426 </segmentedlist>
427
428 <variablelist>
429 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
430 <?dbfo list-presentation="list"?>
431 <?dbhtml list-presentation="table"?>
432
433 <varlistentry id="mkhomedir_helper">
434 <term><command>mkhomedir_helper</command></term>
435 <listitem>
436 <para>
437 is a helper binary that creates home directories.
438 </para>
439 <indexterm zone="linux-pam mkhomedir_helper">
440 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
441 </indexterm>
442 </listitem>
443 </varlistentry>
444
445 <varlistentry id="pam_tally">
446 <term><command>pam_tally</command></term>
447 <listitem>
448 <para>
449 is used to interrogate and manipulate the login counter file.
450 </para>
451 <indexterm zone="linux-pam pam_tally">
452 <primary sortas="b-pam_tally">pam_tally</primary>
453 </indexterm>
454 </listitem>
455 </varlistentry>
456
457 <varlistentry id="pam_tally2">
458 <term><command>pam_tally2</command></term>
459 <listitem>
460 <para>
461 is used to interrogate and manipulate the login counter file, but
462 does not have some limitations that <command>pam_tally</command>
463 does.
464 </para>
465 <indexterm zone="linux-pam pam_tally2">
466 <primary sortas="b-pam_tally2">pam_tally2</primary>
467 </indexterm>
468 </listitem>
469 </varlistentry>
470
471 <varlistentry id="pam_timestamp_check">
472 <term><command>pam_timestamp_check</command></term>
473 <listitem>
474 <para>
475 is used to check if the default timestamp is valid
476 </para>
477 <indexterm zone="linux-pam pam_timestamp_check">
478 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
479 </indexterm>
480 </listitem>
481 </varlistentry>
482
483 <varlistentry id="unix_chkpwd">
484 <term><command>unix_chkpwd</command></term>
485 <listitem>
486 <para>
487 is a helper binary that verifies the password of the current user.
488 </para>
489 <indexterm zone="linux-pam unix_chkpwd">
490 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
491 </indexterm>
492 </listitem>
493 </varlistentry>
494
495 <varlistentry id="unix_update">
496 <term><command>unix_update</command></term>
497 <listitem>
498 <para>
499 is a helper binary that updates the password of a given user.
500 </para>
501 <indexterm zone="linux-pam unix_update">
502 <primary sortas="b-unix_update">unix_update</primary>
503 </indexterm>
504 </listitem>
505 </varlistentry>
506
507 <varlistentry id="libpam">
508 <term><filename class="libraryfile">libpam.so</filename></term>
509 <listitem>
510 <para>
511 provides the interfaces between applications and the
512 PAM modules.
513 </para>
514 <indexterm zone="linux-pam libpam">
515 <primary sortas="c-libpam">libpam.so</primary>
516 </indexterm>
517 </listitem>
518 </varlistentry>
519
520 </variablelist>
521
522 </sect2>
523
524</sect1>