source: postlfs/security/linux-pam.xml@ b3867c5

12.0 12.1 ken/TL2024 ken/tuningfonts lazarus lxqt plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18
Last change on this file since b3867c5 was b9567b04, checked in by Xi Ruoyao <xry111@…>, 12 months ago

postlfs: Remove non-exist User Notes link

Part of User Notes removal by
https://www.linuxfromscratch.org/~xry111/remove-nonexist-usernote.sh

  • Property mode set to 100644
File size: 20.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "a913bd5fbf9edeafaacf3eb1eb86fd83">
10 <!ENTITY linux-pam-size "967 KB">
11 <!ENTITY linux-pam-buildsize "39 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "c3771fdc447be78b4c1756b875235965">
16 <!ENTITY linux-pam-docs-size "456 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25
26 <title>Linux-PAM-&linux-pam-version;</title>
27
28 <indexterm zone="linux-pam">
29 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
30 </indexterm>
31
32 <sect2 role="package">
33 <title>Introduction to Linux PAM</title>
34
35 <para>
36 The <application>Linux PAM</application> package contains
37 Pluggable Authentication Modules used by the local
38 system administrator to control how application programs authenticate
39 users.
40 </para>
41
42 &lfs113_checked;
43
44 <bridgehead renderas="sect3">Package Information</bridgehead>
45 <itemizedlist spacing="compact">
46 <listitem>
47 <para>
48 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
49 </para>
50 </listitem>
51 <listitem>
52 <para>
53 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
54 </para>
55 </listitem>
56 <listitem>
57 <para>
58 Download MD5 sum: &linux-pam-md5sum;
59 </para>
60 </listitem>
61 <listitem>
62 <para>
63 Download size: &linux-pam-size;
64 </para>
65 </listitem>
66 <listitem>
67 <para>
68 Estimated disk space required: &linux-pam-buildsize;
69 </para>
70 </listitem>
71 <listitem>
72 <para>
73 Estimated build time: &linux-pam-time;
74 </para>
75 </listitem>
76 </itemizedlist>
77
78 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
79 <itemizedlist spacing="compact">
80 <title>Optional Documentation</title>
81 <listitem>
82 <para>
83 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
84 </para>
85 </listitem>
86 <listitem>
87 <para>
88 Download MD5 sum: &linux-pam-docs-md5sum;
89 </para>
90 </listitem>
91 <listitem>
92 <para>
93 Download size &linux-pam-docs-size;
94 </para>
95 </listitem>
96 </itemizedlist>
97
98 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
99
100 <bridgehead renderas="sect4">Optional</bridgehead>
101 <para role="optional">
102 <xref linkend="db"/>,
103 <xref linkend="libnsl"/>,
104 <xref linkend="libtirpc"/>,
105 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
106 <ulink url="https://www.prelude-siem.org">Prelude</ulink>
107 </para>
108<!-- With 1.5.3, building the doc requires the namespaced version of
109 docbook-xsl, which is beyond BLFS.
110
111 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
112 <para role="optional">
113 <xref linkend="DocBook"/>,
114 <xref linkend="docbook-xsl"/>,
115 <xref linkend="fop"/>,
116 <xref linkend="libxslt"/> and either
117 <xref linkend="lynx"/> or
118 <ulink url="&w3m-url;">W3m</ulink>
119 </para>
120-->
121 <note>
122 <para role="required">
123 <xref role="runtime" linkend="shadow"/>
124 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
125 must</phrase><phrase revision="sysv">must</phrase> be reinstalled
126 and reconfigured
127 after installing and configuring <application>Linux PAM</application>.
128 </para>
129
130 <para role="recommended">
131 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
132 installed by default. Use <xref role="runtime" linkend="libpwquality"/>
133 to enforce strong passwords.
134 </para>
135 </note>
136
137 </sect2>
138
139 <sect2 role="installation">
140 <title>Installation of Linux PAM</title>
141
142 <para revision="sysv">
143 First, prevent the installation of an unneeded systemd file:
144 </para>
145
146<screen revision="sysv"><userinput>sed -e /service_DATA/d \
147 -i modules/pam_namespace/Makefile.am &amp;&amp;
148autoreconf</userinput></screen>
149
150 <para>
151 If you downloaded the documentation, unpack the tarball by issuing
152 the following command.
153 </para>
154
155<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
156<!--
157 <para>
158 If you want to regenerate the documentation yourself, fix the
159 <command>configure</command> script so it will detect lynx:
160 </para>
161
162<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
163 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
164 -i configure</userinput></screen>
165-->
166 <para>
167 Compile and link <application>Linux PAM</application> by
168 running the following commands:
169 </para>
170
171<screen><userinput>./configure --prefix=/usr \
172 --sbindir=/usr/sbin \
173 --sysconfdir=/etc \
174 --libdir=/usr/lib \
175 --enable-securedir=/usr/lib/security \
176 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
177make</userinput></screen>
178
179 <para>
180 To test the results, a suitable <filename>/etc/pam.d/other</filename>
181 configuration file must exist.
182 </para>
183
184 <caution>
185 <title>Reinstallation or Upgrade of Linux PAM</title>
186 <para>
187 If you have a system with Linux PAM installed and working, be careful
188 when modifying the files in
189 <filename class="directory">/etc/pam.d</filename>, since your system
190 may become totally unusable. If you want to run the tests, you do not
191 need to create another <filename>/etc/pam.d/other</filename> file. The
192 existing file can be used for the tests.
193 </para>
194
195 <para>
196 You should also be aware that <command>make install</command>
197 overwrites the configuration files in
198 <filename class="directory">/etc/security</filename> as well as
199 <filename>/etc/environment</filename>. If you
200 have modified those files, be sure to back them up.
201 </para>
202 </caution>
203
204 <para>
205 For a first-time installation, create a configuration file by issuing the
206 following commands as the <systemitem class="username">root</systemitem>
207 user:
208 </para>
209
210<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
211
212cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
213<literal>auth required pam_deny.so
214account required pam_deny.so
215password required pam_deny.so
216session required pam_deny.so</literal>
217EOF</userinput></screen>
218
219 <para>
220 Now run the tests by issuing <command>make check</command>.
221 Be sure the tests produced no errors before continuing the
222 installation. Note that the tests are very long.
223 Redirect the output to a log file, so you can inspect it thoroughly.
224 </para>
225
226 <para>
227 For a first-time installation, remove the configuration file
228 created earlier by issuing the following command as the
229 <systemitem class="username">root</systemitem> user:
230 </para>
231
232<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
233
234 <para>
235 Now, as the <systemitem class="username">root</systemitem>
236 user:
237 </para>
238
239<screen role="root"><userinput>make install &amp;&amp;
240chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
241
242 </sect2>
243
244 <sect2 role="commands">
245 <title>Command Explanations</title>
246
247 <para>
248 <parameter>--enable-securedir=/usr/lib/security</parameter>:
249 This switch sets the installation location for the
250 <application>PAM</application> modules.
251 </para>
252<!--
253 <para>
254 <option>- -disable-regenerate-docu</option> : If the needed dependencies
255 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
256 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
257 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
258 html and text documentation files, are generated and installed.
259 Furthermore, if <xref linkend="fop"/> is installed, the PDF
260 documentation is generated and installed. Use this switch if you do not
261 want to rebuild the documentation.
262 </para>
263-->
264 <para>
265 <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
266 The setuid bit for the <command>unix_chkpwd</command> helper program must be
267 turned on, so that non-<systemitem class="username">root</systemitem>
268 processes can access the shadow file.
269 </para>
270
271 </sect2>
272
273 <sect2 role="configuration">
274 <title>Configuring Linux-PAM</title>
275
276 <sect3 id="pam-config">
277 <title>Configuration Files</title>
278
279 <para>
280 <filename>/etc/security/*</filename> and
281 <filename>/etc/pam.d/*</filename>
282 </para>
283
284 <indexterm zone="linux-pam pam-config">
285 <primary sortas="e-etc-security">/etc/security/*</primary>
286 </indexterm>
287
288 <indexterm zone="linux-pam pam-config">
289 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
290 </indexterm>
291
292 </sect3>
293
294 <sect3>
295 <title>Configuration Information</title>
296
297 <para>
298 Configuration information is placed in
299 <filename class="directory">/etc/pam.d/</filename>.
300 Here is a sample file:
301 </para>
302
303<screen><literal># Begin /etc/pam.d/other
304
305auth required pam_unix.so nullok
306account required pam_unix.so
307session required pam_unix.so
308password required pam_unix.so nullok
309
310# End /etc/pam.d/other</literal></screen>
311
312 <para>
313 Now create some generic configuration files. As the
314 <systemitem class="username">root</systemitem> user:
315 </para>
316
317<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
318cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
319<literal># Begin /etc/pam.d/system-account
320
321account required pam_unix.so
322
323# End /etc/pam.d/system-account</literal>
324EOF
325
326cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
327<literal># Begin /etc/pam.d/system-auth
328
329auth required pam_unix.so
330
331# End /etc/pam.d/system-auth</literal>
332EOF
333
334cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF" &amp;&amp;
335<literal># Begin /etc/pam.d/system-session
336
337session required pam_unix.so
338
339# End /etc/pam.d/system-session</literal>
340EOF
341
342cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
343<literal># Begin /etc/pam.d/system-password
344
345# use sha512 hash for encryption, use shadow, and try to use any previously
346# defined authentication token (chosen password) set by any prior module.
347# Use the same number of rounds as shadow.
348password required pam_unix.so sha512 shadow try_first_pass \
349 rounds=500000
350
351# End /etc/pam.d/system-password</literal>
352EOF
353</userinput></screen>
354
355 <para>
356 If you wish to enable strong password support, install
357 <xref linkend="libpwquality"/>, and follow the
358 instructions on that page to configure the pam_pwquality
359 PAM module with strong password support.
360 </para>
361
362<!-- With the removal of the pam_cracklib module, we're supposed to be using
363 libpwquality. That already includes instructions in its configuration
364 information page, so we'll use those instead.
365
366 Linux-PAM must be installed prior to libpwquality so that PAM support
367 is built in, and the PAM module is built.
368-->
369<!-- WARNING: If for any reason the instructions below are reinstated be
370 careful with the number of rounds, which should match the one in shadow.
371 <para>
372 The remaining generic file depends on whether <xref
373 linkend="cracklib"/> is installed. If it is installed, use:
374 </para>
375
376<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
377<literal># Begin /etc/pam.d/system-password
378
379# check new passwords for strength (man pam_cracklib)
380password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
381 minlen=9 dcredit=1 ucredit=1 \
382 lcredit=1 ocredit=1 minclass=0 \
383 maxrepeat=0 maxsequence=0 \
384 maxclassrepeat=0 \
385 dictpath=/lib/cracklib/pw_dict
386# use sha512 hash for encryption, use shadow, and use the
387# authentication token (chosen password) set by pam_cracklib
388# above (or any previous modules)
389password required pam_unix.so sha512 shadow use_authtok
390
391# End /etc/pam.d/system-password</literal>
392EOF</userinput></screen>
393
394 <note>
395 <para>
396 In its default configuration, pam_cracklib will
397 allow multiple case passwords as short as 6 characters, even with
398 the <parameter>minlen</parameter> value set to 11. You should review
399 the pam_cracklib(8) man page and determine if these default values
400 are acceptable for the security of your system.
401 </para>
402 </note>
403
404 <para>
405 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
406 use:
407 </para>
408
409<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
410<literal># Begin /etc/pam.d/system-password
411
412# use sha512 hash for encryption, use shadow, and try to use any previously
413# defined authentication token (chosen password) set by any prior module
414password required pam_unix.so sha512 shadow try_first_pass
415
416# End /etc/pam.d/system-password</literal>
417EOF</userinput></screen>
418-->
419 <para>
420 Next, add a restrictive <filename>/etc/pam.d/other</filename>
421 configuration file. With this file, programs that are PAM aware will
422 not run unless a configuration file specifically for that application
423 exists.
424 </para>
425
426<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
427<literal># Begin /etc/pam.d/other
428
429auth required pam_warn.so
430auth required pam_deny.so
431account required pam_warn.so
432account required pam_deny.so
433password required pam_warn.so
434password required pam_deny.so
435session required pam_warn.so
436session required pam_deny.so
437
438# End /etc/pam.d/other</literal>
439EOF</userinput></screen>
440
441 <para>
442 The <application>PAM</application> man page (<command>man
443 pam</command>) provides a good starting point to learn
444 about the several fields, and allowable entries.
445 <!-- not accessible 2022-09-08 -->
446 <!-- it's available at a different address 2022-10-23-->
447 The
448 <ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
449 Linux-PAM System Administrators' Guide
450 </ulink> is recommended for additional information.
451 </para>
452
453 <important>
454 <para>
455 You should now reinstall the <xref linkend="shadow"/>
456 <phrase revision="sysv">package</phrase>
457 <phrase revision="systemd"> and <xref linkend="systemd"/>
458 packages</phrase>.
459 </para>
460 </important>
461
462 </sect3>
463
464 </sect2>
465
466 <sect2 role="content">
467 <title>Contents</title>
468
469 <segmentedlist>
470 <segtitle>Installed Program</segtitle>
471 <segtitle>Installed Libraries</segtitle>
472 <segtitle>Installed Directories</segtitle>
473
474 <seglistitem>
475 <seg>
476 faillock, mkhomedir_helper, pam_namespace_helper,
477 pam_timestamp_check, pwhistory_helper, unix_chkpwd and
478 unix_update
479 </seg>
480 <seg>
481 libpam.so, libpamc.so and libpam_misc.so
482 </seg>
483 <seg>
484 /etc/security,
485 /usr/lib/security,
486 /usr/include/security and
487 /usr/share/doc/Linux-PAM-&linux-pam-version;
488 </seg>
489 </seglistitem>
490 </segmentedlist>
491
492 <variablelist>
493 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
494 <?dbfo list-presentation="list"?>
495 <?dbhtml list-presentation="table"?>
496
497 <varlistentry id="faillock">
498 <term><command>faillock</command></term>
499 <listitem>
500 <para>
501 displays and modifies the authentication failure record files
502 </para>
503 <indexterm zone="linux-pam faillock">
504 <primary sortas="b-faillock">faillock</primary>
505 </indexterm>
506 </listitem>
507 </varlistentry>
508
509 <varlistentry id="mkhomedir_helper">
510 <term><command>mkhomedir_helper</command></term>
511 <listitem>
512 <para>
513 is a helper binary that creates home directories
514 </para>
515 <indexterm zone="linux-pam mkhomedir_helper">
516 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
517 </indexterm>
518 </listitem>
519 </varlistentry>
520
521 <varlistentry id="pam_namespace_helper">
522 <term><command>pam_namespace_helper</command></term>
523 <listitem>
524 <para>
525 is a helper program used to configure a private namespace for a
526 user session
527 </para>
528 <indexterm zone="linux-pam pam_namespace_helper">
529 <primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
530 </indexterm>
531 </listitem>
532 </varlistentry>
533
534 <varlistentry id="pwhistory_helper">
535 <term><command>pwhistory_helper</command></term>
536 <listitem>
537 <para>
538 is a helper program that transfers password hashes from passwd or
539 shadow to opasswd
540 </para>
541 <indexterm zone="linux-pam pwhistory_helper">
542 <primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
543 </indexterm>
544 </listitem>
545 </varlistentry>
546<!-- Removed with the removal of the pam_tally{,2} module
547 <varlistentry id="pam_tally">
548 <term><command>pam_tally</command></term>
549 <listitem>
550 <para>
551 is used to interrogate and manipulate the login counter file.
552 </para>
553 <indexterm zone="linux-pam pam_tally">
554 <primary sortas="b-pam_tally">pam_tally</primary>
555 </indexterm>
556 </listitem>
557 </varlistentry>
558
559 <varlistentry id="pam_tally2">
560 <term><command>pam_tally2</command></term>
561 <listitem>
562 <para>
563 is used to interrogate and manipulate the login counter file, but
564 does not have some limitations that <command>pam_tally</command>
565 does.
566 </para>
567 <indexterm zone="linux-pam pam_tally2">
568 <primary sortas="b-pam_tally2">pam_tally2</primary>
569 </indexterm>
570 </listitem>
571 </varlistentry>
572-->
573
574 <varlistentry id="pam_timestamp_check">
575 <term><command>pam_timestamp_check</command></term>
576 <listitem>
577 <para>
578 is used to check if the default timestamp is valid
579 </para>
580 <indexterm zone="linux-pam pam_timestamp_check">
581 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
582 </indexterm>
583 </listitem>
584 </varlistentry>
585
586 <varlistentry id="unix_chkpwd">
587 <term><command>unix_chkpwd</command></term>
588 <listitem>
589 <para>
590 is a helper binary that verifies the password of the current user
591 </para>
592 <indexterm zone="linux-pam unix_chkpwd">
593 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
594 </indexterm>
595 </listitem>
596 </varlistentry>
597
598 <varlistentry id="unix_update">
599 <term><command>unix_update</command></term>
600 <listitem>
601 <para>
602 is a helper binary that updates the password of a given user
603 </para>
604 <indexterm zone="linux-pam unix_update">
605 <primary sortas="b-unix_update">unix_update</primary>
606 </indexterm>
607 </listitem>
608 </varlistentry>
609
610 <varlistentry id="libpam">
611 <term><filename class="libraryfile">libpam.so</filename></term>
612 <listitem>
613 <para>
614 provides the interfaces between applications and the
615 PAM modules
616 </para>
617 <indexterm zone="linux-pam libpam">
618 <primary sortas="c-libpam">libpam.so</primary>
619 </indexterm>
620 </listitem>
621 </varlistentry>
622
623 </variablelist>
624
625 </sect2>
626
627</sect1>
Note: See TracBrowser for help on using the repository browser.