source: postlfs/security/linux-pam.xml@ c176fc7

Last change on this file since c176fc7 was bf1e213, checked in by DJ Lucas <dj@…>, 3 years ago

Add --sbindir to Linux-PAM instruction to aid in packaging.

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "895e8adfa14af334f679bbeb28503f66">
10 <!ENTITY linux-pam-size "966 KB">
11 <!ENTITY linux-pam-buildsize "39 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "ceb3dc248cb2f49a40904b93cb91db1b">
16 <!ENTITY linux-pam-docs-size "433 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <date>$Date$</date>
27 </sect1info>
28
29 <title>Linux-PAM-&linux-pam-version;</title>
30
31 <indexterm zone="linux-pam">
32 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
33 </indexterm>
34
35 <sect2 role="package">
36 <title>Introduction to Linux PAM</title>
37
38 <para>
39 The <application>Linux PAM</application> package contains
40 Pluggable Authentication Modules used to enable the local
41 system administrator to choose how applications authenticate
42 users.
43 </para>
44
45 &lfs110a_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &linux-pam-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &linux-pam-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &linux-pam-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &linux-pam-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <title>Optional Documentation</title>
84 <listitem>
85 <para>
86 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
87 </para>
88 </listitem>
89 <listitem>
90 <para>
91 Download MD5 sum: &linux-pam-docs-md5sum;
92 </para>
93 </listitem>
94 <listitem>
95 <para>
96 Download size: &linux-pam-docs-size;
97 </para>
98 </listitem>
99 </itemizedlist>
100
101 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
102
103 <bridgehead renderas="sect4">Optional</bridgehead>
104 <para role="optional">
105 <xref linkend="db"/>,
106 <xref linkend="libnsl"/>,
107 <xref linkend="libtirpc"/>,
108 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
109 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
110 </para>
111
112 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
113 <para role="optional">
114 <xref linkend="DocBook"/>,
115 <xref linkend="docbook-xsl"/>,
116 <xref linkend="fop"/>,
117 <xref linkend="libxslt"/> and either
118 <xref linkend="lynx"/> or
119 <ulink url="&w3m-url;">W3m</ulink>
120 </para>
121
122 <note>
123 <para role="required">
124 <xref role="runtime" linkend="shadow"/>
125 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
126 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
127 after installing and configuring <application>Linux PAM</application>.
128 </para>
129
130 <para role="recommended">
131 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
132 installed by default. To enforce strong passwords, it is recommended
133 to use <xref role="runtime" linkend="libpwquality"/>.
134 </para>
135 </note>
136
137 <para condition="html" role="usernotes">User Notes:
138 <ulink url="&blfs-wiki;/linux-pam"/>
139 </para>
140 </sect2>
141
142 <sect2 role="installation">
143 <title>Installation of Linux PAM</title>
144
145 <para revision="sysv">
146 First prevent the installation of an unneeded systemd file:
147 </para>
148
149<screen revision="sysv"><userinput>sed -e /service_DATA/d \
150 -i modules/pam_namespace/Makefile.am &amp;&amp;
151autoreconf</userinput></screen>
152
153 <para>
154 If you downloaded the documentation, unpack the tarball by issuing
155 the following command.
156 </para>
157
158<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
159
160 <para>
161 If you instead want to regenerate the documentation, fix the
162 <command>configure</command> script so that it detects lynx if installed:
163 </para>
164
165<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
166 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
167 -i configure</userinput></screen>
168
169 <para>
170 Install <application>Linux PAM</application> by
171 running the following commands:
172 </para>
173
174<screen><userinput>./configure --prefix=/usr \
175 --sbindir=/usr/sbin \
176 --sysconfdir=/etc \
177 --libdir=/usr/lib \
178 --enable-securedir=/usr/lib/security \
179 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
180make</userinput></screen>
181
182 <para>
183 To test the results, a suitable <filename>/etc/pam.d/other</filename>
184 configuration file must exist.
185 </para>
186
187 <caution>
188 <title>Reinstallation or upgrade of Linux PAM</title>
189 <para>
190 If you have a system with Linux PAM installed and working, be careful
191 when modifying the files in
192 <filename class="directory">/etc/pam.d</filename>, since your system
193 may become totally unusable. If you want to run the tests, you do not
194 need to create another <filename>/etc/pam.d/other</filename> file. The
195 installed one can be used for that purpose.
196 </para>
197
198 <para>
199 You should also be aware that <command>make install</command>
200 overwrites the configuration files in
201 <filename class="directory">/etc/security</filename> as well as
202 <filename>/etc/environment</filename>. In case you
203 have modified those files, be sure to back them up.
204 </para>
205 </caution>
206
207 <para>
208 For a first installation, create the configuration file by issuing the
209 following commands as the <systemitem class="username">root</systemitem>
210 user:
211 </para>
212
213<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
214
215cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
216<literal>auth required pam_deny.so
217account required pam_deny.so
218password required pam_deny.so
219session required pam_deny.so</literal>
220EOF</userinput></screen>
221
222 <para>
223 Now run the tests by issuing <command>make check</command>.
224 Ensure there are no errors produced by the tests before continuing the
225 installation. Note that the checks take a long time to run. It may be useful to
226 redirect the output to a log file in order to inspect it thoroughly.
227 </para>
228
229 <para>
230 Only if this is a first installation, remove the configuration file
231 created earlier by issuing the following command as the
232 <systemitem class="username">root</systemitem> user:
233 </para>
234
235<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
236
237 <para>
238 Now, as the <systemitem class="username">root</systemitem>
239 user:
240 </para>
241
242<screen role="root"><userinput>make install &amp;&amp;
243chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
244
245 </sect2>
246
247 <sect2 role="commands">
248 <title>Command Explanations</title>
249
250 <para>
251 <parameter>--enable-securedir=/usr/lib/security</parameter>:
252 This switch sets the installation location for the
253 <application>PAM</application> modules.
254 </para>
255
256 <para>
257 <option>--disable-regenerate-docu</option>: If the needed dependencies
258 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
259 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
260 url="&w3m-url;">W3m</ulink>) are installed, the manual pages and the
261 HTML and text documentation are (re)generated and installed.
262 Furthermore, if <xref linkend="fop"/> is installed, the PDF
263 documentation is generated and installed. Use this switch if you do not
264 want to rebuild the documentation.
265 </para>
266
267 <para>
268 <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
269 The <command>unix_chkpwd</command> helper program must be setuid
270 <systemitem class="username">root</systemitem> so that processes running as a
271 non-<systemitem class="username">root</systemitem> user can verify a password
272 against the shadow file through it.
272 </para>
273
274 </sect2>
275
276 <sect2 role="configuration">
277 <title>Configuring Linux-PAM</title>
278
279 <sect3 id="pam-config">
280 <title>Config Files</title>
281
282 <para>
283 <filename>/etc/security/*</filename> and
284 <filename>/etc/pam.d/*</filename>
285 </para>
286
287 <indexterm zone="linux-pam pam-config">
288 <primary sortas="e-etc-security">/etc/security/*</primary>
289 </indexterm>
290
291 <indexterm zone="linux-pam pam-config">
292 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
293 </indexterm>
294
295 </sect3>
296
297 <sect3>
298 <title>Configuration Information</title>
299
300 <para>
301 Configuration information is placed in
302 <filename class="directory">/etc/pam.d/</filename>.
303 Below is an example file:
304 </para>
305
306<screen><literal># Begin /etc/pam.d/other
307
308auth required pam_unix.so nullok
309account required pam_unix.so
310session required pam_unix.so
311password required pam_unix.so nullok
312
313# End /etc/pam.d/other</literal></screen>
314
315 <para>
316 Now set up some generic files. As the
317 <systemitem class="username">root</systemitem> user:
318 </para>
319
320<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
321cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
322<literal># Begin /etc/pam.d/system-account
323
324account required pam_unix.so
325
326# End /etc/pam.d/system-account</literal>
327EOF
328
329cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
330<literal># Begin /etc/pam.d/system-auth
331
332auth required pam_unix.so
333
334# End /etc/pam.d/system-auth</literal>
335EOF
336
337cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
338<literal># Begin /etc/pam.d/system-session
339
340session required pam_unix.so
341
342# End /etc/pam.d/system-session</literal>
343EOF
344cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
345<literal># Begin /etc/pam.d/system-password
346
347# use sha512 hash for encryption, use shadow, and try to use any previously
348# defined authentication token (chosen password) set by any prior module
349password required pam_unix.so sha512 shadow try_first_pass
350
351# End /etc/pam.d/system-password</literal>
352EOF
353</userinput></screen>
354
355 <para>
356 If you wish to enable strong password support, install
357 <xref linkend="libpwquality"/> and follow the
358 instructions on that page to configure the pam_pwquality
359 PAM module.
360 </para>
361
362<!-- With the removal of the pam_cracklib module, we're supposed to be using
363 libpwquality. That already includes instructions in its configuration
364 information page, so we'll use those instead.
365
366 Linux-PAM must be installed prior to libpwquality so that PAM support
367 is built in, and the PAM module is built.
368-->
369<!--
370 <para>
371 The remaining generic file depends on whether <xref
372 linkend="cracklib"/> is installed. If it is installed, use:
373 </para>
374
375<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
376<literal># Begin /etc/pam.d/system-password
377
378# check new passwords for strength (man pam_cracklib)
379password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
380 minlen=9 dcredit=1 ucredit=1 \
381 lcredit=1 ocredit=1 minclass=0 \
382 maxrepeat=0 maxsequence=0 \
383 maxclassrepeat=0 \
384 dictpath=/lib/cracklib/pw_dict
385# use sha512 hash for encryption, use shadow, and use the
386# authentication token (chosen password) set by pam_cracklib
387# above (or any previous modules)
388password required pam_unix.so sha512 shadow use_authtok
389
390# End /etc/pam.d/system-password</literal>
391EOF</userinput></screen>
392
393 <note>
394 <para>
395 In its default configuration, pam_cracklib will
396 allow multiple case passwords as short as 6 characters, even with
397 the <parameter>minlen</parameter> value set to 11. You should review
398 the pam_cracklib(8) man page and determine if these default values
399 are acceptable for the security of your system.
400 </para>
401 </note>
402
403 <para>
404 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
405 use:
406 </para>
407
408<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
409<literal># Begin /etc/pam.d/system-password
410
411# use sha512 hash for encryption, use shadow, and try to use any previously
412# defined authentication token (chosen password) set by any prior module
413password required pam_unix.so sha512 shadow try_first_pass
414
415# End /etc/pam.d/system-password</literal>
416EOF</userinput></screen>
417-->
418 <para>
419 Now add a restrictive <filename>/etc/pam.d/other</filename>
420 configuration file. With this file, any PAM-aware program that has no
421 configuration file of its own is refused (the attempt is logged by
422 pam_warn.so and then rejected by pam_deny.so), so such programs will not
423 run until a configuration file specifically for that application is created.
423 </para>
424
425<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
426<literal># Begin /etc/pam.d/other
427
428auth required pam_warn.so
429auth required pam_deny.so
430account required pam_warn.so
431account required pam_deny.so
432password required pam_warn.so
433password required pam_deny.so
434session required pam_warn.so
435session required pam_deny.so
436
437# End /etc/pam.d/other</literal>
438EOF</userinput></screen>
439
440 <para>
441 The <application>PAM</application> man page (<command>man
442 pam</command>) provides a good starting point for descriptions
443 of fields and allowable entries. The
444 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
445 Linux-PAM System Administrators' Guide
446 </ulink> is recommended for additional information.
447 </para>
448
449 <important>
450 <para>
451 You should now reinstall the <xref linkend="shadow"/>
452 <phrase revision="sysv">package.</phrase>
453 <phrase revision="systemd"> and <xref linkend="systemd"/>
454 packages.</phrase>
455 </para>
456 </important>
457
458 </sect3>
459
460 </sect2>
461
462 <sect2 role="content">
463 <title>Contents</title>
464
465 <segmentedlist>
466 <segtitle>Installed Program</segtitle>
467 <segtitle>Installed Libraries</segtitle>
468 <segtitle>Installed Directories</segtitle>
469
470 <seglistitem>
471 <seg>
472 faillock, mkhomedir_helper, pam_namespace_helper,
473 pam_timestamp_check, pwhistory_helper, unix_chkpwd and
474 unix_update
475 </seg>
476 <seg>
477 libpam.so, libpamc.so and libpam_misc.so
478 </seg>
479 <seg>
480 /etc/security,
481 /usr/lib/security,
482 /usr/include/security and
483 /usr/share/doc/Linux-PAM-&linux-pam-version;
484 </seg>
485 </seglistitem>
486 </segmentedlist>
487
488 <variablelist>
489 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
490 <?dbfo list-presentation="list"?>
491 <?dbhtml list-presentation="table"?>
492
493 <varlistentry id="faillock">
494 <term><command>faillock</command></term>
495 <listitem>
496 <para>
497 displays and modifies the authentication failure record files
498 </para>
499 <indexterm zone="linux-pam faillock">
500 <primary sortas="b-faillock">faillock</primary>
501 </indexterm>
502 </listitem>
503 </varlistentry>
504
505 <varlistentry id="mkhomedir_helper">
506 <term><command>mkhomedir_helper</command></term>
507 <listitem>
508 <para>
509 is a helper binary that creates home directories
510 </para>
511 <indexterm zone="linux-pam mkhomedir_helper">
512 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
513 </indexterm>
514 </listitem>
515 </varlistentry>
516
517 <varlistentry id="pam_namespace_helper">
518 <term><command>pam_namespace_helper</command></term>
519 <listitem>
520 <para>
521 is a helper program used to configure a private namespace for a
522 user session
523 </para>
524 <indexterm zone="linux-pam pam_namespace_helper">
525 <primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
526 </indexterm>
527 </listitem>
528 </varlistentry>
529
530 <varlistentry id="pwhistory_helper">
531 <term><command>pwhistory_helper</command></term>
532 <listitem>
533 <para>
534 is a helper program that transfers password hashes from passwd or
535 shadow to opasswd
536 </para>
537 <indexterm zone="linux-pam pwhistory_helper">
538 <primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
539 </indexterm>
540 </listitem>
541 </varlistentry>
542<!-- Removed with the removal of the pam_tally{,2} module
543 <varlistentry id="pam_tally">
544 <term><command>pam_tally</command></term>
545 <listitem>
546 <para>
547 is used to interrogate and manipulate the login counter file.
548 </para>
549 <indexterm zone="linux-pam pam_tally">
550 <primary sortas="b-pam_tally">pam_tally</primary>
551 </indexterm>
552 </listitem>
553 </varlistentry>
554
555 <varlistentry id="pam_tally2">
556 <term><command>pam_tally2</command></term>
557 <listitem>
558 <para>
559 is used to interrogate and manipulate the login counter file, but
560 does not have some limitations that <command>pam_tally</command>
561 does.
562 </para>
563 <indexterm zone="linux-pam pam_tally2">
564 <primary sortas="b-pam_tally2">pam_tally2</primary>
565 </indexterm>
566 </listitem>
567 </varlistentry>
568-->
569
570 <varlistentry id="pam_timestamp_check">
571 <term><command>pam_timestamp_check</command></term>
572 <listitem>
573 <para>
574 is used to check if the default timestamp is valid
575 </para>
576 <indexterm zone="linux-pam pam_timestamp_check">
577 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
578 </indexterm>
579 </listitem>
580 </varlistentry>
581
582 <varlistentry id="unix_chkpwd">
583 <term><command>unix_chkpwd</command></term>
584 <listitem>
585 <para>
586 is a helper binary that verifies the password of the current user
587 </para>
588 <indexterm zone="linux-pam unix_chkpwd">
589 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
590 </indexterm>
591 </listitem>
592 </varlistentry>
593
594 <varlistentry id="unix_update">
595 <term><command>unix_update</command></term>
596 <listitem>
597 <para>
598 is a helper binary that updates the password of a given user
599 </para>
600 <indexterm zone="linux-pam unix_update">
601 <primary sortas="b-unix_update">unix_update</primary>
602 </indexterm>
603 </listitem>
604 </varlistentry>
605
606 <varlistentry id="libpam">
607 <term><filename class="libraryfile">libpam.so</filename></term>
608 <listitem>
609 <para>
610 provides the interfaces between applications and the
611 PAM modules
612 </para>
613 <indexterm zone="linux-pam libpam">
614 <primary sortas="c-libpam">libpam.so</primary>
615 </indexterm>
616 </listitem>
617 </varlistentry>
618
619 </variablelist>
620
621 </sect2>
622
623</sect1>