Context Navigation

source: postlfs/security/linux-pam.xml@ cfd4fa8

Visit:

11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18 xry111/xf86-video-removal

Last change on this file since cfd4fa8 was 18aa9339, checked in by Douglas R. Reno <renodr@…>, 16 months ago
Lots of tags for X
Property mode set to `100644`
File size: 20.8 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8	<!ENTITY linux-pam-download-ftp " ">
9	<!ENTITY linux-pam-md5sum "895e8adfa14af334f679bbeb28503f66">
10	<!ENTITY linux-pam-size "966 KB">
11	<!ENTITY linux-pam-buildsize "39 MB (with tests)">
12	<!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14	<!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15	<!ENTITY linux-pam-docs-md5sum "ceb3dc248cb2f49a40904b93cb91db1b">
16	<!ENTITY linux-pam-docs-size "433 KB">
17	<!--
18	<!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19	-->
20	]>
21
22	<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23	<?dbhtml filename="linux-pam.html"?>
24
25
26	<title>Linux-PAM-&linux-pam-version;</title>
27
28	<indexterm zone="linux-pam">
29	<primary sortas="a-Linux-PAM">Linux-PAM</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to Linux PAM</title>
34
35	<para>
36	The <application>Linux PAM</application> package contains
37	Pluggable Authentication Modules used by the local
38	system administrator to control how application programs authenticate
39	users.
40	</para>
41
42	&lfs113_checked;
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>
48	Download (HTTP): <ulink url="&linux-pam-download-http;"/>
49	</para>
50	</listitem>
51	<listitem>
52	<para>
53	Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
54	</para>
55	</listitem>
56	<listitem>
57	<para>
58	Download MD5 sum: &linux-pam-md5sum;
59	</para>
60	</listitem>
61	<listitem>
62	<para>
63	Download size: &linux-pam-size;
64	</para>
65	</listitem>
66	<listitem>
67	<para>
68	Estimated disk space required: &linux-pam-buildsize;
69	</para>
70	</listitem>
71	<listitem>
72	<para>
73	Estimated build time: &linux-pam-time;
74	</para>
75	</listitem>
76	</itemizedlist>
77
78	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
79	<itemizedlist spacing="compact">
80	<title>Optional Documentation</title>
81	<listitem>
82	<para>
83	Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
84	</para>
85	</listitem>
86	<listitem>
87	<para>
88	Download MD5 sum: &linux-pam-docs-md5sum;
89	</para>
90	</listitem>
91	<listitem>
92	<para>
93	Download size &linux-pam-docs-size;
94	</para>
95	</listitem>
96	</itemizedlist>
97
98	<bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
99
100	<bridgehead renderas="sect4">Optional</bridgehead>
101	<para role="optional">
102	<xref linkend="db"/>,
103	<xref linkend="libnsl"/>,
104	<xref linkend="libtirpc"/>,
105	<ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
106	<ulink url="https://www.prelude-siem.org">Prelude</ulink>
107	</para>
108
109	<bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
110	<para role="optional">
111	<xref linkend="DocBook"/>,
112	<xref linkend="docbook-xsl"/>,
113	<xref linkend="fop"/>,
114	<xref linkend="libxslt"/> and either
115	<xref linkend="lynx"/> or
116	<ulink url="&w3m-url;">W3m</ulink>
117	</para>
118
119	<note>
120	<para role="required">
121	<xref role="runtime" linkend="shadow"/>
122	<phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
123	must</phrase><phrase revision="sysv">must</phrase> be reinstalled
124	and reconfigured
125	after installing and configuring <application>Linux PAM</application>.
126	</para>
127
128	<para role="recommended">
129	With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
130	installed by default. Use <xref role="runtime" linkend="libpwquality"/>
131	to enforce strong passwords.
132	</para>
133	</note>
134
135	<para condition="html" role="usernotes">User Notes:
136	<ulink url="&blfs-wiki;/linux-pam"/>
137	</para>
138	</sect2>
139
140	<sect2 role="installation">
141	<title>Installation of Linux PAM</title>
142
143	<para revision="sysv">
144	First, prevent the installation of an unneeded systemd file:
145	</para>
146
147	<screen revision="sysv"><userinput>sed -e /service_DATA/d \
148	-i modules/pam_namespace/Makefile.am &&
149	autoreconf</userinput></screen>
150
151	<para>
152	If you downloaded the documentation, unpack the tarball by issuing
153	the following command.
154	</para>
155
156	<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
157
158	<para>
159	If you want to regenerate the documentation yourself, fix the
160	<command>configure</command> script so it will detect lynx:
161	</para>
162
163	<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
164	-e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
165	-i configure</userinput></screen>
166
167	<para>
168	Compile and link <application>Linux PAM</application> by
169	running the following commands:
170	</para>
171
172	<screen><userinput>./configure --prefix=/usr \
173	--sbindir=/usr/sbin \
174	--sysconfdir=/etc \
175	--libdir=/usr/lib \
176	--enable-securedir=/usr/lib/security \
177	--docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &&
178	make</userinput></screen>
179
180	<para>
181	To test the results, a suitable <filename>/etc/pam.d/other</filename>
182	configuration file must exist.
183	</para>
184
185	<caution>
186	<title>Reinstallation or Upgrade of Linux PAM</title>
187	<para>
188	If you have a system with Linux PAM installed and working, be careful
189	when modifying the files in
190	<filename class="directory">/etc/pam.d</filename>, since your system
191	may become totally unusable. If you want to run the tests, you do not
192	need to create another <filename>/etc/pam.d/other</filename> file. The
193	existing file can be used for the tests.
194	</para>
195
196	<para>
197	You should also be aware that <command>make install</command>
198	overwrites the configuration files in
199	<filename class="directory">/etc/security</filename> as well as
200	<filename>/etc/environment</filename>. If you
201	have modified those files, be sure to back them up.
202	</para>
203	</caution>
204
205	<para>
206	For a first-time installation, create a configuration file by issuing the
207	following commands as the <systemitem class="username">root</systemitem>
208	user:
209	</para>
210
211	<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
212
213	cat > /etc/pam.d/other << "EOF"
214	<literal>auth required pam_deny.so
215	account required pam_deny.so
216	password required pam_deny.so
217	session required pam_deny.so</literal>
218	EOF</userinput></screen>
219
220	<para>
221	Now run the tests by issuing <command>make check</command>.
222	Be sure the tests produced no errors before continuing the
223	installation. Note that the tests are very long.
224	Redirect the output to a log file, so you can inspect it thoroughly.
225	</para>
226
227	<para>
228	For a first-time installation, remove the configuration file
229	created earlier by issuing the following command as the
230	<systemitem class="username">root</systemitem> user:
231	</para>
232
233	<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
234
235	<para>
236	Now, as the <systemitem class="username">root</systemitem>
237	user:
238	</para>
239
240	<screen role="root"><userinput>make install &&
241	chmod -v 4755 /usr/sbin/unix_chkpwd</userinput></screen>
242
243	</sect2>
244
245	<sect2 role="commands">
246	<title>Command Explanations</title>
247
248	<para>
249	<parameter>--enable-securedir=/usr/lib/security</parameter>:
250	This switch sets the installation location for the
251	<application>PAM</application> modules.
252	</para>
253
254	<para>
255	<option>--disable-regenerate-docu</option> : If the needed dependencies
256	(<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
257	linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
258	url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
259	html and text documentation files, are generated and installed.
260	Furthermore, if <xref linkend="fop"/> is installed, the PDF
261	documentation is generated and installed. Use this switch if you do not
262	want to rebuild the documentation.
263	</para>
264
265	<para>
266	<command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
267	The setuid bit for the <command>unix_chkpwd</command> helper program must be
268	turned on, so that non-<systemitem class="username">root</systemitem>
269	processes can access the shadow file.
270	</para>
271
272	</sect2>
273
274	<sect2 role="configuration">
275	<title>Configuring Linux-PAM</title>
276
277	<sect3 id="pam-config">
278	<title>Configuration Files</title>
279
280	<para>
281	<filename>/etc/security/*</filename> and
282	<filename>/etc/pam.d/*</filename>
283	</para>
284
285	<indexterm zone="linux-pam pam-config">
286	<primary sortas="e-etc-security">/etc/security/*</primary>
287	</indexterm>
288
289	<indexterm zone="linux-pam pam-config">
290	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
291	</indexterm>
292
293	</sect3>
294
295	<sect3>
296	<title>Configuration Information</title>
297
298	<para>
299	Configuration information is placed in
300	<filename class="directory">/etc/pam.d/</filename>.
301	Here is a sample file:
302	</para>
303
304	<screen><literal># Begin /etc/pam.d/other
305
306	auth required pam_unix.so nullok
307	account required pam_unix.so
308	session required pam_unix.so
309	password required pam_unix.so nullok
310
311	# End /etc/pam.d/other</literal></screen>
312
313	<para>
314	Now create some generic configuration files. As the
315	<systemitem class="username">root</systemitem> user:
316	</para>
317
318	<screen role="root"><userinput>install -vdm755 /etc/pam.d &&
319	cat > /etc/pam.d/system-account << "EOF" &&
320	<literal># Begin /etc/pam.d/system-account
321
322	account required pam_unix.so
323
324	# End /etc/pam.d/system-account</literal>
325	EOF
326
327	cat > /etc/pam.d/system-auth << "EOF" &&
328	<literal># Begin /etc/pam.d/system-auth
329
330	auth required pam_unix.so
331
332	# End /etc/pam.d/system-auth</literal>
333	EOF
334
335	cat > /etc/pam.d/system-session << "EOF" &&
336	<literal># Begin /etc/pam.d/system-session
337
338	session required pam_unix.so
339
340	# End /etc/pam.d/system-session</literal>
341	EOF
342
343	cat > /etc/pam.d/system-password << "EOF"
344	<literal># Begin /etc/pam.d/system-password
345
346	# use sha512 hash for encryption, use shadow, and try to use any previously
347	# defined authentication token (chosen password) set by any prior module.
348	# Use the same number of rounds as shadow.
349	password required pam_unix.so sha512 shadow try_first_pass \
350	rounds=500000
351
352	# End /etc/pam.d/system-password</literal>
353	EOF
354	</userinput></screen>
355
356	<para>
357	If you wish to enable strong password support, install
358	<xref linkend="libpwquality"/>, and follow the
359	instructions on that page to configure the pam_pwquality
360	PAM module with strong password support.
361	</para>
362
363	<!-- With the removal of the pam_cracklib module, we're supposed to be using
364	libpwquality. That already includes instructions in its configuration
365	information page, so we'll use those instead.
366
367	Linux-PAM must be installed prior to libpwquality so that PAM support
368	is built in, and the PAM module is built.
369	-->
370	<!-- WARNING: If for any reason the instructions below are reinstated be
371	careful with the number of rounds, which should match the one in shadow.
372	<para>
373	The remaining generic file depends on whether <xref
374	linkend="cracklib"/> is installed. If it is installed, use:
375	</para>
376
377	<screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
378	<literal># Begin /etc/pam.d/system-password
379
380	# check new passwords for strength (man pam_cracklib)
381	password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
382	minlen=9 dcredit=1 ucredit=1 \
383	lcredit=1 ocredit=1 minclass=0 \
384	maxrepeat=0 maxsequence=0 \
385	maxclassrepeat=0 \
386	dictpath=/lib/cracklib/pw_dict
387	# use sha512 hash for encryption, use shadow, and use the
388	# authentication token (chosen password) set by pam_cracklib
389	# above (or any previous modules)
390	password required pam_unix.so sha512 shadow use_authtok
391
392	# End /etc/pam.d/system-password</literal>
393	EOF</userinput></screen>
394
395	<note>
396	<para>
397	In its default configuration, pam_cracklib will
398	allow multiple case passwords as short as 6 characters, even with
399	the <parameter>minlen</parameter> value set to 11. You should review
400	the pam_cracklib(8) man page and determine if these default values
401	are acceptable for the security of your system.
402	</para>
403	</note>
404
405	<para>
406	If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
407	use:
408	</para>
409
410	<screen role="nodump"><userinput>cat > /etc/pam.d/system-password << "EOF"
411	<literal># Begin /etc/pam.d/system-password
412
413	# use sha512 hash for encryption, use shadow, and try to use any previously
414	# defined authentication token (chosen password) set by any prior module
415	password required pam_unix.so sha512 shadow try_first_pass
416
417	# End /etc/pam.d/system-password</literal>
418	EOF</userinput></screen>
419	-->
420	<para>
421	Next, add a restrictive <filename>/etc/pam.d/other</filename>
422	configuration file. With this file, programs that are PAM aware will
423	not run unless a configuration file specifically for that application
424	exists.
425	</para>
426
427	<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
428	<literal># Begin /etc/pam.d/other
429
430	auth required pam_warn.so
431	auth required pam_deny.so
432	account required pam_warn.so
433	account required pam_deny.so
434	password required pam_warn.so
435	password required pam_deny.so
436	session required pam_warn.so
437	session required pam_deny.so
438
439	# End /etc/pam.d/other</literal>
440	EOF</userinput></screen>
441
442	<para>
443	The <application>PAM</application> man page (<command>man
444	pam</command>) provides a good starting point to learn
445	about the several fields, and allowable entries.
446	<!-- not accessible 2022-09-08 -->
447	<!-- it's available at a different address 2022-10-23-->
448	The
449	<ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
450	Linux-PAM System Administrators' Guide
451	</ulink> is recommended for additional information.
452	</para>
453
454	<important>
455	<para>
456	You should now reinstall the <xref linkend="shadow"/>
457	<phrase revision="sysv">package</phrase>
458	<phrase revision="systemd"> and <xref linkend="systemd"/>
459	packages</phrase>.
460	</para>
461	</important>
462
463	</sect3>
464
465	</sect2>
466
467	<sect2 role="content">
468	<title>Contents</title>
469
470	<segmentedlist>
471	<segtitle>Installed Program</segtitle>
472	<segtitle>Installed Libraries</segtitle>
473	<segtitle>Installed Directories</segtitle>
474
475	<seglistitem>
476	<seg>
477	faillock, mkhomedir_helper, pam_namespace_helper,
478	pam_timestamp_check, pwhistory_helper, unix_chkpwd and
479	unix_update
480	</seg>
481	<seg>
482	libpam.so, libpamc.so and libpam_misc.so
483	</seg>
484	<seg>
485	/etc/security,
486	/usr/lib/security,
487	/usr/include/security and
488	/usr/share/doc/Linux-PAM-&linux-pam-version;
489	</seg>
490	</seglistitem>
491	</segmentedlist>
492
493	<variablelist>
494	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
495	<?dbfo list-presentation="list"?>
496	<?dbhtml list-presentation="table"?>
497
498	<varlistentry id="faillock">
499	<term><command>faillock</command></term>
500	<listitem>
501	<para>
502	displays and modifies the authentication failure record files
503	</para>
504	<indexterm zone="linux-pam faillock">
505	<primary sortas="b-faillock">faillock</primary>
506	</indexterm>
507	</listitem>
508	</varlistentry>
509
510	<varlistentry id="mkhomedir_helper">
511	<term><command>mkhomedir_helper</command></term>
512	<listitem>
513	<para>
514	is a helper binary that creates home directories
515	</para>
516	<indexterm zone="linux-pam mkhomedir_helper">
517	<primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
518	</indexterm>
519	</listitem>
520	</varlistentry>
521
522	<varlistentry id="pam_namespace_helper">
523	<term><command>pam_namespace_helper</command></term>
524	<listitem>
525	<para>
526	is a helper program used to configure a private namespace for a
527	user session
528	</para>
529	<indexterm zone="linux-pam pam_namespace_helper">
530	<primary sortas="b-pam_namespace_helper">pam_namespace_helper</primary>
531	</indexterm>
532	</listitem>
533	</varlistentry>
534
535	<varlistentry id="pwhistory_helper">
536	<term><command>pwhistory_helper</command></term>
537	<listitem>
538	<para>
539	is a helper program that transfers password hashes from passwd or
540	shadow to opasswd
541	</para>
542	<indexterm zone="linux-pam pwhistory_helper">
543	<primary sortas="b-pwhistory_helper">pwhistory_helper</primary>
544	</indexterm>
545	</listitem>
546	</varlistentry>
547	<!-- Removed with the removal of the pam_tally{,2} module
548	<varlistentry id="pam_tally">
549	<term><command>pam_tally</command></term>
550	<listitem>
551	<para>
552	is used to interrogate and manipulate the login counter file.
553	</para>
554	<indexterm zone="linux-pam pam_tally">
555	<primary sortas="b-pam_tally">pam_tally</primary>
556	</indexterm>
557	</listitem>
558	</varlistentry>
559
560	<varlistentry id="pam_tally2">
561	<term><command>pam_tally2</command></term>
562	<listitem>
563	<para>
564	is used to interrogate and manipulate the login counter file, but
565	does not have some limitations that <command>pam_tally</command>
566	does.
567	</para>
568	<indexterm zone="linux-pam pam_tally2">
569	<primary sortas="b-pam_tally2">pam_tally2</primary>
570	</indexterm>
571	</listitem>
572	</varlistentry>
573	-->
574
575	<varlistentry id="pam_timestamp_check">
576	<term><command>pam_timestamp_check</command></term>
577	<listitem>
578	<para>
579	is used to check if the default timestamp is valid
580	</para>
581	<indexterm zone="linux-pam pam_timestamp_check">
582	<primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
583	</indexterm>
584	</listitem>
585	</varlistentry>
586
587	<varlistentry id="unix_chkpwd">
588	<term><command>unix_chkpwd</command></term>
589	<listitem>
590	<para>
591	is a helper binary that verifies the password of the current user
592	</para>
593	<indexterm zone="linux-pam unix_chkpwd">
594	<primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
595	</indexterm>
596	</listitem>
597	</varlistentry>
598
599	<varlistentry id="unix_update">
600	<term><command>unix_update</command></term>
601	<listitem>
602	<para>
603	is a helper binary that updates the password of a given user
604	</para>
605	<indexterm zone="linux-pam unix_update">
606	<primary sortas="b-unix_update">unix_update</primary>
607	</indexterm>
608	</listitem>
609	</varlistentry>
610
611	<varlistentry id="libpam">
612	<term><filename class="libraryfile">libpam.so</filename></term>
613	<listitem>
614	<para>
615	provides the interfaces between applications and the
616	PAM modules
617	</para>
618	<indexterm zone="linux-pam libpam">
619	<primary sortas="c-libpam">libpam.so</primary>
620	</indexterm>
621	</listitem>
622	</varlistentry>
623
624	</variablelist>
625
626	</sect2>
627
628	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: