Pluggable authentication modules
Yahia_Kandeel
1,838 views
20 slides
Jun 17, 2013
Slide 1 of 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
About This Presentation
PAM Administration
Slide Content
Yahia Kandeel
GCIH, GSEC, RHCE, CEH, CCNA, MCP
IP Backbone Security Engineer
Etisalat
GCIH, GSEC, RHCE, CEH, CCNA, MCP
IP Backbone Security Engineer
Etisalat
Discretionary Access Controls
SeLinux
TCPWrappers
Xinetd
IPTables
Pluggable Authentication Module
Application Access Control
SeLinux
TCPWrappers
Xinetd
IPTables
Pluggable Authentication Module
Application Access Control
Historically ..
Each program had its own way of authenticating
users ..
PAM
Pluggable, modular architecture
Affords the system administrator a great deal of
flexibility in setting authentication policies for the
system.
Each program had its own way of authenticating
users ..
PAM
Pluggable, modular architecture
Affords the system administrator a great deal of
flexibility in setting authentication policies for the
system.
Centralized authentication mechanism
/etc/pam.d/ contains the PAM configuration files for each
PAM-aware application
All supported PAM Modules under /lib/security/directory
/etc/pam.d/ contains the PAM configuration files for each
PAM-aware application
All supported PAM Modules under /lib/security/directory
auth
This module authenticatesusers against database
account
This module verifies that access is allowed. (e.git checks
expirationand timerestrictions)
password
This module is used for changinguser passwords.
session
This module configures and manages user sessions (e.g
mounting a user's home directory and making the user's
mailbox available.)
This module authenticatesusers against database
account
This module verifies that access is allowed. (e.git checks
expirationand timerestrictions)
password
This module is used for changinguser passwords.
session
This module configures and manages user sessions (e.g
mounting a user's home directory and making the user's
mailbox available.)
An individual module can provideany or all module interfaces. For
instance, pam_unix.soprovides all four module interfaces.
Module interface directives can be stacked, or placed upon one
another, so that multiple modules are used together for one purpose.
Each PAM modules generate a success or failure resultwhen called.
Control flags tell PAM what to do with the result.
Orderingis very Important ..
/etc/pam.d/system-auth:
A common interfacefor all applications and service daemons calling into the
PAM library.
instance, pam_unix.soprovides all four module interfaces.
Module interface directives can be stacked, or placed upon one
another, so that multiple modules are used together for one purpose.
Each PAM modules generate a success or failure resultwhen called.
Control flags tell PAM what to do with the result.
Orderingis very Important ..
/etc/pam.d/system-auth:
A common interfacefor all applications and service daemons calling into the
PAM library.
Required
If success continue checking, if fail continue with failure
Requisite
If success continuechecking, if fail abortwith failure
Sufficient
If success grant access immediately, if fail ignore
Optional
The module result is ignored.
Include
Interpret the given file. All lines in the given file are treatedas they
were present in this configuration file
If success continue checking, if fail continue with failure
Requisite
If success continuechecking, if fail abortwith failure
Sufficient
If success grant access immediately, if fail ignore
Optional
The module result is ignored.
Include
Interpret the given file. All lines in the given file are treatedas they
were present in this configuration file
Name Description
pam_unix Module for traditional password authentication
pam_rootok Gain only root access
pam_permit The promiscuous module
pam_nologin Prevent non rootuses
pam_listfile deny or allow services based on an arbitrary file
pam_tally2 The login counter (tallying) module
pam_succeed_iftest account characteristics
pam_deny The locking
pam_limits PAM module to limit resources
pam_timestamp Auth using cached successful auth attempts
pam_time PAM module for time control access
pam_cracklib Check the password against dictionary words
pam_unix Module for traditional password authentication
pam_rootok Gain only root access
pam_permit The promiscuous module
pam_nologin Prevent non rootuses
pam_listfile deny or allow services based on an arbitrary file
pam_tally2 The login counter (tallying) module
pam_succeed_iftest account characteristics
pam_deny The locking
pam_limits PAM module to limit resources
pam_timestamp Auth using cached successful auth attempts
pam_time PAM module for time control access
pam_cracklib Check the password against dictionary words
Test account characteristics ..
Synopsis: pam_succeed_if.so [flag...][condition...]
Flags:
Conditions:
auth required pam_succeed_if.so use_uiduser ingroupwheel
use_uid
Evaluate conditions using the account of the user whose UID the
application is running under instead of the user being authenticated.
quiet Don´t log failure or success to the system log.
Field Test Value
user ingroup Wheel
uid >= 500
Synopsis: pam_succeed_if.so [flag...][condition...]
Flags:
Conditions:
auth required pam_succeed_if.so use_uiduser ingroupwheel
use_uid
Evaluate conditions using the account of the user whose UID the
application is running under instead of the user being authenticated.
quiet Don´t log failure or success to the system log.
Field Test Value
user ingroup Wheel
uid >= 500
Authenticate using cached successful authentication
attempts.
Synopsis: pam_timestamp.so [timestamp_timeout=number]
The auth and session module types are provided.
authsufficient pam_timestamp.so
auth required pam_unix.so
session required pam_unix.so
session optional pam_timestamp.so
/etc/pam.d/wireshark
attempts.
Synopsis: pam_timestamp.so [timestamp_timeout=number]
The auth and session module types are provided.
authsufficient pam_timestamp.so
auth required pam_unix.so
session required pam_unix.so
session optional pam_timestamp.so
/etc/pam.d/wireshark
Wireshark
Timestamp
Only for specific users
Timestamp
Only for specific users
Deny or allow using services based on an arbitrary file
Synopsis:
pam_listfile.so item=[user|rhost|group|shell] sense=[allow|deny]
file=/path/filename onerr=[succeed|fail]
auth required pam_listfile.so item=user onerr=fail
file=/etc/ssh.allowsense=allow
item What is listed in the file and should be checked for.
sense Action to take if found in file
onerr What to do if something weird happens like being unable to open the file
/etc/pam.d/sshd
Synopsis:
pam_listfile.so item=[user|rhost|group|shell] sense=[allow|deny]
file=/path/filename onerr=[succeed|fail]
auth required pam_listfile.so item=user onerr=fail
file=/etc/ssh.allowsense=allow
item What is listed in the file and should be checked for.
sense Action to take if found in file
onerr What to do if something weird happens like being unable to open the file
/etc/pam.d/sshd
Enable or disable TTY auditing for specified users.
Synopsis: pam_tty_audit.so [disable=patterns] [enable=patterns]
To view the data that was logged by the kernel to audit use
the command #aureport--tty.
session required pam_tty_audit.so disable=* enable=root
/etc/pam.d/sshd
Synopsis: pam_tty_audit.so [disable=patterns] [enable=patterns]
To view the data that was logged by the kernel to audit use
the command #aureport--tty.
session required pam_tty_audit.so disable=* enable=root
/etc/pam.d/sshd
The login counter.
Synopsis:
pam_tally2.so [onerr=[fail|succeed]] [even_deny_root] [deny=n]
[unlock_time=n] [root_unlock_time=n] [audit]
To view the status for locked users run this command
#pam_tally-u username
auth requiredpam_tally2.so deny=4
even_deny_rootunlock_time=1200
/etc/pam.d/sshd
Synopsis:
pam_tally2.so [onerr=[fail|succeed]] [even_deny_root] [deny=n]
[unlock_time=n] [root_unlock_time=n] [audit]
To view the status for locked users run this command
#pam_tally-u username
auth requiredpam_tally2.so deny=4
even_deny_rootunlock_time=1200
/etc/pam.d/sshd
PAM module to limit resources
Synopsis: pam_limits.so [change_uid] [conf=/path/to/limits.conf]
By default limits are taken from the /etc/security/limits.conf
session required pam_limits.so
/etc/pam.d/sshd
<domain> <type><item> <value>
student - maxlogins 1
/etc/security/limits.conf
CPU
Maxlogin
Priority
Memlock
Hard
Soft
-
Username
@Group
uid:uid
*
Synopsis: pam_limits.so [change_uid] [conf=/path/to/limits.conf]
By default limits are taken from the /etc/security/limits.conf
session required pam_limits.so
/etc/pam.d/sshd
<domain> <type><item> <value>
student - maxlogins 1
/etc/security/limits.conf
CPU
Maxlogin
Priority
Memlock
Hard
Soft
-
Username
@Group
uid:uid
*
PAM module for time control access
Synopsis: pam_time.so [noaudit]
The time access rules are taken from /etc/security/time.conf
account required pam_time.so
/etc/pam.d/sshd
services; ttys;users; times
sshd; * ; !root ; Wk0800-1700
/etc/security/time.conf
Users
Groups
tty
ttyp*
*
sshd
login
Synopsis: pam_time.so [noaudit]
The time access rules are taken from /etc/security/time.conf
account required pam_time.so
/etc/pam.d/sshd
services; ttys;users; times
sshd; * ; !root ; Wk0800-1700
/etc/security/time.conf
Users
Groups
tty
ttyp*
*
sshd
login
SSHD:
Limit # of concurrent sessions
At specific time
For specific users
Max number of failed
logins
Audit user activities
SU:
Only Specific users can escalate their priviledges
Limit # of concurrent sessions
At specific time
For specific users
Max number of failed
logins
Audit user activities
SU:
Only Specific users can escalate their priviledges
References:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-
pam.html
http://www.informit.com/articles/article.aspx?p=20968
Linux man pages
Contacts:
[email protected]
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-
pam.html
http://www.informit.com/articles/article.aspx?p=20968
Linux man pages
Contacts:
[email protected]
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 1,838
- Slides 20
- Age 4552 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
48 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
21
Know for Certain
DaveSinNM
22 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views