Beyond Linux® From Scratch - Version 7.4

Chapter 4. Security

Linux-PAM-1.1.7

Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.

This package is known to build using an LFS 7.4 platform but has not been tested.

Package Information

Additional Downloads

Optional Documentation

Linux PAM Dependencies

Optional

Berkeley DB-6.0.20, CrackLib-2.9.0, libtirpc-0.2.3 and Prelude

Optional (To Rebuild the Documentation)

docbook-xml-4.5, docbook-xsl-1.78.1, fop-1.1, libxslt-1.1.28 and w3m-0.5.3

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/linux-pam

Installation of Linux PAM

If you downloaded the documentation, unpack the tarball by issuing the following command. 

tar -xf ../Linux-PAM-1.1.7-docs.tar.bz2 --strip-components=1

Install Linux PAM by running the following commands: 

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --docdir=/usr/share/doc/Linux-PAM-1.1.7 \
            --disable-nis &&
make

To test the results, a configuration file must be created. This file will be removed after the tests have completed. Ensure there are no errors produced by the tests before continuing the installation. First create the configuration file by issuing the following commands as the root user: 

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF

Now run the tests by issuing make check.

Remove the configuration file created earlier by issuing the following command as the root user: 

rm -rfv /etc/pam.d

Now, as the root user: 

make install &&
chmod -v 4755 /sbin/unix_chkpwd

Command Explanations

--disable-nis: This switch disables building of the Network Information Service/Yellow Pages support in pam_unix and pam_access modules. Remove it if you have installed libtirpc-0.2.3.

chmod -v 4755 /sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid so that non-root processes can access the shadow file.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Below is an example file: 

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

Refer to http://debian.securedservers.com/kernel/pub/linux/libs/pam/modules.html for a list of various third-party modules available.

[Important]

Important

You should now reinstall the Shadow-4.1.5.1 package.

Contents

Installed Program: mkhomedir_helper, pam_tally, pam_tally2, pam_timestamp_check, unix_chkpwd and unix_update
Installed Libraries: libpam.so, libpamc.so and libpam_misc.so
Installed Directories: /etc/security, /lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.1.7

Short Descriptions

mkhomedir_helper

is a helper binary that creates home directories.

pam_tally

is used to interrogate and manipulate the login counter file.

pam_tally2

is used to interrogate and manipulate the login counter file, but does not have some limitations that pam_tally does.

pam_timestamp_check

is used to check if the default timestamp is valid

unix_chkpwd

is a helper binary that verifies the password of the current user.

unix_update

is a helper binary that updates the password of a given user.

libpam.so

provides the interfaces between applications and the PAM modules.

Last updated on 2013-09-12 20:08:10 -0700