PAM
Note: This page is quite old and is likely out of date. My opinions may have also changed dramatically since this was written. It is here as a reference until I get around to updating it.
Overview
/etc/pam.d/
directory contains the PAM configuration files for each PAM-aware
application. Each pam aware configuration file has lines in the format of:
<module interface> <control flag> <module> <module arguments>
Module Interfaces
There are only four module interfaces:
- account - Verify access is allowed. Check if account has expired, time of day checks, etc
- auth - Authenticates use, verifies the validity of a password, set credentials & group memberships & kerberos tickets
- password - Used for updating credentials
- session - Additional tasks performed after access has been granted, stuff like mounting user directories and making users mailbox available.
A module can provide any or all module interfaces.
Module interface directives can be 'stacked' so that multiple modules are used together for one purpose. The order of these directives. Commented out lines start with '#'.
Control flags
- include - The module name that is provided will not load a module, but rather include another pam configuration file at this point in the config.
- optional - The module result is ignored, this is only becomes necessary for successful authentication when no other modules reference the interface.
- required - The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all modules tests that reference that interface are complete.
- requisite - The module result must be successful for authentication to continue. If a test fails at this point, the uesr is notified immediately with a message reflecting the first failed required or requisite module test.
- sufficient - The module result is ignored if it fails. However, if the result of a module flagged sufficient is successful and no previous modules flagged required have failed, then no other results are required and the request succeeds.
Module
Available modules can be found in /lib/security
or /lib64/security
depending on the system architecture.
Module Arguments
These are module dependent refer to the man page of the module.
Confusing Lines I Don't Understand
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
pam_cracklib
pam_cracklib
allows for quick quality control settings of passwords. It
allows minimum requirements of the number of different types of characters that
need to be used in a password before it can be used. It also checks the
password against a dictionary.
By default it checks against a dictionary but that really isn't enough for good
password security. Further password control can be accomplished using
pam_passwdqc
.
Default:
password requisite pam_cracklib.so try_first_pass retry=3 type=
Recommended (require one of each type, minimum length 14):
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Other (credit based):
password requisite pam_cracklib.so try_first_pass retry=3 minlen=22 dcredit=2 ocredit=4
The credit based system requires a bit of explaining, it requires a 22 character password and treats numbers as 2 characters and symbols as 4 characters. This can be dangerous as you can have an 11 digit number as a password which isn't secure...
pam_passwdqc
pam_passwdqc
replaces pam_cracklib
in checking the quality of the password.
To use it you need to comment out pam_cracklib
in /etc/pam.d/system-auth
.
You'll need to add this line to the /etc/pam.d/system-auth
:
password requisite pam_passwdqc.so retry=3 min=disabled,disabled,22,16,12 passphrase=4 similar=deny enforce=users
What this does is it prevent any passwords with one or two character types. Requires a password with three character types to be a minimum of 16 characters and one with four character types to be a minimum of 12 characters.
The middle option (22) is the minimum length of a passphrase (grouping of words found in the dictionary file). The minimum number of words is controlled by the passphrase option.
It denies similar passwords as previous ones and only enforces quality control for root passwords (since they're sha512 hashes they only have two character classes and would thus be denied).
This is untested but to the best of my knowledge passphrases still need to be at least three character classes (since one and two are disabled).
pam_tally2
pam_tally2
comes with Fedora's pam package so it will be installed. It's very
useful to prevent bruteforce attempts BUT it can also used to lock access out
to a legitimate user. It is recommended to not turn this on for the entire
system but just remote login services that use pam (for example SSH).
To use it you need to add the following line to the services pam file. So for
SSH the file would be /etc/pam.d/sshd
. The following is what needs to be
added:
auth required pam_tally2.so deny=5 onerr=fail audit silent
account required pam_tally2.so
You'll also need to change:
auth sufficient pam_unix.so nullok try_first_pass
To:
auth required pam_unix.so nullok try_first_pass
And get rid of the following two lines as they will interfere with the rest of the changes:
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
Resetting a User's Account
Information about users password tally can be found in /var/log/tallylog
.
[root@localhost ~]# /sbin/pam_tally2 --user username --reset
Automatic Unlocking
Additionally adding unlock_time=1800
. This allows the user to log back in
half an hour after the account has been locked.
e0ae306a @ 2024-07-15