PAM authentication (210.2)
The candidate should be able to configure PAM to support authentication using various available methods.
Key Knowledge Areas
- PAM configuration files, terms and utilities
- passwd and shadow passwords
- basic SSSD functionality for LDAP authentication
Terms and Utilities
- /etc/pam.d
- pam.conf
- nsswitch.conf
- pam_unix, pam_cracklib, pam_limits, pam_listfile
What is PAM?
PAM is the acronym for Pluggable Authentication Modules. PAM consists of a set of libraries and an API (Application Programming Interface) that can be used to perform authentication tasks. Privilege granting programs, such as login and su, use the API to perform standard authentication tasks.
How does it work?
PAM divides the work into four management groups, each handled by its own stack of modules:
account
- Provide account verification types of service: has the user's password expired? Is this user permitted access to the requested service?
authentication
- Establish if the user really is whom he claims to be. This can be done, for example, by asking for a password or, given the right module, by reading a chip-card or by performing a retinal or fingerprint scan.
password
- This group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the authentication group. Some authentication mechanisms lend themselves well to being updated. The user might be presented with a question like "Please enter the new password".
session
- This group of tasks covers things that should be done prior to a service being offered and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important as it provides both an opening and closing hook for modules that affect the services available to a user.
PAM can be configured using the file /etc/pam.conf, in which each line is one rule consisting of the following fields:
service
- This is the name of the application involved, for example: login, ssh or passwd.
type
- This is the type of group the task to be performed belongs to: account, auth (the authentication group), password or session.
control
- This field indicates what the PAM-API should do in case authentication fails for any module:
requisite
- Upon failure, the authentication process will be terminated immediately.
required
- Upon failure, the stack will still return failure, but only after the remaining modules for this service and type have been invoked.
sufficient
- Upon success, the authentication process will be satisfied, unless a prior required module has failed the authentication.
optional
- The success or failure of this module is only important if this is the only module associated with this service and this type.
module-path
- This is the filename, including the full path, of the PAM module that is to be used by the application.
module-arguments
- These are module specific arguments, separated by spaces, that are to be passed to the module. Refer to the specific module's documentation for further details.
Configuration is also possible using individual configuration files, which is recommended. These files should all be located in the /etc/pam.d directory. If this directory exists, the file /etc/pam.conf will be ignored. The filenames should all be lowercase and be identical to the name of the service, such as login. The format of these files is identical to /etc/pam.conf with the exception that there is no service field.
Modules
pam_unix
This module configures authentication via /etc/passwd and /etc/shadow.
account
- The type "account" does not authenticate the user but checks other things such as the expiration date of the password and might force the user to change his password based on the contents of the files /etc/passwd and /etc/shadow. Options for this type:
debug
- Log information using syslog.
audit
- Also logs information, even more than debug does.
auth
- The type "auth" checks the user's password against the password database(s). This component is configured in the file /etc/nsswitch.conf. Please consult the man page (man nsswitch.conf) for further details. Options for this type:
audit
- Log information using syslog.
debug
- Also logs information using syslog, but less than audit.
nodelay
- Disables the delay on failure, which defaults to one second.
nullok
- Allows empty passwords. Normally authentication fails if the password is blank.
try_first_pass
- Use the password from the previous stacked auth module and prompt for a new password if the retrieved password is blank or incorrect.
use_first_pass
- Use the result from the previous stacked auth module, never prompt the user for a password, and fail if that result was a failure.
password
- The type "password" changes the user's password. Options for this type:
audit
- Log information using syslog.
bigcrypt
- Use the DEC "C2" extension to crypt().
debug
- Also logs information using syslog, but less than audit.
md5
- Use MD5 password hashes instead of the traditional crypt() hash.
nis
- Use NIS (Network Information Service) passwords.
not_set_pass
- Don't use the passwords from other stacked modules and do not give the new password to other stacked modules.
nullok
- Allows empty passwords. Normally authentication fails if the password is blank.
remember
- Remember the last n passwords to prevent the user from using one of the last n passwords again.
try_first_pass
- Use the password from the previous stacked auth module, and prompt for a new password if the retrieved password is blank or incorrect.
use_authtok
- Set the new password to the one provided by a previous module.
use_first_pass
- Use the result from the previous stacked auth module, never prompt the user for a password, and fail if that result was a failure.
session
- The type "session" uses syslog to log the user's name and session type at the start and end of a session. The "session" type does not support any options.
For each service that requires authentication a file with the name of that service must be created in /etc/pam.d. Examples of those services are: login, ssh, ppp, su.
For example purposes the file /etc/pam.d/login will be used.
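To see how the control flags above combine the results of stacked modules, here is an added example (not the guide's own /etc/pam.d/login listing) that parses a constructed pam.d-style stack and walks it the way requisite, required, sufficient and optional are described; the module results passed to evaluate() are constructed as well.

```python
"""Walk a PAM stack the way the requisite/required/sufficient/optional
control flags described above combine module results. Added example; the
stack and the module results are constructed, not the guide's own
/etc/pam.d/login listing."""
from typing import Dict, List, Tuple

# Constructed /etc/pam.d/login-style rules: type control module-path [args]
LOGIN_STACK = """\
auth     requisite   pam_listfile.so  item=user sense=deny file=/etc/login.deny
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so      try_first_pass
account  required    pam_unix.so
"""


def parse_stack(text: str, mgmt_type: str) -> List[Tuple[str, str]]:
    """Return the (control, module-path) pairs of one management group."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            rules.append((fields[1], fields[2]))
    return rules


def evaluate(rules: List[Tuple[str, str]],
             results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """results maps module-path -> True (PAM_SUCCESS) or False (failure).
    Returns (overall result, modules actually invoked, in stack order)."""
    invoked: List[str] = []
    required_failed = False
    last_optional = None
    for control, module in rules:
        ok = results.get(module, False)      # unknown module counts as failure
        invoked.append(module)
        if control == "requisite" and not ok:
            return False, invoked            # terminate immediately
        if control == "required" and not ok:
            required_failed = True           # keep invoking the rest, fail at the end
        if control == "sufficient" and ok and not required_failed:
            return True, invoked             # satisfied; later rules are skipped
        if control == "optional":
            last_optional = ok               # decisive only when it is the sole rule
    if len(rules) == 1 and rules[0][0] == "optional":
        return bool(last_optional), invoked
    return not required_failed, invoked
```

Note that a sufficient success after a failed required module does not rescue the login, and that a required failure still lets the later modules run, which is why a user cannot tell from the prompts which module rejected them.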
pam_nis
This module configures authentication via NIS. To be able to authenticate via NIS, the module pam_nis.so is needed. This module can be found at PAM NIS Authorisation Module.
To set up things in such a way that NIS authentication is sufficient (and if that is not the case try pam_unix.so), the lines that do the trick are placed in /etc/pam.d/login.
pam_ldap
This module configures authentication via LDAP. To be able to authenticate via LDAP, the module pam_ldap.so is needed. This module can be found at PADL Software Pty Ltd.
To set up things in such a way that LDAP authentication is sufficient (and if that is not the case try pam_unix.so), the lines that do the trick are placed in /etc/pam.d/login.
pam_cracklib
This plugin provides strength-checking for passwords. This is done by performing a number of checks to ensure passwords are not too weak. It checks the password against dictionaries, the previous password(s) and rules about the use of numbers, upper and lowercase and other characters.
pam_limits
The pam_limits PAM module sets limits on the system resources that can be obtained in a user session. Users with uid=0 are affected by these limits, too. By default limits are taken from the /etc/security/limits.conf config file. Then individual files from the /etc/security/limits.d/ directory are read. The files are parsed one after another in the order of the "C" locale. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing. If a config file is explicitly specified with a module option then the files in the above directory are not parsed. The module must not be called by a multithreaded application.
pam_listfile
This module allows or denies an action based on the presence of the item in a listfile. A listfile is a text file containing one entry per line, for example one username per line. The type of item can be set via the configuration parameter item and can have the value of user, tty, rhost, ruser, group, or shell. The sense configuration parameter determines whether the entries in the list are allowed or denied. Possible values are allow and deny.
SSSD
Configure SSSD for LDAP authentication
The following steps describe the configuration of SSSD to use LDAP for authentication:
1. Install the packages that SSSD and its LDAP backend require, using your package manager.
2. Check the current settings for sssd, if any.
This will show you the current settings which are already in place. Also check for an existing /etc/sssd/sssd.conf file. On a fresh installation you can expect all settings to be disabled and that the sssd.conf file will not be present.
3. Now configure sssd.
4. Check the configuration in /etc/sssd/sssd.conf.
In case you're using TLS make sure that the ldap_tls_cacertdir and ldap_tls_cacert parameters are configured correctly and point to your certificates. Also change ldap_id_use_start_tls to "True".
Apply the changes and verify that all of them are effective.
5. Update /etc/openldap/ldap.conf to use the same LDAP settings as sssd.conf.
Please note that TLS_REQUIRE is set to never. This is done in order to avoid issues with application stacks like PHP, which have difficulties with LDAPS and TLS.
6. Make sure that sssd is up and running and that it will be started after a system reboot. Run systemctl status sssd to check this. To start sssd, run systemctl start sssd and to make sssd persistent across reboots, run systemctl enable sssd.