Linux-PAM Modules

Configure and Use Linux-PAM

In the previous post, we talked about the Linux iptables firewall, and some people asked about authentication. Today we will talk about the powerful framework Linux uses for authentication: Linux-PAM. PAM, or Pluggable Authentication Modules, is the management layer that sits between Linux applications and the system's native authentication mechanisms.


Linux-PAM Benefit

Many programs on your system use PAM, such as su, passwd, sshd and login, and so do many other services; we will discuss some of them.

PAM's main job is to authenticate your users, but as we will see it also handles account checks, session setup and password changes.

Traditionally, authentication on Linux meant hashing the entered password and comparing it with the hash stored in /etc/shadow, and every program that needed authentication implemented that check itself.

We run many services that require authentication, such as SSH, FTP, TELNET and IMAP, so without a common layer we would end up with many authentication files and code paths besides /etc/shadow to maintain, and any inconsistency between them could become a serious problem.

Here comes PAM. With Linux-PAM, the application only calls the PAM library; which checks are made, and against which user database, is decided in configuration files, so the system administrator can use the same user database and the same policy for every service if he wants to.

To check whether a program uses Linux-PAM, look for the PAM library among its shared-library dependencies:

$ ldd /bin/su | grep libpam

You should see libpam.so (usually libpam.so.0) in the output.

Linux-PAM Configuration

The configuration of Linux-PAM can be done in one of two ways: either everything in the single file /etc/pam.conf, or one file per service in the directory /etc/pam.d/. If the directory /etc/pam.d/ exists, the library uses it and ignores /etc/pam.conf.

The second way is better because it makes it easy to work with each service individually, and it is what every current distribution ships.

Some PAM modules have their own configuration files in addition to the PAM stack. You will find most of them in /etc/security, for example access.conf for pam_access and limits.conf for pam_limits.

If PAM is incorrectly configured, your environment can easily be compromised: a mistake in these files can lock everyone out, or let everyone in.

PAM Services

A PAM module can authenticate users against any backend: the local /etc/passwd and /etc/shadow files, a database, an LDAP directory, or anything else someone has written a module for.

A PAM service module is a shared library (a .so file) that provides authentication and other security services to applications such as login and FTP servers.

The four types of PAM service modules:

  • Authentication service modules
  • Account management modules
  • Session management modules
  • Password management modules

Any application that requires authentication registers with PAM using a service name; that name selects the file in /etc/pam.d/ whose stack will be run.

You can list the services that use Linux-PAM on your system:

$ ls /etc/pam.d/

If you open any service file, you will see that each line is divided into three columns (in /etc/pam.conf there is an extra first column holding the service name). The first column is the management group (also called the module type), the second is the control flag and the third is the module (a .so file) used.

$ cat /etc/pam.d/sshd

account    required     pam_nologin.so

Taking that line from the sshd file: account is the management group, required is the control flag and the module used is pam_nologin.so.

You may find a fourth column, which holds the parameters passed to the module.

Management Groups

There are four management groups you will see in PAM service files:

  • Auth group: verifies that the user is who he claims to be, usually by asking for a password, and can also grant group memberships or other credentials
  • Account group: access control that is not about the password: has the account expired, is login allowed at this time of day or from this host, is this service allowed for this user
  • Session group: responsible for what is done before and after the user gets the service, such as mounting the home directory, applying resource limits and logging the session
  • Password group: only used when a user wishes to update the password (the authentication token)

Control Flags

We have four control flags in service files (the full [value=action ...] syntax is more expressive; these four keywords are shorthand for common cases of it):

  • Requisite: the strictest flag. If a requisite module fails, PAM stops processing the stack at once and returns the failure to the calling application.
  • Required: in case of failure, execution is not stopped and continues to the next module, but the failure is remembered. After all modules have been executed, if one or more required modules failed, PAM returns failure to the calling application (with the error of the first one that failed).
  • Sufficient: if a sufficient module returns OK and no earlier required module has failed, processing stops and PAM returns success; a failing sufficient module is simply ignored.
  • Optional: the result is ignored unless it is the only result the stack produced, for example when it is the only module in the stack.

You will also see the keywords include and substack, which pull in the stack of another file (such as common-auth or system-auth); they are not control flags in the above sense.

Modules Order

The Linux-PAM modules in a stack are tried one by one, top to bottom.

The order is important because the effect of one module (a remembered failure, or a sufficient success) decides what the following modules can still change, and some modules need the work of an earlier one, such as a prompted password, to do their job.

If you try a configuration like the following to log in:

That will work properly, but if you change the order like this:

No one can log in, so the order matters.

Keep in mind that pam_deny can be added as the last module of any stack for every service as a failsafe, so that a stack in which the real checks were skipped or ignored still ends in a failure.
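The effect of the control flags and of module order can be tried out without editing anything under /etc/pam.d/. The following Python script is an added example and not code from the original post or from Linux-PAM: it parses lines in the /etc/pam.d/<service> format and replays a stack according to the rules above, with each module's return value simulated (pam_unix stands for the password check; pam_deny always fails and pam_permit always succeeds, which is how those two real modules behave). The three stacks are constructed for the example: the first works, the second is the reversed order that locks everyone out, and the third shows why the pam_deny failsafe matters: an optional module that happens to succeed after a failed sufficient one turns a wrong password into a successful login.

```python
"""PAM stack replay: parse /etc/pam.d/<service>-style lines and apply the
required / requisite / sufficient / optional rules of pam.conf(5).
Added example for this post; module results are simulated, nothing
here calls libpam."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One configuration line: group, control (a keyword or the bracketed
# [value=action ...] form), module, then optional arguments.
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed stacks in the /etc/pam.d/<service> format (not from the post).
GOOD_ORDER = """\
auth  sufficient  pam_unix.so
auth  required    pam_deny.so
"""
BAD_ORDER = """\
auth  required    pam_deny.so
auth  sufficient  pam_unix.so
"""
NO_FAILSAFE = """\
auth  sufficient  pam_unix.so
auth  optional    pam_permit.so
"""


@dataclass
class Entry:
    group: str                                  # auth, account, session, password
    control: str                                # required, requisite, ...
    module: str                                 # e.g. pam_unix.so
    args: List[str] = field(default_factory=list)


def parse_stack(text: str, group: str) -> List[Entry]:
    """Entries of one management group, in file order. Comments and blank
    lines are skipped; a leading '-' on the group (e.g. -session) marks a
    module that PAM ignores if its .so is missing, and is stripped here."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        g, control, module, args = m.groups()
        if g.lstrip("-") == group:
            entries.append(Entry(group, control, module, args.split()))
    return entries


def evaluate(entries: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Replay a stack. outcomes maps module name -> True (PAM_SUCCESS) or
    False (any error); a module absent from outcomes counts as failing,
    as a missing or broken .so does. Returns (access granted?, trace)."""
    verdict = None      # None: nothing decided yet; True/False otherwise
    trace = []
    for e in entries:
        ok = outcomes.get(e.module, False)
        trace.append(f"{e.control:<10} {e.module:<16} {'success' if ok else 'failure'}")
        if e.control not in ("required", "requisite", "sufficient", "optional"):
            raise NotImplementedError(f"control {e.control!r} is not replayed here")
        if ok:
            if verdict is None:          # a success never undoes an earlier failure
                verdict = True
            if e.control == "sufficient":
                trace.append("sufficient success: stack stops here")
                break
        elif e.control in ("required", "requisite"):
            verdict = False              # remembered; later successes cannot undo it
            if e.control == "requisite":
                trace.append("requisite failure: stack stops here")
                break
        # failures of sufficient and optional modules are ignored
    # A stack that never produced a positive result (empty, or every module
    # ignored) is denied by PAM, so only an explicit True grants access.
    return verdict is True, trace


def login_allowed(stack: str, password_ok: bool) -> bool:
    """Simulate one login attempt against an auth stack."""
    outcomes = {"pam_unix.so": password_ok,   # stands for the password check
                "pam_deny.so": False,         # the real module always fails
                "pam_permit.so": True}        # the real module always succeeds
    granted, _ = evaluate(parse_stack(stack, "auth"), outcomes)
    return granted


if __name__ == "__main__":
    for name, stack in (("GOOD_ORDER", GOOD_ORDER), ("BAD_ORDER", BAD_ORDER),
                        ("NO_FAILSAFE", NO_FAILSAFE)):
        print(f"{name}: correct password -> {login_allowed(stack, True)}, "
              f"wrong password -> {login_allowed(stack, False)}")
```

Run it directly to see the three verdicts; the trace returned next to each verdict shows which line stopped the stack. The bracketed [value=action] form and the include/substack keywords are parsed but not replayed here.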

PAM Modules

There are PAM modules shipped with your system that you should know about, so you can use them correctly.

pam_succeed_if Module

This module tests properties of the account being authenticated (uid, gid, user name, shell, home directory and so on) and succeeds or fails according to the condition you give, so it can be used to restrict access to listed users or groups. Each part of the condition is a separate argument, so leave spaces around the operator:

auth required pam_succeed_if.so gid = 1000

If the user's primary group ID is not 1000, the module fails and, because of the required flag, the login fails. Note that gid is the primary group only; for "member of any of these groups" use ingroup, shown below.

You can use uid instead:

auth requisite pam_succeed_if.so uid >= 1000

In this example only users with an ID greater than or equal to 1000 (regular users, not root or system accounts) get past this line; being requisite, the stack stops right here for everyone else, before they are even asked for a password if the line sits above pam_unix.

You can also use the ingroup operator (several groups can be given separated by colons):

auth required pam_succeed_if.so user ingroup mygroup

Only members of the group named mygroup can log in. Add the quiet option if you do not want a log entry for every rejection.

pam_nologin Module

If the file /etc/nologin exists, this module refuses every user except root and shows the file's contents to the rejected user; if the file does not exist, it succeeds and valid users can log in. It is meant for maintenance windows: create /etc/nologin to keep users out while you work, and delete it afterwards.

auth required pam_nologin.so

Add this line to the login service file (most distributions already ship it in login and sshd) and create /etc/nologin, so that only root can log in.

This module is used with the auth and account management groups.

pam_access Module

The pam_access module can be used for the same kind of restriction as pam_succeed_if, but pam_access is focused on where the login comes from: its rules combine users or groups with origins (host names, IP addresses, network ranges, ttys), while pam_succeed_if has no idea where the user is coming from.

account required pam_access.so accessfile=/etc/security/access.conf

The restrictions are configured in /etc/security/access.conf (the accessfile parameter is only needed if you keep the rules somewhere else).

You can write the rules in access.conf like this:

Only users who are members of the mygroup group are allowed to log in, and everyone else is denied.

Each rule has three colon-separated fields, permission : users : origins, where a plus sign means allow and a minus sign means deny. The first rule that matches decides, and if no rule matches, access is allowed, so a policy that is meant to be restrictive must end with a line that denies ALL from ALL.

This module is used with the auth, account, session and password management groups.
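To check a policy before deploying it, here is an added Python example (not from the original post and not pam_access itself) that reads rules in the access.conf format and answers whether a given user, group list and origin would be allowed. It implements the subset of the syntax discussed above: the three colon-separated fields, user names, (group) entries, ALL, LOCAL, host names, domain suffixes and the EXCEPT keyword; real pam_access also handles IP addresses, network masks and more. The policy in the block is constructed for the example. LOCAL is treated as "an origin without a dot", which is an assumption taken from the classic access.conf(5) description; check the man page of your Linux-PAM version, since the exact meaning of that keyword has changed over time.

```python
"""Offline matcher for /etc/security/access.conf rules in the subset of the
syntax described in the post. Added example; not pam_access itself."""
from typing import Callable, List, Tuple

# Constructed policy, not from the post: members of mygroup from anywhere,
# root from local origins only, everyone else refused. The last line is
# essential: pam_access ALLOWS access when no rule matches.
ACCESS_CONF = """\
# permission : users/groups : origins
+ : (mygroup) : ALL
+ : root : LOCAL
- : ALL : ALL
"""

Rule = Tuple[str, List[str], List[str]]


def parse_access_conf(text: str) -> List[Rule]:
    """Each rule is 'permission : users : origins'; items inside a field
    are separated by whitespace. Comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"bad access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _list_matches(items: List[str], match: Callable[[str], bool]) -> bool:
    """A list matches if any item does; 'a b EXCEPT c' means a or b but not c."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _list_matches(items[:i], match) and not _list_matches(items[i + 1:], match)
    return any(match(item) for item in items)


def _user_item(item: str, user: str, groups: List[str]) -> bool:
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # (group) entry
        return item[1:-1] in groups
    return item == user


def _origin_item(item: str, origin: str) -> bool:
    if item == "ALL":
        return True
    if item == "LOCAL":            # assumption: classic "no dot in the origin" rule
        return "." not in origin
    if item.startswith("."):       # domain suffix such as .example.com
        return origin.endswith(item)
    return item == origin          # exact host name, address or tty


def access_allowed(rules: List[Rule], user: str, groups: List[str], origin: str) -> bool:
    """First matching rule wins; no matching rule means access is allowed."""
    for permission, users, origins in rules:
        if (_list_matches(users, lambda u: _user_item(u, user, groups))
                and _list_matches(origins, lambda o: _origin_item(o, origin))):
            return permission == "+"
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for who, grps, where in (("alice", ["mygroup"], "10.0.0.7"),
                             ("bob", ["users"], "10.0.0.7"),
                             ("root", ["root"], "tty1"),
                             ("root", ["root"], "10.0.0.7")):
        verdict = "allowed" if access_allowed(rules, who, grps, where) else "denied"
        print(f"{who} from {where}: {verdict}")
```

Try removing the final deny-all line from ACCESS_CONF and re-running: bob is then allowed, which is exactly the silent-permit behaviour the closing line guards against.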

pam_deny Module

This module refuses whoever reaches it: it always returns a failure code.

It is usually placed at the end of the auth stack (and of the other stacks) so that a misconfiguration above it ends in a denial rather than in access.

If you need to disable a service, you can add the pam_deny module at the top of its stack like this:

We use the module here with the auth management group; if the same line is used in the password management group, it prevents the user from changing his password, and in the account or session groups it blocks the service even after a correct password.

This module is used with the auth, account, session and password management groups.

pam_unix Module

This module is the standard Unix authentication: it validates the password against the hash stored in /etc/shadow (looking the user up in /etc/passwd), using the setuid helper unix_chkpwd when the calling process is not root. Its other groups check account expiry and handle password changes, which is why it appears in all four groups.

auth required pam_unix.so

You will see this module used in many services on your system.

This module is used with the auth, account, session and password management groups.

pam_localuser Module

This module succeeds only if the user is listed in /etc/passwd (or in the file given with the file= parameter). It is handy for making a rule apply to local accounts but not to directory (LDAP, NIS) users.

account sufficient pam_localuser.so

This module is used with the auth, account, session and password management groups.

pam_mysql Module

You can use the pam_mysql module to authenticate users against credentials stored in a MySQL database.

It can be used like this:

The parameters of pam_mysql tell it which host, database, table and columns hold the user names and passwords, and how the stored passwords are hashed. Those parameters include the database credentials, so do not leave them in a world-readable file under /etc/pam.d/; pam_mysql can read its options from a separate file that you can restrict to root.

You can install it if it is not on your system. On Debian and Ubuntu the package is libpam-mysql:

$ apt install libpam-mysql

On RHEL-family systems look for the pam_mysql package (in EPEL):

$ yum install pam_mysql

This module is used with the auth, account, session and password management groups.

pam_cracklib module

Weak passwords can lead to system compromise. This module checks a new password against a dictionary and a set of rules when it is changed, and refuses weak ones.

password required pam_cracklib.so retry=3 minlen=12 difok=3

This example requires a new password of at least twelve characters (by default each character class present, digits, upper case, lower case and others, can earn one credit, so minlen is really a minimum score; set dcredit, ucredit, lcredit and ocredit to 0 for a plain length requirement), at least three characters that were not in the old password, and gives the user three chances to pick a good password before the passwd program aborts.

Two caveats: when root changes another user's password the checks only produce a warning unless you add enforce_for_root, and recent distributions replace pam_cracklib with pam_pwquality, which accepts the same options and also reads /etc/security/pwquality.conf.

This module is used with the password management group.

pam_rootok Module

This module succeeds if the real user ID of the process calling the service is 0, that is, if root is the one running the program; for anyone else it fails.

auth sufficient   pam_rootok.so

With the sufficient flag, as in the su service, root gets through without being asked for a password while everybody else falls through to the following modules (normally pam_unix). On its own it therefore does not restrict a service to root; to do that, follow it with a deny rule, for example pam_rootok as sufficient and then pam_deny as required.

This module is used with the auth management group.

pam_limits Module

This module sets limits on the system resources a user's processes may consume (open files, processes, memory, CPU time and so on) at the start of each session.

Limits are read from /etc/security/limits.conf and then from the files in the /etc/security/limits.d/ directory.

session  required  pam_limits.so

You can use this module to stop one user from exhausting the resources of the whole machine.

This module is used with the session management group.

The limits in /etc/security/limits.conf can be hard or soft.

Hard: the ceiling, enforced by the kernel. An unprivileged process can lower its hard limit but never raise it again; only a process with CAP_SYS_RESOURCE (root) can raise it, which is why these limits do not really constrain root.

Soft: the value actually in force, which the user (or the program itself) can move up or down as long as it stays at or below the hard limit.

Items that can be limited include fsize, cpu, nproc, nofile, data, maxlogins and many more; each line of the file has the form domain, type, item, value.

The first limit, for the members of mygroup, sets the number of processes each of them may run to 50.

The second limit, for the user named myuser, limits CPU time to 5000 minutes.
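The hard/soft rules that pam_limits relies on are enforced by the kernel through setrlimit(2), so they can be observed from any process. The following Python script is an added example, not code from the original post or from pam_limits: it takes the open-files limit (RLIMIT_NOFILE, the nofile item of limits.conf) and shows that a process may set its soft limit to anything up to the hard limit, that a soft limit above the hard one is refused, and that raising the hard limit itself only works with root's privileges (that last step is reported but not relied on, since it depends on who runs the script).

```python
"""Kernel-side view of the hard/soft resource limits that pam_limits sets.
Added example for this post; uses setrlimit(2) via Python's resource
module on the open-files limit (nofile in limits.conf)."""
import resource


def rlimit_demo(which: int = resource.RLIMIT_NOFILE) -> dict:
    """Try the moves a process is and is not allowed to make, restore the
    original limits, and return what happened as a dict."""
    soft, hard = resource.getrlimit(which)
    report = {"initial": (soft, hard),
              "finite_hard": hard != resource.RLIM_INFINITY}
    if not report["finite_hard"]:
        return report    # no ceiling to test against (unusual for nofile)

    # 1. The soft limit may be set to any value up to the hard limit;
    #    here we lower it to half of the current soft value.
    lower = max(1, min(soft, hard) // 2)
    resource.setrlimit(which, (lower, hard))
    report["soft_lowered"] = resource.getrlimit(which)[0] == lower

    # 2. ...and raised again, as far as the hard limit.
    resource.setrlimit(which, (hard, hard))
    report["soft_raised_to_hard"] = resource.getrlimit(which)[0] == hard

    # 3. A soft limit above the hard limit is refused by the kernel (EINVAL),
    #    which Python reports as ValueError.
    try:
        resource.setrlimit(which, (hard + 1, hard))
        report["soft_above_hard_rejected"] = False
    except ValueError:
        report["soft_above_hard_rejected"] = True

    # 4. Raising the hard limit needs CAP_SYS_RESOURCE: an ordinary user gets
    #    EPERM (also a ValueError), root usually succeeds. Reported only.
    try:
        resource.setrlimit(which, (hard, hard + 1))
        report["hard_raised"] = True
    except ValueError:
        report["hard_raised"] = False

    # Put things back: lowering is always allowed, so this works for any user.
    resource.setrlimit(which, (soft, hard))
    return report


if __name__ == "__main__":
    for key, value in rlimit_demo().items():
        print(f"{key}: {value}")
```

Run it once as an ordinary user and once as root and compare the hard_raised entry: that difference is the whole reason a limit you want enforced must be a hard limit set by pam_limits at session start, not something the user's own shell chooses.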

You can edit any PAM service file in /etc/pam.d/ and use the module you want to protect your services the way you want.

I hope you find using Linux PAM modules easy and useful.

Thank you.