210.2 PAM authentication (weight: 3)

Tech Tutorial: 210.2 PAM Authentication #

Introduction #

Pluggable Authentication Modules (PAM) provide a mechanism for integrating multiple low-level authentication schemes into a high-level API, allowing for programs that rely on authentication to be written independently of the underlying authentication scheme. This tutorial aims to explore the configuration and management of PAM, a crucial topic for system administrators and security professionals working with Linux systems.

Exam Objective #

The key objective of this section is to understand and manage PAM authentication, including the configuration of PAM files and the use of various PAM tools and utilities.

Key Knowledge Areas: #

  • Configuration of PAM
  • Understanding of /etc/pam.d/
  • Familiarity with PAM management utilities

Utilities: #

  • pam_tally2
  • pam_cracklib
  • pam_unix
  • pam_wheel
  • pam_nologin

Step-by-Step Guide #

1. Understanding PAM Configuration Files #

PAM configuration files are located in the /etc/pam.d/ directory. Each service that uses PAM has its own file. For example, the SSH service configuration is in /etc/pam.d/sshd.

Example: #

# View content of PAM configuration for SSH
cat /etc/pam.d/sshd

2. Configuring PAM Modules #

PAM modules are configured in the service files located in /etc/pam.d/. Each line in these files describes a step in the authentication process.

Example: #

# Sample entry in /etc/pam.d/common-password
password    requisite                       pam_cracklib.so retry=3 minlen=8 difok=3

This line configures the pam_cracklib module to enforce password strength policies.

3. Using pam_tally2 for Login Attempts Management #

pam_tally2 module is used to lock user accounts after certain failed login attempts.

Configuration: #

# Add to /etc/pam.d/common-auth
auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=300

Resetting Fail Count: #

# Reset fail count for user
pam_tally2 --user=username --reset

4. Enhancing Security with pam_cracklib #

pam_cracklib is a module for enforcing password policies.

Configuration: #

# Edit /etc/pam.d/common-password
password    requisite   pam_cracklib.so retry=3 minlen=10 difok=3

5. Using pam_unix for Standard Unix Authentication #

This module provides standard Unix authentication.

Configuration: #

# Example entry in /etc/pam.d/common-auth
auth    required    pam_unix.so nullok

6. Restricting Access with pam_wheel #

pam_wheel is used for restricting access to su or sudo to users in the wheel group.

Configuration: #

# Add to /etc/pam.d/su
auth required pam_wheel.so use_uid

7. Managing System-wide Logins with pam_nologin #

pam_nologin denies login if the file /etc/nologin exists.

Configuration: #

# Add to /etc/pam.d/login
auth    requisite   pam_nologin.so

Conclusion #

Understanding and configuring PAM is essential for managing authentication and enhancing security on Linux systems. By mastering the various PAM modules and utilities like pam_tally2, pam_cracklib, pam_unix, pam_wheel, and pam_nologin, administrators can ensure robust authentication mechanisms aligned with security policies and requirements. Always test configurations in a controlled environment before applying them to production systems to avoid unintended access issues.