Skip to main content

Plug & Rule : An Introduction to PAM!

The Pluggable Authentication Modules (PAM) library is a generalized API for authentication related services which allows a system administrator to dynamically configure authentication schemes for all PAM-enabled system utilities and applications by adding and removing PAM modules on the running system. It's a layer between Linux applications and native underlying authentication system. PAM is implemented as shared objects or so-files, and the applications communicate with the PAM library through the PAM API.

Fig. 1 : PAM Framework
Traditionally, login authentication is done by comparing the encrypted password for the user in the password file (/etc/shadow), but each program that requires authentication implements its own authentication mechanisms. For example, various services like FTP, SSH, et cetera have individual ways of authenticating their users. As a result, the administrator has to spend unnecessary amount of time in maintaining the database. A PAM service module provides authentication and other security services to such applications. 

Fig. 2 : PAM File System Layout


 Syntax for application's configuration files in /etc/pam.d is,

  module-type  control-flag  module-path  module-arguments


The four types of PAM services (Management Groups):
  1. Authentication  Management (auth)
    For authenticating users and provide user's information to the application.
  2. Account Management (account)
    For verifying the properties of the user's account.
  3. Session Management (session)
    For performing any tasks required at initialization and termination of a session.
  4. Password Management (password)
    For providing mechanism for managing the properties of a password and also change the authentication requirements for the user.
For each management group we can define a stack of modules.When an application calls the PAM library function, the PAM runtime will call each authentication function by its order in the configuration file.


The most commonly used control flags : 
  1. required
    The return code for a required module is stored. In case of first failure, the error message is stored, and parsing is carried out for the rest of the stack. However, the request isn't successful (regardless of response of other modules).
  2. sufficient
    The modules after a successful response of this module aren't called. In case of a failed response, other modules are checked.
  3. optional
    A     failed response doesn't affect the execution of the stack. 
  4. requisite
    In case of failure, PAM returns to the calling application and reports it instantly. No further rules are checked.
  5. include
    The authentication is redirected to another file, rules of which are checked for success.
  6. binding
    If the module is successful and no preceding modules that are flagged as required have failed, then remaining modules are skipped. In case of a failure, record the return code and continue processing the stack.

Fig. 3 : Snippet from /etc/pam.d/sshd

Examples:

1. Setting Password Requirements:
In this example, we set password requirement on a system to require a minimum of one symbol, one digit and a length of 12 characters.
Edit the existing pam_cracklib.so line in /etc/pam.d/system-auth and /etc/pam.d/password-auth so that it reads :




2. Apply Limits to User:
In this example, we set a limit over how many processes an user can create on the machine. Edit /etc/security/limits.conf and add the given lines. It limits the user student to create no more than 5 processes on the system. And, visitor may only have 3 simultaneous open sessions to the machine.

3. Locking Accounts with Failed Logins:
Here, we disable user accounts for 5 minutes in case of 5 sequential failed login attempts. Edit the existing pam_cracklib.so line in /etc/pam.d/system-auth and /etc/pam.d/password-auth so that it reads :








References:


Comments

Post a Comment

Popular posts from this blog

The C++ Way!

This post deals with definitions of few terms, understanding of which are important for having a strong foundation in C++.  This is a living blog and you can expect appends with logs at the bottom of the post. Object:  Most commonly accepted definition of an object is a region of memory that has a type. Variable:  A named storage that can be manipulated. Scope: A scope is a part of program in which a name has a particular meaning. '::' is the scope resolution operator used to refer to names from a different scope. #include<iostream> using namespace std; int variable_1 = 10 ; int main(){ int variable_1 = 20 ; cout << :: variable_1 << endl; //prints 10 on console. ::variable_name fetches the variable from global scope. return 0 ; } Lifetime: The lifetime of an object is the time during the programs execution that the object exists. Declaration: A declaration makes a name known to the program. We can dec...
1 comment
Read more

Understanding Firewalls and Netfilter

A Firewall is designed to prevent unauthorized outside users from accessing a network or host. It is a device (software or hardware), installed between the internal network and the Internet. Firewall performs filtering of the packets that attempt to enter or leave a network. This is done by defining various policies that enforce control over the network traffic. A Bastion Host defines a simple firewall implementation, where the bastion host is any computer that is fully exposed to attack by being on the public side of the DMZ, unprotected by a firewall or filtering router. [1] It is also referred to as the, Bastion firewall. The bastion node, is usually a very powerful server with improved security measures and custom software. A typical Bastion firewall implementation DMZ (Demilitarized Zone), also known as Perimeter Network, refers to the part of the network, that is neither private nor public. It introduces an additional layer of security, as external network has ac...
5 comments
Read more