Objectives
- Explain the basic concepts that motivate the use of PAM
- List the steps involved in the authentication process
- Use and modify PAM configuration files
- Know how to interpret PAM rules and create new ones
- Apply LDAP to use and administer distributed directory services over the network
PAM: A Unified Approach to Authentication
In order to unify the authentication mechanism, the libpam library is needed so that most applications can use it to perform the authentication process.
PAM has the following components
- PAM-aware applications
- Configuration files in /etc/pam.d
- PAM modules in the libpam* libraries
Each PAM-aware application, or service, may be configured with respect to PAM by an individual configuration file in /etc/pam.d.
Authentication Process
- A user invokes a PAM-aware application, such as login, ssh or su
- The application calls libpam
- The library checks for files in /etc/pam.d
- The file for that service determines which PAM modules to invoke, including those pulled in from system-auth
- Each referenced module is executed in accordance with the rules of the relevant configuration file for that application
PAM Configuration files
Each file in /etc/pam.d corresponds to a service, and each line in the file specifies a rule. A rule is formatted as a list of space-separated tokens, the first two of which are case-insensitive:
type control module-path module-arguments
The contents of /etc/pam.d/su are:
    #%PAM-1.0
    auth       sufficient   pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth      sufficient   pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth      required     pam_wheel.so use_uid
    auth       substack     system-auth
    auth       include      postlogin
    account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth
    session    include      postlogin
    session    optional     pam_xauth.so
PAM Rules
Type
Specifies the management group the module is to be associated with:
- auth
  - Instructs the application to prompt the user for identification
- account
  - Checks aspects of the user's account, such as password aging, access control, etc.
- password
  - Responsible for updating the user's authentication token, usually a password
- session
  - Provides functions before and after the session is established, such as
    - Setting up the environment
    - Logging
Control
Manages how the success or failure of a module affects the overall authentication process:
- required
  - Must return success for the service to be granted. If it is part of a stack, all other modules are still executed, and the application is not told which module or modules failed
- requisite
  - Same as required, except that a failure in any such module terminates the stack immediately and a return status is sent to the application
- optional
  - The module is not required. If it is the only module in the stack, however, its return status may cause the stack to fail
- sufficient
  - If this module succeeds, no subsequent modules in the stack are required. If it fails, that does not by itself cause the stack to fail, unless it is the only module in the stack
- include
  - Pulls in all rules of the same type from the named configuration file, as if they were written in place
- substack
  - Like include, but a module that would end the stack (a successful sufficient module or a failing requisite one) ends only the substack; the rest of the parent stack is still evaluated
Module-path
Gives the file name of the module library, located by default in /lib*/security. It may be given as an absolute path or as a path relative to that directory.
Module-arguments
Can be given to modify the PAM module's behavior
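The control-flag semantics described above, worked through as an added example that is not part of the course material: a small Python evaluator that parses pam.d-style rules and applies required, requisite, sufficient, optional, include and substack to a table of constructed module outcomes. The system-auth and postlogin fragments are constructed stand-ins for the real files named by /etc/pam.d/su.

```python
# Added example (not from the course material): a miniature evaluator for
# PAM control flags, modelled on Linux-PAM's pass/fail "impression"
# bookkeeping.  Module outcomes come from a dict; no real module is called.
# /etc/pam.d/su auth rules from the page; system-auth/postlogin are constructed stand-ins.
SU = """#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       substack     system-auth
auth       include      postlogin
"""
FILES = {
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so try_first_pass\n"
                   "auth required pam_deny.so\n",
    "postlogin": "session optional pam_lastlog.so\n",  # no auth rules
}

def parse(text):
    """Split a pam.d file into (type, control, module, args) rules; comments
    are dropped and the two case-insensitive fields are lower-cased."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:
            rules.append((f[0].lower(), f[1].lower(), f[2], f[3:]))
    return rules

def walk(rules, mtype, results, files, state):
    """Run the rules of one management group.  state[0] is the impression
    (None, "pass" or "fail"); returns "done"/"die" to end the current stack."""
    for _type, control, module, _args in [r for r in rules if r[0] == mtype]:
        if control in ("include", "substack"):
            out = walk(parse(files[module]), mtype, results, files, state)
            if out and control == "include":
                return out  # a substack ends only itself, include does not
        elif results.get(module, False):  # the module succeeded
            if state[0] != "fail":  # an earlier required failure sticks
                state[0] = "pass"
            if control == "sufficient" and state[0] == "pass":
                return "done"  # skip the rest of this stack
        elif control in ("required", "requisite"):  # other failures are ignored
            state[0] = "fail"
            if control == "requisite":
                return "die"  # stop here; the failure is reported at once

def stack_result(text, mtype, results, files=FILES):
    """True if access is granted.  A stack in which no module set an
    impression (e.g. a lone failing optional module) is denied."""
    state = [None]
    walk(parse(text), mtype, results, files, state)
    return state[0] == "pass"
```

Swapping the substack line in SU for an include line and feeding a successful pam_unix.so result shows the difference the page lists: with include, the sufficient success ends the whole auth stack; with substack, the parent stack continues.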
LDAP Authentication
Lightweight Directory Access Protocol is an industry-standard protocol for managing distributed directory services over the network, and it is meant to be both open and vendor-neutral.
When using LDAP for centralized authentication, each system connects to the LDAP server in order to perform authentication. Using TLS protects the exchange in transit, makes this a secure option, and is recommended.
LDAP authentication is configured through PAM, using system-config-authentication or authconfig-tui. One has to specify:
- Server
- Search base (Domain Name)
- TLS (Transport Layer Security)
Also required are the openldap-clients, pam_ldap and nss-pam-ldapd packages.
In order to configure a system for LDAP authentication, five files are changed:
- /etc/openldap/ldap.conf
- /etc/pam_ldap.conf
- /etc/nslcd.conf
- /etc/sssd/sssd.conf
- /etc/nsswitch.conf
We can edit these files manually or use one of the utility programs available:
- system-config-authentication or authconfig-tui