Did you know LQ has a Linux Hardware Compatibility List?
Go Back > Linux Answers > Applications / GUI / Multimedia
User Name


By Tinkster at 2006-09-22 15:09
PAM & Slackware 10.2


1. Rationale
2. "required" Software
3. Installation

1. Rationale

If you ever find yourself in a situation where you need PAM (Pluggable Authentication Module)
but do not want to give up on your beloved Slackware, it can be done. (And that's without Dropline-Gnome ;} )

Important: this is how I did it, it may NOT work for you, and I won't be held responsible if you render your machine unusable! :}

For example, you may have to autenticate users against an LDAP Server using PAM.
I know that Pat doesn't think very highly of PAM (considering the history of vulnerabilities it has); and I fully appreciate
that he doesn't want to integrate PAM into Slack.

This document describes a most basic PAM installation and configuration, no bells and whistles...

2. required software

You should download the latest versions of the sourcecode
(in the brackets I put version numbers the software I was using):

Linux-PAM (0.81)
util-linux (2.12p)
shadow (4.0.3)

If you want to install PAM on a working server, I think it'd be a good idea if you
first install (and check how it works) on a test computer with the same version of the
system (and the rest of software) you're using on the server. Good luck.

3. Installation

First of all, let's do Linux-PAM. No surprises:

./configure --exec-prefix=/usr
make install

A few directories were created (/lib/security, /usr/include/security, /etc/security).
As a result we've got libraries and header files, PAM modules and serveral config files (examples).
So, we've got everything we need but... it doesn't work yet.

The next step: util-linux.
Ideally you'll use Pat's build-script & source-package as a starting point.
You should edit the MCONFIG file and change one of the first lines
to HAVE_PAM=yes. If you start with an ordinary tarball, do the same. After that - as usual:

./configure --prefix=/usr
make install

And the last one - shadow:

Again: ideally you start with Pat's source package, edit the build-script to contain ./configure --with-libpam and use it as usual; if you don't:
./configure --with-libpam
make install

Now, try not to reboot your system and don't log out of the console you're working from! You need a config file - /etc/pam.conf.
Save this below as /etc/pam.conf.

# -----------------------------------------------------------------------------#
# Example /etc/pam.conf taken from #
# -----------------------------------------------------------------------------#
chfn auth required
chfn account required
chfn password required shadow md5 use_authtok
chsh auth required
chsh account required
chsh password required shadow md5 use_authtok
login auth requisite
login auth required
login auth required
login account requisite
login account required
login password required shadow md5 use_authtok
login session required
login session required
passwd password required shadow md5
su auth sufficient
su auth required
su auth required use_uid group=wheel
su auth required use_first_pass
su account required
su session required
sshd auth required shadow nodelay use_first_pass
sshd auth required
sshd auth required
sshd account required
sshd account requisite
sshd password required shadow use_authtok
sshd session required
sshd session required
shadow auth sufficient
shadow account required
shadow password required
shadow session required
useradd auth required
useradd account required
useradd password required
useradd session required
userdel auth required
userdel account required
userdel password required
userdel session required
usermod auth required
usermod account required
usermod password required
usermod session required
groupadd auth required
groupadd account required
groupadd password required
groupadd session required
groupdel auth required
groupdel account required
groupdel password required
groupdel session required
groupmod auth required
groupmod account required
groupmod password required
groupmod session required
newusers auth required
newusers account required
newusers password required
newusers session required
chpasswd auth required
chpasswd account required
chpasswd password required
chpasswd session required
chage auth sufficient
chage auth required
chage account required
chage password required
chage session required
other auth required
other auth required
other account required
other password required
other password required
other session required

Now you should try to login to the system on _another_ console. You shoud be
able to see ".... login(pam_unix) .... session opened ...." in the logs.

If you can't - don't reboot the system, check everything you did "step by step" and try again.
If everything went well, you should now start googling for PAM documentation (configuration).
BTW: if you find a "bug" in the pam.conf example above - please, let me know.

by Randux on Tue, 2006-09-26 14:21
What about setting up a chrooted environment for this? It might work well for a couple of reasons...

by Tinkster on Wed, 2006-09-27 02:51
Originally Posted by Randux
What about setting up a chrooted environment for this? It might work well for a couple of reasons...
I fail to see the benefits or applications of a chrooted login
facility. Can you elaborate?


by Randux on Wed, 2006-09-27 04:56
For one thing it avoids having to either take a chance with an existing Slackware machine or partitioning for another new one if someone doesn't want to have PAM on their main (only machine). For another, if something goes wrong and the guy can't log into his new system, since it's chrooted, he still has all the permissions he needs to fix things from the outside-in without having to boot a live CD or another Linux machine.

At least those were the thoughts I had when reading your article on PAMifying Slackware.

by Tinkster on Wed, 2006-09-27 13:13
Again: what is the benefit of running a "Pluggable Authentication Module"
in a chroot, and environment that's separate from the "main" machine?
What are you logging into, what are you going to be doing from there?

Commonly one sticks daemons into a chroot so that if the daemon gets
compromised the machine is not in the attackers hands. But for an authentication
process I still fail to see the benefit in that.

I understand that you see a risk in doing the PAMification, no questions asked.
But an isolated authentication (to me at least) makes no sense. Unless you want
to run a whole virtualised environment, in which case you're better of with
qemu or vmware.


by zborgerd on Wed, 2006-09-27 16:55
Just a note:

Dropline's PAM packages can be installed without GNOME itself. I've posted a link to it in the LinuxQuestions forums a few times.:

One of the main reasons why I like our PAM implementation is because you can benefit from some of the Redhat modules. In the case of things like gnome-volume-manager, this is a requirement so that it can determine who has console ownership, and you can even set up rules with pam_console to give access of devices to only the person logged into the local system.

Of course, these are not required if you just need PAM to build certain apps that require it in its most basic form, but I really think that PAM needs a bit more TLC than most pieces of software (it may seem crazy, but our PAM build script is 192 lines), and some of these tweaks really improve things.

With DLG 2.16.0's release (which is basically done, but we're waiting for Slackware 11.0's release), I've posted some much improved pam- packs (over our 2.14 packs) at the Dropline forum link mentioned above.

Just a note, in observation of your FAQ... The /etc/pam.conf file is often considered to be depreciated. Most newer implementations use /etc/pam.d/ instead, where individual config files are placed within that directory. It's still used by PAM, but only in the case that /etc/pam.d/ doesn't exist. It just makes more sense if you are going to pack up pam-aware applications that include configuration files, and you don't want to have to modify a single legacy pam.conf to add each app.

I'm a bit curious about the suggestion in your FAQ about rebuilding util-linux. I'm not sure that there is any real benefit of pamifying it. Correct me if I am wrong though. Since Slackware doesn't use util-linux the same way some vendors do, a lot of the tools exist in other packages. E.g., /bin/login, chfn, or chsh, is in Shadow rather than util-linux (as many distributions, such as like Fedora, like to do things). I don't really see the benefit of a pam-ified util-linux on Slackware.

Another thing... I noticed a mention of PAM "having a history of vulnerabilities" in your FAQ, but I don't really believe that is the case. PAM itself has proven to be quite secure over the years (note that Secunia's only advisory is from 2003): . The real offenders haven't been in PAM itself, but have been in third-party modules, like pam_ldap, which aren't included in PAM proper. PAM and "security problems" are an unfortunate myth that some Slackware users believe, but a good PAM implementation and a knowledgable system administrator can provide a powerful tool that improves security on Slackware.


All times are GMT -5. The time now is 04:36 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration