LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Linux Answers > Applications / GUI / Multimedia
User Name
Password

Notices

By Tinkster at 2006-09-22 15:09
PAM & Slackware 10.2


TOC

1. Rationale
2. "required" Software
3. Installation


1. Rationale

If you ever find yourself in a situation where you need PAM (Pluggable Authentication Module)
but do not want to give up on your beloved Slackware, it can be done. (And that's without Dropline-Gnome ;} )

Important: this is how I did it, it may NOT work for you, and I won't be held responsible if you render your machine unusable! :}

For example, you may have to autenticate users against an LDAP Server using PAM.
I know that Pat doesn't think very highly of PAM (considering the history of vulnerabilities it has); and I fully appreciate
that he doesn't want to integrate PAM into Slack.

This document describes a most basic PAM installation and configuration, no bells and whistles...


2. required software

You should download the latest versions of the sourcecode
(in the brackets I put version numbers the software I was using):

Linux-PAM (0.81)
util-linux (2.12p)
shadow (4.0.3)

If you want to install PAM on a working server, I think it'd be a good idea if you
first install (and check how it works) on a test computer with the same version of the
system (and the rest of software) you're using on the server. Good luck.


3. Installation

First of all, let's do Linux-PAM. No surprises:

./configure --exec-prefix=/usr
make
make install

A few directories were created (/lib/security, /usr/include/security, /etc/security).
As a result we've got libraries and header files, PAM modules and serveral config files (examples).
So, we've got everything we need but... it doesn't work yet.

The next step: util-linux.
Ideally you'll use Pat's build-script & source-package as a starting point.
You should edit the MCONFIG file and change one of the first lines
to HAVE_PAM=yes. If you start with an ordinary tarball, do the same. After that - as usual:

./configure --prefix=/usr
make
make install

And the last one - shadow:

Again: ideally you start with Pat's source package, edit the build-script to contain ./configure --with-libpam and use it as usual; if you don't:
./configure --with-libpam
make
make install

Now, try not to reboot your system and don't log out of the console you're working from! You need a config file - /etc/pam.conf.
Save this below as /etc/pam.conf.

# -----------------------------------------------------------------------------#
# Example /etc/pam.conf taken from http://linio.boo.pl/eng) #
# -----------------------------------------------------------------------------#
chfn auth required pam_unix.so
chfn account required pam_unix.so
chfn password required pam_unix.so shadow md5 use_authtok
#
chsh auth required pam_unix.so
chsh account required pam_unix.so
chsh password required pam_unix.so shadow md5 use_authtok
#
login auth requisite pam_securetty.so
login auth required pam_unix.so
login auth required pam_nologin.so
login account requisite pam_time.so
login account required pam_unix.so
login password required pam_unix.so shadow md5 use_authtok
login session required pam_unix.so
login session required pam_limits.so
#
passwd password required pam_unix.so shadow md5
#
su auth sufficient pam_rootok.so
su auth required pam_unix_auth.so
su auth required pam_wheel.so use_uid group=wheel
su auth required pam_unix.so use_first_pass
su account required pam_unix.so
su session required pam_unix.so
#
sshd auth required pam_unix.so shadow nodelay use_first_pass
sshd auth required pam_nologin.so
sshd auth required pam_shells.so
sshd account required pam_unix.so
sshd account requisite pam_time.so
sshd password required pam_unix.so shadow use_authtok
sshd session required pam_unix.so
sshd session required pam_limits.so
#
shadow auth sufficient pam_rootok.so
shadow account required pam_permit.so
shadow password required pam_permit.so
shadow session required pam_deny.so
#
useradd auth required pam_rootok.so
useradd account required pam_permit.so
useradd password required pam_permit.so
useradd session required pam_deny.so
#
userdel auth required pam_rootok.so
userdel account required pam_permit.so
userdel password required pam_permit.so
userdel session required pam_deny.so
#
usermod auth required pam_rootok.so
usermod account required pam_permit.so
usermod password required pam_permit.so
usermod session required pam_deny.so
#
groupadd auth required pam_rootok.so
groupadd account required pam_permit.so
groupadd password required pam_permit.so
groupadd session required pam_deny.so
#
groupdel auth required pam_rootok.so
groupdel account required pam_permit.so
groupdel password required pam_permit.so
groupdel session required pam_deny.so
#
groupmod auth required pam_rootok.so
groupmod account required pam_permit.so
groupmod password required pam_permit.so
groupmod session required pam_deny.so
#
newusers auth required pam_rootok.so
newusers account required pam_permit.so
newusers password required pam_permit.so
newusers session required pam_deny.so
#
chpasswd auth required pam_rootok.so
chpasswd account required pam_permit.so
chpasswd password required pam_permit.so
chpasswd session required pam_deny.so
#
chage auth sufficient pam_rootok.so
chage auth required pam_unix.so
chage account required pam_unix.so
chage password required pam_permit.so
chage session required pam_deny.so
#
other auth required pam_deny.so
other auth required pam_warn.so
other account required pam_deny.so
other password required pam_deny.so
other password required pam_warn.so
other session required pam_deny.so



Now you should try to login to the system on _another_ console. You shoud be
able to see ".... login(pam_unix) .... session opened ...." in the logs.

If you can't - don't reboot the system, check everything you did "step by step" and try again.
If everything went well, you should now start googling for PAM documentation (configuration).
BTW: if you find a "bug" in the pam.conf example above - please, let me know.


by Randux on Tue, 2006-09-26 14:21
What about setting up a chrooted environment for this? It might work well for a couple of reasons...

by Tinkster on Wed, 2006-09-27 02:51
Quote:
Originally Posted by Randux
What about setting up a chrooted environment for this? It might work well for a couple of reasons...
I fail to see the benefits or applications of a chrooted login
facility. Can you elaborate?


Cheers,
Tink

by Randux on Wed, 2006-09-27 04:56
For one thing it avoids having to either take a chance with an existing Slackware machine or partitioning for another new one if someone doesn't want to have PAM on their main (only machine). For another, if something goes wrong and the guy can't log into his new system, since it's chrooted, he still has all the permissions he needs to fix things from the outside-in without having to boot a live CD or another Linux machine.

At least those were the thoughts I had when reading your article on PAMifying Slackware.

by Tinkster on Wed, 2006-09-27 13:13
Again: what is the benefit of running a "Pluggable Authentication Module"
in a chroot, and environment that's separate from the "main" machine?
What are you logging into, what are you going to be doing from there?

Commonly one sticks daemons into a chroot so that if the daemon gets
compromised the machine is not in the attackers hands. But for an authentication
process I still fail to see the benefit in that.

I understand that you see a risk in doing the PAMification, no questions asked.
But an isolated authentication (to me at least) makes no sense. Unless you want
to run a whole virtualised environment, in which case you're better of with
qemu or vmware.



Cheers,
Tink

by zborgerd on Wed, 2006-09-27 16:55
Just a note:

Dropline's PAM packages can be installed without GNOME itself. I've posted a link to it in the LinuxQuestions forums a few times.:

http://forums.droplinegnome.org/viewtopic.php?t=4441

One of the main reasons why I like our PAM implementation is because you can benefit from some of the Redhat modules. In the case of things like gnome-volume-manager, this is a requirement so that it can determine who has console ownership, and you can even set up rules with pam_console to give access of devices to only the person logged into the local system.

Of course, these are not required if you just need PAM to build certain apps that require it in its most basic form, but I really think that PAM needs a bit more TLC than most pieces of software (it may seem crazy, but our PAM build script is 192 lines), and some of these tweaks really improve things.

With DLG 2.16.0's release (which is basically done, but we're waiting for Slackware 11.0's release), I've posted some much improved pam-0.99.6.2 packs (over our 2.14 packs) at the Dropline forum link mentioned above.

Just a note, in observation of your FAQ... The /etc/pam.conf file is often considered to be depreciated. Most newer implementations use /etc/pam.d/ instead, where individual config files are placed within that directory. It's still used by PAM, but only in the case that /etc/pam.d/ doesn't exist. It just makes more sense if you are going to pack up pam-aware applications that include configuration files, and you don't want to have to modify a single legacy pam.conf to add each app.

I'm a bit curious about the suggestion in your FAQ about rebuilding util-linux. I'm not sure that there is any real benefit of pamifying it. Correct me if I am wrong though. Since Slackware doesn't use util-linux the same way some vendors do, a lot of the tools exist in other packages. E.g., /bin/login, chfn, or chsh, is in Shadow rather than util-linux (as many distributions, such as like Fedora, like to do things). I don't really see the benefit of a pam-ified util-linux on Slackware.

Another thing... I noticed a mention of PAM "having a history of vulnerabilities" in your FAQ, but I don't really believe that is the case. PAM itself has proven to be quite secure over the years (note that Secunia's only advisory is from 2003): http://secunia.com/product/1701/?task=statistics . The real offenders haven't been in PAM itself, but have been in third-party modules, like pam_ldap, which aren't included in PAM proper. PAM and "security problems" are an unfortunate myth that some Slackware users believe, but a good PAM implementation and a knowledgable system administrator can provide a powerful tool that improves security on Slackware.


  



All times are GMT -5. The time now is 08:51 AM.

Main Menu
Advertisement

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration