LinuxQuestions.org


sachinh 03-19-2008 11:56 PM

pam settings system-auth
 
Hi,

We are using RedHat Linux ES 4.0. There is an expectation from auditors that the /etc/pam.d/system-auth file include these settings.

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
session required pam_deny.so

But our current /etc/pam.d/system-auth looks like this

auth required /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root onerr=fail per_user
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 lcredit=0 minlen=8
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so



Now the question is: how do I include the above settings in our existing system-auth file? I know that a slight mistake in pam.d has a big impact on the authentication mechanism.
So I just wanted to be sure before including those settings in our existing system-auth.

Any suggestions are welcome!!


Thanks in advance !!

Tinkster 03-20-2008 05:08 PM

The sensible way to go about implementing those changes would
be on the full-screen console. Hold one session open as root,
make a change, write it back, switch to a second console and
try to log in as an ordinary user. That'll test the change to auth
and account.

Similarly test password. Not sure about session.



Cheers,
Tink

sachinh 03-20-2008 11:30 PM

Thanks for the info. I would surely follow the instructions. But at what location should we include the statements in the system-auth file? Because I suppose the order also matters.

Tinkster 03-21-2008 12:07 AM

To the best of my knowledge the order is purely cosmetic
and I'd go for sorting them in with the existing entries,
so auth with auth, session with session and so on, and
for readability's sake in descending order of the "importance",
e.g. required, sufficient, optional ...


Cheers,
Tink
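Added example (my own code, not from any poster in this thread): a small Python simulator of Linux-PAM's control-flag rules, run over the auth group of the system-auth quoted above. It shows that where the auditors' "required pam_deny.so" line lands is not cosmetic: placed above the "sufficient pam_unix.so" line it denies every login, placed after it only logins that pam_unix already rejected reach it. Module results are supplied by hand instead of calling real PAM, so it runs anywhere.

```python
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Constructed sample: the auth group of the system-auth quoted in the thread,
# with the /lib/security/$ISA/ path prefix dropped.
EXISTING_AUTH = [
    ("required", "pam_tally.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

# Fixed results: pam_deny always fails, pam_env/pam_permit always succeed,
# pam_warn only logs and returns PAM_IGNORE, so it never changes the outcome.
FIXED = {"pam_deny.so": FAIL, "pam_env.so": SUCCESS,
         "pam_permit.so": SUCCESS, "pam_warn.so": IGNORE}

def evaluate(stack, results):
    """Final result of one PAM management group under Linux-PAM's rules:
    required   - failure is remembered, stack keeps running, final result fails
    requisite  - failure returns immediately
    sufficient - success ends the stack with success unless a required module
                 already failed; its own failure is ignored
    optional   - ignored here (it only counts when it is the sole module).
    results maps user-dependent modules (pam_unix, pam_tally) to SUCCESS/FAIL."""
    status = None
    for control, module in stack:
        outcome = FIXED.get(module, results.get(module, FAIL))
        if outcome == IGNORE:
            continue
        if control in ("required", "requisite"):
            if outcome == FAIL:
                if control == "requisite":
                    return FAIL
                status = FAIL
            elif status is None:
                status = SUCCESS
        elif control == "sufficient" and outcome == SUCCESS and status != FAIL:
            return SUCCESS
    return status if status is not None else FAIL

def with_audit_lines(stack, position):
    """Stack with the auditors' required pam_warn/pam_deny pair inserted at index position."""
    extra = [("required", "pam_warn.so"), ("required", "pam_deny.so")]
    return stack[:position] + extra + stack[position:]

def valid_user_can_login(stack):
    return evaluate(stack, {"pam_tally.so": SUCCESS, "pam_unix.so": SUCCESS}) == SUCCESS

def bad_password_denied(stack):
    return evaluate(stack, {"pam_tally.so": SUCCESS, "pam_unix.so": FAIL}) == FAIL
```

Compare valid_user_can_login(with_audit_lines(EXISTING_AUTH, 0)) with the same call at position len(EXISTING_AUTH) before editing the real file, and test on a spare console as suggested above.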
