pam settings system-auth
Hi,
We are using RedHat Linux ES 4.0. There is this expectation from auditors to make the /etc/pam.d/system-auth file include these settings:

    auth     required pam_deny.so
    auth     required pam_warn.so
    account  required pam_deny.so
    account  required pam_warn.so
    password required pam_deny.so
    password required pam_warn.so
    session  required pam_deny.so
    session  required pam_warn.so
    session  required pam_deny.so

But our current /etc/pam.d/system-auth looks like this:

    auth     required  /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
    auth     required  /lib/security/$ISA/pam_env.so
    auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth     required  /lib/security/$ISA/pam_deny.so
    account  required  /lib/security/$ISA/pam_unix.so
    account  required  /lib/security/$ISA/pam_tally.so deny=5 no_magic_root onerr=fail per_user
    account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account  required  /lib/security/$ISA/pam_permit.so
    password requisite /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 lcredit=0 minlen=8
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required  /lib/security/$ISA/pam_deny.so
    session  required  /lib/security/$ISA/pam_limits.so
    session  required  /lib/security/$ISA/pam_unix.so

Now the question is how do I include the above settings in our existing system-auth file? I know that a slight mistake in pam.d has a big impact on the authentication mechanism. So I just wanted to be sure before including those settings in our existing system-auth. Any suggestions are welcome. !! Thanks in advance !!
The sensible way to go about implementing those changes would be on the full-screen console. Hold one session open as root, make a change, write it back, switch to a second console and try to log in as an ordinary user. That'll test the changes to auth and account. Similarly test password. Not sure about session. Cheers, Tink
Thanks for the info. I would surely follow the instructions. But at what location shall we include the statements in the system-auth file? Because I suppose the order also matters.
To the best of my knowledge the order is purely cosmetic and I'd go for sorting them in with the existing entries, so auth with auth, session with session and so on, and for readability's sake in descending order of "importance", e.g. required, sufficient, optional ... Cheers, Tink
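As an added illustration (not from the thread or from Linux-PAM itself), here is a small Python model of how a PAM stack is walked, run over the auth group quoted in the first post with the auditors' pam_deny/pam_warn lines either appended after the existing entries or placed at the top. Module behaviours are the documented ones (pam_deny always fails, pam_warn only logs and returns PAM_IGNORE); pam_tally and pam_env are assumed to succeed, and pam_unix succeeds only for a correct password.

```python
"""Toy Linux-PAM stack walker: shows how the placement of the auditors'
pam_deny/pam_warn lines in system-auth changes who can still log in
(constructed model, auth group only; not the real libpam)."""

# auth group copied from the thread's system-auth (module paths shortened)
BASE_AUTH = """\
auth required pam_tally.so no_magic_root onerr=fail
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
"""
# the two lines the auditors want in the auth group
AUDIT_AUTH = "auth required pam_deny.so\nauth required pam_warn.so\n"

FIXED = {"pam_env.so": "ok", "pam_tally.so": "ok", "pam_permit.so": "ok",
         "pam_deny.so": "fail",     # always returns an error
         "pam_warn.so": "ignore"}   # logs, then returns PAM_IGNORE

def module_result(module, password_ok):
    name = module.rsplit("/", 1)[-1]   # strip a /lib/security/$ISA/ prefix
    if name == "pam_unix.so":
        return "ok" if password_ok else "fail"
    return FIXED[name]

def run_auth(config, password_ok):
    """Walk the auth lines with required/requisite/sufficient semantics."""
    failed = False
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, res = parts[1], module_result(parts[2], password_ok)
        if res == "ignore":
            continue                           # PAM_IGNORE has no effect
        if control == "requisite" and res == "fail":
            return "denied"                    # requisite aborts at once
        if control == "required" and res == "fail":
            failed = True                      # remembered, stack continues
        elif control == "sufficient" and res == "ok" and not failed:
            return "granted"                   # short-circuit success
    return "denied" if failed else "granted"

def compare_placements():
    """Correct password with audit lines appended vs prepended, plus a bad password."""
    return {
        "appended": run_auth(BASE_AUTH + AUDIT_AUTH, password_ok=True),
        "prepended": run_auth(AUDIT_AUTH + BASE_AUTH, password_ok=True),
        "bad_password": run_auth(BASE_AUTH + AUDIT_AUTH, password_ok=False),
    }
```

Appending the lines after the existing `auth required pam_deny.so` leaves valid logins working, because `sufficient pam_unix.so` returns before they are reached; putting a `required pam_deny.so` above pam_unix denies every login, which is the kind of mistake the console test described above would catch.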