LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
Reload this Page pam settings system-auth
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
LinkBack Search this Thread
Old 03-19-2008, 11:56 PM   #1
sachinh
Member
 
Registered: Jul 2004
Location: india
Distribution: RH
Posts: 189

Rep: Reputation: 30
pam settings system-auth

Hi,

We are using RedHat Linux ES 4.0. There is this expectation from auditors to make /etc/pam.d/system-auth file to include these settings.

auth* required pam_deny.so
auth** required pam_warn.so
account* required pam_deny.so
account* required pam_warn.so
password* required pam_deny.so
password* required pam_warn.so
session* required pam_deny.so
session* required pam_warn.so
session* required pam_deny.so

But our current /etc/pam.d/system-auth looks like this

auth required /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root onerr=fail per_user
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 lcredit=0 minlen=8
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so



Now question is hwo do I include the above setting in our existing system-auth file? I know that slight mistake in pam.d goes for big impact on authentication mechanism.
So just wanted to be sure before including those settings in our existing syste-auth.

Any suggestions are welcome. !!


Thanks in advance !!
 
Old 03-20-2008, 05:08 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,622
Blog Entries: 10

Rep: Reputation: 772Reputation: 772Reputation: 772Reputation: 772Reputation: 772Reputation: 772Reputation: 772
The sensible way to go about implementing those changes would
be on the full-screen console. Hold one session open as root,
make a change, write it back, switch to a second console and
try to login as ordinary user. That'll test the change to auth
and account.

Similarly test password. Not sure about session.



Cheers,
Tink
 
Old 03-20-2008, 11:30 PM   #3
sachinh
Member
 
Registered: Jul 2004
Location: india
Distribution: RH
Posts: 189

Original Poster
Rep: Reputation: 30
Thanks for the info. I would surely follow the instructions. But at what location shall we include the statements in system-auth file. Becauze I suppose the order also does matter.
 
Old 03-21-2008, 12:07 AM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,622
Blog Entries: 10

Rep: Reputation: 772Reputation: 772Reputation: 772Reputation: 772Reputation: 772Reputation: 772Reputation: 772
To the best of my knowledge the order is purely cosmetic
and I'd go for sorting them in with the existing entries,
so auth with auth, session with session and so on, and
for readabilities sake in descending order of the "importance",
e.g. required, sufficient, optional ...


Cheers,
Tink
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
/etc/pam.d/system-auth is not found udayakumarsv Suse/Novell 1 01-30-2008 04:59 PM
Apache authentication on SuSE via PAM/system auth files jantman Linux - Server 0 10-02-2006 10:06 PM
code for /etc/pam.d/system-auth(password complexity) moinpasha Programming 0 09-18-2006 01:23 AM
pam.d/system-auth and LDAP? SheldonPlankton Linux - General 0 04-28-2005 01:11 PM
openssh/PAM auth problem crippler909 Linux From Scratch 1 06-08-2003 11:51 AM


All times are GMT -5. The time now is 07:47 PM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration