Linux Security PAM Flashcards
Describe the three fields/columns in system-auth
Where are the modules located (SO FILES)
Management group/module interface, control flag, module (SO file) used, and any module parameters or arguments (like close)
session required pam_selinux.so close
Module (so files)
/lib/security
/lib64/security
What are the files located in /etc/pam.d for?
You’ll see files labelled like
atd
setup
sudo
These files define how each of these processes/applications authenticates
Module interfaces/management groups
Authentication (auth) - Verifies user identity (like checking password or secret)
Account - Checks if specified account is valid (Is it enabled, expired, allowed to login, has service access)
Password - used for updating passwords; works with authentication and enforces strong passwords
Session - actions performed at beginning and end of session
Control Flags
Requisite - Strongest flag - If a module flagged requisite fails, PAM returns to the calling app right away and reports the failure. The return value is that of the first requisite or required module to fail.
Required - In case of failure, execution isn’t stopped and continues to the next module. Afterwards it will return with failure.
Sufficient - If this module succeeds and no prior required module has failed, PAM returns success. If it fails, the result is ignored and processing moves on through the stack.
Optional - Success or failure is not what matters here; it is used for things like: if you have a home directory, fine, if you don’t, then build one.
Include - includes all lines of the given type from the configuration file specified as the argument to this control (use this when a file is specified in the third column)
Substack - same as above
Modules
/lib64/security
These provide mechanisms to authenticate users against any backend, such as a file like /etc/passwd or a directory/database like OpenLDAP
pam_unix is the main module used to verify authentication
If you want to know more about a module, look at its man page
man pam_unix
Module Arguments
Anything extra you want to add in
How are PAM options read?
From the top down
You can’t have optional before required
How do you check if a program is PAM-aware (uses PAM for authentication)?
ldd /usr/sbin/sshd | grep pam
ldd /sbin/sshd | grep pam
What is PAM and why was it created?
Pluggable Authentication Module
Allows applications to authenticate in different ways
Without PAM, whenever a new authentication method was made (biometrics, smart cards, etc.), all services would need to be recompiled
PAM avoids this by being the one-stop shop that tells services how to authenticate
If you just have pam_deny on its own, what does it do?
Rejects the login (or whatever action it’s there for) but doesn’t report anything. You’ll need a different entry before it.
Two ways to configure PAM
/etc/pam.conf <- This is like putting everything into one file
/etc/pam.d <- better, one file for each individual service
/etc/pam.conf is ignored if /etc/pam.d exists
If a service/program doesn’t have a config file then what will it consult?
/etc/pam.d/other
What happens if you configure pam wrong?
It won’t let you log in
Where does PAM send its activity info to?
/var/log/secure
/var/log/messages
Where do you configure which sources the system consults for internal services?
/etc/nsswitch.conf
How does a normal login work?
/etc/passwd checked for user
/etc/shadow used for user password