Pluggable authentication modules

PAM Administration

Published in: Education, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
927
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
21
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Pluggable authentication modules

  1. Yahia Kandeel (GCIH, GSEC, RHCE, CEH, CCNA, MCP), IP Backbone Security Engineer, Etisalat
  2. Agenda: Discretionary Access Controls; SELinux; TCP Wrappers; xinetd; iptables; Pluggable Authentication Modules; application access control
  3. Historically, each program had its own way of authenticating users. PAM replaces that with a pluggable, modular architecture that gives the system administrator a great deal of flexibility in setting authentication policies for the whole system.
  4. A centralized authentication mechanism: /etc/pam.d/ contains one PAM configuration file per PAM-aware application, named after the service (e.g. /etc/pam.d/sshd), and the PAM modules themselves live under /lib/security/ (/lib64/security/ on 64-bit systems).
  5. The four module interfaces (types):
        auth      authenticates the user, e.g. by checking a password against the account database
        account   verifies that access is allowed, e.g. it checks account expiration and time restrictions
        password  used for changing user passwords
        session   configures and manages the user session, e.g. mounting the user's home directory and making the user's mailbox available
  6. An individual module can provide any or all of the module interfaces; pam_unix.so, for instance, provides all four. Module interface directives can be stacked, or placed upon one another, so that multiple modules are used together for one purpose. Each PAM module returns a success or failure result when called, and the control flag tells PAM what to do with that result. Ordering is very important: the stack is evaluated top to bottom, and a module can end the evaluation before the lines below it are reached. /etc/pam.d/system-auth is a common interface included by the service files of all applications and daemons calling into the PAM library.
  7. Control flags:
        required    if success, continue checking; if fail, continue checking but the final result is failure
        requisite   if success, continue checking; if fail, abort immediately with failure
        sufficient  if success and no earlier required module has failed, grant access immediately; if fail, the result is ignored
        optional    the result is ignored unless it is the only module of that type in the stack
        include     interpret the given file; all lines in that file are treated as if they were present in this configuration file
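How the flags above combine, shown by an added example that is not part of the original slides: a shell function that replays the control-flag rules from pam.conf(5) over a stack written as control:result tokens (the token notation is this example's own; include/substack and the [value=action] form are not modelled). It makes the two points the table glosses over explicit: a sufficient module cannot rescue a stack in which a required module has already failed, and a required module placed below a sufficient one is never consulted when that module succeeds.

```bash
#!/usr/bin/env bash
# Added example (not from the original slides): a model of how Linux-PAM
# combines results within one module type, following the control-flag rules
# in pam.conf(5). Each argument is "control:result", where control is one of
# required|requisite|sufficient|optional and result is ok|fail (this notation
# is an assumption of the example). include/substack and the [value=action]
# syntax are not modelled. Prints PASS or FAIL; exit status 0 for PASS, 1 for FAIL.
pam_stack() {
    local required_failed=0 saw_success=0 token control result
    for token in "$@"; do
        control=${token%%:*}
        result=${token#*:}
        case "$control" in
            required)
                # failure is recorded, but the remaining modules still run
                if [ "$result" = ok ]; then saw_success=1; else required_failed=1; fi ;;
            requisite)
                # failure ends the stack immediately
                if [ "$result" = ok ]; then saw_success=1; else echo FAIL; return 1; fi ;;
            sufficient)
                # success ends the stack with PASS, but only if no required
                # module failed earlier; a failure is simply ignored
                if [ "$result" = ok ] && [ "$required_failed" -eq 0 ]; then
                    echo PASS; return 0
                fi ;;
            optional)
                # success counts, failure is ignored: the result only decides
                # anything when nothing else in the stack has set one
                if [ "$result" = ok ]; then saw_success=1; fi ;;
            *)
                echo "unknown control flag: $control" >&2; echo FAIL; return 1 ;;
        esac
    done
    if [ "$required_failed" -eq 1 ]; then echo FAIL; return 1; fi
    if [ "$saw_success" -eq 1 ]; then echo PASS; return 0; fi
    # every module was ignored (or the stack is empty): PAM denies access
    echo FAIL; return 1
}

# Stand-alone demo: replay the stacks the later slides' examples rely on.
for stack in "required:ok required:ok" \
             "required:fail sufficient:ok" \
             "sufficient:ok required:fail" \
             "requisite:fail sufficient:ok" \
             "sufficient:fail required:ok" \
             "optional:fail"; do
    printf '%-32s -> %s\n' "$stack" "$(pam_stack $stack)"
done
```

The demo loop replays the stacks behind the later slides: "sufficient:ok required:fail" is the pam_timestamp pattern (a sufficient timestamp check above a required pam_unix.so), and it is also the shape of the mistake of putting a restrictive required module below pam_unix.so when pam_unix.so is sufficient, as it is in system-auth.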
  8. Commonly used modules:
        pam_unix        traditional password authentication against /etc/passwd and /etc/shadow
        pam_rootok      succeed only if the calling user is root (uid 0)
        pam_permit      the promiscuous module: always succeed
        pam_nologin     deny non-root logins while /etc/nologin exists
        pam_listfile    deny or allow a service based on an arbitrary file
        pam_tally2      the login counter (tallying) module
        pam_succeed_if  test account characteristics
        pam_deny        the locking module: always fail
        pam_limits      limit resources
        pam_timestamp   authenticate using cached successful authentication attempts
        pam_time        time-based access control
        pam_cracklib    check a new password against dictionary words
  9. pam_succeed_if: test account characteristics.
        Synopsis: pam_succeed_if.so [flag...] [condition...]
        Flags:
          use_uid   evaluate the conditions against the account of the user whose UID the application is running under, instead of the user being authenticated
          quiet     do not log failure or success to the system log
        Conditions have the form field test value, for example:
          user  ingroup  wheel
          uid   >=       500       (the first regular-user UID on RHEL 5/6; 1000 on current distributions)
        Example: the user running the application must be a member of wheel:
          auth required pam_succeed_if.so use_uid user ingroup wheel
  10. pam_timestamp: authenticate using cached successful authentication attempts.
        Synopsis: pam_timestamp.so [timestamp_timeout=number]   (default 300 seconds)
        The auth and session module types are provided. Example /etc/pam.d/wireshark:
          auth     sufficient pam_timestamp.so
          auth     required   pam_unix.so
          session  required   pam_unix.so
          session  optional   pam_timestamp.so
        The session line records the timestamp after a successful login; the sufficient auth line then accepts the user without a password until the timestamp expires.
  11. Demo: Wireshark with pam_timestamp, limited to specific users.
  12. pam_listfile: deny or allow access to a service based on an arbitrary file.
        Synopsis: pam_listfile.so item=[user|rhost|group|shell] sense=[allow|deny] file=/path/filename onerr=[succeed|fail]
          item    what is listed in the file and should be checked for
          sense   action to take if the item is found in the file
          onerr   what to do if something goes wrong, such as being unable to open the file
        Example /etc/pam.d/sshd, allowing only the users listed in /etc/ssh.allow:
          auth required pam_listfile.so item=user sense=allow file=/etc/ssh.allow onerr=fail
        Use onerr=fail for an allow list: with onerr=succeed a missing or unreadable file lets everyone in. Place the line above "auth include system-auth", because that file contains a sufficient pam_unix.so entry which, on success, ends the auth stack before anything below it runs.
  13. pam_tty_audit: enable or disable TTY auditing (keystroke logging) for specified users.
        Synopsis: pam_tty_audit.so [disable=patterns] [enable=patterns]
        Example /etc/pam.d/sshd, auditing root's terminal input only:
          session required pam_tty_audit.so disable=* enable=root
        The kernel logs the keystrokes to the audit subsystem (auditd must be running); view them with:
          # aureport --tty
  14. pam_tally2: the login counter.
        Synopsis: pam_tally2.so [onerr=[fail|succeed]] [even_deny_root] [deny=n] [unlock_time=n] [root_unlock_time=n] [audit]
        Example /etc/pam.d/sshd, locking an account for 20 minutes after four failures, root included:
          auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
        To view the status for a user (failure count and lock state):
          # pam_tally2 -u username
        To reset the counter manually:
          # pam_tally2 -u username -r
        An "account required pam_tally2.so" line resets the counter on successful login for services that do not call pam_setcred correctly. pam_tally2 is deprecated in favour of pam_faillock on current distributions.
  15. pam_limits: PAM module to limit resources.
        Synopsis: pam_limits.so [change_uid] [conf=/path/to/limits.conf]
        By default limits are taken from /etc/security/limits.conf. Example /etc/pam.d/sshd:
          session required pam_limits.so
        /etc/security/limits.conf lines have the form <domain> <type> <item> <value>, e.g. one login at a time for student:
          student  -  maxlogins  1
        Field values:
          domain   a user name, @group, a uid range min:max, or * for everyone
          type     hard, soft, or - for both
          item     e.g. cpu, maxlogins, priority, memlock
  16. pam_time: PAM module for time-based access control.
        Synopsis: pam_time.so [noaudit]
        The time access rules are taken from /etc/security/time.conf. Example /etc/pam.d/sshd:
          account required pam_time.so
        /etc/security/time.conf lines have the form services;ttys;users;times, e.g. SSH for everyone except root, weekdays 08:00-17:00 only:
          sshd;*;!root;Wk0800-1700
        Field values:
          services  e.g. sshd, login
          ttys      e.g. tty*, ttyp*, or * for any
          users     user names or netgroups of users; ! negates
          times     day codes (Wk = weekdays, Wd = weekend, Al = all) followed by an HHMM-HHMM range
        sshd only consults this rule when it uses PAM (UsePAM yes in sshd_config).
  17. Putting it together for sshd: limit the number of concurrent sessions (pam_limits), allow access only at specific times (pam_time), only for specific users (pam_listfile), lock out after a maximum number of failed logins (pam_tally2) and audit user activity (pam_tty_audit). For su: only specific users may escalate their privileges (pam_succeed_if).
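The combined sshd policy can be checked mechanically. The following is an added example, not part of the original slides or of any PAM distribution: a shell lint over a PAM service file that flags a required or requisite entry placed below a sufficient one of the same type, an entry listed under a type the module does not implement, and a pam_listfile entry without onerr=fail. The sample files it writes are constructed from the slides' fragments (the "include system-auth" line is left out so the sample stands alone); the interface table and the three checks are this example's own and are not exhaustive.

```bash
#!/usr/bin/env bash
# Added example, not from the original slides or any PAM tool: a lint pass over
# a PAM service file for the mistakes the deck warns about (ordering, wrong
# interface, fail-open list). The sshd samples written by write_sample_configs
# are constructed from the slides' fragments on top of a minimal pam_unix stack.

# Interfaces each module provides, per the module man pages. Only the modules
# the slides use are listed; any other module is assumed to provide all four.
iface_of() {
    case "$1" in
        pam_time.so)      echo "account" ;;
        pam_limits.so)    echo "session" ;;
        pam_tty_audit.so) echo "session" ;;
        pam_timestamp.so) echo "auth session" ;;
        pam_tally2.so)    echo "auth account" ;;
        pam_cracklib.so)  echo "password" ;;
        pam_rootok.so)    echo "auth" ;;
        *)                echo "auth account password session" ;;
    esac
}

# pam_lint FILE: print one finding per line on stdout; always exits 0.
# Understands the "type control module [args]" form (not [value=action]
# brackets); comments, blank and unparsable lines are skipped.
pam_lint() {
    local file=$1 lineno=0 line type control module args seen_sufficient=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f     # -f keeps "disable=*" from globbing
        if [ $# -lt 3 ]; then
            echo "line $lineno: skipped, cannot parse: $line" >&2
            continue
        fi
        type=${1#-}; control=$2; module=$3; shift 3; args=" $* "
        # 1. required/requisite below a sufficient entry of the same type is
        #    never reached when that sufficient module succeeds.
        case " $seen_sufficient " in
            *" $type "*)
                if [ "$control" = required ] || [ "$control" = requisite ]; then
                    echo "line $lineno: $type $module is $control but follows a sufficient module; it is skipped whenever that module succeeds"
                fi ;;
        esac
        if [ "$control" = sufficient ]; then
            seen_sufficient="$seen_sufficient $type"
        fi
        # 2. The module must implement the interface it is listed under;
        #    otherwise the entry fails at runtime instead of enforcing anything.
        case " $(iface_of "$module") " in
            *" $type "*) ;;
            *) echo "line $lineno: $module does not provide a '$type' interface" ;;
        esac
        # 3. pam_listfile without onerr=fail returns success when the list file
        #    cannot be opened, so an allow list silently fails open.
        if [ "$module" = pam_listfile.so ]; then
            case "$args" in
                *" onerr=fail "*) ;;
                *) echo "line $lineno: pam_listfile.so without onerr=fail fails open if its list file cannot be read" ;;
            esac
        fi
    done < "$file"
    return 0
}

# pam_lint_count FILE: number of findings pam_lint reports
pam_lint_count() {
    pam_lint "$1" | grep -c '' || true
}

# write_sample_configs DIR: two constructed /etc/pam.d/sshd variants
write_sample_configs() {
    cat > "$1/sshd.good" <<'EOF'
# /etc/pam.d/sshd as assembled from the slides (constructed sample)
auth     required  pam_listfile.so item=user sense=allow file=/etc/ssh.allow onerr=fail
auth     required  pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     required  pam_unix.so
account  required  pam_tally2.so
account  required  pam_time.so
account  required  pam_unix.so
password required  pam_unix.so
session  required  pam_limits.so
session  required  pam_tty_audit.so disable=* enable=root
session  required  pam_unix.so
EOF
    cat > "$1/sshd.bad" <<'EOF'
# same controls, mis-ordered and fail-open (constructed sample)
auth     sufficient pam_unix.so
auth     required   pam_listfile.so item=user sense=allow file=/etc/ssh.allow onerr=succeed
auth     required   pam_tally2.so deny=4 even_deny_root unlock_time=1200
session  required   pam_time.so
EOF
}

# Stand-alone demo
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in "$demo_dir/sshd.good" "$demo_dir/sshd.bad"; do
    echo "== ${f##*/}: $(pam_lint_count "$f") finding(s)"
    pam_lint "$f"
done
rm -rf "$demo_dir"
```

Run against a real service file with `pam_lint /etc/pam.d/sshd`; on a stock RHEL-style file the auth stack is mostly pulled in through "auth include system-auth", so the sufficient pam_unix.so line that check 1 looks for lives in that included file, and any restrictive required entry must sit above the include line rather than below it.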
  18. References:
        http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-pam.html
        http://www.informit.com/articles/article.aspx?p=20968
        Linux man pages (pam.conf(5), pam.d(5) and the individual module pages)
      Contact: Eng.Qandeel@gmail.com
