Radix cross Linux

The main Radix cross Linux repository contains the build scripts of packages, which have the most complete and common functionality for desktop machines

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>

<div style="padding: 0 1.5em; text-align: justify;">
<h3>PAM Explanation</h3>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The Pluggable Authentication Modules system allows an administrator 
to fully control how authentication is done on a system, and relieves a 
developer from implementing all kinds of authentication mechanisms.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The "old" way of doing authentication is through /etc/passwd, which 
contained the username, uid and password. As long as everybody used 
/etc/passwd there was no problem, but when different schemes came into 
play, like NIS, Kerberos, LDAP, and even the shadow system, it meant 
that developers needed to support all these different ways in their 
product, which created an enormous amount of duplicated code and a lot of 
overhead for the developers. To overcome this issue PAM was created. 
PAM provides a single interface for the developer to talk to. It just 
tells an application if a user is allowed or not, meaning that the 
developer only has to support PAM.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>By means of modules the administrator can change on the fly, e.g., 
the login policy for a certain system from /etc/passwd to Kerberos 
without the users or applications noticing the change. And as long as 
all programs on a certain system that are responsible for user authentication 
work with PAM, all should be fine.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<table border="0">
<tbody><tr><td align="center" bgcolor="#ffeedd">login</td>
    <td align="center" bgcolor="#ddccbb">ftp</td>
    <td align="center" bgcolor="#bbaa99">telnet</td>
    <td align="center" bgcolor="#998877">ssh</td></tr>
<tr><td colspan="4" align="center" bgcolor="#fedcba">PAM API</td></tr>
<tr><td colspan="2" align="center" bgcolor="#fedcba">PAM library</td>
    <td colspan="2" align="center" bgcolor="#fedcba">PAM configuration</td></tr>
<tr><td colspan="4" align="center" bgcolor="#fedcba">PAM SPI</td></tr>
<tr><td bgcolor="#dcba98">account checks</td>
    <td bgcolor="#ba9876">authentication</td>
    <td bgcolor="#987654">session management</td>
    <td bgcolor="#765432">password management</td></tr>
</tbody></table>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>As said, PAM is a modular system, hence the name. The 
configuration of PAM can be done in two different ways. You could have 
one long configuration file, or you could have a /etc/pam.d directory 
which contains several files for the configuration. This document will 
only discuss the /etc/pam.d variant.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>Within the /etc/pam.d directory there are files for every program 
that needs authentication. In each file there are rules for that 
specific service. Of course there would be a lot of duplication if you 
created rules specific to every service, since most services will use 
the same way of authentication. To solve this issue there is an include 
statement that you can use in the configuration files:</p>
<pre>auth include file
</pre>
<p>which includes the auth section from the mentioned file.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>On Red Hat based systems the included file is often system-auth, 
while on Debian based systems you have a common-* file per "type" in the 
configuration file.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The "type" mentioned is the first column in the configuration file. The complete syntax for the file is:
</p>
<pre>type  control  module-path  module-arguments</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The type can be:</p>
<table border="1">
<tbody><tr>
    <th>Type</th>
    <th>Function</th>
    <th>Description</th>
    </tr>
<tr>
    <td>account</td>
    <td>pam_acct_mgmt</td>
    <td>Tests if the user is allowed to access the service, meaning if 
the password is not expired, if the user is allowed during this time of 
day, if the load is not too high, etc.</td>
    </tr>
<tr>
    <td rowspan="2">auth</td>
    <td>pam_authenticate</td>
    <td>This is the actual authentication. In the good old fashioned way 
it means that the password is checked to see if the user is who he or 
she claims to be.</td>
    </tr>
<tr>
    <td>pam_setcred</td>
    <td>Sets UID, GID and limits</td>
    </tr>
<tr>
    <td rowspan="2">session</td>
    <td>pam_open_session</td>
    <td>Things that should be done when the user is authenticated, and thus logs in.</td>
    </tr>
<tr>
    <td>pam_close_session</td>
    <td>Things that should be done when the user logs off.</td>
    </tr>
<tr>
    <td>password</td>
    <td>pam_chauthtok</td>
    <td>Used when the user wants to change the authentication credentials (password). Checks password length, strength, etc.</td>
    </tr>
</tbody></table>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>Per type you can have multiple lines. So you can have "stacked" 
modules that describe what should be done, or to what rules the username 
and credentials should comply, before a user is authenticated to the 
system.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The second column in our configuration file is the "control" column. 
This field tells PAM what it should do when the module reports a failure. 
This field can be:
</p>
</div>
<div style="padding: 0 1.5em; text-align: justify;">
<dl>
<dt>[value1=action1 value2=action2 ...]</dt>
    <dd><p>PAM started with some predefined actions, which are described 
below. The use of [...] in the control field is a later addition that 
gives you full control of PAM's actions. The list below is split in two 
parts: those that are relevant for system administrators and those that 
are needed for debugging modules. Within the remainder of this document 
we are only concerned with the administrators' part.</p>
	<p>For system administrators:
	</p><dl>
	    <dt>abort</dt>
		<dd>Critical error (?module fail now request)</dd>
	    <dt>acct_expired</dt>
		<dd>User account has expired</dd>
	    <dt>auth_err</dt>
		<dd>Authentication failure</dd>
	    <dt>authinfo_unavail</dt>
		<dd>Underlying authentication service can not retrieve authentication information</dd>
	    <dt>authtok_err</dt>
		<dd>Authentication token manipulation error</dd>
	    <dt>authtok_expired</dt>
		<dd>User's authentication token has expired</dd>
	    <dt>authtok_disable_aging</dt>
		<dd>Authentication token aging disabled</dd>
	    <dt>authtok_recover_err</dt>
		<dd>Authentication information cannot be recovered</dd>
	    <dt>cred_err</dt>
		<dd>Failure setting user credentials</dd>
	    <dt>cred_expired</dt>
		<dd>User credentials expired</dd>
	    <dt>cred_insufficient</dt>
		<dd>Can not access authentication data due to insufficient credentials</dd>
	    <dt>cred_unavail</dt>
		<dd>Underlying authentication service can not retrieve user credentials</dd>
	    <dt>default</dt>
		<dd>All values not explicitly mentioned</dd>
	    <dt>ignore</dt>
		<dd>Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient</dd>
	    <dt>maxtries</dt>
		<dd>An authentication service has maintained a retry count which has been reached.  No further retries should be attempted</dd>
	    <dt>module_unknown</dt>
		<dd>Module is not known</dd>
	    <dt>new_authtok_reqd</dt>
		<dd>New authentication token required. This is normally returned if 
the machine security policies require that the password should be 
changed because the password is NULL or it has aged</dd>
	    <dt>perm_denied</dt>
		<dd>Permission denied</dd>
	    <dt>session_err</dt>
		<dd>Can not make/remove an entry for the specified session</dd>
	    <dt>success</dt>
		<dd>Successful function return</dd>
	    <dt>try_again</dt>
		<dd>Preliminary check by password service</dd>
	    <dt>user_unknown</dt>
		<dd>User not known to the underlying authentication module</dd>
	</dl>

	<p>Debugging modules:
	</p><dl>
	    <dt>authtok_lock_busy</dt>
		<dd>Authentication token lock busy</dd>
	    <dt>bad_item</dt>
		<dd>Bad item passed to pam_*_item()</dd>
	    <dt>buf_err</dt>
		<dd>Memory buffer error</dd>
	    <dt>conv_again</dt>
		<dd>Conversation function is event driven and data is not available yet</dd>
	    <dt>conv_err</dt>
		<dd>Conversation error</dd>
	    <dt>incomplete</dt>
		<dd>Please call this function again to complete the authentication stack. Before calling again, verify that the conversation is completed</dd>
	    <dt>no_module_data</dt>
		<dd>No module specific data is present</dd>
	    <dt>open_err</dt>
		<dd>The module could not be loaded</dd>
	    <dt>service_err</dt>
		<dd>Error in service module</dd>
	    <dt>symbol_err</dt>
		<dd>Symbol not found</dd>
	    <dt>system_err</dt>
		<dd>System error</dd>
	</dl>
	<p>The action part can be any of:
	</p><dl>
	<dt>ignore</dt>
	    <dd>The return status will not contribute to the return code.</dd>
	<dt>bad</dt>
	    <dd>The return status is set to fail.</dd>
	<dt>die</dt>
	    <dd>The return status is set to fail, the stack is terminated immediately and the return status is reported to the application.</dd>
	<dt>ok</dt>
	    <dd>If the module fails, the total stack state will be fail; if 
the stack was already fail, the return code of this module will do 
nothing.</dd>
	<dt>done</dt>
	    <dd>Same as ok, but with direct termination of the stack.</dd>
	<dt>reset</dt>
	    <dd>Clear all memory of the state of the module stack and start again with the next module.</dd>
	</dl>
   </dd>
<dt><span style="font-weight:bold; color:black">requisite</span> ([success=ok new_authtok_reqd=ok ignore=ignore default=die])</dt>
    <dd>When the module reports failure, the user gets denied 
immediately, meaning that e.g. a non-existent username can immediately 
be denied. The downside is that an attacker knows that the username is 
invalid.</dd>
<dt><span style="font-weight:bold; color:black">required</span> ([success=ok new_authtok_reqd=ok ignore=ignore default=bad])</dt>
    <dd>When the module reports failure, the user gets denied after 
all other lines in the type-section are checked. The reason that even 
when the user is denied access all other lines are checked has to do 
with system response. By checking all other lines a possible attacker has 
no clue which module created the denial state, which makes it harder 
for the attacker to create an alternative attack method.</dd>
<dt><span style="font-weight:bold; color:black">sufficient</span> ([success=done new_authtok_reqd=done default=ignore])</dt>
    <dd>If no status is set by a previous required module and this 
module reports success, the PAM framework returns success to the 
application immediately without trying any other modules. A failure 
means that the remaining lines are checked.</dd>
<dt><span style="font-weight:bold; color:black">optional</span> ([success=ok new_authtok_reqd=ok default=ignore])</dt>
    <dd>According to the pam(8) manpage, this will only cause an operation to fail if it's the only module in the stack for that facility.</dd>
</dl>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The third field in the configuration is the "module-path". This tells 
PAM which module to use and, most of the time, the path where the module is found. 
According to the LFS, the modules should be located in /lib/security. 
However, the PAM default is /usr/lib/security.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>The last field is the "module-arguments", which varies per module.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<h3>PAM examples</h3>
<p>The examples below are a mix of Debian, Red Hat and CentOS system configurations, mixed with additional features.</p>

<p>The following examples are tested with login and with sshd. Whether 
you should replace the system-auth (RHEL) or common-* (Debian) files with 
them is not known.</p>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<h4>Example: Be a minimal plain old Unix replacement</h4>
<p>To act as a normal Unix machine using /etc/passwd, /etc/shadow and 
/etc/group we use pam_unix.so. We need this anyway to support the 
system accounts of our system, like root.</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
# Per default the pam_unix.so module treats empty password fields as
# disabled accounts. The "nullok" option overrides this behaviour.
# To disable an account according to CERT policies, change the
# password field to * and set the login shell to /bin/false.
#
# The "md5" option enables MD5 passwords.  Without this option, the
# default is Unix crypt.
auth		sufficient	pam_unix.so nullok
auth		required	pam_deny.so

account		required	pam_unix.so
account		required	pam_permit.so

session		required	pam_unix.so

# NOT tested
password	sufficient	pam_unix.so shadow nullok md5
password	required	pam_deny.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<h4>Example: plain old Unix towards PAM-only control</h4>
<p>Especially for the login functionality, there are a couple of 
"native" files that give a system administrator control of who is 
allowed to do what from where with which restrictions. The first ones 
that you will probably know are the hosts.allow and hosts.deny files. 
But also /etc/securetty, /etc/login.defs, and a couple more. If we want 
to control everything through PAM we have to adjust our stack a little 
bit.</p>

<p>Let's start with the auth section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
# Load the /etc/security/pam_env.conf file. Just to be sure
auth		required	pam_env.so

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth		optional	pam_faildelay.so delay=3000000

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth		requisite	pam_nologin.so

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth		[success=ok ignore=ignore user_unknown=ignore default=die]	pam_securetty.so

# Check if the user's shell exists
# (Uses /etc/shells)
auth		required	pam_shells.so

# Outputs an issue file prior to each login prompt
# (Replaces the ISSUE_FILE option from login.defs).
auth		optional	pam_issue.so issue=/etc/issue

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth		optional	pam_group.so

auth		sufficient	pam_unix.so nullok
auth		required	pam_deny.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>Next we adjust the account section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
# Edit /etc/security/time.conf if you need to set time
# restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
account		requisite	pam_time.so

# Edit /etc/security/access.conf if you need to set
# access limits.
# (Replaces /etc/login.access file)
account		required	pam_access.so

account		required	pam_unix.so
account		required	pam_permit.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>Then the session section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.

# Backwards compatibility for /etc/environment
session		required	pam_env.so readenv=1 envfile=/etc/environment

# Setting the locale or i18n settings
# Debian: locale variables are also kept into /etc/default/locale in etch
#         reading this file *in addition to /etc/environment* does not hurt
# RHEL:   locale variables are kept in /etc/sysconfig/i18n
#
# Debian: session       required   pam_env.so readenv=1 envfile=/etc/default/locale
# RHEL: session       required   pam_env.so readenv=1 envfile=/etc/sysconfig/i18n

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session		required	pam_limits.so

# Sets the umask
# (Replaces UMASK setting in login.defs)
# Does not seem to have any influence on the umask...
# needs more testing
session		optional	pam_umask.so umask=0077

# The following two options report some additional
# information when a user logs in. sshd also reports
# this information, so to prevent duplicate messages
# set in sshd_config:
# PrintLastLog no
# PrintMotd no
# (Replaces the `LASTLOG_ENAB' and `MOTD_FILE' options
# from login.defs)
session		optional	pam_lastlog.so
session		optional	pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session		optional	pam_mail.so standard

# Create home dir if it does not exist on login
session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0022

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so select_context
# Did NOT test this:
# session         required        pam_unix.so

session		required	pam_unix.so
</pre>
</div>
<div style="padding: 0 1.5em; text-align: justify;">
<p>And last the password section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#

# This is NOT tested

password	required	pam_cracklib.so retry=3 minlen=6 difok=3
password	required	pam_unix.so use_authtok nullok md5
password	required	pam_deny.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<h4>Example: migrate to ldap</h4>
<p>This section builds on the previous one, but adds LDAP support. We 
assume that users having a UID above 500 are in LDAP and all others are 
in the default files (passwd, shadow, group). The password for the users 
in LDAP is also placed in LDAP.</p>

<p>One extra feature supported is the fact that we need to be able to 
log in to our servers with a normal Unix account (root) when there is 
trouble with LDAP.</p>

<p>Let's start with the auth section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
auth		required	pam_env.so
auth		optional	pam_faildelay.so delay=3000000
auth		requisite	pam_nologin.so
auth		[success=ok ignore=ignore user_unknown=ignore default=die]	pam_securetty.so
auth		required	pam_shells.so
auth		optional	pam_issue.so issue=/etc/issue
auth		optional	pam_group.so

# We assume that UIDs above 500 are in LDAP
# If LDAP fails we want to still be able to login through local accounts
auth		sufficient	pam_unix.so nullok
auth		requisite	pam_succeed_if.so uid &gt;= 500 quiet
auth		sufficient	pam_ldap.so use_first_pass
auth		required	pam_deny.so
</pre>
</div>
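<div style="padding: 0 1.5em; text-align: justify;">
<p>The following Python script is an added example; it is not part of the original document and not code from Linux-PAM. It parses lines in the "type control module-path module-arguments" syntax given above, expands the requisite/required/sufficient/optional keywords to the [value=action] forms listed in the control section, and walks the auth stack of the "migrate to ldap" example above with constructed module results, so the effect of die and done (which module is asked last, and what the application is told) can be checked without a running system. The module return values are assumptions made for the demonstration.</p>
</div>

```python
"""Walk a Linux-PAM stack the way the control field described above works.

Added example, not code from the Radix cross Linux docs or from Linux-PAM:
the keyword expansions and the ok/bad/die/done/ignore/reset actions are the
ones the text gives (jumps are left out); the module results are constructed.
"""

# Keyword controls and their [value=action] equivalents, as listed above.
KEYWORDS = {
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(field):
    """Turn a keyword or bracket control field into a value->action dict."""
    field = KEYWORDS.get(field, field)
    if not (field.startswith("[") and field.endswith("]")):
        raise ValueError("unknown control field: %r" % field)
    return dict(pair.split("=", 1) for pair in field[1:-1].split())


def parse_stack(text, section):
    """Parse 'type control module-path module-arguments' lines of one type.
    A bracket control contains spaces, so it is re-joined before the module
    path is read; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        typ, rest = fields[0], fields[1:]
        if rest[0].startswith("["):
            end = next(i for i, f in enumerate(rest) if f.endswith("]"))
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if typ == section:
            rules.append((parse_control(control), rest[0], rest[1:]))
    return rules


def run_stack(rules, results):
    """Apply each rule's action to the value its module returns.
    `results` maps module name -> returned value ("success", "auth_err",
    "user_unknown", ...); unlisted modules succeed. Returns (final value,
    modules actually called) so termination by die/done is visible."""
    state = None                      # no verdict recorded yet
    called = []
    for table, module, _args in rules:
        called.append(module)
        value = results.get(module, "success")
        action = table.get(value, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            state = None
            continue
        if action not in ("ok", "done", "bad", "die"):
            raise ValueError("unsupported action: %r" % action)
        # The first failure is kept: a later module only overrides the
        # stack state while it still stands at success (the text's "ok").
        if state in (None, "success"):
            state = value
        if action == "die" or (action == "done" and state == "success"):
            break                     # die always stops; done stops on success
    # No module contributed a verdict (e.g. only a failing optional module):
    # Linux-PAM then reports permission denied rather than success.
    return (state or "perm_denied"), called


# The auth section of the "migrate to ldap" example above, tabs as spaces.
LDAP_AUTH = """
auth required pam_env.so
auth optional pam_faildelay.so delay=3000000
auth requisite pam_nologin.so
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth required pam_shells.so
auth optional pam_issue.so issue=/etc/issue
auth optional pam_group.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""


def login(results, text=LDAP_AUTH):
    """Run one constructed set of module results through the auth stack."""
    return run_stack(parse_stack(text, "auth"), results)


if __name__ == "__main__":
    # root while LDAP is down: pam_unix answers first, pam_ldap is never asked.
    print(login({"pam_ldap.so": "authinfo_unavail"}))
    # LDAP user (uid >= 500) with the right password.
    print(login({"pam_unix.so": "user_unknown"}))
    # Local user, wrong password: requisite pam_succeed_if stops the stack
    # before LDAP is consulted, and the application sees that module's value.
    print(login({"pam_unix.so": "auth_err", "pam_succeed_if.so": "auth_err"}))
    # /etc/nologin present: requisite stops at once, required runs the whole
    # stack and returns the same verdict, hiding which line denied the user.
    print(login({"pam_nologin.so": "auth_err"}))
    print(login({"pam_nologin.so": "auth_err"},
                LDAP_AUTH.replace("requisite pam_nologin", "required pam_nologin")))
```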

<div style="padding: 0 1.5em; text-align: justify;">
<p>Next we adjust the account section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
account		requisite	pam_time.so
account		required	pam_access.so

# If the user id is below 500 end the account section, if LDAP fails
# we can still login with a local account
account		required	pam_unix.so
account		sufficient	pam_succeed_if.so uid &lt; 500 quiet
account		[default=bad success=ok user_unknown=ignore]	pam_ldap.so
account		required	pam_permit.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>Then the session section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
session		required	pam_env.so readenv=1 envfile=/etc/environment
session		required	pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
session		required	pam_limits.so
session		optional	pam_umask.so umask=0077
session		optional	pam_lastlog.so
session		optional	pam_motd.so
session		optional	pam_mail.so standard
session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0022

session		required	pam_unix.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<p>And last the password section:</p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
# This is NOT tested
# We need pam_ldap.so to set the password in LDAP
# Additional rules we might need:
# password    sufficient    pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
# password    sufficient    pam_ldap.so

password	required	pam_cracklib.so retry=3 minlen=6 difok=3
password	sufficient	pam_unix.so use_authtok md5
password	required	pam_ldap.so use_authtok
password	required	pam_deny.so
</pre>
</div>

<div style="padding: 0 1.5em; text-align: justify;">
<h4>Example: add kerberos support</h4>
<p>Only tested with LDAP, kerberos still needs testing.</p>

<p>This example expands the above one with kerberos. The users above 
UID 500 are still in LDAP, but their password is stored in kerberos.</p>

<p>NOTE: Debian supplies: <a href="http://www.eyrie.org/%7Eeagle/software/pam-krb5/">http://www.eyrie.org/~eagle/software/pam-krb5/</a><br>
RHEL supplies: <a href="http://people.redhat.com/nalin/pam_krb5/">http://people.redhat.com/nalin/pam_krb5/</a></p>
</div>

<div style="padding: 0 1.5em; text-align: left;">
<pre>
auth		required	pam_env.so
auth		optional	pam_faildelay.so delay=3000000
auth		requisite	pam_nologin.so
auth		[success=ok ignore=ignore user_unknown=ignore default=die]	pam_securetty.so
auth		required	pam_shells.so
auth		optional	pam_issue.so issue=/etc/issue
auth		optional	pam_group.so

# pam_ldap.so is in here for migration purposes, when all your
# users are kerberized you can remove the pam_ldap.so line
auth		sufficient	pam_unix.so nullok try_first_pass
auth		requisite	pam_succeed_if.so uid &gt;= 500 quiet
auth		sufficient	pam_ldap.so use_first_pass
auth		sufficient	pam_krb5.so use_first_pass
auth		required	pam_deny.so

account		requisite	pam_time.so
account		required	pam_access.so

account		sufficient	pam_unix.so broken_shadow
account		sufficient	pam_succeed_if.so uid &lt; 500 quiet
account		required	pam_ldap.so
account		[default=bad success=ok user_unknown=ignore]	pam_krb5.so
account		required	pam_permit.so

session		required	pam_env.so readenv=1 envfile=/etc/environment
session		required	pam_env.so readenv=1 envfile=/etc/sysconfig/i18n
session		required	pam_limits.so
session		optional	pam_umask.so umask=0077
session		optional	pam_lastlog.so
session		optional	pam_motd.so
session		optional	pam_mail.so standard
session		required	pam_mkhomedir.so skel=/etc/skel/ umask=0022

# pam_ldap.so for session?
session		optional	pam_keyinit.so revoke
session		required	pam_unix.so
session		optional	pam_krb5.so minimum_uid=500

# Set password in krb database
password	requisite	pam_cracklib.so try_first_pass retry=3
password	sufficient	pam_unix.so md5 shadow nullok use_authtok
password	required	pam_krb5.so use_authtok clear_on_fail
password	required	pam_deny.so
</pre>
</div>
</body>
</html>