{"id":12022,"date":"2019-03-21T03:18:24","date_gmt":"2019-03-21T03:18:24","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12022"},"modified":"2019-03-21T03:18:24","modified_gmt":"2019-03-21T03:18:24","slug":"how-to-configure-and-use-pam-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/21\/how-to-configure-and-use-pam-in-linux\/","title":{"rendered":"How to Configure and Use PAM in Linux"},"content":{"rendered":"<p><strong>Linux-PAM<\/strong>\u00a0(short for\u00a0<strong>Pluggable Authentication Modules<\/strong>\u00a0which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system.<\/p>\n<p>It integrates multiple low-level authentication modules into a high-level API that provides dynamic authentication support for applications. This allows developers to write applications that require authentication, independently of the underlying authentication system.<\/p>\n<p>Many modern Linux distributions support\u00a0<strong>Linux-PAM<\/strong>\u00a0(hereinafter referred to as \u201c<strong>PAM<\/strong>\u201d) by default. In this article, we will explain how to configure advanced\u00a0<strong>PAM<\/strong>\u00a0in\u00a0<strong>Ubuntu<\/strong>\u00a0and\u00a0<strong>CentOS<\/strong>\u00a0systems.<\/p>\n<p>Before we proceed any further, note that:<\/p>\n<ul>\n<li>As a system administrator, the most important thing is to master how PAM configuration file(s) define the connection between applications (services) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks. You don\u2019t necessarily need to understand the internal working of PAM.<\/li>\n<li>PAM has the potential to seriously alter the security of your Linux system. Erroneous configuration can disable access to your system partially, or completely. 
For instance, accidentally deleting configuration file(s) under\u00a0<strong>\/etc\/pam.d\/*<\/strong>\u00a0and\/or\u00a0<strong>\/etc\/pam.conf<\/strong>\u00a0can lock you out of your own system, so keep a root shell open and test logins from a second session while you edit these files.<\/li>\n<\/ul>\n<h3>How to Check a Program is PAM-aware<\/h3>\n<p>To employ\u00a0<strong>PAM<\/strong>, an application\/program needs to be \u201c<strong>PAM aware<\/strong>\u201d; it needs to have been written and compiled specifically to use PAM. To find out whether a program is \u201c<strong>PAM-aware<\/strong>\u201d, check if it has been linked against the PAM library using the\u00a0<strong>ldd command<\/strong>.<\/p>\n<p>For example sshd:<\/p>\n<pre>$ sudo ldd \/usr\/sbin\/sshd | grep libpam.so\r\n\r\n\t<strong>libpam.so.0 =&gt; \/lib\/x86_64-linux-gnu\/libpam.so.0 (0x00007effddbe2000)<\/strong>\r\n<\/pre>\n<p>Note that\u00a0<strong>ldd<\/strong>\u00a0may run the dynamic loader on the binary you pass it, so only use it on binaries you trust; <code>objdump -p \/usr\/sbin\/sshd | grep NEEDED<\/code> lists the same shared-library dependencies without executing anything.<\/p>\n<h3>How to Configure PAM in Linux<\/h3>\n<p>The main configuration file for\u00a0<strong>PAM<\/strong>\u00a0is\u00a0<strong>\/etc\/pam.conf<\/strong>, and the\u00a0<strong>\/etc\/pam.d\/<\/strong>\u00a0directory contains one PAM configuration file per PAM-aware application\/service. If the\u00a0<strong>\/etc\/pam.d\/<\/strong>\u00a0directory exists, PAM ignores\u00a0<strong>\/etc\/pam.conf<\/strong>\u00a0entirely, which is the case on current Ubuntu and CentOS systems.<\/p>\n<p>The syntax for the main configuration file is as follows. The file is made up of a list of rules, each written on a single line (a rule can be continued onto the next line with the\u00a0<code>\u201c\\\u201d<\/code>\u00a0escape character), and comments are preceded with\u00a0<code>\u201c#\u201d<\/code>\u00a0marks and extend to the end of the line.<\/p>\n<p>The format of each rule is a space separated collection of tokens (the first three are case-insensitive).<\/p>\n<p>
We will explain these tokens in subsequent sections.<\/p>\n<pre>service type control-flag module module-arguments \r\n<\/pre>\n<p>where:<\/p>\n<ul>\n<li><strong>service<\/strong>: the name of the application (service) the rule applies to, e.g.\u00a0<strong>sshd<\/strong>\u00a0or\u00a0<strong>login<\/strong>; the special name\u00a0<strong>other<\/strong>\u00a0supplies default rules for any service without a configuration of its own.<\/li>\n<li><strong>type<\/strong>: module type\/context\/interface (the management group, see below).<\/li>\n<li><strong>control-flag<\/strong>: indicates how the PAM library should treat the module\u2019s result, in particular what happens to the rest of the stack when the module fails.<\/li>\n<li><strong>module<\/strong>: the absolute filename of the PAM module, or a pathname relative to the module directory.<\/li>\n<li><strong>module-arguments<\/strong>: space separated list of tokens for controlling module behavior.<\/li>\n<\/ul>\n<p>The syntax of each file in\u00a0<strong>\/etc\/pam.d\/<\/strong>\u00a0is similar to that of the main file, except that the service name is taken from the file name, so each line has the following form:<\/p>\n<pre>type control-flag module module-arguments\r\n<\/pre>\n<p>This is an example of a rule definition (without module-arguments) found in the\u00a0<strong>\/etc\/pam.d\/sshd<\/strong>\u00a0file, which disallows non-root logins when\u00a0<strong>\/etc\/nologin<\/strong>\u00a0exists:<\/p>\n<pre>account required pam_nologin.so\r\n<\/pre>\n<h3>Understanding PAM Management Groups and Control-flags<\/h3>\n<p><strong>PAM<\/strong>\u00a0authentication tasks are separated into four independent management groups.<\/p>\n<p>
These groups manage different aspects of a typical user\u2019s request for a restricted service.<\/p>\n<p>A module is associated with one of these management group types (the keyword used in the configuration files is given in brackets):<\/p>\n<ul>\n<li><strong>account<\/strong>\u00a0(<code>account<\/code>): provides account verification that is independent of how the user authenticated: has the user\u2019s password expired? Is this user permitted to access the requested service at this time?<\/li>\n<li><strong>authentication<\/strong>\u00a0(<code>auth<\/code>): authenticates a user (for example by asking for a password) and sets up user credentials such as group memberships.<\/li>\n<li><strong>password<\/strong>\u00a0(<code>password<\/code>): responsible for updating the user\u2019s authentication token (password); these modules work together with the authentication modules.<\/li>\n<li><strong>session<\/strong>\u00a0(<code>session<\/code>): manages actions performed at the beginning and end of a session, such as mounting home directories, applying resource limits or logging.<\/li>\n<\/ul>\n<p><strong>PAM<\/strong>\u00a0loadable object files (the modules) live in the module directory, which is\u00a0<strong>\/lib\/security\/<\/strong>\u00a0or\u00a0<strong>\/lib64\/security\/<\/strong>\u00a0on CentOS depending on the architecture, and\u00a0<strong>\/lib\/x86_64-linux-gnu\/security\/<\/strong>\u00a0on multiarch Ubuntu. A module given by bare file name in a rule is looked up there.<\/p>\n<p>The supported\u00a0<strong>control-flags<\/strong>\u00a0are:<\/p>\n<ul>\n<li><strong>requisite<\/strong>: failure instantly returns control to the application indicating the nature of the first module failure; no further modules in the stack are run.<\/li>\n<li><strong>required<\/strong>: all modules flagged required must succeed for\u00a0<strong>libpam<\/strong>\u00a0to return success to the application. Unlike requisite, a failure does not stop the stack: the remaining modules still run (so that, for example, a password is still prompted for and an attacker learns nothing from where the stack stopped), and the error reported is that of the first required module that failed.<\/li>\n<li><strong>sufficient<\/strong>: given that no preceding required module has failed, the success of this module leads to an immediate and successful return to the application, and the remaining modules are not run. Failure of this module is ignored, and its success cannot override an earlier required failure.<\/li>\n<li><strong>optional<\/strong>: the success or failure of this module only matters if it is the only module in the stack for this service and type.<\/li>\n<\/ul>\n<p>In addition to the above keywords, there are two other valid control flags:<\/p>\n<ul>\n<li><strong>include<\/strong>: include all lines of the given type from the configuration file specified as an argument to this control, as if they had been written in place.<\/li>\n<li><strong>substack<\/strong>: include all lines of the given type from the configuration file specified as an argument to this control, with one difference from include: die and done actions inside the substack only terminate the substack, not the whole stack, and a jump in the parent stack counts the whole substack as one module.<\/li>\n<\/ul>\n<h3>How to Restrict root Access to SSH Service Via PAM<\/h3>\n<p>As an example, we will use PAM to\u00a0<a href=\"https:\/\/www.tecmint.com\/disable-ssh-root-login-in-linux\/\" target=\"_blank\" rel=\"noopener\">disable root user access to a system via SSH<\/a>\u00a0and the console login program, by restricting access to the login and sshd services. For SSH the usual control is <code>PermitRootLogin no<\/code> in\u00a0<strong>\/etc\/ssh\/sshd_config<\/strong>; the PAM rule below complements it and also covers other PAM-aware login paths.<\/p>\n<p>We can use the\u00a0<strong>pam_listfile.so<\/strong>\u00a0module, which offers great flexibility in allowing or denying access to specific users, groups, ttys or hosts based on a list kept in a file. Open the file for the target service in the\u00a0<strong>\/etc\/pam.d\/<\/strong>\u00a0directory as shown.<\/p>\n<pre>$ sudo vim \/etc\/pam.d\/sshd\r\nOR\r\n$ sudo vim \/etc\/pam.d\/login\r\n<\/pre>\n<p>Add this rule at the top of the\u00a0<strong>auth<\/strong>\u00a0stack in both files, before any\u00a0<strong>sufficient<\/strong>\u00a0or\u00a0<strong>include<\/strong>\u00a0line, so that it is evaluated before anything that could grant access:<\/p>\n<pre>auth    required       pam_listfile.so \\\r\n        onerr=succeed  item=user  sense=deny  file=\/etc\/ssh\/deniedusers\r\n<\/pre>\n<p>Explaining the tokens in the above rule:<\/p>\n<ul>\n<li><strong>auth<\/strong>: is the module type (or context).<\/li>\n<li><strong>required<\/strong>: is a control-flag that means if the module is used, it must pass or the overall result will be fail, regardless of the status of other modules.<\/li>\n<li><strong>pam_listfile.so<\/strong>: is a module which provides a way to deny or allow services based on an arbitrary file.<\/li>\n<li><strong>onerr=succeed<\/strong>: module argument which tells the module what to return if something goes wrong, such as the list file being missing or unreadable. With <code>onerr=succeed<\/code> an error counts as success, so if\u00a0<strong>\/etc\/ssh\/deniedusers<\/strong>\u00a0disappears the deny list silently stops applying and root can log in again. For a deny list, <code>onerr=fail<\/code> is the safer, fail-closed choice; use succeed only if you would rather lose the restriction than risk locking everyone out.<\/li>\n<li><strong>item=user<\/strong>: module argument which specifies what is listed in the file and should be checked for (other values include <code>tty<\/code>, <code>rhost<\/code>, <code>ruser<\/code>, <code>group<\/code> and <code>shell<\/code>).<\/li>\n<li><strong>sense=deny<\/strong>: module argument which specifies the action to take if the item is found in the file; if the item is NOT found in the file, the opposite action is taken. With <code>sense=allow<\/code> the file becomes an allow list and everyone not in it is denied.<\/li>\n<li><strong>file=\/etc\/ssh\/deniedusers<\/strong>: module argument which specifies the file containing one item per line.<\/li>\n<\/ul>\n<p>Next, we need to create the\u00a0
file\u00a0<strong>\/etc\/ssh\/deniedusers<\/strong>\u00a0and add the name\u00a0<strong>root<\/strong>\u00a0in it, one user name per line:<\/p>\n<pre>$ sudo vim \/etc\/ssh\/deniedusers\r\n<\/pre>\n<p>Save the changes and close the file, then make sure it is owned by root and readable only by root. pam_listfile refuses to use a list file that is world-writable or not a regular file, and with <code>onerr=succeed<\/code> that refusal would silently disable the check:<\/p>\n<pre>$ sudo chmod 600 \/etc\/ssh\/deniedusers\r\n<\/pre>\n<p>From now on, the above rule will tell PAM to consult the\u00a0<strong>\/etc\/ssh\/deniedusers<\/strong>\u00a0file and deny access to the SSH and login services for any listed user. Test it from a second session before closing your current root shell: <code>ssh root@localhost<\/code> should now be refused even with the correct password, while an unlisted user still logs in.<\/p>\n<h3>How to Configure Advanced PAM in Linux<\/h3>\n<p>To write more complex PAM rules, you can replace the control-flag keyword with an explicit list of return values and the action to take for each, in the following form:<\/p>\n<pre>type [value1=action1 value2=action2 \u2026] module module-arguments\r\n<\/pre>\n<p>Where\u00a0<strong>valueN<\/strong>\u00a0is a return code of the function invoked in the module for which the line is defined, written in lower case without the <code>PAM_<\/code> prefix, e.g. <code>success<\/code>, <code>auth_err<\/code>, <code>user_unknown<\/code> or <code>new_authtok_reqd<\/code>. You can find the full list of supported values in the on-line\u00a0<a href=\"http:\/\/linux-pam.org\/Linux-PAM-html\/Linux-PAM_SAG.html\" target=\"_blank\" rel=\"nofollow noopener\">PAM Administrator\u2019s Guide<\/a>. A special value is default, which stands for all valueN\u2019s not mentioned explicitly; a return value that is neither listed nor covered by default is treated as bad.<\/p>\n<p>The\u00a0<strong>actionN<\/strong>\u00a0can take one of the following forms:<\/p>\n<ul>\n<li><strong>ignore<\/strong>: if this action is used with a stack of modules, the module\u2019s return status will not contribute to the return code the application obtains.<\/li>\n<li><strong>bad<\/strong>: indicates that the return code should be thought of as indicative of the module failing.\u00a0
If this module is the first in the stack to fail, its status value will be used for that of the whole stack.<\/li>\n<li><strong>die<\/strong>: equivalent to bad, but terminates the module stack so that PAM immediately returns to the application.<\/li>\n<li><strong>ok<\/strong>: this instructs PAM that the system administrator thinks this return code should contribute directly to the return code of the full stack of modules. If the stack is already in a failed state, this module\u2019s return code does not override that failure.<\/li>\n<li><strong>done<\/strong>: equivalent to\u00a0<strong>ok<\/strong>, but terminates the module stack so that PAM immediately returns to the application; if an earlier module has already put the stack in a failed state, the failure stands and evaluation continues.<\/li>\n<li><strong>N (an unsigned integer)<\/strong>: equivalent to\u00a0<strong>ok<\/strong>\u00a0with the side effect of jumping over the next\u00a0<strong>N<\/strong>\u00a0modules in the stack. This is how Ubuntu\u2019s <code>[success=1 default=ignore] pam_unix.so<\/code> line skips the following <code>pam_deny.so<\/code> line after a successful password check.<\/li>\n<li><strong>reset<\/strong>: this action clears all memory of the state of the module stack and restarts with the next stacked module.<\/li>\n<\/ul>\n<p>Each of the four keywords (required, requisite, sufficient and optional) has an equivalent expression in the\u00a0<code>[...]<\/code>\u00a0syntax, which is the natural starting point for writing more complicated rules:<\/p>\n<ul>\n<li><strong>required<\/strong>: [success=ok new_authtok_reqd=ok ignore=ignore default=bad]<\/li>\n<li><strong>requisite<\/strong>: [success=ok new_authtok_reqd=ok ignore=ignore default=die]<\/li>\n<li><strong>sufficient<\/strong>: [success=done new_authtok_reqd=done default=ignore]<\/li>\n<li><strong>optional<\/strong>: [success=ok new_authtok_reqd=ok default=ignore]<\/li>\n<\/ul>\n<p>The following is an example from a modern\u00a0<strong>CentOS 7<\/strong>\u00a0system.<\/p>\n<p>
Let\u2019s consider these rules from the\u00a0<strong>\/etc\/pam.d\/postlogin<\/strong>\u00a0PAM file:<\/p>\n<pre>#%PAM-1.0\r\n# This file is auto-generated.\r\n# User changes will be destroyed the next time authconfig is run.\r\nsession     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet\r\nsession     [default=1]   pam_lastlog.so nowtmp showfailed\r\nsession     optional      pam_lastlog.so silent noupdate showfailed<\/pre>\n<p>The two jump actions make exactly one of the\u00a0<strong>pam_lastlog.so<\/strong>\u00a0lines run: if the service name matches neither <code>gdm*<\/code> nor <code>su*<\/code>, pam_succeed_if succeeds and the <code>success=1<\/code> action jumps over the second line to the silent one; otherwise its result is ignored, the second line runs, and its <code>[default=1]<\/code> jumps over the third line whatever the result.<\/p>\n<p>Here is another example configuration from the\u00a0<strong>\/etc\/pam.d\/smartcard-auth<\/strong>\u00a0PAM file:<\/p>\n<pre>#%PAM-1.0\r\n# This file is auto-generated.\r\n# User changes will be destroyed the next time authconfig is run.\r\nauth        required      pam_env.so\r\nauth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card\r\nauth        required      pam_deny.so\r\n\r\naccount     required      pam_unix.so\r\naccount     sufficient    pam_localuser.so\r\naccount     sufficient    pam_succeed_if.so uid &lt; 1000 quiet\r\naccount     required      pam_permit.so\r\n\r\npassword    required      pam_pkcs11.so\r\n\r\nsession     optional      pam_keyinit.so revoke\r\nsession     required      pam_limits.so\r\n-session     optional      pam_systemd.so\r\nsession     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\r\nsession     required      pam_unix.so\r\n<\/pre>\n<p>In the auth stack, <code>[success=done ignore=ignore default=die]<\/code> on\u00a0<strong>pam_pkcs11.so<\/strong>\u00a0means that a successful smart card authentication ends the stack with success at once, any failure aborts it at once, and only a PAM_IGNORE result falls through to the final\u00a0<strong>pam_deny.so<\/strong>\u00a0backstop. The leading <code>-<\/code> on <code>-session optional pam_systemd.so<\/code> tells libpam not to log an error if that module is not installed on the system.<\/p>\n<p>For more information, see the\u00a0<strong>pam.d<\/strong>\u00a0man page:<\/p>\n<pre>$ man pam.d \r\n<\/pre>\n<p>Lastly, a comprehensive description of the configuration file syntax and all PAM modules can be found in the\u00a0<a href=\"http:\/\/linux-pam.org\/Linux-PAM-html\/\" target=\"_blank\" rel=\"nofollow noopener\">documentation for Linux-PAM<\/a>.<\/p>\n<h5>Summary<\/h5>\n<p><strong>PAM<\/strong>\u00a0is a powerful high-level API that allows programs that rely on authentication to authenticate users in a Linux system.<\/p>\n<p>
It\u2019s powerful but very challenging to understand and use.<\/p>\n<p>In this article, we\u2019ve explained how to configure advanced features of PAM in Ubuntu and CentOS. If you have any questions or comments to share, use the feedback form below.<\/p>\n<p><a href=\"https:\/\/www.tecmint.com\/configure-pam-in-centos-ubuntu-linux\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Linux-PAM\u00a0(short for\u00a0Pluggable Authentication Modules\u00a0which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system. It integrates multiple low-level authentication modules into a high-level API that provides dynamic authentication support for applications. This allows developers to write applications that require &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/21\/how-to-configure-and-use-pam-in-linux\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to Configure and Use PAM in 
Linux&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12022","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=12022"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12022\/revisions"}],"predecessor-version":[{"id":12023,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12022\/revisions\/12023"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=12022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=12022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=12022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
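The control-flag semantics from "Understanding PAM Management Groups and Control-flags" and the `[value=action]` syntax from "How to Configure Advanced PAM in Linux" are easiest to trust once you have stepped through a stack by hand. The Python model below is an added example, not code from the original article or from Linux-PAM itself: it parses pam.d-style rules (keywords, bracket controls, backslash continuation, the leading `-`), expands each keyword to the bracket form listed in the article, and walks an `auth` stack the way libpam's dispatcher does, in simplified form (no substack handling, and module results are supplied in a dict instead of loading real modules). The `SSHD_AUTH` stack, the result dicts and the `sshd_login` helper are constructed for the example; the deny rule is written with `onerr=fail` rather than the article's `onerr=succeed` so that a missing list file fails closed.

```python
# Added example, not from the original article: an offline model of how libpam
# walks a module stack.  Module return codes come from a dict rather than from
# loading real modules; the decision logic follows Linux-PAM's _pam_dispatch_aux()
# in simplified form (no substack handling).  All stacks and results are constructed.
import re

# Keyword control flags and their bracket equivalents, as defined by Linux-PAM.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# type  control-or-[bracket list]  module  [arguments...]
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(token):
    """Expand a control token (keyword or '[value=action ...]') into {return_code: action}."""
    body = KEYWORDS.get(token.lower())
    if body is None:
        if not (token.startswith("[") and token.endswith("]")):
            raise ValueError("unknown control flag: %r" % token)
        body = token[1:-1]
    return dict(pair.split("=", 1) for pair in body.split())


def parse_rules(text):
    """Parse /etc/pam.d-style lines 'type control module [args]'.  Handles '#'
    comments, backslash line continuation and the leading '-' that silences a
    missing module.  Returns a list of (type, actions, module, args) tuples."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip().lstrip("-")
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("malformed rule: %r" % line)
        mtype, control, module, args = m.groups()
        rules.append((mtype.lower(), parse_control(control), module, (args or "").split()))
    return rules


def run_stack(rules, mtype, results):
    """Evaluate one management group ('auth', 'account', ...) and return
    (status, invoked): the code libpam would hand the application and the list
    of modules actually called.  `results` maps module name to the return code
    that module would produce ('success', 'auth_err', 'ignore', ...)."""
    impression = None            # None = undecided, else 'positive' / 'negative'
    status, skip, invoked = "perm_denied", 0, []
    for rtype, actions, module, _args in rules:
        if rtype != mtype:
            continue
        if skip:                 # swallowed by a numeric jump action
            skip -= 1
            continue
        invoked.append(module)
        retval = results.get(module, "module_unknown")
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue             # this module's result does not count
        if action in ("ok", "done") or action.isdigit():
            # a success only counts while the stack is undecided or still positive
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break            # 'sufficient' style early success
            if action.isdigit():
                skip = int(action)   # jump over the next N rules of this type
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure sets the code
            if action == "die":
                break            # 'requisite' style early failure
        elif action == "reset":
            impression, status = None, "perm_denied"
    return (status if impression is not None else "perm_denied"), invoked


# Constructed sshd auth stack: the article's deny rule (hardened to onerr=fail)
# placed above a Debian/Ubuntu-style common-auth block.
SSHD_AUTH = """
auth    required    pam_listfile.so \\
        onerr=fail  item=user  sense=deny  file=/etc/ssh/deniedusers
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""


def sshd_login(user_listed, password_ok, stack=SSHD_AUTH):
    """Model one sshd login attempt: is the user in /etc/ssh/deniedusers, and
    did pam_unix accept the password?  Returns run_stack()'s (status, invoked)."""
    results = {
        "pam_listfile.so": "auth_err" if user_listed else "success",
        "pam_unix.so": "success" if password_ok else "auth_err",
        "pam_deny.so": "auth_err",
        "pam_permit.so": "success",
    }
    return run_stack(parse_rules(stack), "auth", results)
```

`sshd_login(user_listed=True, password_ok=True)` returns `('auth_err', ['pam_listfile.so', 'pam_unix.so', 'pam_permit.so'])`: the later successes of pam_unix and pam_permit cannot override the failed `required` rule, pam_deny is skipped by the `success=1` jump, and the stack still runs to the end so the caller cannot tell where it failed. Change `required` to `requisite` on the deny rule and only `pam_listfile.so` is invoked; put a `sufficient` pam_unix behind a failed `required` rule and it neither rescues the login nor stops the stack.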