PAM authentication
by: fcruz. Linux - Unix Blogs.
The pluggable authentication module (PAM) framework is a very useful way to install and enforce different access rules directly on your Linux box without adding any special external devices to your network. This article covers an example of PAM.
How do I use PAM to secure/control login accounts/services?

Problem:

How do I use PAM to secure and control login accounts/services?

Solution:

Using PAM To Secure Your System

PAM (pluggable authentication modules) is an authentication subsystem used in Linux (and other UN*Xs) that provides a versatile, abstracted layer of system/application authentication, separate from the OS itself. This means that as newer, better authentication systems or applications come into being (e.g. Kerberos, biometric authentication, etc.), they can simply be packaged as modules using this open authentication standard and deployed without having to rewrite major parts of the underlying OS or of the applications that call PAM.

What does this mean to you? Out of the box, these PAM based systems let you implement strong password policies, non-dictionary password checks, user login time windows, per-user resource limits (pam_limits), and much more.

For example, if you want the user 'peg' to be able to log in only between 8am and 5pm (0800 to 1659), add this entry to /etc/security/time.conf, the file that the pam_time module reads (note that it lives under /etc/security, not /etc/pam.d):

login;*;peg;!Al1700-0759

The four fields are separated by semicolons: login is the PAM service we're restricting, * means "all terminals", peg is the user, and !Al1700-0759 is the time specification, where ! means "not allowed" and Al means "always" (i.e. every day). So the time every day during which peg may not log in is 1700 to 0759 (5pm to 7:59am). pam_time only ever denies: a login is refused when the service, terminal and user fields of a rule all match and the time field does not permit the moment of the login.

NOTE: Before the time settings take effect for login, you need to reference the pam_time module in the PAM "login" configuration file. To do this, open the file
/etc/pam.d/login
and add the line
account  required    /lib/security/pam_time.so
as shown below:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_time.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
This is the layout of an older Red Hat style stack. On current distributions the module path is normally omitted (write simply pam_time.so, and PAM looks in its default module directory), and pam_stack has been replaced by the include/substack directives, so the equivalent line is "account include system-auth" (or "account include common-account" on Debian-derived systems). Put pam_time in the account section, as above: it is an account-management module, not an authentication module, and it is consulted only after the password has been verified.

Or, if you want all users except 'jeff' to be denied login via a remote shell at any time, you could use:

login;ttyp*;!jeff;!Al0000-2400

Here login is the PAM service again, ttyp* matches any (BSD-style) pseudo terminal, which is where a remote shell arrives, !jeff matches every user except jeff, and !Al0000-2400 means "not allowed at any minute of any day". The terminal and user fields are logic lists: names may contain * wildcards, a leading ! negates a name, and & (and) and | (or) join names, evaluated left to right, as in "tty* & !ttyp*" for "real terminals but not pseudo terminals" (the classic form from the pam_time documentation). Do not leave the time field as a bare "!": pam_time expects a day code plus an HHMM-HHMM range, and Al0000-2400 is the documented way to cover the whole day. Note also that on current Linux systems pseudo terminals are named pts/N rather than ttypN, and OpenSSH reports the tty to PAM as "ssh" under the sshd service, so the terminal and service fields must be adjusted to what your system actually passes to PAM.
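To make the matching rules above concrete, here is a small re-implementation of pam_time's decision logic for both example rules (the peg time window and the jeff pseudo-terminal rule). This is an added example written for this article, not pam_time's own code: it reads a constructed sample of time.conf, evaluates the service, tty and user logic lists, and decides whether a login at a given moment would be allowed. It assumes the end of a time range is inclusive to the minute (so 1700-0759 denies 17:00 through 07:59, matching the article's reading), that a range crossing midnight belongs to the day it starts on, and it only supports | (not &) inside the times field.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Day codes from time.conf(5). Repeating a code toggles it off again
# ("MoWk" = weekdays except Monday), so codes are combined with XOR.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

# Constructed sample of /etc/security/time.conf (not taken from a real system).
SAMPLE_TIME_CONF = """
# services;ttys;users;times
login;*;peg;!Al1700-0759
login;ttyp*;!jeff;!Al0000-2400
"""


def match_logic(field, value):
    """Evaluate a time.conf logic list against one value: '!' negates a name,
    '&' and '|' join names, evaluated left to right, '*' wildcards allowed."""
    result, op = None, "|"
    for tok in re.findall(r"[&|]|!?[^&|\s;]+", field):
        if tok in ("&", "|"):
            op = tok
            continue
        hit = fnmatchcase(value, tok.lstrip("!")) != tok.startswith("!")
        if result is None:
            result = hit
        elif op == "&":
            result = result and hit
        else:
            result = result or hit
    return bool(result)


def parse_days(codes):
    """Turn a run of two-letter day codes into a set of weekday numbers (Mon=0)."""
    days = set()
    for code in re.findall(r"[A-Z][a-z]", codes):
        if code not in DAY_CODES:
            raise ValueError("unknown day code: %r" % code)
        days ^= DAY_CODES[code]
    return days


def time_matches(spec, when):
    """Does a times field such as '!Al1700-0759' or 'Wk0800-1700|Sa0900-1200'
    permit the moment `when`? End times are read as inclusive to the minute
    (assumption, see lead-in); a range that wraps past midnight, e.g.
    1700-0759, is attributed to the day it starts on."""
    negate = spec.startswith("!")
    now = when.hour * 100 + when.minute          # HHMM as an integer
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    covered = False
    for entry in spec.lstrip("!").split("|"):
        m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", entry.strip())
        if not m:
            raise ValueError("bad time entry: %r" % entry)
        days, start, end = parse_days(m.group(1)), int(m.group(2)), int(m.group(3))
        if start <= end:
            covered |= today in days and start <= now <= end
        else:  # wraps past midnight
            covered |= (today in days and now >= start) or (yesterday in days and now <= end)
    return covered != negate


def parse_time_conf(text):
    """Parse time.conf lines into (services, ttys, users, times) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("expected 4 ';'-separated fields: %r" % line)
        rules.append(tuple(fields))
    return rules


def login_allowed(rules, service, tty, user, when):
    """pam_time's account decision: every rule whose service, tty and user
    fields all match must also permit the time, otherwise access is denied.
    A login that matches no rule at all is allowed."""
    for services, ttys, users, times in rules:
        if match_logic(services, service) and match_logic(ttys, tty) and match_logic(users, user):
            if not time_matches(times, when):
                return False
    return True


if __name__ == "__main__":
    rules = parse_time_conf(SAMPLE_TIME_CONF)
    for user, tty, when in [("peg", "tty1", datetime(2003, 1, 6, 9, 0)),
                            ("peg", "tty1", datetime(2003, 1, 6, 18, 30)),
                            ("jeff", "ttyp0", datetime(2003, 1, 6, 3, 0)),
                            ("bob", "ttyp0", datetime(2003, 1, 6, 3, 0))]:
        verdict = "allowed" if login_allowed(rules, "login", tty, user, when) else "DENIED"
        print("%-5s on %-6s at %s: %s" % (user, tty, when.strftime("%a %H:%M"), verdict))
```

Running the script prints one verdict per constructed login attempt; changing the sample rules is a quick way to check a time.conf entry before deploying it, since a mistake in this file locks users out silently at the account stage.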

So as you can see, PAM enables you to customize the Linux authentication and account-control services very finely, with one configuration file per service and one line per policy.
