Authentication - PAM
https://www.tecmint.com/configure-pam-in-centos-ubuntu-linux/
What's PAM?
Linux-PAM (short for Pluggable Authentication Modules which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system.
It integrates multiple low-level authentication modules into a high-level API that provides dynamic authentication support for applications. This allows developers to write applications that require authentication, independently of the underlying authentication system.
Many modern Linux distributions support Linux-PAM (hereinafter referred to as “PAM”) by default. In this article, we will explain how to configure advanced PAM in Ubuntu and CentOS systems.
Warnings
Before we proceed any further, note that:
- As a system administrator, the most important thing is to master how the PAM configuration files define the connection between applications (services) and the pluggable authentication modules that perform the actual authentication tasks. You don't necessarily need to understand the internal workings of PAM.
- PAM has the potential to seriously alter the security of your Linux system. An erroneous configuration can disable access to your system partially or completely. For instance, an accidental deletion of configuration files under /etc/pam.d/ and/or of /etc/pam.conf can lock you out of your own system! Keep a root shell open while editing, and test the changed service from a second session before closing it.
Is a program PAM-aware?
ldd lists a program's dynamic dependencies; if libpam.so appears among them, the program is PAM-aware. (A program that loads libpam with dlopen at run time won't show up this way, so also check for a service file under /etc/pam.d/.)
<source lang="bash">
$ sudo ldd /usr/sbin/sshd | grep libpam.so
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007effddbe2000)
</source>
PAM configuration
The /etc/pam.d directory contains the individual config files for PAM.
Each file holds a stack of rules, one rule per line (a line ending in a backslash continues on the next; lines starting with # are comments), following this schema:
type control-flag module module-arguments
Here is an example:
<source>
- /etc/pam.d/gdm-password
auth      include   system-local-login
auth      optional  pam_gnome_keyring.so
account   include   system-local-login
password  include   system-local-login
password  optional  pam_gnome_keyring.so use_authtok
</source>
- Type: the management group (see below).
- Control flag: how the module's result affects the stack (see below).
- Module: the module's file name. A bare name is resolved against the module directory (/lib/security, /lib64/security or, on multiarch Debian/Ubuntu, /lib/x86_64-linux-gnu/security); an absolute path is used as-is. We can even write our own!
- Arguments: space-separated arguments passed to the module.
Using a single main file, /etc/pam.conf, is deprecated; it is read only if the /etc/pam.d directory is absent. Its syntax is the same with the service name prepended:
service type control-flag module module-arguments
- Service: the application name (the same name as the file under /etc/pam.d/).
- Type: module type / context / interface.
- Control flag: indicates the behaviour of the PAM API should the module fail to succeed in its authentication task.
- Module: the absolute file name or relative path name of the PAM module.
- Module-arguments: space-separated list of tokens controlling the module's behaviour.
But that is a detail. The main point to understand is the types of rules found in the /etc/pam.d files.
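To make the rule syntax concrete, here is a small parser for a pam.d-style file, added as an example for this page and not code from Linux-PAM or from the tecmint article. The SAMPLE stack is constructed (not a real distribution file) and the names parse_pam_stack, stack_for and silent_if_missing are my own. It handles the four columns, comments, backslash continuation lines, the bracketed [value=action ...] control form, and the leading "-" that tells libpam not to log when a module is missing.

```python
import re

# Constructed sample in pam.d(5) syntax (not a real distribution file). It
# exercises comments, a '\' continuation, a bracketed control value and the
# '-' prefix that silences logging when the module is not installed.
SAMPLE = """\
# constructed example stack
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     requisite    pam_deny.so
auth     required     pam_permit.so
-auth    optional     pam_cap.so
account  required     pam_unix.so
password sufficient   pam_unix.so sha512 \\
                      shadow use_authtok
session  include      common-session
"""

# dash? type control(keyword or [...]) module args...
RULE_RE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def _logical_lines(text):
    """Join lines ending in a backslash, as pam.conf(5) specifies."""
    out, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
        else:
            out.append(pending + raw)
            pending = ""
    if pending:
        out.append(pending)
    return out


def parse_control(token):
    """Keyword controls stay strings; [value=action ...] becomes a dict."""
    if token.startswith("["):
        return dict(pair.split("=", 1) for pair in token[1:-1].split())
    return token


def parse_pam_stack(text):
    """Return the rules of one service file as a list of dicts, in order."""
    rules = []
    for line in _logical_lines(text):
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line!r}")
        dash, mtype, control, module, args = m.groups()
        rules.append({
            "type": mtype,
            "silent_if_missing": dash == "-",
            "control": parse_control(control),
            "module": module,
            "args": args.split(),
        })
    return rules


def stack_for(rules, mtype):
    """The rules libpam would walk for one management group."""
    return [r for r in rules if r["type"] == mtype]


if __name__ == "__main__":
    for r in parse_pam_stack(SAMPLE):
        print(r)
```

Run it on a real file with `parse_pam_stack(open("/etc/pam.d/sshd").read())`; `include` and `substack` rules are returned as-is, so resolving them means parsing the named file from the same directory and splicing in its rules of the same type.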
PAM management group and Control Flags
PAM authentication tasks are separated into four independent management groups. These groups manage different aspects of a typical user’s request for a restricted service.
Each rule belongs to one of these management groups (the type column):
- account: provides services for account verification: has the user's password expired? Is this user permitted to access the requested service?
- auth: authenticates the user (for example by asking for a password) and sets up user credentials.
- password: updates user passwords; these modules work together with the auth modules.
- session: manages actions performed at the beginning and end of a session (mounting home directories, logging, resource limits).
The different control flags are:
- required: the module must succeed for the stack to succeed. If it fails, the remaining modules of the stack are still run (so the user cannot tell which one refused them), but the final result is failure.
- requisite: like required, but a failure returns control to the application immediately; no further module in the stack is run, and the result is that of this first failing module.
- sufficient: if the module succeeds and no preceding required module has failed, libpam returns success to the application immediately without running the rest of the stack. Failure of a sufficient module is ignored.
- optional: the success or failure of this module only matters if it is the only module in the stack for this type.
- include: include all lines of the given type from the configuration file named as the argument.
- substack: like include, but a done or die action inside the substack ends only the substack, not the whole stack of the caller.
These keywords are shorthand for the general bracketed form [value1=action1 value2=action2 ...] described in pam.conf(5); required, for instance, is [success=ok new_authtok_reqd=ok ignore=ignore default=bad]. Debian-style stacks use the bracketed form directly, as in [success=1 default=ignore] pam_unix.so, which skips the next rule when the module succeeds and ignores the module otherwise.
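The difference between these flags only becomes obvious once you trace a stack. The following model of libpam's dispatcher is an added example (my own code, not Linux-PAM's; the function name evaluate_stack and the (control, result, name) tuple format are my conventions). It applies the action tables above to a stack whose module results you choose, and returns the final status together with the modules that actually ran, which is what lets you see that a failing required module does not stop the stack while requisite does, and that sufficient cannot rescue a stack after a required failure.

```python
# Keyword control flags are shorthand for the action tables pam.conf(5)
# documents for them; a bracketed control such as [success=1 default=ignore]
# is the same kind of table written out by hand.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}


def evaluate_stack(stack):
    """Walk a stack the way libpam's dispatcher does.

    stack: list of (control, result, name); control is a keyword or an action
    dict, result is the module's return code as a lowercase name ('success',
    'auth_err', 'perm_denied', 'user_unknown', ...), name labels the trace.
    Returns (final_status, names of the modules that were actually run).
    """
    impression = None        # None: undecided yet; True/False: positive/negative
    status = "perm_denied"   # an empty or fully ignored stack denies
    ran, skip = [], 0
    for control, result, name in stack:
        if skip:             # jumped over by an earlier "N" action
            skip -= 1
            continue
        ran.append(name)
        actions = KEYWORD_CONTROLS[control] if isinstance(control, str) else control
        action = actions.get(result, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            # 'ok' only overrides a stack that is still undecided or succeeding
            if impression is None or (impression and status == "success"):
                impression, status = result == "success", result
            if action == "done" and impression:
                break        # sufficient: stop early, but not after a required failure
            if action.isdigit():
                skip = int(action)   # like 'ok', plus skip the next N rules
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, result  # first failure fixes the status
            if action == "die":
                break        # requisite: abort the stack at once
        elif action == "reset":
            impression, status = None, "perm_denied"
    if status == "success" and not impression:
        status = "perm_denied"   # libpam's sanity check against a bad config
    return status, ran


# Constructed scenarios: the deny-list rule from this page in front of a
# normal password check, once as required and once as requisite.
REQUIRED_DENY = [("required", "auth_err", "pam_listfile"),
                 ("sufficient", "success", "pam_unix"),
                 ("required", "success", "pam_permit")]
REQUISITE_DENY = [("requisite", "auth_err", "pam_listfile")] + REQUIRED_DENY[1:]

if __name__ == "__main__":
    print("required :", evaluate_stack(REQUIRED_DENY))
    print("requisite:", evaluate_stack(REQUISITE_DENY))
```

With required, pam_unix and pam_permit still run and the user is still asked for a password, but the result is auth_err; with requisite the stack ends after pam_listfile. The trace also shows why an earlier sufficient rule would defeat the deny list: it returns success before the deny rule is reached.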
PAM loadable object files (the modules) are located in /lib/security/ or /lib64/security depending on the architecture; multiarch Debian and Ubuntu systems use /lib/x86_64-linux-gnu/security (or the equivalent directory for their architecture). A rule's module column may be a bare file name, which libpam resolves against that directory.
Disabling root access via PAM
We can use the /lib/security/pam_listfile.so module which offers great flexibility in limiting the privileges of specific accounts. Open and edit the file for the target service in the /etc/pam.d/ directory as shown.
<source lang="bash">
$ sudo vim /etc/pam.d/sshd
OR
$ sudo vim /etc/pam.d/login
</source>
Add this rule near the top of the auth stack in both files. It must come before any sufficient rule, since a sufficient module that succeeds returns to the application without running the rules after it:
<source>
auth    required    pam_listfile.so \
        onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers
</source>
- auth: the module type (or context).
- required: the control flag; if the module fails, the overall result is failure regardless of the other modules (the rest of the stack still runs, so the user is still prompted for a password).
- pam_listfile.so: a module which denies or allows a service based on an arbitrary file.
- onerr=succeed: what to do if something goes wrong, typically the file cannot be opened: succeed lets the user through (the deny list fails open); onerr=fail would deny every user of the service instead (fail closed) until the file is restored.
- item=user: what is listed in the file and should be checked (other choices are tty, rhost, ruser, group and shell).
- sense=deny: the action to take if the item is found in the file; if the item is NOT found, the opposite action is taken.
- file=/etc/ssh/deniedusers: the file containing one item per line.
We then only need to create /etc/ssh/deniedusers, owned by root with mode 600, containing the single line root. pam_listfile treats a world-writable file (or anything that is not a regular file) as an error, which with onerr=succeed means the list is silently ignored, so check the permissions after editing. Note that the rule only affects the services whose stacks contain it, here sshd and console login; root can still authenticate through su, sudo or any other service file. For sshd, PAM is consulted only when UsePAM yes is set in sshd_config, and PermitRootLogin no in the same file is the simpler, complementary control.
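To see the effect of the sense and onerr arguments without touching a live system, here is an emulation of pam_listfile's decision for the rule above. It is an added example, my own code and not the module's; it models item=user, sense=deny/allow, onerr=succeed/fail and the module's refusal of world-writable files, and creates the deny file in a temporary directory instead of /etc/ssh/deniedusers. The names listfile_decision, write_denylist and demo are my own.

```python
import os
import stat
import tempfile


def listfile_decision(user, path, sense="deny", onerr="succeed"):
    """Emulate pam_listfile.so item=user: True means the module would return
    PAM_SUCCESS for this user, False means it would fail the stack."""
    on_error = onerr == "succeed"          # what 'something weird' turns into
    try:
        st = os.stat(path)
        # pam_listfile rejects a world-writable or non-regular file as an error
        if st.st_mode & stat.S_IWOTH or not stat.S_ISREG(st.st_mode):
            return on_error
        with open(path) as fh:
            entries = {line.strip() for line in fh if line.strip()}
    except OSError:                        # missing or unreadable file
        return on_error
    listed = user in entries
    return (not listed) if sense == "deny" else listed


def write_denylist(path, users):
    """Create the list the way the page prescribes: one item per line, mode 600.
    Returns the permission bits actually set, for checking."""
    with open(path, "w") as fh:
        fh.write("\n".join(users) + "\n")
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenarios: root listed, an unlisted user, a missing file
    under both onerr settings, and a file that became world-writable."""
    with tempfile.TemporaryDirectory() as tmp:
        deny = os.path.join(tmp, "deniedusers")
        out = {"mode": oct(write_denylist(deny, ["root"]))}
        out["root"] = listfile_decision("root", deny)
        out["alice"] = listfile_decision("alice", deny)
        gone = deny + ".gone"              # the file was deleted by mistake
        out["root_missing_succeed"] = listfile_decision("root", gone, onerr="succeed")
        out["root_missing_fail"] = listfile_decision("root", gone, onerr="fail")
        os.chmod(deny, 0o666)              # sloppy permissions: treated as an error
        out["root_world_writable"] = listfile_decision("root", deny)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The two "missing" and the "world_writable" results are the ones to look at: with onerr=succeed, losing the file or loosening its permissions quietly lets root back in, which is the price of not locking every other user out when the file is broken.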