Authentication - PAM
https://www.tecmint.com/configure-pam-in-centos-ubuntu-linux/
What's PAM?
Linux-PAM (short for Pluggable Authentication Modules, which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system.
It integrates multiple low-level authentication modules into a high-level API that provides dynamic authentication support for applications. This allows developers to write applications that require authentication, independently of the underlying authentication system.
Many modern Linux distributions support Linux-PAM (hereinafter referred to as “PAM”) by default. In this article, we will explain advanced PAM configuration on Ubuntu and CentOS systems.
Warnings
Before we proceed any further, note that:
- As a system administrator, the most important thing is to master how the PAM configuration file(s) define the connection between applications (services) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks. You don’t necessarily need to understand the internal workings of PAM.
- PAM has the potential to seriously alter the security of your Linux system. An erroneous configuration can disable access to your system partially or completely. For instance, accidentally deleting configuration file(s) under /etc/pam.d/* and/or /etc/pam.conf can lock you out of your own system!
Is a program PAM-aware?
A PAM-aware program is linked against the PAM library, so we can list its dynamic dependencies with ldd and look for libpam:
<source lang="bash">
$ sudo ldd /usr/sbin/sshd | grep libpam.so
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007effddbe2000)
</source>
PAM configuration
The /etc/pam.d directory contains the individual PAM configuration files, one per application (service).
Each file contains a list of rules. Each rule is written on a single line and follows this schema:
type control-flag module module-arguments
Using a single main file for PAM (/etc/pam.conf) is deprecated; it is used only if the pam.d directory is absent. Its syntax is the same, with the service name added as the first field:
service type control-flag module module-arguments
- Service: the application name
- Type: the module type / context / interface
- Control-flag: indicates how the PAM-API behaves if the module fails in its authentication task
- Module: the absolute filename or relative pathname of the PAM
- Module-arguments: a space-separated list of tokens that control the module's behavior
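To make the two rule layouts above concrete, here is an added example (not taken from the original article or from Linux-PAM itself) that parses rule lines in both the /etc/pam.d and the pam.conf syntax. The function names and the sample lines are constructed for illustration; the bracketed control-flag form, the leading `-` on the type, and the Debian/Ubuntu `@include` directive go slightly beyond what the page describes.

```python
import re

# Rule syntax described on this page:
#   /etc/pam.d/<service>:  type control-flag module module-arguments
#   /etc/pam.conf:         service type control-flag module module-arguments
RULE = re.compile(r"""
    (?P<type>-?\w+)\s+                # leading '-' per pam.conf(5): no log if module is missing
    (?P<control>\[[^\]]*\]|\S+)\s+    # keyword, or bracketed [value=action ...] form
    (?P<module>\S+)                   # absolute filename or relative pathname
    (?:\s+(?P<args>.*))?$             # optional space-separated tokens
""", re.VERBOSE)

def parse_rule(line, service=None):
    """Parse one rule line. Pass service (the file name) for /etc/pam.d files;
    leave it None for pam.conf syntax, where the service is the first field."""
    line = line.split("#", 1)[0].strip()          # drop comments, then blank lines
    if not line or line.startswith("@include"):   # include directive, not a rule: skipped
        return None
    if service is None:
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"not a pam.conf rule: {line!r}")
        service, line = fields
    m = RULE.match(line)
    if m is None:
        raise ValueError(f"not a PAM rule: {line!r}")
    return {"service": service, "type": m["type"], "control": m["control"],
            "module": m["module"],
            "module_is_absolute": m["module"].startswith("/"),
            "args": (m["args"] or "").split()}

def parse_rules(text, service=None):
    """Parse every rule in a configuration text, skipping non-rule lines."""
    parsed = (parse_rule(line, service) for line in text.splitlines())
    return [rule for rule in parsed if rule is not None]

# Constructed sample input (not copied from a real system).
SAMPLE_PAM_D = """\
# /etc/pam.d style: the service is the file name
@include common-auth
auth     required                    pam_env.so
auth     [success=1 default=ignore]  pam_unix.so nullok try_first_pass
account  required                    /lib/security/pam_nologin.so  # inline comment
"""
SAMPLE_PAM_CONF = "sshd  session  optional  pam_motd.so  motd=/etc/motd"

if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_PAM_D, service="sshd") + parse_rules(SAMPLE_PAM_CONF):
        print(rule)
```

Listing the parsed rules per service makes it easy to review which modules each application calls and with which control flag before changing a file under /etc/pam.d.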