Linux Pluggable Authentication Modules (PAM) provide dynamic authorization for applications and services in a Linux system. Linux PAM is evolved from the unix Pluggable Authentication modules architecture.
Each file under pam.d has 3 fields
A. First field
1.auth
Module authenticate the user,by checking the password
2.account
Module verifies that access is allowed,by checking if users account is valid,expired,allowed to access in this time of day.
3. passwd
Module sets and verify the passwords
4.session
Module configure and manage user sessions. Represents the enviornment of a user.
B. Control Flag
1. required
Module result must be successfull for authentication to continue. If result failed returns failure only after remaining modules are invoked.
2. requisite
Module result must be successfull for authentication to continue. But if module result is fail user is noticed immediately with message reflecting failed required or requiste module
3. Sufficient
If module results fail , it is ignored, but if its successful and no required modules is failed ,then user is authenticated to service.
4. Optional
If module results fail,it is ignored.If module result is successful it does not play role in overall success/failure for module.
CONFIGURATION FILE
1. /etc/pam.d/login
A.account required pam_nologin.so
Checks for /etc/nologin file, If exists stops normal user from logging in.
If module is commented, allows user to login even if file /etc/nologin exists
B.auth requisite pam_access.so
Checks for user name, If username is correct only then it prompts for password
if user incorrect,Displays login incorrect.But if this module is commented though
username is wrong it prompts for password
C.session required pam_mkhomedir.so
Create user without homedir --> useradd -M suma
If homedir doesnt exist,this module creates home dir as soon as user is logged in. But if this module is commented if user is created without homedir,it wont create home dir.
D. auth auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
Checks if any terminal is commented in the /etc/securetty, if any terminal is commented root cannot login in that terminal,But if this module is commented root can login in a terminal, though that particular terminal is commented in /etc/securetty file.
2. /etc/security/limits.conf
suma ............. maxlogins 3
Allows this user to login in only 3 terminals, after 3 logins, we cant even
ssh as that particular user. Even ssh not allowed because USEPAM yes in
/etc/ssh/sshd_config
3. /etc/pam.d/su
auth required pam_rootok.so
Change above line from sufficent to required,So even root user needs password
when he tries to do su.. Change line from sufficent to required.
4. /etc/pam.d/system_auth
passwd required pam_passwdqc.so
When even root tries to set password for normal user, even root is forced
to set complex password for normal user.
5. /etc/pam.d/vsftpd
1. auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/suma
onerr=succedd
Create file suma under /etc/vsftpd, and add some users to the file /etc/vsftpd/suma So tht users are not allowed to login thru ftp.Default file is /etc/vsftpd/ftpusersSo any users put into tht file are denied to ftp.
If you found this post useful, I would really love it, if you can Like the Page, or share it with your Facebook/Google+/Twitter Friends... It will keep me motivated. Thank you!
Each file under pam.d has 3 fields
A. First field
1.auth
Module authenticate the user,by checking the password
2.account
Module verifies that access is allowed,by checking if users account is valid,expired,allowed to access in this time of day.
3. passwd
Module sets and verify the passwords
4.session
Module configure and manage user sessions. Represents the enviornment of a user.
B. Control Flag
1. required
Module result must be successfull for authentication to continue. If result failed returns failure only after remaining modules are invoked.
2. requisite
Module result must be successfull for authentication to continue. But if module result is fail user is noticed immediately with message reflecting failed required or requiste module
3. Sufficient
If module results fail , it is ignored, but if its successful and no required modules is failed ,then user is authenticated to service.
4. Optional
If module results fail,it is ignored.If module result is successful it does not play role in overall success/failure for module.
CONFIGURATION FILE
1. /etc/pam.d/login
A.account required pam_nologin.so
Checks for /etc/nologin file, If exists stops normal user from logging in.
If module is commented, allows user to login even if file /etc/nologin exists
B.auth requisite pam_access.so
Checks for user name, If username is correct only then it prompts for password
if user incorrect,Displays login incorrect.But if this module is commented though
username is wrong it prompts for password
C.session required pam_mkhomedir.so
Create user without homedir --> useradd -M suma
If homedir doesnt exist,this module creates home dir as soon as user is logged in. But if this module is commented if user is created without homedir,it wont create home dir.
D. auth auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
Checks if any terminal is commented in the /etc/securetty, if any terminal is commented root cannot login in that terminal,But if this module is commented root can login in a terminal, though that particular terminal is commented in /etc/securetty file.
2. /etc/security/limits.conf
suma ............. maxlogins 3
Allows this user to login in only 3 terminals, after 3 logins, we cant even
ssh as that particular user. Even ssh not allowed because USEPAM yes in
/etc/ssh/sshd_config
3. /etc/pam.d/su
auth required pam_rootok.so
Change above line from sufficent to required,So even root user needs password
when he tries to do su.. Change line from sufficent to required.
4. /etc/pam.d/system_auth
passwd required pam_passwdqc.so
When even root tries to set password for normal user, even root is forced
to set complex password for normal user.
5. /etc/pam.d/vsftpd
1. auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/suma
onerr=succedd
Create file suma under /etc/vsftpd, and add some users to the file /etc/vsftpd/suma So tht users are not allowed to login thru ftp.Default file is /etc/vsftpd/ftpusersSo any users put into tht file are denied to ftp.
If you found this post useful, I would really love it, if you can Like the Page, or share it with your Facebook/Google+/Twitter Friends... It will keep me motivated. Thank you!
No comments:
Post a Comment