Contents
Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
System administrators and programmers often want to restrict access to certain parts of the system or to limit the use of certain functions of an application. Without PAM, applications must be adapted every time a new authentication mechanism, such as LDAP, Samba, or Kerberos, is introduced. This process, however, is rather time-consuming and error-prone. One way to avoid these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules. Whenever a newly required authentication scheme is needed, it is sufficient to adapt or write a suitable PAM module for use by the program in question.
The PAM concept consists of:
PAM modules which are a set of shared libraries for a specific authentication mechanism.
A module stack with of one or more PAM modules.
A PAM-aware service which needs authentication by
using a module stack or PAM modules. Usually a service is a familiar
name of the corresponding application, like login or
su. The service name other
is a
reserved word for default rules.
module arguments with which the execution of a single PAM module can be influenced.
a mechanism evaluating each result of a single PAM module execution. A positive value executes the next PAM module. The way a negative value is dealt with, depends on the configuration— “no influence, proceed” up to “terminate immediately” and anything in between are valid options.
PAM can be configured in two ways:
/etc/pam.conf
)
The configuration of each service is stored in
/etc/pam.conf
. However, for maintenance and
usability reasons, this configuration scheme is not used in
openSUSE.
/etc/pam.d/
)
Every service (or program) that relies on the PAM mechanism has its
own configuration file in the /etc/pam.d/
directory. For example, the service for
sshd
can be found in the
/etc/pam.d/sshd
file.
The files under /etc/pam.d/
define the PAM modules
used for authentication. Each file consists of lines, which define a
service, and each line consists of a maximum of four components:
TYPE
CONTROL
MODULE_PATH
MODULE_ARGS
The components have the following meaning:
TYPE
Declares the type of the service. PAM modules are processed as stacks. Different types of modules have different purposes. For example, one module checks the password, another verifies the location from which the system is accessed, and yet another reads user-specific settings. PAM knows about four different types of modules:
auth
Check the user's authenticity, traditionally by querying a password. However, this can also be achieved with the help of a chip card or through biometrics (for example, fingerprints or iris scan).
account
Modules of this type check if the user has general permission to use the requested service. As an example, such a check should be performed to ensure that no one can log in with the username of an expired account.
password
The purpose of this type of module is to enable the change of an authentication token. In most cases, this is a password.
session
Modules of this type are responsible for managing and configuring user sessions. They are started before and after authentication to log login attempts and configure the user's specific environment (mail accounts, home directory, system limits, etc.).
CONTROL
Indicates the behavior of a PAM module. Each module can have the following control flags:
required
A module with this flag must be successfully processed before the
authentication may proceed. After the failure of a module with the
required
flag, all other modules with the same
flag are processed before the user receives a message about the
failure of the authentication attempt.
requisite
Modules having this flag must also be processed successfully, in
much the same way as a module with the required
flag. However, in case of failure a module with this flag gives
immediate feedback to the user and no further modules are
processed. In case of success, other modules are subsequently
processed, just like any modules with the
required
flag. The requisite
flag can be used as a basic filter checking for the existence of
certain conditions that are essential for a correct authentication.
sufficient
After a module with this flag has been successfully processed, the
requesting application receives an immediate message about the
success and no further modules are processed, provided there was no
preceding failure of a module with the required
flag. The failure of a module with the
sufficient
flag has no direct consequences, in
the sense that any subsequent modules are processed in their
respective order.
optional
The failure or success of a module with this flag does not have any direct consequences. This can be useful for modules that are only intended to display a message (for example, to tell the user that mail has arrived) without taking any further action.
include
If this flag is given, the file specified as argument is inserted at this place.
MODULE_PATH
Contains a full filename of a PAM module. It does not need to be
specified explicitly, as long as the module is located in the default
directory /lib/security
(for all 64-bit platforms
supported by openSUSE®, the directory is
/lib64/security
).
MODULE_ARGS
Contains a space-separated list of options to influence the behavior
of a PAM module, such as debug
(enables debugging) or
nullok
(allows the use of empty passwords).
In addition, there are global configuration files for PAM modules under
/etc/security
, which define the exact behavior of
these modules (examples include pam_env.conf
and
time.conf
). Every application that uses a PAM module
actually calls a set of PAM functions, which then process the information
in the various configuration files and return the result to the
requesting application.
To facilitate the creation and maintenance of PAM modules, common default
configuration files for the types auth
,
account
, password
, and
session
modules have been introduced. These are
retrieved from every application's PAM configuration. Updates to the
global PAM configuration modules in common-*
are
thus propagated across all PAM configuration files without requiring the
administrator to update every single PAM configuration file.
The global PAM configuration files are maintained using the pam-config tool. This tool automatically adds new modules to the configuration, changes the configuration of existing ones or deletes modules (or options) from the configurations. Manual intervention in maintaining PAM configurations is minimized or no longer required.
64-Bit and 32-Bit Mixed Installations | |
---|---|
When using a 64-bit operating system, it is possible to also include a runtime environment for 32-bit applications. In this case, make sure that you install both versions of the pam modules. |
Consider the PAM configuration of sshd as an example:
Example 2.1. PAM Configuration for sshd (/etc/pam.d/sshd
)¶
#%PAM-1.0 auth required pam_nologin.so auth include common-auth account include common-account password include common-password session required pam_loginuid.so session include common-session
Declares the version of this configuration file for PAM 1.0. This is merely a convention, but could be used in the future to check the version. | |
Checks, if | |
Refers to the configuration files of four module types:
| |
Sets the login uid process attribute for the process that was authenticated. |
By including them instead of adding each module separately to the respective PAM configuration, you automatically get an updated PAM configuration when an administrator changes the defaults. Formerly, you had to adjust all configuration files manually for all applications when changes to PAM occurred or a new application was installed. Now the PAM configuration is made with central configuration files and all changes are automatically inherited by the PAM configuration of each service.
The first include file (common-auth
)
calls three modules of the auth
type:
pam_env.so
,
pam_gnome_keyring.so
and
pam_unix2.so
. See
Example 2.2, “Default Configuration for the auth
Section”.
Example 2.2. Default Configuration for the auth
Section¶
auth required pam_env.so auth optional pam_gnome_keyring.so auth required pam_unix2.so
The first one, pam_env.so
, loads
/etc/security/pam_env.conf
to set the environment
variables as specified in this file. It can be used to set the
DISPLAY
variable to the correct value, because the
pam_env
module knows about the
location from which the login is taking place. The second one
automatically unlocks the GNOME keyring when necessary. The last one,
pam_unix2
, checks the user's
login and password against /etc/passwd
and
/etc/shadow
.
The whole stack of auth
modules is processed before
sshd gets any feedback about whether the login has succeeded. Given that
all modules of the stack have the required
control
flag, they must all be processed successfully before sshd receives a
message about the positive result. If one of the modules is not
successful, the entire module stack is still processed and only then is
sshd notified about the negative result.
As soon as all modules of the auth
type have been
successfully processed, another include statement is processed, in this
case, that in Example 2.3, “Default Configuration for the account
Section”.
common-account
contains just one module,
pam_unix2
. If pam_unix2
returns the
result that the user exists, sshd receives a message announcing this
success and the next stack of modules (password
) is
processed, shown in Example 2.4, “Default Configuration for the password
Section”.
Example 2.4. Default Configuration for the password
Section¶
password requisite pam_pwcheck.so nullok cracklib password optional pam_gnome_keyring.so use_authtok password required pam_unix2.so use_authtok nullok
Again, the PAM configuration of sshd involves just an include statement
referring to the default configuration for password
modules located in common-password
. These modules
must successfully be completed (control flags
requisite
and required
) whenever
the application requests the change of an authentication token.
Changing a password or another authentication token requires a security
check. This is achieved with the pam_pwcheck
module.
The pam_unix2
module used afterwards carries over
any old and new passwords from pam_pwcheck
, so the
user does not need to authenticate again after changing the password.
This procedure makes it impossible to circumvent the checks carried out
by pam_pwcheck
. Whenever the
account
or the auth
type are
configured to complain about expired passwords, the
password
modules should also be used.
Example 2.5. Default Configuration for the session
Section¶
session required pam_limits.so session required pam_unix2.so session optional pam_apparmor.so session optional pam_umask.so session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
As the final step, the modules of the session
type
(bundled in the common-session
file) are called to
configure the session according to the settings for the user in question.
The pam_limits
module loads the file
/etc/security/limits.conf
, which may define limits
on the use of certain system resources. The
pam_unix2
module is processed again. The
pam_umask
module can be used to set the file mode
creation mask. Since this module carries the optional
flag, a failure of this module would not affect the successful completion
of the entire session module stack. The session
modules are called a second time when the user logs out.
Some of the PAM modules are configurable. The configuration files are
located in /etc/security
. This section briefly
describes the configuration files relevant to the sshd
example—pam_env.conf
and
limits.conf
.
pam_env.conf
can be used to define a standardized
environment for users that is set whenever the
pam_env
module is called. With it, preset
environment variables using the following syntax:
VARIABLE
[DEFAULT=value
] [OVERRIDE=value
]
VARIABLE
Name of the environment variable to set.
[DEFAULT=<value>]
Default value
the administrator wants to
set.
[OVERRIDE=<value>]
Values that may be queried and set by
pam_env
, overriding the default value.
A typical example of how pam_env
can be used is
the adaptation of the DISPLAY
variable, which is changed
whenever a remote login takes place. This is shown in
Example 2.6, “pam_env.conf”.
Example 2.6. pam_env.conf¶
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
The first line sets the value of the REMOTEHOST
variable
to localhost
, which is used whenever
pam_env
cannot determine any other value. The
DISPLAY
variable in turn contains the value of
REMOTEHOST
. Find more information in the comments in
/etc/security/pam_env.conf
.
The purpose of pam_mount
is to mount user home
directories during the login process, and to unmount them during logout
in an environment where a central file server keeps all the home
directories of users. With this method, it is not necessary to mount a
complete /home
directory where all the user home
directories would be accessible. Instead, only the home directory of the
user who is about to log in, is mounted.
After installing pam_mount
, a template of
pam_mount.conf.xml
is available in
/etc/security
. The description of the various
elements can be found in the manual page man 5
pam_mount.conf.
A basic configuration of this feature can be done with YaST. Select
+ + to add the file server; see Section “Configuring Clients” (Chapter 29, Samba, ↑Reference).
System limits can be set on a user or group basis in
limits.conf
, which is read by the
pam_limits
module. The file allows you to set
hard limits, which may not be exceeded at all, and soft limits, which
may be exceeded temporarily. For more information about the syntax and
the options, see the comments in
/etc/security/limits.conf
.
The pam-config tool helps you configure the global PAM
configuration files (/etc/pam.d/common-*-pc
) as well
as several selected application configurations. For a list of supported
modules, use the pam-config --list-modules command.
Use the pam-config command to maintain your PAM
configuration files. Add new modules to your PAM configurations, delete
other modules or modify options to these modules. When changing global
PAM configuration files, no manual tweaking of the PAM setup for
individual applications is required.
A simple use case for pam-config involves the following:
Auto-generate a fresh Unix-style PAM configuration.
Let pam-config create the simplest possible setup which you can extend
later on. The pam-config --create command creates a
simple UNIX authentication configuration. Pre-existing configuration
files not maintained by pam-config are overwritten, but backup copies
are kept as *.pam-config-backup
.
Add a new authentication method.
Adding a new authentication method (for example, LDAP) to your stack
of PAM modules comes down to a simple pam-config --add
--ldap command. LDAP is added wherever appropriate across
all common-*-pc
PAM configuration files.
Add debugging for test purposes.
To make sure the new authentication procedure works as planned, turn
on debugging for all PAM-related operations. The pam-config
--add --ldap-debug turns on debugging for LDAP-related PAM
operations. Find the debugging output in
/var/log/messages
.
Query your setup.
Before you finally apply your new PAM setup, check if it contains all
the options you wanted to add. The pam-config --query
--module
lists both the type and
the options for the queried PAM module.
Remove the debug options. Finally, remove the debug option from your setup when you are entirely satisfied with the performance of it. The pam-config --delete --ldap-debug command turns off debugging for LDAP authentication. In case you had debugging options added for other modules, use similar commands to turn these off.
When you create your PAM configuration files from scratch using the
pam-config --create command, it creates symbolic links
from the common-*
to the
common-*-pc
files. pam-config only modifies the
common-*-pc
configuration files. Removing these
symbolic links effectively disables pam-config, because pam-config only
operates on the common-*-pc
files and these files
are not put into effect without the symbolic links.
For more information on the pam-config command and the options available, refer to the manual page of pam-config(8).
In the /usr/share/doc/packages/pam
directory of the
installed system, find the following additional documentation:
In the top level of this directory, there is the general README file.
The modules
subdirectory holds README files about
the available PAM modules.
This document comprises everything that the system administrator should know about PAM. It discusses a range of topics, from the syntax of configuration files to the security aspects of PAM.
This document summarizes the topic from the developer's point of view, with information about how to write standard-compliant PAM modules.
This document comprises everything needed by an application developer who wants to use the PAM libraries.
PAM in general as well as the individual modules come with manual pages that provide a good overview of the functionality provided by the respective component.
Thorsten Kukuk has developed a number of PAM modules. Find the documentation of these modules at http://www.suse.de/~kukuk/pam/.