§2024-12-18
Linux-PAM (Pluggable Authentication Modules) is a set of shared libraries through which a Linux system administrator configures how applications authenticate users. PAM is a common framework for authentication and authorization, and is used by most privilege-granting system applications (login, sshd, sudo, su, passwd and so on), so the application does not need to know whether the credentials live in /etc/shadow, LDAP, Kerberos or elsewhere.
PAM can seriously alter the security of your Linux system, in both directions. An erroneous configuration can disable access to the system partially or completely: for instance, accidentally deleting configuration file(s) under /etc/pam.d/ and/or /etc/pam.conf can lock you out of your own system. The opposite failure is just as real: an auth stack that no longer ends in a denying module can let anyone in with any password. Keep a root shell open while editing PAM files and test the change from a second session before logging out.
How to check whether a program is PAM-aware, for example sshd: a PAM-aware program links against libpam.so, so list its shared-library dependencies.
```
(base) alexlai@JetsonOrinNano:~$ sudo ldd /usr/sbin/sshd | grep libpam.so
[sudo] password for alexlai:
        libpam.so.0 => /lib/aarch64-linux-gnu/libpam.so.0 (0x0000ffff8d550000)
```
- rserver-pam is PAM-aware while rserver is not (no libpam line is printed for rserver):
```
alexlai@hc4Noble:/opt/rstudio/bin$ ldd ./rserver | grep libpam.so
alexlai@hc4Noble:/opt/rstudio/bin$ ldd ./rserver-pam | grep libpam.so
        libpam.so.0 => /lib/aarch64-linux-gnu/libpam.so.0 (0x0000ffffb1790000)
```
- Two caveats. ldd works by invoking the program's dynamic loader, so do not run it (and certainly not with sudo; sshd is world-readable and needs none) on a binary you do not trust; for those, read the NEEDED entries from the ELF headers with readelf -d or objdump -p instead. And a program can reach PAM through a library loaded with dlopen() rather than by linking libpam directly, so a missing libpam line is strong but not conclusive evidence.
- Structure of PAM files
- `man pam.conf`
- The PAM configuration files are located in /etc/pam.d/.
- From pam.conf(5): when a PAM-aware privilege-granting application is started, it activates its attachment to the PAM-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s): /etc/pam.conf. Alternatively and preferably, the configuration can be set by individual configuration files located in a pam.d directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf.
```
alexlai@hc4Noble:~$ ls /etc/pam.d/
chfn      chsh            common-auth      common-session                 cron   newusers  passwd   runuser    sshd  su-l  sudo-i
chpasswd  common-account  common-password  common-session-noninteractive  login  other     rstudio  runuser-l  su    sudo
```
- common-auth is the file that handles the standard authentication of local Linux users. Most of the other PAM service configurations include this file (on Debian and Ubuntu with an @include line) to authenticate against local users. The same applies to common-account, common-session and common-password. On these systems the four common-* files are generated by pam-auth-update, so hand edits inside the managed block are overwritten the next time it runs.
- alexlai@hc4Noble:/etc/pam.d$ cat common-auth
```
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config
```
- The /etc/pam.d/ directory contains the configuration files for the PAM (Pluggable Authentication Modules) framework. These files define how authentication, account checks, password changes and session setup are handled for each system service. The structure and format of these files are the same for every service, so an administrator can configure and control authentication methods across the whole system in one place.
Format of the PAM Configuration Files
- Each file in /etc/pam.d/ follows the same syntax. Here is a breakdown of the format:
- File name: each file in /etc/pam.d/ is named after the service it configures (sshd for SSH, login for terminal logins, sudo for sudo authentication). The name is the service name the program passes to pam_start(); a service with no file of its own falls back to /etc/pam.d/other.
- Lines in the file: each non-comment line is one rule with the following structure:
<module-type> <control-flag> <module-path> [arguments]
<module-type>: the kind of work this rule takes part in, i.e. which of the four stacks the line belongs to. The module types are:
- auth: authentication (verifies the user's identity, for example by checking a password)
- account: account management (is the account allowed to log in at all: not expired, not locked, permitted at this time or from this host)
- password: password management (updating the user's authentication token)
- session: session management (work done when a session starts and ends, such as setting environment variables and resource limits, or logging)
<control-flag>: how the result of this rule affects the result of the whole stack. The common control flags are:
- required: the module must succeed for the stack to succeed. If it fails, the remaining rules of the stack are still run (so a caller cannot tell which check rejected it), and the stack then fails with the error of the first failed required rule.
- requisite: the module must succeed for the stack to succeed. If it fails, no further rules are run and the stack returns that error immediately.
- sufficient: if the module succeeds and no earlier required rule has failed, no further rules of the same type are run and the stack succeeds. If it fails, the failure is ignored.
- optional: the result is ignored unless it is the only rule of that type in the stack.
- include: reads the rules of the same type from the named file in /etc/pam.d/ (useful for reusing the common-* files; Debian's @include directive does the same for all four types at once). substack works like include, except that a done or die action inside the included file ends only the substack, not the whole stack.
- The long form [value1=action1 value2=action2 ...] spells out, for each possible module return value, the action to take: ok, done, bad, die, ignore, reset, or a number N meaning "skip the next N rules". The keywords above are shorthand for fixed tables, e.g. required is [success=ok new_authtok_reqd=ok ignore=ignore default=bad]. This is the syntax common-auth uses: [success=1 default=ignore] means "on success skip the next rule (pam_deny.so); any other result is simply ignored".
- audit is not a control flag. It is an argument accepted by some modules (pam_unix.so, for instance) that makes them log more detail.
<module-path>: the module's shared object, given either as an absolute path or as a file name that is looked up in the default module directory (/lib/security, or /lib/<triplet>/security on multiarch Debian and Ubuntu, e.g. /lib/aarch64-linux-gnu/security on the machines in this note). A rule whose module cannot be loaded does not vanish: libpam treats it as returning "module unknown", which under required or requisite counts as a failure.
[arguments]: optional arguments that are passed to the PAM module (specific to each module), such as nullok for pam_unix.so above.
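The control-flag rules above, and the jump-style [success=1 default=ignore] stack in the common-auth listing earlier on this page, are easiest to understand by running them. The following is an added example, not code from this page or from Linux-PAM itself: a small Python model of libpam's dispatcher that parses pam.d lines and evaluates an auth stack given a table of what each module would return. The module names, the sample stacks and the outcome table are constructed for illustration, and no real module is ever loaded.

```python
"""Evaluate a Linux-PAM auth stack the way libpam's dispatcher does.

Added example: not code from the page or from Linux-PAM.  Parsing and
control-flag semantics follow pam.conf(5); module outcomes are supplied by
the caller as a dict, so no real module is loaded.  Module names, sample
stacks and the outcome table below are constructed for illustration.
"""

# Return values as named in pam.conf(5); libpam maps each one to an action.
SUCCESS, AUTH_ERR, IGNORE, MODULE_UNKNOWN = "success", "auth_err", "ignore", "module_unknown"
PERM_DENIED = "perm_denied"   # returned when no rule set a result at all

# The simple keywords are shorthand for these [value=action ...] tables.
SIMPLE_FLAGS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_stack(text, module_type="auth"):
    """Return [(actions, module, args)] for the rules of one type, pam.d syntax."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if mtype != module_type:                       # @include, other types: skipped here
            continue
        if rest.startswith("["):                       # [success=1 default=ignore] module
            spec, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=", 1) for kv in spec.split())
        else:                                          # required/requisite/sufficient/optional
            flag, rest = rest.split(None, 1)
            actions = SIMPLE_FLAGS[flag]
        module, *args = rest.split()
        stack.append((actions, module, args))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module name -> value it returns.

    A module missing from results returns module_unknown, which is what
    libpam reports for a rule naming a .so that cannot be loaded."""
    impression, status = None, PERM_DENIED             # None: nothing decided yet
    i = 0
    while i < len(stack):
        actions, module, _ = stack[i]
        retval = results.get(module, MODULE_UNKNOWN)
        action = actions.get(retval, actions.get("default", "bad"))
        i += 1
        if action in ("ok", "done") or action.isdigit():
            # A positive result only overrides an undecided or still-successful state.
            if impression is None or (impression == "positive" and status == SUCCESS):
                if retval != IGNORE:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                                  # sufficient: stop unless an earlier required rule failed
            if action.isdigit():
                i += int(action)                       # N: jump over the next N rules
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # the first failure is what gets reported
            if action == "die":
                break                                  # requisite: stop at once
        elif action == "reset":
            impression, status = None, PERM_DENIED
        # "ignore": the rule contributes nothing
    return PERM_DENIED if impression is None else status


def decide(config, results):
    return evaluate(parse_stack(config), results)


# The Debian common-auth stack from the page, without its comments.
COMMON_AUTH = """
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""
# The same stack after an admin deletes the pam_deny.so rule.
NO_DENY = COMMON_AUTH.replace("auth requisite pam_deny.so\n", "")
# The same stack with a required rule for a module that is not installed (constructed name).
MISSING_MODULE = "auth required pam_not_installed.so\n" + COMMON_AUTH

# Constructed module behaviour: pam_deny always fails, pam_permit always succeeds,
# pam_cap returns ignore when the user has no capabilities configured.
FIXED = {"pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS, "pam_cap.so": IGNORE}
GOOD_PASSWORD = {**FIXED, "pam_unix.so": SUCCESS}
BAD_PASSWORD = {**FIXED, "pam_unix.so": AUTH_ERR}

if __name__ == "__main__":
    for name, cfg in (("common-auth", COMMON_AUTH), ("pam_deny removed", NO_DENY),
                      ("missing module", MISSING_MODULE)):
        print(f"{name:18} good password -> {decide(cfg, GOOD_PASSWORD):14} "
              f"bad password -> {decide(cfg, BAD_PASSWORD)}")
```

Running it shows the three cases that matter: the stock stack grants only on a correct password; deleting the pam_deny.so rule turns a wrong password into a success, because pam_permit.so then supplies the only result; and a required rule naming a module that is not installed denies even a correct password, because the first failure is what the stack reports. The same evaluator also shows why a sufficient rule placed after a failed required rule cannot rescue the login, and why a stack consisting of a single optional rule that returns ignore ends in PERM_DENIED.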
Example: a typical entry in a PAM configuration file:
```
auth    required    pam_unix.so
```
This line means:
- auth: the rule is part of the authentication stack.
- required: this module must succeed for authentication to succeed. If it fails, the remaining auth rules are still run, but the stack will eventually report failure.
- pam_unix.so: the module that authenticates with the standard UNIX mechanism (checking /etc/passwd and /etc/shadow).
Example file: /etc/pam.d/sshd. Here is a more complete, simplified example for SSH authentication:
```
# PAM configuration for the Secure Shell service
auth       required   pam_sepermit.so
auth       include    common-auth
account    required   pam_unix.so
password   include    common-password
session    required   pam_unix.so
```
- auth required pam_sepermit.so: allows or denies the login depending on whether SELinux is in enforcing mode, for users listed in /etc/security/sepermit.conf (a rule found in Red Hat derived sshd files). Because it is required, on a system where the module is not installed this rule fails with "module unknown" and blocks every SSH login, which is exactly the lockout warned about at the top of this note.
- auth include common-auth: pulls in the standard authentication rules from /etc/pam.d/common-auth. Note that include takes the name of another file in /etc/pam.d/, never a module name.
- account required pam_unix.so: checks that the account is valid (not expired or locked).
- password include common-password: handles password changes with the rules from /etc/pam.d/common-password.
- session required pam_unix.so: manages session setup and teardown (logging the session open and close).
Special Directives
- # (hash symbol): comments are introduced by the # symbol; anything following # on a line is ignored.
- include