4.10 Providing secure user access
4.10.1 User authentication: PAM
PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).
Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:
• what backend is used for sessions.
• how password checks behave.
The following description is far from complete; for more information you might want to read the Linux-PAM System Administrator's Guide (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html) at the primary PAM distribution site (http://www.kernel.org/pub/linux/libs/pam/). This document is also provided in the libpam-doc Debian package.
PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if he authenticates correctly against both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure as soon as one module fails.
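To make the effect of the control field visible, here is a small simulator of how a PAM stack is walked. It is an added example, not code from this manual or from Linux-PAM; it models the four classic control flags (required, requisite, sufficient, optional) in simplified form and takes each module's outcome from a dict instead of authenticating anything. The constructed stack is the auth section of /etc/pam.d/login with the pam_securetty.so line this section recommends, once with requisite and once with required.

```python
"""Simplified evaluator for one PAM management group (e.g. all 'auth' lines).

Added illustration, not code from the Securing Debian Manual or Linux-PAM.
Module results are supplied in a dict; nothing is really authenticated.
"""


def evaluate_stack(stack, outcomes):
    """Walk the stack in file order and return (result, modules_consulted).

    stack    : list of (control, module) tuples
    outcomes : dict mapping module name -> True (success) / False (failure)
    result   : "success" or "fail"

    Modules after an early return are never consulted, which is why a
    'requisite' pam_securetty.so stops a root login from a non-secure tty
    before the password module is even reached.
    """
    consulted = []
    required_failed = False
    success_seen = False
    for control, module in stack:
        consulted.append(module)
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return "fail", consulted  # fail immediately
            success_seen = True
        elif control == "required":
            if ok:
                success_seen = True
            else:
                required_failed = True  # remembered, but the stack continues
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", consulted  # enough on its own
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            # simplified: only decisive when it is the sole module
            if len(stack) == 1:
                return ("success" if ok else "fail"), consulted
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed or not success_seen:
        return "fail", consulted
    return "success", consulted


# Constructed 'auth' stacks for /etc/pam.d/login (hypothetical, not from a real system)
LOGIN_AUTH = [("requisite", "pam_securetty.so"),
              ("required", "pam_unix.so")]
LOGIN_AUTH_LAX = [("required", "pam_securetty.so"),
                  ("required", "pam_unix.so")]


def remote_root_login(stack):
    """root on a terminal not listed in /etc/securetty: pam_securetty fails,
    the password itself would be correct."""
    return evaluate_stack(stack, {"pam_securetty.so": False, "pam_unix.so": True})


if __name__ == "__main__":
    print("requisite:", remote_root_login(LOGIN_AUTH))
    print("required: ", remote_root_login(LOGIN_AUTH_LAX))
```

Both variants end in a login failure, but with required the stack still consults pam_unix.so, so the user is prompted for a password that can never succeed; with requisite the attempt is rejected before that prompt, which is the behaviour the text prefers.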
The first thing I like to do is to add MD5 support to PAM applications, since this helps protect against dictionary cracks (passwords can be longer if using MD5). The following two lines should be added to all files in /etc/pam.d/ that grant access to the machine, like login and ssh.
# Be sure to install libpam-cracklib first or you will not be able to log in
password required pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_unix.so use_authtok nullok md5
So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength checking, prompts for a new password with a minimum length of 12 characters, requires a difference of at least 3 characters from the old password, and allows 3 retries. Cracklib depends on a wordlist package (such as wenglish, wspanish, wbritish, ...), so make sure you install one that is appropriate for your language or cracklib might not be useful to you at all.[14] The second line introduces the standard authentication module with MD5 passwords and allows a zero length password. The use_authtok directive is necessary to hand over the password from the previous module.
To make sure that the user root can only log into the system from local terminals, the following line should be enabled in /etc/pam.d/login:
auth requisite pam_securetty.so
[14] This dependency is not fixed, however, in the Debian 3.0 package. Please see Bug #112965 (http://bugs.

Then you should modify the list of terminals on which direct root login is allowed in /etc/securetty. Alternatively, you could enable the pam_access module and modify /etc/security/access.conf, which allows for a more general and fine-tuned access control, but (unfortunately) lacks decent log messages (logging within PAM is not standardized and is a particularly unrewarding problem to deal with). We'll return to access.conf a little later. Last but not least, the following line should be enabled in /etc/pam.d/login to set up user resource limits.
session required pam_limits.so
This restricts the system resources that users are allowed (see 'Limiting resource usage: the limits.conf file' on the next page). For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide), number of processes, memory size etc.
Now edit /etc/pam.d/passwd and change the first line. You should add the option "md5" to use MD5 passwords, change the minimum length of password from 4 to 6 (or more) and set a maximum length, if you desire. The resulting line will look something like:
password required pam_unix.so nullok obscure min=6 max=11 md5
If you want to protect su, so that only some people can use it to become root on your system, you need to add a new group "wheel" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to su to the root user to this group. Then add the following line to /etc/pam.d/su:
auth requisite pam_wheel.so group=wheel debug
This makes sure that only people from the group "wheel" can use su to become root. Other users will not be able to become root. In fact they will get a denied message if they try to become root.
If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to log in (or not) are stored. Imagine you only want to allow user 'ref' to log in via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh:
auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail
Since there have been a number of so called insecure tempfile vulnerabilities, thttpd being one example (see DSA-883-1 (http://www.debian.org/security/2005/dsa-883)), libpam-tmpdir is a good package to install. All you have to do is add the following to /etc/pam.d/common-session:
There has also been a discussion about adding this by default in etch. See http://lists.debian.org/debian-devel/2005/11/msg00297.html for more information.
Last, but not least, create /etc/pam.d/other and enter the following lines:
auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix_acct.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix_passwd.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix_session.so
session required pam_warn.so
session required pam_deny.so
These lines will provide a good default configuration for all applications that support PAM (access is denied by default).
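The settings this section walks through (requisite pam_securetty.so and pam_limits.so in login, pam_wheel.so with group=wheel in su, md5 and use_authtok on the pam_unix.so password line, onerr=fail on pam_listfile.so, and pam_deny.so closing every stack in other) are easy to verify mechanically. The following checker is an added example, not part of this manual; it parses /etc/pam.d-style text and reports which recommendations a file does not follow. The sample files are constructed in-line so it runs without touching a real /etc/pam.d, and it does not model [...] bracket controls or include directives.

```python
"""Static checks of /etc/pam.d-style files against this section's advice.

Added example, not part of the Securing Debian Manual.  Sample files are
constructed below; nothing is read from the real /etc/pam.d.
"""


def parse_pam_file(text):
    """Return a list of (type, control, module, args) tuples.

    Comments (from '#' to end of line) and blank lines are skipped; 'args'
    is the list of remaining tokens on the line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = parts
        entries.append((mtype, control, module, args))
    return entries


def _lines(entries, mtype, module):
    return [e for e in entries if e[0] == mtype and e[2] == module]


def audit(service, text):
    """Return a list of findings for one service file (empty = nothing to flag)."""
    entries = parse_pam_file(text)
    findings = []
    if service == "login":
        if not any(e[1] == "requisite" for e in _lines(entries, "auth", "pam_securetty.so")):
            findings.append("login: no 'auth requisite pam_securetty.so' (root may log in from any terminal)")
        if not _lines(entries, "session", "pam_limits.so"):
            findings.append("login: no 'session required pam_limits.so' (limits.conf not applied)")
    if service == "su":
        wheel = _lines(entries, "auth", "pam_wheel.so")
        if not any("group=wheel" in e[3] for e in wheel):
            findings.append("su: pam_wheel.so with group=wheel missing (any user may try to become root)")
    if service == "other":
        for mtype in ("auth", "account", "password", "session"):
            stack = [e for e in entries if e[0] == mtype]
            if not stack or stack[-1][2] != "pam_deny.so":
                findings.append(f"other: '{mtype}' stack does not end in pam_deny.so (not deny-by-default)")
    # checks that apply to every service
    pw = [e for e in entries if e[0] == "password"]
    for i, (_, _, module, args) in enumerate(pw):
        if module == "pam_unix.so":
            if "md5" not in args:
                findings.append(f"{service}: pam_unix.so password line lacks 'md5'")
            if i > 0 and pw[i - 1][2] == "pam_cracklib.so" and "use_authtok" not in args:
                findings.append(f"{service}: pam_unix.so after pam_cracklib.so lacks 'use_authtok'")
    for _, _, module, args in entries:
        if module == "pam_listfile.so" and "onerr=fail" not in args:
            findings.append(f"{service}: pam_listfile.so without explicit onerr=fail")
    return findings


# Constructed sample files (hypothetical, not copied from any real system).
LOGIN_GOOD = """\
auth     requisite  pam_securetty.so
auth     required   pam_unix.so nullok
account  required   pam_unix.so
password required   pam_cracklib.so retry=3 minlen=12 difok=3
password required   pam_unix.so use_authtok nullok md5
session  required   pam_unix.so
session  required   pam_limits.so
"""
LOGIN_WEAK = """\
auth     required   pam_unix.so nullok   # no pam_securetty, no pam_limits
password required   pam_cracklib.so retry=3 minlen=12 difok=3
password required   pam_unix.so nullok   # no md5, no use_authtok
"""
SU_GOOD = "auth requisite pam_wheel.so group=wheel debug\nauth required pam_unix.so\n"
OTHER_GOOD = """\
auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix_acct.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix_passwd.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix_session.so
session required pam_warn.so
session required pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("login", LOGIN_GOOD), ("login", LOGIN_WEAK),
                       ("su", SU_GOOD), ("other", OTHER_GOOD)):
        print(name, audit(name, text) or "ok")
```

Run against the weak login file it reports four findings (securetty, limits, md5, use_authtok); the hardened files produce none. Pointing audit() at the real files would simply mean reading /etc/pam.d/login, su and other and passing their contents as text.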