210.2. PAM authentication

Weight: 3
Description: The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
Key Knowledge Areas:
    PAM configuration files, terms and utilities
    passwd and shadow passwords
    Use sssd for LDAP authentication
Terms and Utilities:
    /etc/pam.d/
    pam.conf
    nsswitch.conf
    pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
    sssd.conf
Having control over users, authentication and auditing is important, but there is not just one authentication source that we always use. There are different authentication sources, such as the traditional Unix shadow file, LDAP servers and the old NIS.

PAM (Pluggable Authentication Modules)

PAM is an abstraction layer that sits between programs and the different kinds of authentication sources. It handles the negotiation with the authentication source and hands the result back to the program.
This way developers do not need to work out how to make their programs deal with each authentication source; they concentrate on their program and simply use PAM. From the other side, when a new authentication source is implemented there is no need to change the programs: a new PAM module is written once and reused again and again, so PAM brings a kind of portability to programs too.

PAM Architecture

Any program that deals with user names and passwords, such as passwd or su, uses PAM. To do that the program is linked against the PAM library, libpam. PAM itself reads its configuration from /etc/pam.d, and being modular it uses different modules placed in /lib/security (or /lib64/security).
For example, let's check the login tool to find out whether it uses PAM or not (CentOS 7):
```
[root@host ~]# ldd $(which login)
    linux-vdso.so.1 =>  (0x00007fff3cdfe000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f1b30124000)
    libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007f1b2ff20000)
    libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f1b2fcf7000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f1b2fad0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1b2f703000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f1b2f4ff000)
    libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f1b2f2f9000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f1b2f097000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1b30333000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1b2ee7b000)
```
libpam and libpam_misc are what hook a tool such as login (or passwd) into PAM.

/etc/pam.d

The /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application. In earlier versions of PAM, the /etc/pam.conf file was used, but this file is now deprecated and is only used if the /etc/pam.d/ directory does not exist:
```
[root@host ~]# cd /etc/
[root@host etc]# cat pam.conf
cat: pam.conf: No such file or directory

[root@host ~]# cd /etc/pam.d/
[root@host pam.d]# ls
atd                     gdm-pin            postlogin-ac       su
chfn                    gdm-smartcard      ppp                sudo
chsh                    ksu                remote             sudo-i
config-util             liveinst           runuser            su-l
crond                   login              runuser-l          system-auth
cups                    other              setup              system-auth-ac
fingerprint-auth        passwd             smartcard-auth     systemd-user
fingerprint-auth-ac     password-auth      smartcard-auth-ac  vlock
gdm-autologin           password-auth-ac   smtp               vmtoolsd
gdm-fingerprint         pluto              smtp.postfix       xserver
gdm-launch-environment  polkit-1           sshd
gdm-password            postlogin          sssd-shadowutils
```
Every binary that has something to do with PAM needs a configuration file. There are also some generic configuration files. The configuration files define exactly what should happen. The PAM configuration file format is:
```
<service> <module-interface> <control-flag> <module-name> <module-arguments>
```
1- Service: defines which service this configuration line is about, such as ssh or FTP. With this column, /etc/pam.conf becomes one huge file with many lines, which is not ideal; that is why in most modern Linux distributions each service has its own configuration file, named after the service, inside the /etc/pam.d directory, as you can see above (the service column is then left out). Let's take a look at one of them before continuing:
```
[root@host pam.d]# cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
```
system-auth is a generic configuration file that is included by almost every service that does something with authentication.
```
[root@host pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```
2- module-interface: Four types of PAM module interface are available. Each corresponds to a different aspect of the authorization process:
    auth: This module interface authenticates users. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.
    account: This module interface verifies that access is allowed. For example, it may check whether a user account has expired or whether a user is allowed to log in at a particular time of day.
    password: This module interface is used for changing user passwords.
    session: This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available. For a better understanding, take a look at the control flags.
3- control-flag: All PAM modules generate a success or failure result when called. Control flags tell PAM what to do with that result. Modules can be stacked in a particular order, and the control flags determine how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
There are several simple flags, which use only a keyword to set the configuration:
    requisite: The module result must be successful for authentication to continue. If a test fails at this point, the user is notified immediately with a message reflecting the first failed required or requisite module test.
    required: The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.
    sufficient: The module result is ignored if it fails. However, if the result of a module flagged sufficient is successful and no previous module flagged required has failed, then no other results are required and the user is authenticated to the service.
    optional: The module result is ignored. A module flagged as optional only becomes necessary for successful authentication when no other modules reference the interface.
    include: Unlike the other controls, this does not relate to how the module result is handled. This flag pulls in all lines of the same interface from the configuration file named as its parameter, as if they were written in place.
4-pam module name : The module name provides PAM with the name of the pluggable module containing the specified module interface. The directory name is omitted because the application is linked to the appropriate version of libpam, which can locate the correct version of the module.
5- module arguments: PAM uses arguments to pass information to a pluggable module during authentication, for those modules that take them. For example:
```
auth required pam_userdb.so db=/path/to/MyDB_file
```
Invalid arguments are generally ignored and do not otherwise affect the success or failure of the PAM module. Some modules, however, may fail on invalid arguments. Most modules report errors to the /var/log/secure file.
Now that we know the format of a PAM configuration file, let's take a look at another one:
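To see how the control flags combine, here is an added example (not code from this page or from Linux-PAM itself) that parses rules in the format above and replays the auth stack of the system-auth file listed earlier with constructed module outcomes; the function names and the outcome table are assumptions made for the example, and include, substack and bracketed controls are parsed but not evaluated.

```python
"""Replay Linux-PAM's stacking rules for the simple control flags.

Added example (not the page's or Linux-PAM's code): parse_pam_lines()
reads rules in the <interface> <control> <module> <args> form used in
/etc/pam.d/<service>, and evaluate_stack() applies required / requisite /
sufficient / optional semantics to constructed module outcomes.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    interface: str            # auth, account, password or session
    control: str              # required, requisite, sufficient, optional, ...
    module: str               # e.g. pam_unix.so
    args: list = field(default_factory=list)


def parse_pam_lines(text):
    """Parse pam.d-style rule lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        line = line.lstrip("-")   # '-' prefix: module may be absent; irrelevant here
        # control is either one keyword or a bracketed [key=value ...] list
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        iface, control, module, rest = m.groups()
        rules.append(Rule(iface, control, module, rest.split()))
    return rules


SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}


def evaluate_stack(rules, interface, outcomes):
    """Return 'success' or 'fail' for one interface (e.g. 'auth').

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure);
    a module missing from outcomes is treated as failing.
    """
    required_failed = False
    consulted = False          # at least one required/requisite module ran
    optional_results = []
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.control not in SIMPLE_CONTROLS:
            raise NotImplementedError(f"control {rule.control!r} is not simulated")
        ok = outcomes.get(rule.module, False)
        if rule.control == "requisite":
            if not ok:
                return "fail"            # stop at once; the user is told now
            consulted = True
        elif rule.control == "required":
            if not ok:
                required_failed = True   # remembered, but the stack keeps running
            consulted = True
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return "success"         # enough; the remaining modules are skipped
            # a failing sufficient module is simply ignored
        else:                            # optional
            optional_results.append(ok)
    if required_failed:
        return "fail"
    if consulted:
        return "success"
    # only optional modules referenced this interface, so they decide
    return "success" if optional_results and all(optional_results) else "fail"


# The auth part of the CentOS 7 system-auth file shown earlier on this page.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
"""


def login_attempt(password_ok, uid):
    """Constructed outcomes: no fingerprint reader, pam_deny always fails."""
    outcomes = {
        "pam_env.so": True,
        "pam_faildelay.so": True,
        "pam_fprintd.so": False,
        "pam_unix.so": password_ok,
        "pam_succeed_if.so": uid >= 1000,
        "pam_deny.so": False,
    }
    return evaluate_stack(parse_pam_lines(SYSTEM_AUTH), "auth", outcomes)


if __name__ == "__main__":
    print("good password, uid 1000:", login_attempt(True, 1000))    # success
    print("bad password, uid 1000: ", login_attempt(False, 1000))   # fail (pam_deny)
    print("bad password, uid 500:  ", login_attempt(False, 500))    # fail (requisite)
```

The trailing `required pam_deny.so` is what makes the stack fail closed when no sufficient module succeeded, and a sufficient success never overrides an earlier required failure.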
```
[root@host pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
```
As you can see, there are some generic configuration files, such as password-auth, which are included and reused in other configuration files again and again.

/lib/security or /lib64/security

This is where the PAM modules themselves live:
```
[root@host pam.d]# cd /lib64/security/
[root@host security]# ls
pam_access.so     pam_gdm.so            pam_permit.so         pam_time.so
pam_cap.so        pam_gnome_keyring.so  pam_postgresok.so     pam_timestamp.so
pam_chroot.so     pam_group.so          pam_pwhistory.so      pam_tty_audit.so
pam_console.so    pam_issue.so          pam_pwquality.so      pam_umask.so
pam_cracklib.so   pam_keyinit.so        pam_rhosts.so         pam_unix_acct.so
pam_debug.so      pam_lastlog.so        pam_rootok.so         pam_unix_auth.so
pam_deny.so       pam_limits.so         pam_securetty.so      pam_unix_passwd.so
pam_echo.so       pam_listfile.so       pam_selinux_permit.so pam_unix_session.so
pam_env.so        pam_localuser.so      pam_selinux.so        pam_unix.so
pam_exec.so       pam_loginuid.so       pam_sepermit.so       pam_userdb.so
pam_faildelay.so  pam_mail.so           pam_shells.so         pam_warn.so
pam_faillock.so   pam_mkhomedir.so      pam_sss.so            pam_wheel.so
pam_filter        pam_motd.so           pam_stress.so         pam_xauth.so
pam_filter.so     pam_namespace.so      pam_succeed_if.so
pam_fprintd.so    pam_nologin.so        pam_systemd.so
pam_ftp.so        pam_oddjob_mkhomedir.so  pam_tally2.so
```
If a new way of authenticating is invented (like a fingerprint reader), this is the place where the required module is put, and it is then integrated through the PAM configuration files.
For the LPIC-2 exam we are required to know some of these modules:
    pam_unix
    pam_cracklib
    pam_limits
    pam_listfile
    pam_sss
pam_unix: This module configures authentication via /etc/passwd and /etc/shadow.
The pam_unix.so module supports the following management groups:
```
account
    The type "account" does not authenticate the user but checks other things
    such as the expiration date of the password and might force the user to
    change his password based on the contents of the files /etc/passwd and
    /etc/shadow.

    The following options are supported:

    debug
        Log information using syslog.
    audit
        Also logs information, even more than debug does.

auth
    The type "auth" checks the user's password against the password
    database(s). This component is configured in the file /etc/nsswitch.conf.
    Please consult the man page (man nsswitch.conf) for further details.

    The following options are supported:

    audit
        Log information using syslog.
    debug
        Also logs information using syslog but less than audit.
    nodelay
        This argument sets the delay-on-failure, which has a default of a
        second, to nodelay.
    nullok
        Allows empty passwords. Normally authentication fails if the password
        is blank.
    try_first_pass
        Use the password from the previous stacked auth module and prompt for
        a new password if the retrieved password is blank or incorrect.
    use_first_pass
        Use the result from the previous stacked auth module, never prompt the
        user for a password and fail if the result was a fail.

password
    The type "password" changes the user's password.

    The following options are supported:

    audit
        Log information using syslog.
    bigcrypt
        Use the DEC "C2" extension to crypt().
    debug
        Also logs information using syslog but less than audit.
    md5
        Use md5 encryption instead of crypt().
    nis
        Use NIS (Network Information Service) passwords.
    not_set_pass
        Don't use the passwords from other stacked modules and do not give
        the new password to other stacked modules.
    nullok
        Allows empty passwords. Normally authentication fails if the password
        is blank.
    remember
        Remember the last n passwords to prevent the user from using one of
        the last n passwords again.
    try_first_pass
        Use the password from the previous stacked auth module, and prompt
        for a new password if the retrieved password is blank or incorrect.
    use_authtok
        Set the new password to the one provided by a previous module.
    use_first_pass
        Use the result from the previous stacked auth module, never prompt the
        user for a password and fail if the result was a fail.

session
    The type "session" uses syslog to log the user's name and session type at
    the start and end of a session.

    The "session" type does not support any options.
```
Most services that need authentication include pam_unix.so. As an example, we can add an option to it so that the last 3 passwords of each user are remembered and cannot be set again:
```
[root@host ~]# cd /etc/pam.d/
[root@host pam.d]# vim system-auth

[root@host pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```
And fortunately there is nothing else to do. Test it by creating a user, setting three different passwords for that user, and on the fourth attempt trying to set the first password you used; it will not be accepted.
pam_cracklib: This plugin provides strength checking for passwords. It performs a number of checks to ensure passwords are not too weak: it checks the password against dictionaries, the previous password(s) and rules about the use of numbers, upper- and lowercase and other characters. Depending on your distribution the module may have a different name.
```
Options

debug
    This option makes the module write information to syslog(3) indicating
    the behavior of the module (this option does not write password
    information to the log file).
authtok_type=XXX
    The default action is for the module to use the following prompts when
    requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
    The example word UNIX can be replaced with this option; by default it is
    empty.
retry=N
    Prompt user at most N times before returning with error. The default is 1.
difok=N
    This argument will change the default of 5 for the number of character
    changes in the new password that differentiate it from the old password.
minlen=N
    The minimum acceptable size for the new password (plus one if credits
    are not disabled, which is the default). In addition to the number of
    characters in the new password, credit (of +1 in length) is given for
    each different kind of character (other, upper, lower and digit). The
    default for this parameter is 9, which is good for an old style UNIX
    password all of the same type of character but may be too low to exploit
    the added security of an md5 system. Note that there is a pair of length
    limits in Cracklib itself, a "way too short" limit of 4 which is hard
    coded in and a defined limit (6) that will be checked without reference
    to minlen. If you want to allow passwords as short as 5 characters you
    should not use this module.
dcredit=N
    (N >= 0) This is the maximum credit for having digits in the new
    password. If you have less than or N digits, each digit will count +1
    towards meeting the current minlen value. The default for dcredit is 1,
    which is the recommended value for minlen less than 10.
    (N < 0) This is the minimum number of digits that must be met for a new
    password.
ucredit=N
    (N >= 0) This is the maximum credit for having upper case letters in the
    new password. If you have less than or N upper case letters, each letter
    will count +1 towards meeting the current minlen value. The default for
    ucredit is 1, which is the recommended value for minlen less than 10.
    (N < 0) This is the minimum number of upper case letters that must be
    met for a new password.
lcredit=N
    (N >= 0) This is the maximum credit for having lower case letters in the
    new password. If you have less than or N lower case letters, each letter
    will count +1 towards meeting the current minlen value. The default for
    lcredit is 1, which is the recommended value for minlen less than 10.
    (N < 0) This is the minimum number of lower case letters that must be
    met for a new password.
ocredit=N
    (N >= 0) This is the maximum credit for having other characters in the
    new password. If you have less than or N other characters, each
    character will count +1 towards meeting the current minlen value. The
    default for ocredit is 1, which is the recommended value for minlen less
    than 10.
    (N < 0) This is the minimum number of other characters that must be met
    for a new password.
minclass=N
    The minimum number of required classes of characters for the new
    password. The default number is zero. The four classes are digits, upper
    and lower letters and other characters. The difference from the credit
    check is that a specific class of characters is not required. Instead N
    out of the four classes are required.
maxrepeat=N
    Reject passwords which contain more than N same consecutive characters.
    The default is 0, which means that this check is disabled.
maxsequence=N
    Reject passwords which contain monotonic character sequences longer than
    N. The default is 0, which means that this check is disabled. Examples of
    such sequences are '12345' or 'fedcb'. Note that most such passwords
    will not pass the simplicity check unless the sequence is only a minor
    part of the password.
maxclassrepeat=N
    Reject passwords which contain more than N consecutive characters of the
    same class. The default is 0, which means that this check is disabled.
reject_username
    Check whether the name of the user in straight or reversed form is
    contained in the new password. If it is found the new password is
    rejected.
gecoscheck
    Check whether the words from the GECOS field (usually the full name of
    the user) longer than 3 characters in straight or reversed form are
    contained in the new password. If any such word is found the new
    password is rejected.
enforce_for_root
    The module will return an error on a failed check also if the user
    changing the password is root. This option is off by default, which
    means that just the message about the failed check is printed but root
    can change the password anyway.
use_authtok
    This argument is used to force the module to not prompt the user for a
    new password but use the one provided by the previously stacked password
    module.
dictpath=/path/to/dict
    Path to the cracklib dictionaries.
```
For example, we can set the minimum number of characters required for a password. Note that on CentOS 7 the module is no longer called pam_cracklib.so; it has been replaced by pam_pwquality.so, which takes the same option:
```
[root@host pam.d]# vim system-auth
[root@host pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=10 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```
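As an added example (not pam_cracklib's or pam_pwquality's own code), this re-implements the credit, minlen, minclass, maxrepeat, maxsequence, maxclassrepeat and reject_username arithmetic described in the option list above, so you can see what a given option set such as minlen=10 accepts; the dictionary lookup and the old/new difok comparison are left out, and the function names and sample passwords are constructed for the example.

```python
"""Credit and class arithmetic of pam_cracklib / pam_pwquality.

Added example (not the module's own code): check_password() returns the
list of reasons a candidate password is rejected under the options given;
dictionary lookups and the old/new difok comparison are omitted.
"""


def char_class(c):
    """Map a character to one of the four cracklib classes."""
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def longest_run(s, key=lambda c: c):
    """Longest run of consecutive characters that are equal under key()."""
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if key(a) == key(b) else 1
        best = max(best, run)
    return best


def longest_sequence(s):
    """Longest monotonic run stepping +1 or -1 in code point ('12345', 'fedcb')."""
    best = run = 1 if s else 0
    direction = 0
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1) and d == direction:
            run += 1
        elif d in (1, -1):
            run, direction = 2, d
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(new, username=None, minlen=9, dcredit=1, ucredit=1,
                   lcredit=1, ocredit=1, minclass=0, maxrepeat=0,
                   maxsequence=0, maxclassrepeat=0, reject_username=False):
    """Return the rejection reasons for `new` ([] means accepted).

    Defaults follow the option text above: minlen=9, one credit per class,
    and the repeat/sequence checks disabled (0).
    """
    problems = []
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for c in new:
        counts[char_class(c)] += 1
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}

    # N >= 0: up to N characters of that class each add +1 to the length score.
    # N <  0: at least |N| characters of that class are mandatory, no credit.
    score = len(new)
    for cls, n in credits.items():
        if n >= 0:
            score += min(counts[cls], n)
        elif counts[cls] < -n:
            problems.append(f"needs at least {-n} {cls} characters")
    if score < minlen:
        problems.append(f"too short: credited length {score} < minlen {minlen}")

    if sum(1 for v in counts.values() if v) < minclass:
        problems.append(f"uses fewer than minclass={minclass} character classes")
    if maxrepeat and longest_run(new) > maxrepeat:
        problems.append(f"more than maxrepeat={maxrepeat} identical consecutive characters")
    if maxclassrepeat and longest_run(new, key=char_class) > maxclassrepeat:
        problems.append(f"more than maxclassrepeat={maxclassrepeat} consecutive characters of one class")
    if maxsequence and longest_sequence(new) > maxsequence:
        problems.append(f"monotonic sequence longer than maxsequence={maxsequence}")
    if reject_username and username:
        user, lowered = username.lower(), new.lower()
        if user in lowered or user[::-1] in lowered:
            problems.append("contains the user name (straight or reversed)")
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against the minlen=10 line set above.
    for pw in ("Passw0rd!", "passw0rd", "abc12345", "pooruser2024"):
        verdict = check_password(pw, username="pooruser", minlen=10,
                                 maxsequence=3, reject_username=True)
        print(f"{pw:14} -> {verdict or 'accepted'}")
```

Note that with the default credits an all-lowercase 8-character password already scores 9, so minlen=10 only guarantees 9 real characters unless the credits are made negative.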
pam_limits: The pam_limits PAM module sets limits on the system resources that can be obtained in a user session. Users with uid=0 are affected by these limits too. By default limits are taken from the /etc/security/limits.conf config file; then the individual files from the /etc/security/limits.d/ directory are read.
```
[root@host pam.d]# grep pam_limits *
fingerprint-auth:session     required      pam_limits.so
fingerprint-auth-ac:session     required      pam_limits.so
password-auth:session     required      pam_limits.so
password-auth-ac:session     required      pam_limits.so
runuser:session         required        pam_limits.so
smartcard-auth:session     required      pam_limits.so
smartcard-auth-ac:session     required      pam_limits.so
sudo:session    required     pam_limits.so
sudo-i:session    required     pam_limits.so
system-auth:session     required      pam_limits.so
system-auth-ac:session     required      pam_limits.so
[root@host pam.d]# cat sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
```
As you can see pam_limits.so is used by the session interface, so instead of manipulating that module line, which would affect other services, we put our settings inside /etc/security/limits.conf:
```
[root@host pam.d]# cd /etc/security/
[root@host security]# ls
access.conf       console.perms    limits.d        opasswd       time.conf
chroot.conf       console.perms.d  namespace.conf  pam_env.conf
console.apps      group.conf       namespace.d     pwquality.conf
console.handlers  limits.conf      namespace.init  sepermit.conf
[root@host security]# cat limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file
```
For example, adding the line below at the end of /etc/security/limits.conf prevents pooruser from logging in more than once (the @ syntax selects the group named pooruser, which on a default CentOS install is the user's private group):
```
@pooruser hard maxlogins 1
```
For testing, create pooruser, try to ssh into the system more than once and see the result.
pam_listfile : This module allows or denies an action based on the presence of the item in a listfile. A listfile is a textfile containing a list of usernames, one username per line. The type of item can be set via the configuration parameter item and can have the value of user, tty, rhost, ruser, group, or shell. The sense configuration parameter determines whether the entries in the list are allowed. Possible values are allow and deny.
```
[root@host security]# cd /etc/pam.d/
[root@host pam.d]# grep pam_listfile.so *
```
Right now no package or service is using pam_listfile. For testing, let's install an FTP server:
```
[root@host pam.d]# yum install vsftpd

[root@host pam.d]# grep pam_listfile.so *
vsftpd:auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

[root@host pam.d]# cat vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required	pam_shells.so
auth       include	password-auth
account    include	password-auth
session    required     pam_loginuid.so
session    include	password-auth
```
What it does is deny every user whose name is inside /etc/vsftpd/ftpusers. See:
```
[root@host pam.d]# cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
```
For testing, start the vsftpd service, create pooruser and add it to this list, then try to log in to the FTP server as pooruser.
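As an added example (not pam_listfile's own code), this simulates the vsftpd rule above against a constructed copy of ftpusers in a temporary file, and shows what onerr=succeed means when the list file is missing or unsafe; parse_module_args, pam_listfile and demo are names chosen for the example.

```python
"""Simulate the pam_listfile rule used by vsftpd above:

    auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

Added example (not pam_listfile's own code): parse_module_args() splits the
key=value arguments, pam_listfile() decides for one request, and demo() runs
it against a constructed copy of ftpusers in a temporary file.
"""
import os
import stat
import tempfile


def parse_module_args(argstring):
    """Turn 'item=user sense=deny file=/x onerr=succeed' into a dict."""
    args = {}
    for tok in argstring.split():
        key, _, value = tok.partition("=")
        args[key] = value
    return args


def pam_listfile(args, item_value):
    """Return 'success' or 'fail' for one request, e.g. item_value='root'.

    Lines are compared verbatim (the module has no comment syntax), so the
    leading '# Users ...' line in ftpusers is harmless but not special.
    """
    sense = args.get("sense", "deny")
    onerr = args.get("onerr", "fail")
    path = args["file"]
    try:
        st = os.stat(path)
        # Like the module, refuse a list that is not a regular file or is
        # world-writable: whoever can edit the list controls the decision.
        if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
            raise OSError("unsafe list file")
        with open(path) as fh:
            entries = {line.rstrip("\n") for line in fh}
    except OSError:
        # The list could not be used, so onerr decides. With onerr=succeed a
        # deleted or unreadable deny list silently lets everyone through.
        return "success" if onerr == "succeed" else "fail"
    listed = item_value in entries
    if sense == "deny":
        return "fail" if listed else "success"
    return "success" if listed else "fail"       # sense=allow


# Constructed, shortened copy of the /etc/vsftpd/ftpusers listing above.
FTPUSERS = "# Users that are not allowed to login via ftp\nroot\nbin\ndaemon\nnobody\n"


def demo():
    """Listed user, unlisted user, and a missing file under both onerr settings."""
    fd, path = tempfile.mkstemp(suffix=".ftpusers")   # created mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(FTPUSERS)
    try:
        args = parse_module_args(f"item=user sense=deny file={path} onerr=succeed")
        results = {
            "root": pam_listfile(args, "root"),
            "pooruser": pam_listfile(args, "pooruser"),
        }
        gone = dict(args, file=path + ".missing")
        results["missing_onerr_succeed"] = pam_listfile(gone, "root")
        results["missing_onerr_fail"] = pam_listfile(dict(gone, onerr="fail"), "root")
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

For a deny list, onerr=fail is the fail-closed choice; the shipped onerr=succeed keeps FTP working if the file is absent but also means a removed or unreadable ftpusers no longer blocks anyone.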

sssd

sssd is a central service in the authentication process that determines how exactly authentication is going to happen. sssd can authenticate us against LDAP, Active Directory, NIS and so on; it is developed especially for that. Let's just take a look at it in order to have a better understanding of pam_sss. Here we only check the service and read the sample configuration file:
```
[root@host ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@host ~]# cp /usr/share/doc/sssd-common-1.16.0/sssd-example.conf /etc/sssd/sssd.conf
[root@host ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM
```
We would need to configure and start the sssd service if we planned to use it, but let's leave it for now.
pam_sss.so is the PAM interface to the System Security Services Daemon (SSSD). Errors and results are logged through syslog.

nsswitch.conf

nsswitch determines the order in which files or services are consulted to answer authentication or authorization lookups on the system. We typically edit nsswitch.conf when dealing with DNS entries (we talked about nsswitch when we covered BIND DNS in the previous course).
```
[root@host ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files sss

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   nisplus sss

publickey:  nisplus

automount:  files nisplus sss
aliases:    files nisplus
```
The lookup order in nsswitch.conf affects how authentication takes place on our system: pam_unix consults the databases configured there (the files source), while pam_sss goes through sssd. So one way to troubleshoot PAM when a setting does not seem to apply is to check nsswitch.conf and the order of its sources.
That is all.