This video shows you how to decipher and interpret PAM configurations.
- [Instructor] Let's look at a sample PAM configuration. PAM configuration files, like most other configuration files, use a hash mark or a pound sign to indicate a comment. The first line in this file is a comment. The second line in the file is a directive. Auth is a module interface, required is the control flag, and pam_securetty.so is the authentication module. The three lines that start with auth are known as a stack. In this case, all three directives are required to succeed in order for authentication to be successful.
The auth required pam_securetty line ensures that if the user is trying to log in as root, the tty in which the user is logging in is listed in the /etc/securetty file, if that file exists. If the tty is not listed in the file, any attempt to log in as root fails. The next line uses the pam_unix module. This module prompts the user for a password and then checks the password, using the information stored in /etc/passwd and /etc/shadow.
The nullok argument instructs the pam_unix module to allow blank passwords. The pam_nologin module is used to prevent non-root users from logging onto the system when either the /etc/nologin or /var/run/nologin files are present. As a system administrator, you can use these files to keep people from logging into the system while you perform maintenance, for example. When a user logs in, the contents of the nologin file will be displayed to them. Let's move on to the account required pam_unix.so line.
The account interface of the pam_unix module performs any necessary account verification, such as checking to make sure the account hasn't expired. If the password on the account has expired, the next line comes into play. It uses the pam_pwquality module with an argument of retry=3. This module prompts the user to enter a new password and then performs some quality tests on that password, including to see if it's a dictionary word. If the password fails the quality test, the retry=3 argument tells the module to give the user two additional chances to create an acceptable password before returning with an error.
The next line uses the password interface of the pam_unix module. The arguments are shadow, nullok and use_authtok. The backslash you see here is simply a line continuation character. If you were to place this on one line, then you wouldn't need to use that backslash. The shadow argument tells pam_unix to use shadow passwords. The nullok argument allows the user to change their password from a blank password. If this argument isn't used, a null password is treated as a locked account.
The use_authtok argument tells the module not to prompt for a password, but to use any password that was gathered by a previous password module. This allows us to use the pam_pwquality module to enforce strong passwords. This particular example highlights the importance of the order in which PAM directives are listed. Finally, the last line of this configuration uses the session interface of the pam_unix module which logs when a user logs into or out of the system. If you want to understand exactly what a module does, what interfaces it supports and what arguments it expects, refer to its documentation.
The simplest way to do this is to drop the .so extension, which stands for shared object, by the way, and then pass it as an argument to the man command. So if you want to read up on the pam_unix.so module documentation, you would run man pam_unix. We'll be coming back to PAM from time to time throughout this course. Now that you understand how PAM works in general, we can get into some specific account security measures and how you can go about creating configurations for those measures.