Linux-PAM System Management Guide (2)

Abstract: This part discusses how to use Linux-PAM securely and introduces the usage of the individual Linux-PAM modules.
  
5. Linux-PAM security issues
  
This chapter discusses how to securely use Linux-PAM.
  
5.1 If an error occurs
  
When a configuration error occurs, Linux-PAM must decide how the failure affects system security. The two extremes are an insecure, open system (allow everything) and absolute security (deny all access). Linux-PAM is designed to fail toward the latter, so any configuration error may make the whole system, or part of it, inaccessible.
  
The worst case is that the Linux-PAM configuration files (/etc/pam.d/* or /etc/pam.conf) have been deleted. If this happens, you are locked out of your system.
  
However, there is still a way to recover. The best approach is to reboot into single-user mode and repair the configuration there. The following is the recovery procedure David Wood proposed by email:
  
First, boot the system into single-user mode. At the LILO boot: prompt, type linux single (here linux is the kernel label; press the TAB key at the prompt to list the available kernel labels).
  
Booting this way gives you a shell without having to log in.
  
If this does not work, boot the system from a rescue disk.
  
Assuming that only the PAM configuration files are damaged, perform the following steps:

cd /etc
mv pam.conf pam.conf.orig
mv pam.d pam.d.orig
mkdir pam.d
cd pam.d
  
Then use an editor to create the file /etc/pam.d/other, which should contain the following four lines:
  
auth required pam_unix_auth.so
account required pam_unix_acct.so
password required pam_unix_passwd.so
session required pam_unix_session.so
  
You should now be able to log in. If the problem persists, it may be due to a typing error in the new file or to a more serious problem. Typing errors leave messages in the log file; use tail /var/log/messages to view them.
  
Once you are logged in again, the next job is to reinstall Linux-PAM and any affected software. On a Red Hat system, run the following command to reinstall the PAM packages: rpm -Uvh --force pam-*
  
Then install (reinstall) the affected software packages, such as the libc library, util-linux, wu-ftpd and NetKit. If you use the X Window System, reinstall it as well.
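The recovery steps above, as an added example that is not part of the original guide: a script that moves the damaged configuration aside, writes the four-line fallback other file, and then checks that every management group is covered. The directory is a parameter so the script can be exercised against a sandbox; the sandbox paths and the broken sample file are constructed for the demonstration, and only in single-user mode, as root, would you run it with /etc.

```shell
#!/bin/sh
# Added example (not from the original guide): rebuild a minimal pam.d/other
# so that logins work again after the PAM configuration has been damaged.
# The directory is a parameter (a sandbox in the demonstration below) so the
# script never touches the live /etc unless you pass it explicitly.

# Move the damaged configuration aside (kept as *.orig, as in section 5.1)
# and write the four-line fallback "other" file.
rebuild_pam_other() {
    etc="$1"
    [ -f "$etc/pam.conf" ] && mv "$etc/pam.conf" "$etc/pam.conf.orig"
    [ -d "$etc/pam.d" ] && mv "$etc/pam.d" "$etc/pam.d.orig"
    mkdir "$etc/pam.d"
    cat > "$etc/pam.d/other" <<'EOF'
auth required pam_unix_auth.so
account required pam_unix_acct.so
password required pam_unix_passwd.so
session required pam_unix_session.so
EOF
}

# Return 0 when FILE has a "required pam_unix_*" line for each of the four
# management groups, which is what the fallback file must provide.
pam_other_complete() {
    file="$1"
    for group in auth account password session; do
        grep -Eq "^[[:space:]]*$group[[:space:]]+required[[:space:]]+pam_unix_" "$file" || return 1
    done
    return 0
}

# Demonstration against a constructed sandbox; nothing under /etc is touched.
sandbox=$(mktemp -d)
mkdir "$sandbox/pam.d"
echo "auth required pam_typo.so" > "$sandbox/pam.d/other"   # constructed broken file
rebuild_pam_other "$sandbox"
pam_other_complete "$sandbox/pam.d/other" && echo "fallback other file in place"
ls "$sandbox"    # pam.d and pam.d.orig
rm -rf "$sandbox"
```

The check function is deliberately strict about the control word: a fallback file that says anything other than required for one of the four groups is reported as incomplete, so a typo in the file is caught before you reboot.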
  
5.2 Do not use a vulnerable other file
  
The default configuration file other applies to every service that has no entry of its own, so if it is weak the whole system is open to attack.
  
The following example configuration is deny-by-default: the pam_deny module rejects every request, and the pam_warn module logs a warning to the auth.notice syslog facility:
  
# The PAM configuration file for the 'other' service
#
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
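To check that an installed other file really is deny-by-default, here is an added audit script that is not part of the original guide. It reads a pam.d file, extracts the module for each line of a management group, and reports the first group that does not fall through to pam_deny.so. It assumes simple control words (required, requisite and so on); bracketed control fields containing spaces are not parsed. The two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a PAM "other" file and
# report whether each of the four management groups lists pam_deny.so, the
# deny-by-default configuration section 5.2 recommends.

# Print the module (the first field ending in .so, normally the third field)
# of every non-comment line in FILE whose management group is GROUP.
pam_group_modules() {
    awk -v g="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == g { for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }
    ' "$1"
}

# Return 0 if GROUP in FILE lists pam_deny.so (with or without a path), else 1.
pam_group_denied() {
    pam_group_modules "$1" "$2" | grep -Eq '(^|/)pam_deny\.so$'
}

# Return 0 only if auth, account, password and session all deny; otherwise
# name the first open group on stdout and return 1.
pam_other_is_closed() {
    for group in auth account password session; do
        pam_group_denied "$1" "$group" || { echo "open group: $group"; return 1; }
    done
    return 0
}

# Demonstration on two constructed files in a sandbox; /etc is not touched.
sandbox=$(mktemp -d)
printf '%s\n' 'auth required pam_deny.so' 'auth required pam_warn.so' \
    'account required pam_deny.so' 'password required pam_deny.so' \
    'session required pam_deny.so' > "$sandbox/closed"
printf '%s\n' 'auth required pam_unix_auth.so' 'account required pam_deny.so' \
    'password required pam_deny.so' 'session required pam_deny.so' > "$sandbox/open"
for f in closed open; do
    if pam_other_is_closed "$sandbox/$f"; then echo "$f: deny-by-default"; else echo "$f: NOT closed"; fi
done
rm -rf "$sandbox"
```

Run it as pam_other_is_closed /etc/pam.d/other on a real system; a non-zero exit with an "open group" line means a service without its own configuration file would be handled by something other than pam_deny for that group.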
  
6. Module usage reference
  
This chapter describes the usage of the Linux-PAM module.
  
6.1 Access module
  
6.1.1 Summary
  
Module Name
pam_access
  
Author
Alexei Nogin
  
Maintainer
Author
  
Management group function provided
Account
  
System dependency
A configuration file is required. By default /etc/security/access.conf is used; another file can be specified.
  
Network Support
Uses the PAM_TTY item to obtain the terminal name; if it is not set, ttyname() is called on the standard input file descriptor instead. The host name, domain name and address information are obtained with gethostname(), yp_get_default_domain() and gethostbyname(), and are matched against the third field of each configuration line.
  
6.1.2 Overview
  
Provides logdaemon-style login access control.
  
6.1.3 account component
  
Identifiable parameters
accessfile=/path/to/file.conf
  
Description
This module provides logdaemon-style login access control based on login name, host name, domain name, internet address, network address or terminal name. It is based on the file login_access.c from logdaemon-5.6 (author: Wietse Venema), which A. Nogin modified extensively for use in this module.
  
The behaviour of this module can be modified with the following argument:
  
accessfile=/path/to/file.conf: use the given configuration file instead of the default /etc/security/access.conf.
  
Examples and suggestions
Suppose, for example, that an NIS server or mail server holds accounts for many users who should not be able to log in to that machine. This module is recommended for that situation.
  
If the module is installed in /lib/security and you use /etc/pam.d-style configuration, add the following line to /etc/pam.d/login, /etc/pam.d/rlogin, /etc/pam.d/rsh and /etc/pam.d/ftp to enable it:
  
account required /lib/security/pam_access.so
  
Note: this module will not work unless your system ignores .rhosts files. See the description of the pam_rhosts_auth module for details.
  
An example access.conf file is included in the distribution of the software.
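As an added example that is not the distribution's sample file nor part of the original guide, the script below writes a constructed access.conf for the NIS/mail-server case described above and lints it. The entries (root on local terminals only, an assumed group admins, everyone else denied) are illustrative assumptions; the format checked is the three-field "permission : users : origins" layout that pam_access reads, with permission being + or -.

```shell
#!/bin/sh
# Added example (not from the original guide): a constructed access.conf
# for pam_access and a lint function for it. Each non-comment line has the
# form  permission : users : origins  with permission "+" (allow) or "-" (deny).

# Write a constructed access.conf to FILE. pam_access stops at the first line
# whose users field and origins field both match the login attempt.
write_access_conf() {
    cat > "$1" <<'EOF'
# constructed example access.conf (not the distribution's sample file)
# root is allowed from local terminals (LOCAL matches names without a dot)
+ : root : LOCAL
# everyone else is denied everywhere, except members of the assumed group
# "admins"; the mail/NIS users have accounts here but must not log in
- : ALL EXCEPT admins : ALL
EOF
}

# Check every non-comment line of FILE: exactly three colon-separated fields,
# and the first one is "+" or "-". Prints one message per bad line and
# returns 1 if any line is bad, 0 otherwise.
lint_access_conf() {
    awk -F: '
        { head = $0; sub(/^[[:space:]]+/, "", head) }
        head == "" || head ~ /^#/ { next }
        NF != 3 { printf "line %d: expected 3 fields, got %d\n", NR, NF; bad = 1; next }
        { perm = $1; gsub(/[[:space:]]/, "", perm) }
        perm != "+" && perm != "-" { printf "line %d: permission must be + or -, got \"%s\"\n", NR, perm; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Demonstration in a sandbox directory; /etc/security is not touched.
sandbox=$(mktemp -d)
write_access_conf "$sandbox/access.conf"
lint_access_conf "$sandbox/access.conf" && echo "access.conf: syntax ok"
printf '%s\n' '- : ALL' '* : root : LOCAL' > "$sandbox/broken.conf"   # constructed bad file
lint_access_conf "$sandbox/broken.conf" || echo "broken.conf: rejected"
rm -rf "$sandbox"
```

The lint catches the two mistakes that silently change policy: a line with the wrong number of fields, and a permission field that is neither + nor -. Run lint_access_conf /etc/security/access.conf after editing the real file and before enabling the account line shown above.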
  
6.2 Chroot module
  
6.2.1 Summary
  
Module Name
pam_chroot
  
Author
Bruce Campbell
  
Maintainer
Author
  
Management group function provided
account, session, authentication
  
Network Support
local host
  
6.2.2 Overview
  
This module presents ordinary users with a false file system: from their point of view the / directory is actually /some/where/else.
  
If your system has several classes of users and you care a great deal about security, you can use this module to restrict which system information users can see and which programs they can run.
  
6.2.3 account component
  
The original work is not yet finished.
  
6.2.4 session component
  
Same as above
  
Identifiable parameters
Accepts the common PAM arguments and a log level as its arguments.
  
Examples and suggestions
Provide only a reasonable set of programs inside the chroot, for example just cat, ls, rm, cp and ed.
  
Do not abuse this module: you could, for example, install an isolated environment for every user, but that is a waste of disk space.
  
6.3 Password strength check module
  
6.3.1 Summary
  
Module Name
pam_cracklib
  
Author
Cristian Gafton
  
Maintainer
Author
  
Management group function provided
Password
  
System dependency
Requires the libcrack library and the dictionary /usr/lib/cracklib_dict.
  
6.3.2 Overview
  
This module can be stacked with the modules implementing the password management group to provide password strength checking for a given program.
  
The module works as follows. First the cracklib routine is called to check the strength of the password; if the password is not easily cracked, the following further checks are performed:

Whether the new password is the same as the old password.
Whether the new password is just the old one with the case changed.
Whether the new password is too similar to the old one. This is controlled mainly by the difok argument: if the number of characters that differ between the old and new password is greater than or equal to this value, the new password is accepted. The default is 10, or 1/2 of the length of the new password. To avoid this check for long, complex passwords, the difignore argument can be used: if the new password is longer than this value, the check is skipped. Its default is 23.
Whether the new password is too short. This is controlled by five arguments: minlen, dcredit, ucredit, lcredit and ocredit, which are not described here.
Whether the new password is a palindrome of the old one.
Whether the password has been used before. Previously used passwords are kept in the file /etc/security/opasswd.

With the standard UNIX password hash this module works well even with no arguments. With the MD5 hash, however, passwords can be longer than 8 characters, and the default settings make it hard for users to find a satisfactory password: by default the new password must differ from the old one in at least half of its characters, and this is enforced strictly. For example, if the old password is "the quick brown fox jumped over the lazy dog", it is hard to replace :). In addition, the defaults still allow a password shorter than five characters on an MD5 system. An MD5 system therefore needs some configuration adjustments: raise the minimum length and lower the required proportion of differing characters.
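The stacking this section describes, as an added example that is not part of the original guide: pam_cracklib.so is placed first in the password group, with the adjusted minlen and difok values the MD5 discussion calls for, and the module that actually sets the password follows it with use_authtok so that it reuses the checked password instead of prompting again. The downstream module pam_unix.so and the argument values are assumptions for illustration; the check function then verifies that the order is right, since a use_authtok line with no preceding pam_cracklib line has nothing to reuse.

```shell
#!/bin/sh
# Added example (not from the original guide): a password stack that puts
# pam_cracklib.so in front of the module that sets the password, plus a check
# that the order is right. pam_unix.so as the downstream module and the
# argument values are assumptions; section 6.3.3 documents the arguments.
# Bracketed control fields containing spaces are not handled by the check.

# Write a constructed password stack for service NAME into directory PAMD.
write_password_stack() {
    cat > "$1/$2" <<'EOF'
# constructed example, not a distribution file
password required pam_cracklib.so retry=3 minlen=8 difok=4
password required pam_unix.so use_authtok
EOF
}

# Return 0 if, in the password group of FILE, a pam_cracklib.so line comes
# before the line that carries use_authtok; otherwise print why and return 1.
check_password_stack() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" && /pam_cracklib\.so/ && !crack { crack = NR }
        $1 == "password" && /use_authtok/ && !tok { tok = NR }
        END {
            if (!crack) { print "no pam_cracklib.so line in the password group"; exit 1 }
            if (!tok) { print "no module reuses the checked password (use_authtok)"; exit 1 }
            if (crack > tok) { print "pam_cracklib.so must come before the use_authtok line"; exit 1 }
        }
    ' "$1"
}

# Demonstration in a sandbox directory; nothing under /etc is touched.
sandbox=$(mktemp -d)
write_password_stack "$sandbox" passwd
check_password_stack "$sandbox/passwd" && echo "passwd: password stack order is correct"
printf '%s\n' 'password required pam_unix.so use_authtok' \
    'password required pam_cracklib.so' > "$sandbox/reversed"   # constructed wrong order
check_password_stack "$sandbox/reversed" || echo "reversed: stack rejected"
rm -rf "$sandbox"
```

With retry=3 the user gets three attempts at a strong password before the module gives up; minlen=8 raises the length limit and difok=4 lowers the number of differing characters required, which are the two adjustments the MD5 discussion above recommends.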
  
6.3.3 password component
  
Identifiable parameters
debug, type=XXX, retry=N, difok=N, minlen=N, dcredit=N, ucredit=N, lcredit=N, ocredit=N, use_authtok
  
Description
This module prompts the user for a password and then checks its strength against a system dictionary and a set of rules.
  
By default it first prompts the user for a password; if the password is strong enough, it prompts for it again to make sure it was typed correctly. After that the password is passed on to the subsequent modules, which install it as the new authentication token (that is, the password).
  
The behaviour of this module can be changed with the following arguments:
  
debug
Detailed information about the module's behaviour is written to syslog, but never the password itself.
  
type=xxx
Changes the prompt text. The default prompts are "New UNIX password:" and "Retype UNIX password:"; this option replaces the word UNIX with xxx.
  
retry=N
The number of times the user is prompted for a password. The default is 1, meaning the module gives up as soon as the password entered is not strong enough; this option sets how many attempts are allowed before the whole procedure has to start from scratch.
  
difok=N
The default value is 10. This parameter allows