Beyond Linux® From Scratch - Version 6.3

Chapter 4. Security

Linux-PAM-0.99.10.0

Introduction to Linux-PAM

The Linux-PAM package contains Pluggable Authentication Modules. This is useful to enable the local system administrator to choose how applications authenticate users.

Package Information

Additional Downloads

Linux-PAM Dependencies

Optional

CrackLib-2.8.12, and Prelude

Optional (To {,Re}build the Documentation)

libxslt-1.1.22, DocBook XML DTD-4.5, DocBook XSL Stylesheets-1.71.1, w3m, and FOP-0.93

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/linux-pam

Installation of Linux-PAM

If you downloaded the documentation, unpack the tarball from the same top-level directory you unpacked the source tarball from. The files will unpack into the correct directories of the source tree.

Install Linux-PAM by running the following commands: 

./configure --libdir=/lib \
            --sbindir=/lib/security \
            --enable-securedir=/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-0.99.10.0 \
            --enable-read-both-confs \
            --with-xauth=/usr/X11R6/bin/xauth &&
make

The test suite will not provide meaningful results until the package has been installed and minimally configured. If, after installing the package and creating a minimum configuration as shown below in the 'other' example, you wish to run the tests, issue make check.

Now, as the root user: 

make install &&
chmod -v 4755 /lib/security/unix_chkpwd &&

mv -v /lib/security/pam_tally /sbin &&

mv -v /lib/libpam{,c,_misc}.la /usr/lib &&
sed -i 's| /lib| /usr/lib|' /usr/lib/libpam_misc.la &&

if [ -L /lib/libpam.so ]; then
   for LINK in libpam{,c,_misc}.so; do
       ln -v -sf ../../lib/$(readlink /lib/${LINK}) /usr/lib/${LINK} &&
       rm -v /lib/${LINK}
   done
fi

Command Explanations

--libdir=/lib: This parameter results in the libraries being installed in /lib as they may be required in single-user mode.

--sbindir=/lib/security: This parameter results in two executables, one of which is not intended to be run from the command line, being installed in the same directory as the PAM modules. The other executable is later moved to the /sbin directory.

--enable-securedir=/lib/security: This parameter results in the PAM modules being installed in /lib/security.

--docdir=...: This parameter results in the documentation being installed in a versioned directory name.

--enable-read-both-confs: This parameter allows the local administrator to choose which configuration file setup to use.

--with-xauth=/usr/X11R6/bin/xauth: This parameter forces the build of the pam_xauth module, even if xauth is not yet installed. Omit this switch if you have no plans to build Xorg, or modify the path if you intend to install Xorg into a non-standard path.

chmod -v 4755 /lib/security/unix_chkpwd: The unix_chkpwd password-helper program must be setuid so that non-root processes can access the shadow-password file.

mv -v /lib/security/pam_tally /sbin: The pam_tally program is designed to be run by the system administrator, possibly in single-user mode, so it is moved to the appropriate directory.

mv -v /lib/libpam{,c,_misc}.la /usr/lib: This command moves the Libtool library files to /usr/lib as they are expected to reside there.

sed -i 's| /lib| /usr/lib|' /usr/lib/libpam_misc.la: This command corrects an installation reference due to the file being moved in the previous step.

for ...; do ...; done: These commands are used to relocate the .so symbolic links into the /usr/lib directory by cloning and then removing the existing symlinks. Using readlink ensures the new symlinks point at the correct library filenames.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/* or /etc/pam.conf

Configuration Information

Configuration information is placed in /etc/pam.d/ or /etc/pam.conf depending on system administrator preference. Below are example files of each type: 

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

# Begin /etc/pam.conf

other           auth            required        pam_unix.so     nullok
other           account         required        pam_unix.so
other           session         required        pam_unix.so
other           password        required        pam_unix.so     nullok

# End /etc/pam.conf

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

Refer to http://www.kernel.org/pub/linux/libs/pam/modules.html for a list of various modules available.

[Important]

Important

You should now reinstall the Shadow-4.0.18.1 package.

Contents

Installed Program: pam_tally
Installed Libraries: libpam.{so,a}, libpamc.{so,a}, and libpam_misc.{so,a}
Installed Directories: /etc/pam.d, /etc/security, /lib/security and /usr/include/security

Short Descriptions

pam_tally

is used to view or manipulate the faillog file.

libpam.{so,a}

provides the interfaces between applications and the PAM modules.

Last updated on 2008-05-16 01:37:44 -0500