Linux-PAM-1.7.2

Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used by the local system administrator to control how application programs authenticate users.

Note

This package is known to build and work properly using an LFS 13.0 platform.

Package Information

Additional Downloads

Optional Documentation

Linux PAM Dependencies

Optional

libnsl-2.0.1, libtirpc-1.3.7, rpcsvc-proto-1.4.4, Berkeley DB (deprecated), libaudit, and libeconf

Optional (To build the Documentation and Man Pages)

docbook-xml-5.0, docbook-xsl-ns-1.79.2, fop-2.11 (for the PDF format), libxslt-1.1.45, and Lynx-2.9.2 (for the plain text format)

Note

Shadow-4.19.3 and Systemd-259.1 must be reinstalled and reconfigured after installing and configuring Linux PAM.

Kernel Configuration

For the PAM module pam_loginuid.so (referred to by the PAM configuration file system-session if Systemd-259.1 is later rebuilt with PAM support) to work, the following kernel configuration parameter needs to be set; otherwise the module silently does nothing:

General setup --->
  [*] Auditing support                                                   [AUDIT]

Installation of Linux PAM

If you've installed docbook-xml-5.0, docbook-xsl-ns-1.79.2, libxslt-1.1.45, and Lynx-2.9.2 and you wish to generate the plain text format of the documentation, modify meson.build to use Lynx-2.9.2 instead of W3m or Elinks, which BLFS does not provide:

sed -e "s/'elinks'/'lynx'/"                       \
    -e "s/'-no-numbering', '-no-references'/      \
          '-force-html', '-nonumbers', '-stdin'/" \
    -i meson.build

Compile and link Linux PAM by running the following commands:

mkdir build &&
cd    build &&

meson setup ..        \
  --prefix=/usr       \
  --buildtype=release \
  -D docdir=/usr/share/doc/Linux-PAM-1.7.2 &&

ninja

To test the results, a suitable /etc/pam.d/other configuration file must exist.

Caution: Reinstallation or Upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The existing file can be used for the tests.

For a first-time installation, create a configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF

Now run the tests by issuing ninja test. Be sure the tests produced no errors before continuing the installation.

For a first-time installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -fv /etc/pam.d/other

Now, as the root user:

ninja install &&
chmod -v 4755 /usr/sbin/unix_chkpwd

If you do not have the optional dependencies installed to build the documentation and have downloaded the optional pre-built documentation, again as the root user:

tar -C / -xvf ../../Linux-PAM-1.7.2-docs.tar.xz

Configuring Linux-PAM

Configuration Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Here is a sample file:

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

Now create some generic configuration files. As the root user:

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF" &&
# Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session
EOF

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password  required    pam_unix.so       yescrypt shadow try_first_pass

# End /etc/pam.d/system-password
EOF

If you wish to enable strong password support, install libpwquality-1.4.5, and follow the instructions on that page to configure the pam_pwquality PAM module with strong password support.

Next, add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application exists.

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so

# End /etc/pam.d/other
EOF

The PAM man page (man pam) provides a good starting point to learn about the several fields and allowable entries. The Linux-PAM System Administrators' Guide at /usr/share/doc/Linux-PAM-1.7.2/Linux-PAM_SAG.txt is recommended for additional information.
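As an added example (not code from the BLFS page or from the Linux-PAM project), the following Python script parses files written in the /etc/pam.d format described above and reports the conditions the page's two /etc/pam.d/other files illustrate: it passes the restrictive pam_warn/pam_deny fallback and reports the earlier sample that uses pam_unix.so with nullok and does not fail closed. The parser handles comments, backslash line continuations and the bracketed [value=action ...] control form; the audit policy (which conditions are reported) and the audit_dir helper are this example's own choices, not rules from Linux-PAM. The sample files are constructed inline so the script runs without touching the real /etc/pam.d.

```python
"""Audit /etc/pam.d-style service files (added example, not BLFS or Linux-PAM code).

Each non-comment line is:  [-]type  control  module-path  [module-arguments]
The checks below are this example's own policy for a fail-closed setup.
"""
import re
from pathlib import Path

TYPES = ("auth", "account", "password", "session")
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
BRACKET_CONTROL = re.compile(r"^\[[^\]]*\]$")   # e.g. [success=1 default=ignore]


def _strip_comment(line):
    # '#' at line start or after whitespace begins a comment
    # (simplification: '#' inside quoted module arguments is not handled).
    return re.split(r"(?:^|\s)#", line, maxsplit=1)[0].rstrip()


def parse_pamd(text):
    """Return a list of (type, control, module, args) tuples for one service file."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line.endswith("\\"):            # backslash continuation
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        tokens = line.split()
        rtype = tokens[0].lstrip("-")      # '-type' means: ignore if module is missing
        rest = tokens[1:]
        if rest and rest[0].startswith("["):
            # Re-join '[value=action', ..., 'action]' into a single control token.
            i = 0
            while i < len(rest) and not rest[i].endswith("]"):
                i += 1
            control, rest = " ".join(rest[:i + 1]), rest[i + 1:]
        else:
            control, rest = (rest[0], rest[1:]) if rest else ("", [])
        module = rest[0] if rest else ""
        rules.append((rtype, control, module, tuple(rest[1:])))
    return rules


def audit(service, rules):
    """Return human-readable findings for one service's parsed rules."""
    findings = []
    for rtype, control, module, args in rules:
        if rtype not in TYPES:
            findings.append(f"{service}: unknown type '{rtype}'")
        if control not in CONTROLS and not BRACKET_CONTROL.match(control):
            findings.append(f"{service}: unknown control '{control}'")
        if not module:
            findings.append(f"{service}: {rtype} rule has no module")
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(f"{service}: {rtype} pam_unix.so accepts empty passwords (nullok)")
    auth = [r for r in rules if r[0] == "auth"]
    if auth and all(r[2] == "pam_permit.so" for r in auth):
        findings.append(f"{service}: auth stack consists only of pam_permit.so")
    if service == "other":
        # The fallback file must fail closed: every stack ends in pam_deny.so.
        for rtype in TYPES:
            stack = [r for r in rules if r[0] == rtype]
            if not stack or stack[-1][2] != "pam_deny.so":
                findings.append(f"other: {rtype} stack does not end in pam_deny.so")
    return findings


def audit_dir(pamd_dir):
    """Audit every regular file in a directory laid out like /etc/pam.d."""
    findings = []
    for path in sorted(Path(pamd_dir).iterdir()):
        if path.is_file():
            findings += audit(path.name, parse_pamd(path.read_text()))
    return findings


# Constructed samples: the restrictive fallback from this page, the earlier
# permissive 'other' sample, and a fragment using a bracketed control with a
# line continuation.
RESTRICTIVE_OTHER = """\
# Begin /etc/pam.d/other
auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so
# End /etc/pam.d/other
"""
PERMISSIVE_OTHER = """\
auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok
"""
BRACKETED = """\
auth  [success=1 default=ignore]  pam_unix.so \\
      nullok try_first_pass
auth  required  pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("other", RESTRICTIVE_OTHER), ("other", PERMISSIVE_OTHER), ("login", BRACKETED)):
        for finding in audit(name, parse_pamd(text)):
            print(finding)
```

Run as root, audit_dir("/etc/pam.d") applies the same checks to the live configuration; running it against a copy of the directory is equally valid and avoids touching the files the Caution above warns about.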

Important

You should now reinstall the Shadow-4.19.3 and Systemd-259.1 packages.

Contents

Installed Programs: faillock, mkhomedir_helper, pam_namespace_helper, pam_timestamp_check, pwhistory_helper, and unix_chkpwd
Installed Libraries: libpam.so, libpamc.so and libpam_misc.so
Installed Directories: /etc/security, /usr/lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.7.2

Short Descriptions

faillock

displays and modifies the authentication failure record files

mkhomedir_helper

is a helper binary that creates home directories

pam_namespace_helper

is a helper program used to configure a private namespace for a user session

pwhistory_helper

is a helper program that transfers password hashes from passwd or shadow to opasswd

pam_timestamp_check

is used to check if the default timestamp is valid

unix_chkpwd

is a helper binary that verifies the password of the current user

libpam.so

provides the interfaces between applications and the PAM modules