Been Cracked? Just Put PAM On It!
- Pluggable Authentication Modules
- PAM OVERVIEW
- PAM Configuration
- PAM ADMINISTRATION
- PAM and Passwords
- PAM and Passwords Summary
- PAM and login
- Time and Resource Limits
- Access Control with pam_listfile
- PAM and su
- Using pam_access
- Using pam_lastlog
- Using pam_rhosts_auth
- One-Time Password Support
- PAM and the other Configuration File
- Additional PAM Options
- PAM LOGS
- AVAILABLE PAM MODULES
- PAM-AWARE APPLICATIONS
- IMPORTANT NOTES ABOUT CONFIGURING PAM
- THE FUTURE OF PAM
- FOR FURTHER READING
- On-Line Documentation
Pluggable Authentication Modules
Although pluggable authentication modules (PAM) cannot protect your system after it has been compromised, it can certainly help prevent the compromise to begin with. It does this through a highly configurable authentication scheme. For example, conventionally UNIX users authenticate themselves by supplying a password at the password prompt after they have typed in their username at the login prompt. In many circumstances, such as internal access to workstations, this simple form of authentication is considered sufficient. In other cases, more information is warranted. If a user wants to log in to an internal system from an external source, like the Internet, more or alternative information may be requiredperhaps a one-time password. PAM provides this type of capability and much more. Most important, PAM modules allow you to configure your environment with the necessary level of security.
This chapter describes the use of pluggable authentication modules for Linux (Linux-PAM or just PAM1), as distributed with Red Hat 5.2/6.0, which provides a lot of authentication, logging, and session management flexibility. We generally describe PAM and its configuration, take a look at many of the available PAM modules, 2 and consider a number of examples.
Most recent Linux distributions include PAM. If your version does not, check out the web site:
There you will find source code and documentation. It is well worth the effort to download, compile, and integrate PAM into your system.
PAM provides a centralized mechanism for authenticating all services. It applies to login, remote logins (telnet and rlogin or rsh), ftp, Point-to-Point Protocol (PPP), and su, among others. It allows for limits on access of applications, limits of user access to specific time periods, alternate authentication methods, additional logging, and much more. In fact, PAM may be used for any Linux application! Cool! Let's see how it works.