February 17th, 2003, 12:30 PM
PAM (Pluggable Authentication Modules) Security
Pluggable Authentication Modules (PAM)
This is a short introduction to PAM (Pluggable Authentication Modules). I hope it comes in handy to some of you who are interested in authentication methods other than the usual password-based ones.
The Pluggable Authentication Modules for Linux are a collection of shared libraries which provide the authentication modules. A Linux system administrator can choose (if his systems are PAM compatible) how particular programs authenticate their users.
If for example a user logs in to a Linux system, the program called “login” is involved. login asks the user for a username and the password that goes with it. The password is then hashed (with the crypt(3) function, not encrypted in the reversible sense) and compared to the hash stored for that user in /etc/shadow. If the two hashes match, login grants access by starting the user's login shell. If they do not match, access is denied.
This is normally enough, as long as authentication is performed with Linux/Unix passwords. If other mechanisms are to be used, such as chip cards instead of passwords, several programs have to be changed so that each of them can perform an authentication that works together with the chip card. Before PAM was introduced, login had to be extended to become compatible with chip cards. Likewise the conversion to shadow passwords had to be carried into login and into every other program that performed authentication, for example the ftp server or the secure shell.
Thanks to PAM, everything is easier now. PAM creates a software layer with a clearly defined interface between the application (e.g. “login”) and the authentication mechanism actually used (e.g. a chip card). The code that talks to a chip-card reader, or that reads /etc/shadow instead of /etc/passwd, no longer has to be present in every program. Every PAM compatible program uses the code from PAM, which is nothing more than a few shared libraries. The PAM modules are not linked into the application the way ordinary shared libraries are. Instead the application is linked against the PAM library, and the runtime configuration tells that library which module shared objects to load for which service. Because of this, the authentication mechanisms used by the different applications can be reconfigured without any compile or link runs. All that is needed is a PAM compatible Linux system (all modern Linux systems are compatible) along with the required PAM modules.
This is not where the possibilities of PAM end, though; there is more to come. Since PAM creates a layer between an application and the authentication mechanism, many other single steps of the authentication process can be configured here in great detail. An example of this is /etc/securetty, the file that lists the terminals on which root is allowed to log in.
The PAM configuration files are located in /etc/pam.d/ (also do a man pam for help). If for example you wish to allow remote root access and you use yast1/yast2 (SuSE), the pam_securetty line in /etc/pam.d/login (about the 5th or 6th line of the file, the second line of the listing below) is commented out; that is the entry responsible for enforcing /etc/securetty.
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
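To see how the stack above actually reaches a decision (and why commenting out the pam_securetty line lets root in over telnet, which is the exercise at the end of this post), here is a small toy evaluator. It is an added example, not code from the original post and not part of Linux-PAM itself. It parses the /etc/pam.d/login listing quoted above, applies the control-flag semantics (requisite, required, sufficient, optional) and models only pam_securetty, pam_nologin and pam_unix2; every other module is assumed to succeed. The /etc/securetty contents and the shadow entries are constructed for the example, and SHA-256 stands in for crypt(3) so that the script runs anywhere.

```python
"""Toy evaluator for a PAM "auth" stack (added example, not from the post).

Models only the decision logic: control flags plus pam_securetty, pam_nologin
and pam_unix2.  Real libpam also handles conversations, credentials and
sessions; none of that is reproduced here.
"""
import hashlib
from dataclasses import dataclass, field

# The /etc/pam.d/login stack quoted in the post.
LOGIN_STACK = """\
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
"""

# Constructed stand-in for /etc/securetty: local consoles only.  A telnet
# session arrives on a pseudo-terminal (ttyp0, pts/0, ...), which is absent.
SECURETTY = {"tty1", "tty2", "tty3", "tty4", "tty5", "tty6"}


# Constructed stand-in for /etc/shadow.  A real shadow file holds crypt(3)
# hashes; plain SHA-256 is used here only so that the example runs anywhere.
def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()


SHADOW = {"root": _h("r00tpass"), "alice": _h("wonderland"), "guest": ""}


@dataclass
class Entry:
    type: str      # auth / account / password / session
    control: str   # requisite / required / sufficient / optional
    module: str    # e.g. pam_unix2.so
    args: list = field(default_factory=list)


def parse_stack(text):
    """Parse /etc/pam.d syntax; '#' starts a comment, so '#auth ...' is inactive."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def run_module(entry, user, tty, password, nologin_present):
    """True for PAM_SUCCESS, False for any failure, for the modules modelled."""
    if entry.module == "pam_securetty.so":
        # root may only log in on a terminal listed in /etc/securetty
        return user != "root" or tty in SECURETTY
    if entry.module == "pam_nologin.so":
        # while /etc/nologin exists, only root gets in
        return user == "root" or not nologin_present
    if entry.module == "pam_unix2.so":
        stored = SHADOW.get(user)
        if stored is None:
            return False
        if stored == "":                 # empty password field: needs nullok
            return "nullok" in entry.args and password == ""
        return _h(password) == stored
    return True                          # pam_env, pam_mail, ...: always succeed here


def authenticate(stack_text, user, tty, password, nologin_present=False):
    """Walk the 'auth' entries with PAM control-flag semantics; True means access."""
    entries = [e for e in parse_stack(stack_text) if e.type == "auth"]
    failed = False
    for e in entries:
        ok = run_module(e, user, tty, password, nologin_present)
        if e.control == "requisite" and not ok:
            return False                 # abort the stack at once
        if e.control == "required" and not ok:
            failed = True                # remember, but run the remaining modules
        if e.control == "sufficient" and ok and not failed:
            return True                  # enough, skip the rest
        # 'optional' never affects the result while other modules are present
        if e.control not in ("requisite", "required", "sufficient", "optional"):
            raise ValueError(f"unknown control flag {e.control!r}")
    return bool(entries) and not failed


def disable_securetty(stack_text):
    """Comment out the pam_securetty line, as the post describes for remote root."""
    return "\n".join(
        "#" + line if "pam_securetty" in line and not line.startswith("#") else line
        for line in stack_text.splitlines()
    ) + "\n"


if __name__ == "__main__":
    print("root on pts/0 (telnet), stock stack  :", authenticate(LOGIN_STACK, "root", "pts/0", "r00tpass"))
    print("root on tty1 (console), stock stack  :", authenticate(LOGIN_STACK, "root", "tty1", "r00tpass"))
    print("root on pts/0, pam_securetty disabled:", authenticate(disable_securetty(LOGIN_STACK), "root", "pts/0", "r00tpass"))
```

Two things worth noticing in the output: with the stock stack root is refused on pts/0 but accepted on tty1, and the only change between "refused" and "accepted" on the remote terminal is the one '#' in front of pam_securetty (listing the remote terminals in /etc/securetty, the set the SECURETTY constant mirrors, has the same effect). Also note that the order and the control flags matter: pam_unix2 is requisite and comes first, so a wrong password aborts the stack immediately, whereas a pam_securetty or pam_nologin failure is only remembered and the remaining modules still run, which is what lets PAM report a plain failure without telling the caller which module said no.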
The documentation for PAM can be found in /usr/share/doc/packages/pam/, in the man pages (man pam), or on the Internet. If you are using SuSE Linux, also have a look at /usr/share/doc/packages/pam/modules/.
Also have a look at http://www.kernel.org/pub/Linux/libs/pam/, which provides information on many compatible smart cards, token cards and SecurID. Authentication against a Windows NT machine acting as a server is also possible, which helps to bring the Microsoft world and the Linux world together inside a heterogeneous network. PAM is also a way to use biometric authentication methods, but that, my dear friends, is another story.
I hope this helps you get started with PAM. Good luck to all of you.
In case you want to test your results but don't have any chip cards etc., try this.
Normally a remote root connection using telnet is not possible. Try to set up your PAM configuration to allow remote root access using telnet. This will help you understand PAM and give you a little practice in setting it up.
Note: I highly recommend not to use telnet, for many other security reasons; this is only for you to test whether your PAM experiment works.
Ubuntu-: Means in African : "Im too dumb to use Slackware"