LFCS – Pluggable Authentication Module (PAM)

With every type of Operating System (OS), there needs to be security in place. With CentOS or Ubuntu, there is the Pluggable Authentication Modules (PAM).

The files allow you to configure security as you need for various areas:

  • Home Directory Creation
  • Password Policies
  • Resource Restriction
  • Login Times

NOTE: This is a partial tutorial. There are many more options you can set access restrictions on for the system.

These options should work on both CentOS 7 and Ubuntu for the LFCS exam.

Home Directory Creation

If a group of users is created, such as in a batch, you may not want to create all of the Home Directories at once. Instead, the Home Directories can be created when the individual user’s login.

For example, let’s say that a company hires 10 temporary employees. You create the accounts, but not the Home Folders to keep space. It is possible that not all of the new employees will show up. The accounts are ‘temp01’, ‘temp02’, ‘temp03’ and so on to ‘temp10’.

If I create the user accounts and specify to not make the Home Directories. If I then log in as one of the users and then perform ‘cd ~’ it will give an error message. The message states that it cannot change to the folder ‘/home/temp01’.

NOTE: On my Ubuntu system, the authentication module for creating the Home Directory through PAM was not installed. I had to perform a ‘sudo apt install oddjob’ command. The CentOS 7 system did not have the ‘oddjob’ service as well. I had to install it with the command ‘sudo yum install oddjob’.

To test on your system whether the ‘oddjob’ service is installed and enabled, use the following command:

Code:

sudo systemctl status oddjobd

If you get an error that the service is not available, then you need to install it as stated previously in the NOTE.

To start the service and enable it to run automatically when the system starts, perform the following two commands:

Code:

sudo systemctl start oddjobd
sudo systemctl enable oddjobd

With either OS, you can check to see if the service is running with the command:

Code:

sudo systemctl status oddjobd

You can check to see that the user account is set for a Home Directory, but we know one is not created. Use the command:

Code:

grep temp01 /etc/passwd

On the CentOS 7 system, the option ‘CREATE_HOME’ is set to yes in the file ‘/etc/login.defs’.

On the Ubuntu system, the option is not in the file and needs to be added. Go to the end of the file. On a blank line, add ‘CREATE_HOME yes’. The space between the ‘CREATE_HOME’ and ‘yes’ is a tab. You also need to edit the file ‘/usr/share/pam-configs/mkhomedir’ and change the line ‘Default: no’ to ‘Default: yes’. After saving the file, you need to run the following command:

Code:

sudo pam-auth-update --enable mkhomedir

For both Ubuntu and CentOS 7, you can run the command in a Terminal:
You should be prompted for the password you created. Once it is entered correctly, you should see a line that says ‘Creating directory ‘/home/username’.’ The ‘username’ will be replaced with the actual username you are logging in as for the session.

Exit back into your account and enter ‘ls /home’ to see that the Home Folder for the specific user was created.

Now that we can generate the Home Folders on login, we need to look at policies for passwords by the users.

Password Policies

For this section, we cover setting requirements for the passwords that the users use to log in to a session.

The main file to use is ‘/etc/security/pwquality.conf’. Open the file in your editor and we’ll cover some of the settings available as follows:

  • difok – The number of characters in the old password that cannot be in the new one. This can be beneficial for those users who have a name followed by a number and only increment the number by one each time they are forced to change their password.
  • minlen – the minimum number of characters for a password.
  • dcredit – the number of lower-cased characters/upper-cased characters/others. If you specify 2, then a combination of lower-cased and upper-cased characters would work. If 3 were specified, then the lower, upper and numeric would count as 3.
  • lcredit/ucredit/ocredit – number of specific types: lower-cased, upper-cased and others.

If you wish to use any of these options, remove the hashtag (#) at the beginning of the line and set the value after the equal sign (=) appropriately. Save the file after editing.

Linux has a program called ‘pwscore’ which can be used to determine the quality of a password. The scale is 0-100 where 0 is a bad password and 100 is an excellent password.

For Ubuntu, you need to install the ‘pwscore’ file with the command:

Code:

sudo apt install libpwquality-tools

In a Terminal, you enter the command ‘pwscore’ and press enter. You should now have a blank line with a cursor. Type in your password, which is shown on the screen and a value should be given back if the password passes the dictionary test.

The program allows you to see the complexity of your password. The values given back can help some users see that their password may not be too difficult.

Now that passwords have been hardened we can move on to the next way to control user security.

Resource Restriction

To see the resource restrictions for your user account, use the command ‘ulimit -a’. Default results are as follows:

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 15549
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 15549
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

The limits are listed as are the parameter required for a certain limit. For example, the maximum number of open files is 1024. You can see on the line next to the value is ‘(-n)’. If we wanted to change the number of open files to be a higher amount, we would use the command:

Code:

ulimit -n 2048

Now, let’s do a little test. If we should change the number of processes to 5 from 15549, the command would be ‘ulimit -u 5’. You can then run ‘ulimit -a’ to see a listing of current values and ‘max user processes’ should now be 5.

Run the command ‘ps’ to see what processes are running. There should be 2, ‘bash’ and ‘ps’, but ‘ps’ has ended when the command exited. So, from a command prompt type ‘bash’ three times. You should get an error message that there are ‘No child processes’. Type exit two times to get back usable processes and change the process limit to 15549 or whatever value you had. If you have to reboot to clear the processes then do so. The values should go back to default after a reboot.

There are what are called soft and hard limits. Soft limits are the user default. Hard limits are the maximum that a user can change the value to with ‘ulimit’. The values are set in the file ‘/etc/security/limits.conf’. In the file, you can specify the users or groups, hard or soft, the parameter that is being set and the value. The defaults in the file are as follows:

#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp – chroot /ftp
#@student – maxlogins 4

These entries are all commented out, but they can be used as examples.

The first line can be used to set the ‘core file size’ to 0 for all users. This is a default setting anyway.

The second line sets a hard entry for the Root user to a ‘core file size’ of 100,000.

The third line is an entry ignored in later versions of Linux.

The fourth line sets a hard entry for the ‘student’ group for the number of processes (nproc) to 20.

NOTE: To specify a group place an at (@) sign before the name.

The fifth and sixth lines are for the ‘faculty’ group. The fourth is a soft entry for the number of processes to 20. The fifth line sets a hard value to 50 for the number of processes.

The seventh line sets a hard value of 0 to the number of processes for the FTP user.

The eighth line sets the ‘chroot’ to ‘ftp’ for the FTP user.

Lastly, the ‘student’ group is limited to 4 max logins for the group.

If you try to enter a value higher than the hard limit, you get an error.

Any changes made will take effect when you log in after the changes are made.

Now that we can limit resources, we need to look at limiting the times that users can log in.

Login Times

For both Ubuntu and CentOS 7, the file we will be looking at to control login times is at ‘/etc/security/time.conf’.

The default is as follows:

# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-960129).

#
# the syntax of the lines is as follows:
#
# services;ttys;users;times
#
# white space is ignored and lines maybe extended with ‘\n’ (escaped
# newlines). As should be clear from reading these comments,
# text following a ‘#’ is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with ‘!’ (logical
# not) and separated with ‘&’ (logical and) and ‘|’ (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users or a netgroup of users to whom this
# rule applies.
#
# NB. For these items the simple wildcard ‘*’ may be used only once.
#
# times
# the format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# each day/time-range can be prefixed with a ‘!’ to indicate “anything
# but”
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users ‘you’ and ‘me’ are denied service all of the time
#
#blank;tty* & !ttyp*;you|me;!Al0000-2400
# Another silly example, user ‘root’ is denied xsh access
# from pseudo terminals at the weekend and on mondays.
#xsh;ttyp*;root;!WdMo0000-2400
#
# End of example file.
#

So, to set time limits, the parameters are set as ‘services;ttys;users;times’.

If we wanted to allow access to the server from all services, ttys, and users for Monday to Friday from 7 A.M. to 6 P.M. (If we wanted to allow early arrivals or late workers more time), the parameter would be:

Code:

*;*;*;Wk0700-1800

There are a few abbreviations you should be aware of for the parameters:

  • Mo – Monday
  • Tu – Tuesday
  • We – Wednesday
  • Th – Thursday
  • Fr – Friday
  • Sa – Saturday
  • Su – Sunday
  • Wk – Weekdays (Monday-Friday)
  • Wd – Week-end Days (Saturday-Sunday)
  • Al – All seven day

Times are given in Military Time (24-hour clock).

You can specify individual days such as: ‘MoWeFr’. If you wanted the weekdays except for Wednesday, the parameter would be ‘WeWk’.

For an entry, you could specify the exclamation mark (!) as a ‘not’. So, for all times except Saturday and Sunday, you could also use ‘!Wd’. If no times are specified, all 24 hours for the day are allowed.

To specify users, you separate multiple users with the pipe (|). For instance, you wanted to allow access to ‘tech01’ and ‘tech02’ for all times and services, the parameter would be:

Code:

*;*;tech01|tech02;Al

To see which ‘services’ you can use in the file, look at ‘/etc/pam.d/’ to see a list of available services for PAM. Any of the listed names can be used.

Keep in mind that the settings you make will not take effect for users currently logged into the system.

At the current time, PAM does not cause a forced logoff for users that log on to a system within their allowed time frame. Once their time frame has been passed, they remain logged into the system.

Conclusion

PAM allows an administrator control over users and sets restrictions for their abilities.

These configurations are something you will want to look into and practice. Also, test the settings you use and see how they work in different circumstances.

Posted by Linux Admin