Pluggable Authentication Module

Pluggable Authentication Modules (PAM) is a system-level authentication framework used in Linux and Unix-based operating systems to authenticate users. PAM allows system administrators to configure and manage authentication methods for different services and applications, without modifying the underlying code. This makes it easy to add or change authentication methods, such as adding support for a new type of password storage or integrating with a third-party authentication service.

What is Pluggable Authentication Module?

Pluggable Authentication Module (PAM) is a system that allows for the dynamic configuration of authentication mechanisms on a Unix-based system. PAM enables the system administrator to change the authentication mechanisms used by the system without having to recompile the software.

PAM is implemented as a library that provides a set of API calls that can be used by applications to authenticate users. The applications do not need to know the details of the underlying authentication mechanisms; they simply call the PAM API and PAM takes care of the rest.

The system administrator can configure the authentication mechanisms used by PAM by editing the configuration files in the /etc/pam.d directory.

In summary, PAM is a powerful and flexible system that allows for the dynamic configuration of authentication mechanisms on a Unix-based system. It enables the system administrator to change the authentication mechanisms used by the system without having to recompile the software.

Dissecting Pluggable Authentication Module

Overview of a Sample Pluggable Authentication Module

 #%PAM-1.0
 auth      required  pam_securetty.so
 auth      required  pam_unix.so shadow nullok
 auth      required  pam_nologin.so
 account   required  pam_unix.so
 password  required  pam_cracklib.so retry=3
 password  required  pam_unix.so shadow nullok use_authtok
 session   required  pam_unix.so 

Lines 2 through 4 of this file stack three auth modules.

  • pam_securetty.so makes sure that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file.

  • pam_unix.so with the shadow argument automatically detects and uses shadow passwords to authenticate users. The argument nullok instructs the pam_unix.so module to allow a blank password.

  • pam_nologin.so verifies whether the file /etc/nologin exists. If it does, non-root users cannot log in.

All three auth modules are evaluated even if the first one fails: the user cannot log in, but is also not told at which stage authentication failed. Such knowledge in the hands of an attacker would make it easier to deduce how to penetrate the system.

account required pam_unix.so performs the necessary account verification. For example, if shadow passwords have been enabled, the account component of the pam_unix.so module verifies whether the account has expired or whether the password has not been rotated within the allowed grace period.

In case of password expiration, the password component of the pam_cracklib.so module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program. If it fails this test the first time, it gives the user two more chances to create a strong password, as specified in the retry argument.

password required pam_unix.so shadow nullok use_authtok specifies that if the program changes the user’s password, it should use the password component of the pam_unix.so module to do so. This only happens if the auth portion of the pam_unix.so module has determined that the password needs to be changed.

The argument shadow tells the module to create shadow passwords when updating a user’s password. The argument nullok instructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock.

The final argument on this line, use_authtok, provides a good example of the importance of order when stacking PAM modules. This argument tells the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way, all new passwords must pass the pam_cracklib.so test for secure passwords before being accepted.

session required pam_unix.so specifies that the session component of the pam_unix.so module manages the session. This module logs the username and the service type to /var/log/messages at the beginning and end of each session. It can be supplemented by stacking it with other session modules for more functionality.

Let’s walk through another sample configuration file to understand auth module stacking for the remote login program.

#%PAM-1.0
auth      required    pam_nologin.so
auth      required    pam_securetty.so
auth      required    pam_env.so
auth      sufficient  pam_rhosts_auth.so
auth      required    pam_stack.so service=system-auth

First, pam_nologin.so checks to see if /etc/nologin exists. If it does, no one can log in except for root.

The pam_securetty.so module prevents the root user from logging in on insecure terminals. This effectively disallows all root rlogin attempts because of the application’s limited security safeguards. For logging in remotely as the root user, use of OpenSSH is advised.

The pam_env.so module sets the environment variables specified in /etc/security/pam_env.conf. The pam_rhosts_auth.so module authenticates the user using the .rhosts file in the user’s home directory. If this succeeds, PAM immediately considers the authentication successful. If pam_rhosts_auth.so fails to authenticate the user, the failure is ignored and evaluation of the stack continues.

If the pam_rhosts_auth.so module fails to successfully authenticate the user, the pam_stack.so module performs normal password authentication.

The argument service=system-auth indicates that the user must now pass through the PAM configuration for system authentication as found in /etc/pam.d/system-auth.

In order to prevent PAM from prompting for a password when the pam_securetty.so check fails, change the control flag of the pam_securetty.so module from required to requisite.
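To make the control-flag behaviour described above concrete (required modules still being consulted after a failure so the user cannot tell where they were rejected, sufficient short-circuiting on success, and requisite stopping the stack immediately), here is an added example that is not part of the original article and not libpam code. It parses pam.d-style lines into a stack and simulates how PAM walks it. Module results come from a constructed dictionary instead of real pam_*.so calls, so it runs offline; the default that unlisted modules succeed, and the RLOGIN_AUTH text, are constructed for the demonstration.

```python
# Added example: a small simulator of PAM auth-stack evaluation under the
# required / requisite / sufficient / optional control flags. Not libpam.

def parse_pam_config(text):
    """Parse pam.d-style lines into (type, control, module, args) tuples.

    Comments (#...) and blank lines are skipped. Only the simple keyword
    control flags used in the article are handled; the bracketed
    [value=action ...] syntax and 'include'/'substack' are not.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        entries.append((mtype.lower(), control.lower(), module, args))
    return entries


def with_control(entries, module, control):
    """Return a copy of the stack with one module's control flag changed."""
    return [(t, control if m == module else c, m, a) for t, c, m, a in entries]


def evaluate_stack(entries, mtype, outcomes):
    """Walk the stack for management group `mtype` (e.g. "auth").

    `outcomes` maps a module name to True (success) or False (failure);
    modules not listed are assumed to succeed (constructed default).
    Returns (overall_success, list_of_modules_actually_consulted).
    """
    required_failed = False
    consulted = []
    for t, control, module, _args in entries:
        if t != mtype:
            continue
        consulted.append(module)
        ok = outcomes.get(module, True)
        if control == "required":
            # Failure is remembered but the stack keeps going, so the user
            # is not told which module rejected them.
            if not ok:
                required_failed = True
        elif control == "requisite":
            # Failure ends evaluation immediately (no later prompts).
            if not ok:
                return False, consulted
        elif control == "sufficient":
            # Success short-circuits unless an earlier required module failed;
            # failure of a sufficient module is ignored.
            if ok and not required_failed:
                return True, consulted
        elif control == "optional":
            pass  # ignored here; libpam counts it only when it is the sole module
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not required_failed, consulted


# Constructed copy of the rlogin-style auth stack discussed in the article.
RLOGIN_AUTH = """\
#%PAM-1.0
auth      required    pam_nologin.so
auth      required    pam_securetty.so
auth      required    pam_env.so
auth      sufficient  pam_rhosts_auth.so
auth      required    pam_stack.so service=system-auth
"""

if __name__ == "__main__":
    stack = parse_pam_config(RLOGIN_AUTH)
    scenarios = {
        "trusted .rhosts host": {},
        "root on an insecure tty (required)": {"pam_securetty.so": False},
        "no .rhosts match, password ok": {"pam_rhosts_auth.so": False},
    }
    for name, outcomes in scenarios.items():
        ok, seen = evaluate_stack(stack, "auth", outcomes)
        print(f"{name}: success={ok}, consulted={seen}")
    # The same insecure-tty case after switching pam_securetty.so to requisite:
    # evaluation stops at the second module, so pam_stack.so never prompts.
    strict = with_control(stack, "pam_securetty.so", "requisite")
    ok, seen = evaluate_stack(strict, "auth", {"pam_securetty.so": False})
    print(f"root on an insecure tty (requisite): success={ok}, consulted={seen}")
```

Running it shows the point of the last paragraph: with pam_securetty.so marked required, a root login from an insecure tty still reaches pam_stack.so (and so is prompted for a password) before being refused, whereas with requisite the walk ends at pam_securetty.so. The trusted-.rhosts scenario stops at the sufficient module and never consults pam_stack.so, which is the short-circuit described for pam_rhosts_auth.so.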