PAM Authentication - SME Networks

General index of the series: Computer Networks for SMEs: Introduction

Hello friends!

With this article we intend to offer an overview of authentication through PAM. We use a workstation with a Linux / UNIX operating system every day and rarely stop to study how the authentication mechanism works each time we start a session. Do we know about the files /etc/passwd and /etc/shadow, which constitute the main database of authentication credentials for local users? We hope that after reading this post you will have, at least, a clear idea of how PAM works.

Authentication

Authentication, for practical purposes, is the way in which a user is verified against a system. The authentication process requires the presence of an identity and a set of credentials (username and password) which are compared with the information stored in a database. If the credentials presented match those stored and the user's account is active, the user is said to have been authenticated successfully, or to have passed authentication.

Once the user is authenticated, that information is passed to the access control service to determine what that user can do on the system and which resources they are authorized to access.

The information used to verify the user can be stored in local databases on the system, or the local system can refer to an existing database on a remote system, such as LDAP, Kerberos or NIS databases, and so on.

Most UNIX® / Linux operating systems have the tools necessary to configure the client / server authentication service for the most common types of user databases. Some of these systems, such as Red Hat / CentOS, SUSE / openSUSE and other distributions, have very complete graphical tools.

PAM: Pluggable Authentication Module

We use the modules that are plugged in for authentication every day when we log on to our desktop with a Linux / UNIX-based operating system, and on many other occasions when we access local or remote services that have a specific local PAM module plugged in to authenticate against that service.

A practical idea of how PAM modules are plugged in can be obtained by following the authentication status on a Debian computer and on another with CentOS, which we develop next.

Debian

Documentation

If we install the package libpam-doc we will have very good documentation located in the directory /usr/share/doc/libpam-doc/html.

root@linuxbox:~# aptitude install libpam-doc
root@linuxbox:~# ls -l /usr/share/doc/libpam-doc/

There is also more documentation on PAM in the directories:

root@linuxbox:~# ls -l /usr/share/doc/ | grep pam
drwxr-xr-x 2 root root 4096 Apr  5 21:11 libpam0g
drwxr-xr-x 4 root root 4096 Apr  7 16:31 libpam-doc
drwxr-xr-x 2 root root 4096 Apr  5 21:30 libpam-gnome-keyring
drwxr-xr-x 3 root root 4096 Apr  5 21:11 libpam-modules
drwxr-xr-x 2 root root 4096 Apr  5 21:11 libpam-modules-bin
drwxr-xr-x 2 root root 4096 Apr  5 21:11 libpam-runtime
drwxr-xr-x 2 root root 4096 Apr  5 21:26 libpam-systemd
drwxr-xr-x 3 root root 4096 Apr  5 21:31 python-pam

We believe that before looking for documentation on the Internet, we should review the documentation that is already installed, or that we can install directly from the program repositories: it exists for a reason, and on many occasions we copy it to our hard drive. A sample of this is the following:

root@linuxbox:~# less /usr/share/doc/libpam-gnome-keyring/README
gnome-keyring is a program that keep password and other secrets for users. It is run as a daemon in the session, similar to ssh-agent, and other applications locate it via an environment variable or a D-Bus. The program can manage several keyrings, each with its own master password, and there is also a session keyring which is never stored to disk, but forgotten when the session ends. The library libgnome-keyring is used by applications to integrate with the GNOME keyring system.

Freely translated, that says:

  • gnome-keyring is the program in charge of keeping passwords and other secrets for users. It runs as a daemon in the session, similar to ssh-agent, and other applications locate it through an environment variable or via D-Bus. The program can manage several keyrings, each with its own master password. There is also a session keyring that is never stored on disk and is forgotten when the session ends. Applications use the libgnome-keyring library to integrate with the GNOME keyring system.

Debian with the Base Operating System

We start from a computer on which we have just installed Debian 8 "Jessie" as the operating system and, during installation, selected only the "Basic system utilities", without marking any other task or predefined set of packages such as the OpenSSH server. If, after starting the first session, we execute:

root@master:~# pam-auth-update

we will obtain the outputs shown in the screenshots PAM Authentication - 01 and PAM Authentication - 02.
This shows us that the only PAM module in use up to that moment is UNIX Authentication. The pam-auth-update utility allows us to configure the central authentication policy of a system using the predefined profiles provided by the PAM modules. For more information see man pam-auth-update.

As we have not yet installed the OpenSSH server, we will not find its PAM profile in the directory /etc/pam.d/, which so far contains the following PAM modules and profiles:

root@master:~# ls -l /etc/pam.d/
total 76
-rw-r--r-- 1 root root  235 Sep 30  2014 atd
-rw-r--r-- 1 root root 1208 Apr  6 22:06 common-account
-rw-r--r-- 1 root root 1221 Apr  6 22:06 common-auth
-rw-r--r-- 1 root root 1440 Apr  6 22:06 common-password
-rw-r--r-- 1 root root 1156 Apr  6 22:06 common-session
-rw-r--r-- 1 root root 1154 Apr  6 22:06 common-session-noninteractive
-rw-r--r-- 1 root root  606 Jun 11  2015 cron
-rw-r--r-- 1 root root  384 Nov 19  2014 chfn
-rw-r--r-- 1 root root   92 Nov 19  2014 chpasswd
-rw-r--r-- 1 root root  581 Nov 19  2014 chsh
-rw-r--r-- 1 root root 4756 Nov 19  2014 login
-rw-r--r-- 1 root root   92 Nov 19  2014 newusers
-rw-r--r-- 1 root root  520 Jan  6  2016 other
-rw-r--r-- 1 root root   92 Nov 19  2014 passwd
-rw-r--r-- 1 root root  143 Mar 29  2015 runuser
-rw-r--r-- 1 root root  138 Mar 29  2015 runuser-l
-rw-r--r-- 1 root root 2257 Nov 19  2014 su
-rw-r--r-- 1 root root  220 Sep  2  2016 systemd-user

For example, through the PAM file /etc/pam.d/chfn the system configures the Shadow service, while through /etc/pam.d/cron it configures the cron daemon. To learn a little more we can read the contents of each of these files, which are very instructive. As a sample, here is the content of /etc/pam.d/cron:

root@master:~# less /etc/pam.d/cron
# The PAM configuration file for the cron daemon

@include common-auth

# Sets the loginuid process attribute
session    required     pam_loginuid.so

# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session       required   pam_env.so

# In addition, read system locale information
session       required   pam_env.so envfile=/etc/default/locale

@include common-account
@include common-session-noninteractive

# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session    required   pam_limits.so

The order of the statements within each of the files is important. In general terms, we do not recommend modifying any of them unless we know very well what we are doing.
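Because the order matters and the cron file pulls in the common-* profiles, it helps to see the fully expanded stack. The following is an added example written for this article, not code from the page or from Linux-PAM: it builds a temporary pam.d directory from constructed file contents modelled on Debian 8 (assumed, not copied from a system) and expands every @include in place, so the resulting order per management type is the one PAM walks.

```python
# Added example, not from the article: expand @include lines of a pam.d
# service file in place and group the stack by type, in PAM's evaluation order.
import os
import tempfile

PAM_TYPES = ("auth", "account", "password", "session")

def _head(text):
    """Split off the first whitespace-delimited word: ('word', 'rest')."""
    parts = text.split(None, 1)
    return (parts[0], parts[1].strip()) if len(parts) == 2 else (text.strip(), "")

def _split_entry(line):
    """'type control module [args]' -> 4-tuple.  Debian's bracketed controls
    such as [success=1 default=ignore] contain spaces, so parse them first."""
    ptype, rest = _head(line)
    if rest.startswith("["):
        end = rest.index("]")
        control, rest = rest[:end + 1], rest[end + 1:].strip()
    else:
        control, rest = _head(rest)
    module, args = _head(rest)
    if ptype.lstrip("-") not in PAM_TYPES or not control or not module:
        raise ValueError("malformed PAM entry: %r" % line)
    return ptype, control, module, args

def resolve_stack(pam_dir, service, _chain=()):
    """Ordered (type, control, module, args) entries of `service`, with every
    @include expanded where it appears; an include loop raises ValueError."""
    if service in _chain:
        raise ValueError("@include loop at %s" % service)
    entries = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            if line.startswith("@include"):
                entries.extend(resolve_stack(pam_dir, _head(line)[1],
                                             _chain + (service,)))
            else:
                entries.append(_split_entry(line))
    return entries

def modules_by_type(entries):
    """Group resolved entries by auth/account/password/session, order kept."""
    grouped = {t: [] for t in PAM_TYPES}
    for ptype, control, module, args in entries:
        grouped[ptype.lstrip("-")].append((control, module, args))
    return grouped

# Constructed sample files modelled on Debian 8 defaults (assumed contents).
SAMPLE_FILES = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "common-account": "account [success=1 new_authtok_reqd=done default=ignore]"
                      " pam_unix.so\naccount requisite pam_deny.so\n"
                      "account required pam_permit.so\n",
    "common-session-noninteractive": "session [default=1] pam_permit.so\n"
                                     "session requisite pam_deny.so\n"
                                     "session required pam_permit.so\n"
                                     "session required pam_unix.so\n",
    "cron": "# The PAM configuration file for the cron daemon\n"
            "@include common-auth\n"
            "session required pam_loginuid.so\n"
            "session required pam_env.so\n"
            "session required pam_env.so envfile=/etc/default/locale\n"
            "@include common-account\n"
            "@include common-session-noninteractive\n"
            "session required pam_limits.so\n",
}

def build_sample_pam_dir():
    """Write SAMPLE_FILES into a fresh temporary pam.d directory; return path."""
    pam_dir = tempfile.mkdtemp(prefix="pam.d-")
    for name, text in SAMPLE_FILES.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(text)
    return pam_dir

if __name__ == "__main__":
    stacks = modules_by_type(resolve_stack(build_sample_pam_dir(), "cron"))
    for ptype in PAM_TYPES:
        print(ptype, [module for _, module, _ in stacks[ptype]])
```

Pointing resolve_stack at a real /etc/pam.d and a service name such as "sshd" shows the same expansion for the installed files.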

Debian with base OS + OpenSSH

root@master:~# aptitude install task-ssh-server
The following NEW packages will be installed: openssh-server {a} openssh-sftp-server {a} task-ssh-server

We verify that the sshd PAM profile was added and configured correctly:

root@master:~# ls -l /etc/pam.d/sshd
-rw-r--r-- 1 root root 2133 Jul 22  2016 /etc/pam.d/sshd

If we want to know the content of that profile:

root@master:~# less /etc/pam.d/sshd

In other words, when we try to start a remote session from another computer using ssh, authentication on the local computer is done mainly through the sshd PAM profile, without forgetting the other authorization and security aspects involved in the ssh service itself.

In passing, we add that the main configuration file of this service is /etc/ssh/sshd_config, and that, at least in Debian, it is installed by default without allowing interactive (password) login for the root user. To allow it, we must edit /etc/ssh/sshd_config and change the line:

PermitRootLogin without-password

by

PermitRootLogin yes

and then restart and check the status of the service by:

root@master:~# systemctl restart ssh
root@master:~# systemctl status ssh

Debian with the LXDE desktop

We continue with the same computer, renaming it (hostname) to "linuxbox" for future use, on which we have just installed the LXDE desktop. If we run pam-auth-update we obtain the outputs shown in the screenshots PAM Authentication - 03 and PAM Authentication - 04.

During the installation of the LXDE desktop the system already enabled all the profiles (modules) necessary for correct authentication, which are the following:

  • UNIX authentication module.
  • Module that registers user sessions in the systemd hierarchical control group.
  • GNOME keyring daemon module.

We take this opportunity to recommend that in all cases, when we are asked "PAM profiles to enable", we accept the proposed selection unless we know very well what we are doing. If we change the PAM configuration that the operating system itself makes automatically, we can easily disable login on the computer.

In the cases above we are talking about local authentication, that is, authentication against the local computer, which is also what happens when we open a remote session through ssh.

If we implement a remote authentication method on the local computer, for users whose credentials are stored on a remote OpenLDAP server or in an Active Directory, the system takes the new form of authentication into account and adds the necessary PAM modules.

Main files

  • /etc/passwd: user account information
  • /etc/shadow: secure user account information
  • /etc/pam.conf: file that should only be used if the directory /etc/pam.d/ does not exist
  • /etc/pam.d/: directory where programs and services install their PAM files
  • /etc/pam.d/passwd: PAM configuration for passwd
  • /etc/pam.d/common-account: authorization parameters common to all services
  • /etc/pam.d/common-auth: authentication parameters common to all services
  • /etc/pam.d/common-password: PAM modules common to all services, related to passwords
  • /etc/pam.d/common-session: PAM modules common to all services, related to user sessions
  • /etc/pam.d/common-session-noninteractive: PAM modules common to all services, related to non-interactive sessions or sessions that do not require user intervention, such as tasks executed at the beginning and end of non-interactive sessions
  • /usr/share/doc/passwd/: documentation directory

We recommend reading the manual pages of passwd and shadow through man passwd and man shadow. It is also healthy to read the contents of the files common-account, common-auth, common-password, common-session and common-session-noninteractive.
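The "account is active" condition from the Authentication section is decided from the aging fields of the /etc/shadow entry described in man 5 shadow. The following is an added example, not from the article or from the pam_unix source: a simplified model of those account checks, run over constructed shadow lines with fake hashes, where "today" is given as days since 1970-01-01 just as shadow(5) stores dates.

```python
# Added example, not from the article: a simplified model of the account-aging
# checks pam_unix applies to a user's /etc/shadow entry (fields per man 5 shadow).

def parse_shadow_line(line):
    """Split one /etc/shadow line into a dict; empty numeric fields -> None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entry needs 9 colon-separated fields: %r" % line)
    def num(s):
        return int(s) if s else None
    return {
        "name": fields[0],
        "hash": fields[1],
        "lastchange": num(fields[2]),  # day (since 1970-01-01) of last change
        "min": num(fields[3]),         # min days between password changes
        "max": num(fields[4]),         # max days a password stays valid
        "warn": num(fields[5]),        # warning days before expiry
        "inactive": num(fields[6]),    # grace days after expiry before lockout
        "expire": num(fields[7]),      # absolute account expiry day
    }

def account_status(entry, today):
    """Classify an account on day `today` (days since epoch).  Returns one of
    'locked', 'expired', 'must-change', 'password-expired', 'warn', 'ok'."""
    if entry["hash"].startswith(("!", "*")):
        return "locked"                 # passwd -l / usermod -L, or never set
    if entry["expire"] is not None and today >= entry["expire"]:
        return "expired"                # absolute expiry day (chage -E) reached
    if entry["lastchange"] == 0:
        return "must-change"            # chage -d 0: change at next login
    if entry["max"] is not None and entry["lastchange"] is not None:
        deadline = entry["lastchange"] + entry["max"]
        if entry["inactive"] is not None and today > deadline + entry["inactive"]:
            return "password-expired"   # grace period over: access denied
        if today > deadline:
            return "must-change"        # expired but within grace: force change
        if entry["warn"] is not None and today >= deadline - entry["warn"]:
            return "warn"               # expiry is near: warning at login
    return "ok"

# Constructed sample entries; the hashes are deliberately fake.
SAMPLE_SHADOW = """\
root:$6$salt$fakehash:17100:0:99999:7:::
buzz:$6$salt$fakehash:17000:0:90:7:3::
carl:$6$salt$fakehash:17100:0:30:7:::
ana:$6$salt$fakehash:17100:0:60:14:::
locked:!$6$salt$fakehash:17100:0:99999:7:::
temp:$6$salt$fakehash:17100:0:99999:7::17120:
daemon:*:16000:0:99999:7:::
newbie:$6$salt$fakehash:0:0:99999:7:::
"""

def classify_all(shadow_text, today):
    """Map user name -> status for every entry of a shadow-style text."""
    return {e["name"]: account_status(e, today)
            for e in (parse_shadow_line(l) for l in shadow_text.splitlines() if l)}

if __name__ == "__main__":
    for name, status in classify_all(SAMPLE_SHADOW, 17150).items():
        print("%-8s %s" % (name, status))
```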

PAM modules available

To get an idea of the PAM modules available a priori in the standard Debian repository, we run:

buzz@linuxbox:~$ aptitude search libpam

The list is long, and we reproduce only part of it, enough to show how extensive it is:

libpam-afs-session          - PAM module to set up a PAG and obtain AFS tokens                    
libpam-alreadyloggedin      - PAM module to skip password authentication for logged users
libpam-apparmor             - changehat AppArmor library as a PAM module
libpam-barada               - PAM module to provide two-factor authentication based on HOTP
libpam-blue                 - PAM module for local authenticaction with bluetooth devices
libpam-cap                  - POSIX 1003.1e capabilities (PAM module)
libpam-ccreds               - Pam module to cache authentication credentials                      
libpam-cgroup               - control and monitor control groups (PAM)
libpam-chroot               - Chroot Pluggable Authentication Module for PAM                      
libpam-ck-connector         - ConsoleKit PAM module                 
libpam-cracklib             - PAM module to enable cracklib support 
libpam-dbus                 - A PAM module which asks the logged in user for confirmation         
libpam-duo                  - PAM module for Duo Security two-factor authentication               
libpam-dynalogin            - two-factor HOTP/TOTP authentication - implementation libs           
libpam-encfs                - PAM module to automatically mount encfs filesystems on login        
libpam-fprintd              - PAM module for fingerprint authentication trough fprintd            
libpam-geoip                - PAM module checking access of source IPs with a GeoIP database
libpam-gnome-keyring        - PAM module to unlock the GNOME keyring upon login                   
libpam-google-authenticator - Two-step verification                 
libpam-heimdal              - PAM module for Heimdal Kerberos       
libpam-krb5                 - PAM module for MIT Kerberos           
libpam-krb5-migrate-heimdal - PAM module for migrating to Kerberos  
libpam-ldap                 - Pluggable Authentication Module for LDAP
libpam-ldapd                - PAM module for using LDAP as an authentication service              
libpam-mkhomedir            -         
libpam-mklocaluser          - Configure PAM to create a local user if it do not exist already     
libpam-modules              - Pluggable Authentication Modules for PAM                            
libpam-modules-bin          - Pluggable Authentication Modules for PAM - helper binaries          
libpam-mount                - PAM module that can mount volumes for a user session                
libpam-mysql                - PAM module allowing authentication from a MySQL server              
libpam-nufw                 - The authenticating firewall [PAM module]                            
libpam-oath                 - OATH Toolkit libpam_oath PAM module   
libpam-ocaml                - OCaml bindings for the PAM library (runtime)                        
libpam-openafs-kaserver     - AFS distributed filesystem kaserver PAM module                      
libpam-otpw                 - Use OTPW for PAM authentication       
libpam-p11                  - PAM module for using PKCS#11 smart cards                            
libpam-passwdqc             - PAM module for password strength policy enforcement                 
libpam-pgsql                - PAM module to authenticate using a PostgreSQL database              
libpam-pkcs11               - Fully featured PAM module for using PKCS#11 smart cards             
libpam-poldi                - PAM module allowing authentication using a OpenPGP smartcard
libpam-pwdfile              - PAM module allowing authentication via an /etc/passwd-like file     
libpam-pwquality            - PAM module to check password strength 
libpam-python               - Enables PAM modules to be written in Python                         
libpam-python-doc           - Documentation for the bindings provided by libpam-python            
libpam-radius-auth          - The PAM RADIUS authentication module  
libpam-runtime              - Runtime support for the PAM library   
libpam-script               - PAM module which allows executing a script                          
libpam-shield               - locks out remote attackers trying password guessing                 
libpam-shish                - PAM module for Shishi Kerberos v5     
libpam-slurm                - PAM module to authenticate using the SLURM resource manager         
libpam-smbpass              - pluggable authentication module for Samba                           
libpam-snapper              - PAM module for Linux filesystem snapshot management tool            
libpam-ssh                  - Authenticate using SSH keys           
libpam-sshauth              - authenticate using an SSH server      
libpam-sss                  - Pam module for the System Security Services Daemon                  
libpam-systemd              - system and service manager - PAM module                             
libpam-tacplus              - PAM module for using TACACS+ as an authentication service           
libpam-tmpdir               - automatic per-user temporary directories                            
libpam-usb                  - PAM module for authentication with removable USB block devices      
libpam-winbind              - Windows domain authentication integration plugin                    
libpam-yubico               - two-factor password and YubiKey OTP PAM module                      
libpam0g                    - Pluggable Authentication Modules library                            
libpam0g-dev                - Development files for PAM             
libpam4j-java               - Java binding for libpam.so            
libpam4j-java-doc           - Documentation for Java binding for libpam.so

Draw your own conclusions.

CentOS

If during the installation process we select the option "Server with GUI", we obtain a good platform on which to implement different services for the SME network. Unlike Debian, CentOS / Red Hat® offers a series of console and graphical tools that make the life of a system or network administrator easier.

Documentation

It is installed by default; we find it in the directory:

[root@linuxbox ~]# ls -l /usr/share/doc/pam-1.1.8/
total 256
-rw-r--r--. 1 root root   2045 Jun 18  2013 Copyright
drwxr-xr-x. 2 root root   4096 Apr  9 06:28 html
-rw-r--r--. 1 root root 175382 Nov  5 19:13 Linux-PAM_SAG.txt
-rw-r--r--. 1 root root  67948 Jun 18  2013 rfc86.0.txt
drwxr-xr-x. 2 root root   4096 Apr  9 06:28 txts
[root@linuxbox ~]# ls /usr/share/doc/pam-1.1.8/txts/
README                  README.pam_access       README.pam_chroot       README.pam_console
README.pam_cracklib     README.pam_debug        README.pam_deny         README.pam_echo
README.pam_exec         README.pam_faildelay    README.pam_faillock     README.pam_filter
README.pam_ftp          README.pam_group        README.pam_issue        README.pam_lastlog
README.pam_limits       README.pam_listfile     README.pam_localuser    README.pam_loginuid
README.pam_mail         README.pam_mkhomedir    README.pam_namespace    README.pam_nologin
README.pam_permit       README.pam_postgresok   README.pam_pwhistory    README.pam_rhosts
README.pam_rootok       README.pam_selinux      README.pam_sepermit     README.pam_shells
README.pam_stress       README.pam_succeed_if   README.pam_tally        README.pam_tally2
README.pam_timestamp    README.pam_tty_audit    README.pam_umask        README.pam_unix
README.pam_userdb       README.pam_warn         README.pam_wheel

Yes, we also call the CentOS computer "linuxbox", as with Debian, which will serve us in future articles on SME networks.

CentOS with GNOME3 GUI

When we select the option "Server with GUI" during the installation, the GNOME3 desktop and other utilities and base programs needed to build a server are installed. At the console level, to know the authentication status we execute:

[root@linuxbox ~]# authconfig-tui

The screenshot PAM Authentication - 05 shows that only the PAM modules necessary for the current server configuration are enabled, including a module for reading fingerprints, an authentication system found in some laptop models.

CentOS with GNOME3 GUI joined to a Microsoft Active Directory

As the screenshot PAM Authentication - 06 shows, the modules necessary for authentication against an Active Directory (winbind) have been added and enabled, while we purposely disabled the fingerprint module because it is not necessary.

In a future article we will cover in detail how to join a CentOS 7 client to a Microsoft Active Directory. We only anticipate that, using the authconfig-gtk tool, the installation of the necessary packages, the configuration of automatic home directory creation for domain users who authenticate locally, and the process itself of joining the client to the Active Directory domain are highly automated. After joining, perhaps it will only be necessary to restart the computer.

Main files

The files related to CentOS Authentication are located in the directory /etc/pam.d/:

[root@linuxbox ~]# ls /etc/pam.d/
atd                     liveinst                smartcard-auth-ac
authconfig              login                   smtp
authconfig-gtk          other                   smtp.postfix
authconfig-tui          passwd                  sshd
config-util             password-auth           su
crond                   password-auth-ac        sudo
cups                    pluto                   sudo-i
chfn                    polkit-1                su-l
chsh                    postlogin               system-auth
fingerprint-auth        postlogin-ac            system-auth-ac
fingerprint-auth-ac     ppp                     system-config-authentication
gdm-autologin           remote                  systemd-user
gdm-fingerprint         runuser                 vlock
gdm-launch-environment  runuser-l               vmtoolsd
gdm-password            samba                   xserver
gdm-pin                 setup
gdm-smartcard           smartcard-auth

PAM modules available

We have the repositories base, centosplus, epel and updates. In them we find, among others, the following modules, using the commands yum search pam-, yum search pam_ and yum search libpam:

nss-pam-ldapd.i686: An nsswitch module which uses directory servers
nss-pam-ldapd.x86_64: An nsswitch module which uses directory servers
ovirt-guest-agent-pam-module.x86_64: PAM module for the oVirt Guest Agent
pam-kwallet.x86_64: PAM module for KWallet
pam_afs_session.x86_64: AFS PAG and AFS tokens on login
pam_krb5.i686: A Pluggable Authentication Module for Kerberos 5
pam_krb5.x86_64: A Pluggable Authentication Module for Kerberos 5
pam_mapi via MAPI against a Zarafa server
pam_oath.x86_64: A PAM module for pluggable login authentication for OATH
pam_pkcs11.i686: PKCS#11/NSS PAM login module
pam_pkcs11.x86_64: PKCS#11/NSS PAM login module
pam_radius.x86_64: PAM Module for RADIUS Authentication
pam_script.x86_64: PAM module for executing scripts
pam_snapper.i686: PAM module for calling snapper
pam_snapper.x86_64: PAM module for calling snapper
pam_ssh.x86_64: PAM module for use with SSH keys and ssh-agent
pam_ssh_agent_auth.i686: PAM module for authentication with ssh-agent
pam_ssh_agent_auth.x86_64: PAM module for authentication with ssh-agent
pam_url.x86_64: PAM module to authenticate with HTTP servers
pam_wrapper.x86_64: A tool to test PAM applications and PAM modules
pam_yubico.x86_64: A Pluggable Authentication Module for yubikeys
libpamtest-doc.x86_64: The libpamtest API documentation
python-libpamtest.x86_64: A python wrapper for libpamtest
libpamtest.x86_64: A tool to test PAM applications and PAM modules
libpamtest-devel.x86_64: A tool to test PAM applications and PAM modules

Summary

It is important to have a minimum of knowledge about PAM if we want to understand, in general terms, how authentication is carried out every time we log in to our Linux / UNIX computer. It is also important to know that with local authentication alone we can provide services to other computers in a small SME network, such as proxy, mail, FTP, etc., all concentrated on a single server. All the previous services, and many more as we saw above, have their PAM module.


Until the next article!

Author: Federico A. Valdes Toujague
federicotoujague@gmail.com
https://blog.desdelinux.net/author/fico



  1.   lizard said

    A very detailed article about authentication using PAM. I confess I did not know in detail how authentication works, nor the endless number of more detailed and secure uses we could give it. This is a great article that lets you visualize the scope of PAM authentication, which can also serve multiple objectives in SMEs.

    One more of your great contributions; thank you very much for such good material, Fico.

  2.   Anonymous said

    Thank you for your comment, dear Luigys. The purpose of the article is to open the minds of readers regarding the PAM and its modules. I think the post succeeds.
    By the way I inform you that the comments are not reaching me by mail.

  3.   federico said

    lol, I forgot to write my email address in the previous comment. That's why Anonymous comes out. 😉

  4.   HO2GI said

    Great article, as always.

  5.   dhunter said

    Very instructive, Federico. I have had to deal with PAM more than once and I admire the design; it is very useful to be able to insert functionality into the hooks it provides. For example, the last thing I did was a REST API in Python / Flask that collects the logins and logoffs of the users of my domain (big brother style, to know everything). Can you guess where I put the calls to curl to inform the API? Well yes, with PAM.

  6.   federico said

    Thanks HO2GI for the evaluation of the post.
    Dhunter: Greetings again. As always you are doing very interesting things. Nothing, this post is one of those that I catalog "to open minds."