<HTML>
<HEAD>
<TITLE>Using Linux:Managing Users and Groups</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
<!--ISBN=0789716232//-->
<!--TITLE=Using Linux//-->
<!--AUTHOR=William Ball//-->
<!--PUBLISHER=Macmillan Computer Publishing//-->
<!--IMPRINT=Que//-->
<!--CHAPTER=25//-->
<!--PAGES=422-424//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="420-422.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="425-427.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading28"></A><FONT COLOR="#000077">Improving System Security Using PAM</FONT></H4>
<P>In an effort to separate authentication techniques from applications, the Linux development community took hints from the Solaris operating system and created its own implementation of PAM, Pluggable Authentication Modules. By separating the method of authentication from applications, it is possible for system administrators to implement their own authentication techniques and have application software automatically use them.
</P>
<P>This section explains the key components of the PAM system, its installation, configuration file, and some modules that come with Red Hat Linux.</P>
<P><FONT SIZE="+1"><B>Installing PAM</B></FONT></P>
<P>If you chose a standard installation procedure with Red Hat Linux, you probably have PAM already installed. If you don’t have it installed, don’t worry, it’s very straightforward.
</P>
<P>Begin by acquiring the RPM package for PAM. This should be on the distribution you installed with. If not, you can always download it from Red Hat’s Web site at <A HREF="http://www.redhat.com">http://www.redhat.com</A>. Our distribution for this section is version 0.57 with configuration file version 0.51. We would use the following commands to install the RPMs:</P>
<!-- CODE SNIP //-->
<PRE>
[root@insoc /root]# rpm -i pam-0.57-2.i386.rpm
[root@insoc /root]# rpm -i pamconfig-0.51-2.i386.rpm
</PRE>
<!-- END CODE SNIP //-->
<P>If you already had the packages installed, <TT>rpm</TT> should have told you. If they are older versions, be sure to specify the <TT>-U</TT> option with <TT>rpm</TT> so that it will upgrade.</P>
<P><FONT SIZE="+1"><B>The PAM Configuration Files</B></FONT></P>
<P>As of version 0.56, PAM prefers to use the directory-based approach for managing its configuration files. These files are located in the <TT>/etc/pam.d</TT> directory, and each filename represents a particular service. For example, <TT>ftpd</TT> and <TT>login</TT> are considered services.</P>
<TABLE BORDER="2" BORDERCOLOR="#0000" ALIGN="CENTER">
<TR><TD><FONT SIZE="+1"><B>SetGID</B></FONT>
<BR>SetGID works similarly to SetUID. Programs that are SetGID are executed with the permissions of the group that owns the program rather than the group of the user. You can set a file to be SetGID by prefixing the permissions with the number 2. For example:
<!-- CODE SNIP //-->
<PRE>
<B>[root@insoc /root]# chmod 2755 /usr/local/backups/back_level_0</B>
</PRE>
<!-- END CODE SNIP //-->
<P>When listing a file with the <TT><B>ls -l</B></TT> command, you can visually see whether a file is SetUID or SetGID. SetUID files have an ‘s’ where the first ‘x’ should be, and SetGID files have an ‘s’ where the second ‘x’ should be.</P></TABLE>
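<P>The following Python script is an added example for this sidebar, not code from the book: it turns the numeric mode used with <TT>chmod</TT> (such as <TT>2755</TT>) into the permission field that <TT>ls -l</TT> prints, reads the SetUID and SetGID bits back out of such a field, and walks a directory to list every regular file carrying either bit, which is the check an administrator runs to keep track of set-ID programs. The file name <TT>back_level_0</TT> is borrowed from the <TT>chmod</TT> line above; the temporary directory and the file created in it are constructed for the example.</P>

```python
import os
import stat
import tempfile
from typing import List, Tuple


def mode_to_ls(mode: int) -> str:
    """Render a numeric mode such as 0o2755 the way `ls -l` shows a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


def setid_bits_from_ls(mode_field: str) -> Tuple[bool, bool]:
    """Read the 10-character permission field of `ls -l` (e.g. '-rwxr-sr-x').

    A set-ID bit replaces the owner 'x' (index 3) or the group 'x' (index 6)
    with 's'; a capital 'S' means the bit is set but execute is not.
    Returns (setuid, setgid).
    """
    if len(mode_field) != 10:
        raise ValueError("expected the 10-character mode field from ls -l")
    return mode_field[3] in "sS", mode_field[6] in "sS"


def find_setid_files(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and list regular files with SetUID or SetGID, plus their ls-style mode."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: never follow symbolic links
            except OSError:
                continue                       # vanished or unreadable entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Create a throwaway file, apply the equivalent of 'chmod 2755' and audit the directory."""
    with tempfile.TemporaryDirectory() as tmp:        # constructed scratch directory
        target = os.path.join(tmp, "back_level_0")    # name taken from the chmod example
        with open(target, "w"):
            pass
        os.chmod(target, 0o2755)
        return [(os.path.basename(p), m) for p, m in find_setid_files(tmp)]


if __name__ == "__main__":
    for name, mode in demo():
        print(mode, name)
```

<P>Run directly, the script prints <TT>-rwxr-sr-x back_level_0</TT> for the file it created. The walker uses <TT>lstat</TT> rather than <TT>stat</TT> on purpose: a symbolic link pointing at a set-ID binary is not itself a set-ID file, and following links would also let a crafted link drag the audit outside the directory being checked.</P>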
<P>Each file consists of lines in the following format:</P>
<!-- CODE SNIP //-->
<PRE>
module_type control_flag module_path arguments
</PRE>
<!-- END CODE SNIP //-->
<P>where <TT><I>module_type</I></TT> represents one of four types of modules: <TT>auth</TT>, <TT>account</TT>, <TT>session</TT>, or <TT>password</TT>. Comments must begin with the hash (<TT>#</TT>) character.</P>
<TABLE WIDTH="100%"><TR>
<TD WIDTH="20%" VALIGN="TOP"><TT>auth</TT>
<TD WIDTH="80%">Instructs the application program to prompt the user for a password and then grants not only user privileges but group privileges too.
<TR>
<TD VALIGN="TOP"><TT>account</TT>
<TD>Performs no authentication, but determines access based on other factors, such as time of day or location of the user. For example, the root login can be given only console access this way.
<TR>
<TD VALIGN="TOP"><TT>session</TT>
<TD>Specifies what, if any, actions need to be performed before or after a user is logged in—for example, logging the connection.
<TR>
<TD VALIGN="TOP"><TT>password</TT>
<TD>Specifies the module that allows users to change their password (if appropriate).
<TR>
<TD VALIGN="TOP"><TT>control_flag</TT>
<TD>Allows you to specify how you want to deal with the success or failure of a particular authentication module.
<TR>
<TD VALIGN="TOP"><TT>required</TT>
<TD>The module must succeed in authenticating the individual. If it fails, the returned summary value must be failure.
<TR>
<TD VALIGN="TOP"><TT>requisite</TT>
<TD>Similar to required; however, if this module fails authentication, modules listed after this one in the configuration file are not called, and a failure is immediately returned to the application. This allows you to require that certain conditions hold true before even accepting a login attempt. (For example, the user must be on the local area network and cannot come in from over the Internet.)
<TR>
<TD VALIGN="TOP"><TT>sufficient</TT>
<TD>If the module returns a success and there are no more <TT>required</TT> or <TT>sufficient</TT> control flags in the configuration file, PAM returns a success to the calling application.
<TR>
<TD VALIGN="TOP"><TT>optional</TT>
<TD>This flag allows PAM to continue checking other modules even if this one has failed. You will want to use this when the user is allowed to log in even if a particular module has failed.
</TABLE>
<P>The <TT>module_path</TT> specifies the actual directory path of the module that performs the authentication task. For a full list of modules that came with PAM, check out the file <TT>/usr/doc/pam-0.59/html/pam-6.html</TT> using your favorite web browser. Text versions of the document are also available in the <TT>/usr/doc/pam-0.59</TT> directory.</P>
<P><TT>arguments</TT> are the parameters passed to the authentication module. Although the parameters are specific to each module, some generic options can be applied to all modules. They are</P>
<TABLE WIDTH="100%"><TR>
<TD WIDTH="30%" VALIGN="TOP"><TT>debug</TT>
<TD WIDTH="70%">Send debugging information to the system logs. (Usually located at <TT>/var/log</TT>—check <TT>/etc/syslog.conf</TT> for details.)
<TR>
<TD VALIGN="TOP"><TT>no_warn</TT>
<TD>Do not give warning messages to the calling application.
<TR>
<TD VALIGN="TOP"><TT>use_first_pass</TT>
<TD>Do not prompt the user for a password a second time. Instead, use the password entered the first time to determine the user’s eligibility to enter the system.
<TR>
<TD VALIGN="TOP"><TT>try_first_pass</TT>
<TD>Similar to <TT>use_first_pass</TT> where the user is not prompted for a password the second time; however, if the existing password causes a failure to be returned from the module, the user is then asked to enter a second password.
<TR>
<TD VALIGN="TOP"><TT>use_mapped_pass</TT>
<TD>Passes the password from a previous module into the current one much like <TT>use_first_pass</TT>; however, the password is then used to generate an encryption or decryption key.
</TABLE>
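<P>The following Python script is an added example for this section, not code from the book or from the Linux-PAM distribution. It parses a file in the <TT>/etc/pam.d</TT> line format described above (<TT>module_type control_flag module_path arguments</TT>, with <TT>#</TT> comments) and then simulates how the four control flags combine the results of one stack of modules, so that the difference between <TT>required</TT>, <TT>requisite</TT>, <TT>sufficient</TT> and <TT>optional</TT> can be seen on concrete outcomes. The sample configuration it carries is constructed for the example; the module names <TT>pam_securetty.so</TT>, <TT>pam_pwdb.so</TT> and <TT>pam_mail.so</TT> under <TT>/lib/security</TT> are assumed, the generic arguments <TT>try_first_pass</TT> and <TT>debug</TT> are the ones from the table above, and each module's success or failure is supplied as a dictionary rather than produced by a real module.</P>

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")

# Constructed /etc/pam.d/login-style file for this example (not a Red Hat file).
SAMPLE_LOGIN = """\
# root may only log in from a terminal listed in /etc/securetty
auth     requisite  /lib/security/pam_securetty.so
# the real password check; reuse a password already typed for an earlier module
auth     required   /lib/security/pam_pwdb.so try_first_pass
# "you have mail" is nice to have, but must never block a login
auth     optional   /lib/security/pam_mail.so
account  required   /lib/security/pam_pwdb.so
password required   /lib/security/pam_pwdb.so debug
session  optional   /lib/security/pam_mail.so
"""


@dataclass
class PamEntry:
    module_type: str
    control_flag: str
    module_path: str
    arguments: List[str] = field(default_factory=list)


def parse_pam_file(text: str) -> List[PamEntry]:
    """Parse 'module_type control_flag module_path arguments...' lines; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need module_type, control_flag and module_path")
        module_type, control_flag, module_path, *arguments = fields
        if module_type not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {module_type!r}")
        if control_flag not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {control_flag!r}")
        entries.append(PamEntry(module_type, control_flag, module_path, arguments))
    return entries


def evaluate_stack(entries: List[PamEntry], module_type: str,
                   results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Combine simulated results for one stack (auth, account, ...) as Linux-PAM does.

    `results` maps a module's basename ('pam_pwdb.so') to True for success or
    False for failure.  Returns (summary result, modules actually consulted).
    """
    impression: Optional[bool] = None        # None: nothing has decided the stack yet
    consulted: List[str] = []
    for entry in entries:
        if entry.module_type != module_type:
            continue
        name = os.path.basename(entry.module_path)
        consulted.append(name)
        ok = results[name]
        flag = entry.control_flag
        if flag in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False           # the summary must now be failure...
                if flag == "requisite":
                    break                    # ...and requisite stops the stack at once
        elif flag == "sufficient":
            if ok and impression is not False:
                return True, consulted       # enough: later modules are skipped
            # a failing sufficient module is simply ignored
        elif ok and impression is None:      # optional: counts only if nothing else decided
            impression = True
    # An undecided stack (for example only a failing optional module) is a failure.
    return impression is True, consulted


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the auth stack of SAMPLE_LOGIN under four simulated outcomes."""
    entries = parse_pam_file(SAMPLE_LOGIN)
    all_ok = {"pam_securetty.so": True, "pam_pwdb.so": True, "pam_mail.so": True}
    return {
        "all succeed": evaluate_stack(entries, "auth", all_ok),
        "securetty fails": evaluate_stack(entries, "auth", {**all_ok, "pam_securetty.so": False}),
        "password fails": evaluate_stack(entries, "auth", {**all_ok, "pam_pwdb.so": False}),
        "mail fails": evaluate_stack(entries, "auth", {**all_ok, "pam_mail.so": False}),
    }


if __name__ == "__main__":
    for case, (ok, consulted) in demo().items():
        print(f"{case:16s} -> {'success' if ok else 'failure'}; consulted {consulted}")
```

<P>Run directly, the script shows why the order of flags matters: when the <TT>requisite</TT> module fails, the password module is never consulted, whereas a failing <TT>required</TT> module lets the remaining modules run (so a user cannot tell which check rejected them) but still yields a failure. The <TT>sufficient</TT> rule implemented here (a success ends the stack at once unless an earlier <TT>required</TT> module has already failed) is how Linux-PAM actually evaluates that flag, which is why a <TT>sufficient</TT> line placed before a <TT>required</TT> password check lets the password check be skipped entirely.</P>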
<TABLE BORDER="2" BORDERCOLOR="#0000" ALIGN="CENTER">
<TR><TD><FONT SIZE="+1"><B>Cryptography by law</B></FONT>
<BR>Due to the cryptography laws of the United States, this argument (<TT>use_mapped_pass</TT>) is currently not supported by any of the modules in the Linux-PAM distribution. (The U.S. Government considers cryptography a type of munitions, which cannot be exported.)</TABLE>
<P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="420-422.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="425-427.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>