PythOps

Linux User Authentication

Last update: 12 January 2020

In This article, I'm going to explain how the authentication mechanism in GNU/Linux systems works, and how you can use PAM to enhance security in your Linux machines.
Let's get started !

NSS (Name Service Switch)

NSS is part of glibc and it's used to indicates the sources from which a variety of information can be obtained.
The configuration file /etc/nsswitch.conf lists the different supported databases
example:

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

The first column is the database name. The other columns are service specifications.

Let's explain the following line for example:

hosts:          files dns

the hosts database is responsible for name resolution.
Whenever a program perform a name resolution query, the system will first look at /etc/hosts (that's what files mean) and if it can not find the answer then it will query a DNS server specified in /etc/resolv.conf (that's what dns means).

passwd database is where users information can be retrieved. In the example above the first source to look at is /etc/passwd.

Query the databases

getent command is used to query different databases. The syntax is as follows:

$ getent database_name entity

Examples:

# Name resolution
$ getent hosts spacex.com
50.112.120.214  spacex.com

# User information
$ getent passwd root
root:x:0:0:root:/root:/bin/bash


For more information, check the man page

$ man nsswitch.conf


PAM (Pluggable Authentication Modules )

PAM is a framework for user authentication. It provides to the admin the freedom to choose the authentication mechanism of his choice and put a variety of constraints on authentication process.
Linux PAM deals with 4 separate types of modules:

Whenever a program wants to perform authentication actions, it delegates that to to PAM, which
checks the contents of the PAM configuration files and loads the necessary modules. These modules fall into one of four types listed above and are stacked in the order they appear in the configuration file. These modules, when called by PAM, perform various authentication tasks for the program.
To check if a program is PAM aware, you use the ldd command to see if it's dynamically linked to libpam.

$ ldd /bin/su
    linux-vdso.so.1 (0x00007fff575b2000)
    libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007efe8e3c4000)
    libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007efe8e1c0000)
    libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007efe8df97000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efe8dba6000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007efe8d9a2000)
    libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007efe8d79d000)
    /lib64/ld-linux-x86-64.so.2 (0x00007efe8e7e1000)


Config files

The config files are located in /etc/pam.conf and /etc/pam.d/*
The syntax is as follows

module_type control_flags module_path module_args

module_type: Module type: auth, account, session, password

control_flags :

module_path: Module name to use and where to find it.
module_args: Module arguments.

Example:

A typical PAM configuration for su command would look like this:

# Allow root without password
auth       sufficient pam_rootok.so

# Set the environment variables from /etc/security/pam_env.conf
session    required   pam_env.so readenv=1

# Set the environment variables from /etc/default/locale
session    required   pam_env.so readenv=1 envfile=/etc/default/locale

# Notify when new mail is available, nopen means "do not print mail information on login" 
session    optional   pam_mail.so nopen

# Set limits on the system resources. 
session    required   pam_limits.so

# Include common configurations 
@include common-auth
@include common-account
@include common-session


Some useful PAM modules:

pam_cracklib: Used for strength checking for passwords.
Example:

# retry=3        The user have 3 attempt to enter the right password
# minclass=3     The password has to include at least 3 different classes of characters 
# minlen=12      The password size has to be at least 12 characters 
# maxrepeat=3    The password shouldn't have more than 3 consecutive characters
password required pam_cracklib.so retry=3 minclass=3 minlen=12 maxrepeat=3


pam_tally2: Used to count the access attempts.
Example:

# deny=3             Lock the account after 3 failed attempts
# lock_time=3600     Unlock the account after 1h
auth required pam_tally2.so deny=3 unlock_time=3600



pam_pwhistory:Used to save the last passwords for each user to prevent users alternating between the same set of passwords.
Example:

# remember=5         Save the last 5 password for each user in /etc/security/opasswd
# enforce_for_root   Include the root too
password required pam_pwhistory.so  remember=5 enforce_for_root



To learn more about PAM, check the official documentation here

SSSD (System Security Services Daemon)

SSSD provides access to local or remote identity and authentication resources through a common framework that can provide caching and offline support to the system.
SSSD supports many providers like Kerberos for authentication and LDAP for identity service.


To learn more about SSSD check the official documentation here

Recommended reading