Last update: 12 January 2020
In this article, I'm going to explain how the authentication mechanism in GNU/Linux systems works, and how you can use PAM to enhance security on your Linux machines. Let's get started!
NSS (the Name Service Switch) is part of glibc. It specifies the sources from which various kinds of system information (users, groups, hosts, services and so on) are obtained. The configuration file /etc/nsswitch.conf lists the supported databases and, for each one, the sources to consult.
example:
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
The first column is the database name. The remaining columns are service specifications, consulted from left to right. Take the following line as an example:
hosts: files dns
The hosts database is responsible for name resolution. Whenever a program performs a name resolution query, the system first looks at /etc/hosts (that is what files means) and, only if it cannot find the answer there, queries the DNS servers listed in /etc/resolv.conf (that is what dns means). The order matters: a source listed first overrides the ones after it.
The passwd database is where user information is retrieved. In the example above the first source to look at is /etc/passwd (compat behaves like files but also honours the +/- NIS-style entries); systemd then adds the dynamic users it manages.
The getent command queries any of these databases through NSS, so it returns exactly what programs on the system would see (including entries that are not in /etc/passwd or /etc/hosts but come from another source). The syntax is as follows:
$ getent database_name entity
Examples:
# Name resolution
$ getent hosts spacex.com
50.112.120.214 spacex.com
# User information
$ getent passwd root
root:x:0:0:root:/root:/bin/bash
For more information, check the man page
$ man nsswitch.conf
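To make the lookup order concrete, here is a small example added for this article (not the article's own code and not part of glibc). It parses a constructed nsswitch.conf, walks the hosts sources in the configured order against a constructed /etc/hosts, and flags orderings a hardening review would question. The dns callable is a hypothetical stand-in for the resolver; nothing is read from the running system, and the [STATUS=action] tokens are parsed out but not evaluated.

```python
"""Parse nsswitch.conf, reproduce the source-by-source lookup order for the
hosts database, and flag orderings worth a second look.
Example code added for this article; the configuration and hosts file
below are constructed inline, not read from the running system."""
import re

# Constructed sample of /etc/nsswitch.conf, with a deliberately
# questionable hosts line (dns before files).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files
hosts:          dns files [NOTFOUND=return] mdns4
networks:       files
protocols:      db files
"""

# Constructed sample of /etc/hosts.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    build.internal build
"""

ACTION_RE = re.compile(r"^\[(.*)\]$")   # e.g. [NOTFOUND=return]

def parse_nsswitch(text):
    """Return {database: [token, ...]} in file order, comments stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, spec = line.partition(":")
        conf[db.strip()] = spec.split()
    return conf

def sources(conf, db):
    """The service names for a database, with [STATUS=action] tokens dropped."""
    return [tok for tok in conf.get(db, []) if not ACTION_RE.match(tok)]

def hosts_from_files(hosts_text, name):
    """The 'files' source for hosts: the first matching line in /etc/hosts."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None

def resolve(conf, name, files_text=SAMPLE_HOSTS, dns=None):
    """Walk the hosts sources in configured order.
    `dns` is a hypothetical callable standing in for the resolver
    (defaults to 'no answer'). Returns (address, answering_source)."""
    dns = dns or (lambda n: None)
    backends = {"files": lambda n: hosts_from_files(files_text, n), "dns": dns}
    for src in sources(conf, "hosts"):
        lookup = backends.get(src)
        if lookup is None:
            continue            # source not modelled here (e.g. mdns4)
        addr = lookup(name)
        if addr:
            return addr, src
    return None, None

def audit(conf):
    """Orderings a review would question. Returns a list of findings."""
    findings = []
    h = sources(conf, "hosts")
    if "dns" in h and "files" in h and h.index("dns") < h.index("files"):
        findings.append("hosts: dns is consulted before files, so a DNS answer "
                        "overrides local /etc/hosts pins")
    for db in ("passwd", "group", "shadow"):
        for src in sources(conf, db):
            if src in ("nis", "nisplus", "ldap"):
                findings.append(f"{db}: direct {src} source; prefer sss")
    return findings

if __name__ == "__main__":
    conf = parse_nsswitch(SAMPLE_NSSWITCH)
    print("hosts order:", sources(conf, "hosts"))
    print("build ->", resolve(conf, "build"))
    for f in audit(conf):
        print("finding:", f)
```

With the sample line, "build" is answered by files only because the stand-in resolver returns nothing; pass a dns callable that returns an address and it wins, which is exactly why the usual ordering is files before dns.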
PAM (Pluggable Authentication Modules) is a framework for user authentication. It gives the administrator the freedom to choose the authentication mechanism and to put a variety of constraints on the authentication process. Linux PAM deals with four separate types of modules: auth (verify the user's identity), account (check whether the account may be used at all, e.g. expiry or time-of-day restrictions), session (set up and tear down the session environment) and password (update authentication tokens).
Whenever a program wants to perform an authentication action, it delegates it to PAM, which reads the PAM configuration files and loads the necessary modules. These modules fall into one of the four types listed above and are stacked in the order in which they appear in the configuration file; when PAM invokes them, they carry out the various authentication tasks on behalf of the program.
To check whether a program is PAM-aware, use the ldd command to see whether it is dynamically linked against libpam:
$ ldd /bin/su
linux-vdso.so.1 (0x00007fff575b2000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007efe8e3c4000)
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007efe8e1c0000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007efe8df97000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efe8dba6000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007efe8d9a2000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007efe8d79d000)
/lib64/ld-linux-x86-64.so.2 (0x00007efe8e7e1000)
The configuration lives in /etc/pam.conf and in per-service files under /etc/pam.d/ (when the /etc/pam.d/ directory exists, /etc/pam.conf is ignored). The syntax of each line is as follows:
module_type control_flags module_path module_args
module_type: one of auth, account, session, password.
control_flags: how the module's result affects the outcome of the stack. The simple keywords are required (must succeed, but the remaining modules still run, so the user cannot tell which one failed), requisite (must succeed; on failure control returns immediately), sufficient (success ends the stack successfully unless an earlier required module has failed; failure is ignored) and optional (its result only matters if it is the only module in the stack). The bracketed [value=action ...] syntax gives finer control. Debian-style configurations also use @include file to splice in another file from /etc/pam.d.
module_path: the module to use and where to find it (a bare name such as pam_unix.so is searched for in the default module directory).
module_args: arguments passed to the module.
A typical PAM configuration for the su command (Debian layout) would look like this:
# Let root (uid 0) through without a password; a sufficient success ends the auth stack here
auth sufficient pam_rootok.so
# Read /etc/security/pam_env.conf; readenv=1 additionally reads /etc/environment
session required pam_env.so readenv=1
# Also read the locale settings from /etc/default/locale
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Set the MAIL environment variable; nopen means "do not print mail information on login"
session optional pam_mail.so nopen
# Apply the resource limits from /etc/security/limits.conf
session required pam_limits.so
# Include the common configurations shared by all services
@include common-auth
@include common-account
@include common-session
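The following is an example added for this article (not Linux-PAM code) that parses the su configuration above, expands @include, and evaluates a module stack with the semantics pam.conf(5) gives for the four simple control keywords (required, requisite, sufficient, optional). Module results are simulated by a dictionary, since no real module is invoked; the bracketed [value=action] syntax is not modelled, and the common-auth, common-account and common-session contents are constructed for the example.

```python
"""Parse /etc/pam.d-style files and evaluate a module stack the way
Linux-PAM does for the simple control keywords. Example code added for
this article; the files below are constructed, not read from the system,
and module outcomes are simulated."""

# Constructed stand-in for /etc/pam.d/. "su" is the configuration shown
# above; the common-* files are shortened examples.
SAMPLE_PAM_D = {
    "su": """\
# Allow root without password
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
session    required   pam_env.so readenv=1 envfile=/etc/default/locale
session    optional   pam_mail.so nopen
session    required   pam_limits.so
@include common-auth
@include common-account
@include common-session
""",
    "common-auth":    "auth     required pam_unix.so nullok_secure\n",
    "common-account": "account  required pam_unix.so\n",
    "common-session": "session  required pam_unix.so\n",
}

# pam.conf(5) defines the simple keywords as (action on success, action otherwise):
# required=[success=ok default=bad]   requisite=[success=ok default=die]
# sufficient=[success=done default=ignore]   optional=[success=ok default=ignore]
SIMPLE_CONTROLS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

def parse_pam(service, files, depth=0):
    """Return [(module_type, control, module, args), ...] with @include expanded."""
    if depth > 8:
        raise ValueError("@include nesting too deep")
    entries = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries.extend(parse_pam(line.split()[1], files, depth + 1))
            continue
        fields = line.split()
        mtype, control, module, args = fields[0], fields[1], fields[2], fields[3:]
        if control.startswith("["):
            raise NotImplementedError("bracketed control syntax is not modelled")
        if control not in SIMPLE_CONTROLS:
            raise ValueError(f"unknown control flag {control!r}")
        entries.append((mtype, control, module, args))
    return entries

def stack_for(entries, module_type):
    """The (control, module) pairs of one stack, in configuration order."""
    return [(c, m) for t, c, m, _ in entries if t == module_type]

def run_stack(stack, outcomes):
    """Evaluate a stack. `outcomes` maps module name -> True/False (simulated
    module result; a module not listed fails). Returns True on success."""
    impression = None           # None: undecided, True/False: provisional result
    for control, module in stack:
        ok = outcomes.get(module, False)
        action = SIMPLE_CONTROLS[control][0 if ok else 1]
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if impression and action == "done":
                return True     # sufficient: succeed now, skip the rest
        elif action in ("bad", "die"):
            impression = False  # required: remember the failure, keep going
            if action == "die":
                return False    # requisite: fail immediately
        # "ignore": this module does not influence the result
    return bool(impression)     # an empty or undecided stack denies

if __name__ == "__main__":
    entries = parse_pam("su", SAMPLE_PAM_D)
    auth = stack_for(entries, "auth")
    print("auth stack:", auth)
    print("root, no password:", run_stack(auth, {"pam_rootok.so": True}))
    print("user, bad password:", run_stack(auth, {}))
```

Reversing the two auth lines (pam_unix.so required first, pam_rootok.so sufficient second) makes root fail with no password: a sufficient success cannot undo an earlier required failure, which is why the order of lines in these files is part of the security review.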
pam_cracklib: strength checking for new passwords (removed in Linux-PAM 1.5.0; on current distributions pam_pwquality.so replaces it and accepts the same options). Example:
# retry=3 The user gets 3 attempts to enter an acceptable new password
# minclass=3 The password has to include characters from at least 3 of the 4 classes (upper, lower, digit, other)
# minlen=12 The password has to be at least 12 characters long (credits for character classes count towards it, see the man page)
# maxrepeat=3 The password must not contain more than 3 identical consecutive characters
password required pam_cracklib.so retry=3 minclass=3 minlen=12 maxrepeat=3
pam_tally2: counts access attempts and locks the account after too many failures (also removed in Linux-PAM 1.5.0; on recent systems use pam_faillock.so, which takes the same deny= and unlock_time= options but needs the preauth/authfail stacking described in its man page). Place it before pam_unix.so in the auth stack and pair it with the same module on the account stack so that the counter is reset after a successful login. Example:
# deny=3 Lock the account after 3 failed attempts
# unlock_time=3600 Unlock the account automatically after 1h
auth required pam_tally2.so deny=3 unlock_time=3600
pam_pwhistory: saves the previous passwords of each user so that they cannot alternate between the same small set of passwords. Place it before pam_unix.so in the password stack. Example:
# remember=5 Save the last 5 passwords of each user in /etc/security/opasswd
# enforce_for_root Apply the check to root too
password required pam_pwhistory.so remember=5 enforce_for_root
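To see what the pam_cracklib options above accept and reject, here is a checker added for this article (it is not pam_cracklib or pam_pwquality code). It implements the plain reading of minlen, minclass and maxrepeat and deliberately omits the credit system, the dictionary check and the comparison with the old password that the real modules also apply, so it is a way to reason about the rules, not a replacement for them.

```python
"""Plain reading of the minlen/minclass/maxrepeat rules used in the
pam_cracklib example. Example code added for this article, not module code:
no credits, no dictionary check, no old-password comparison."""
import string

def char_classes(pw):
    """Number of distinct character classes present (upper, lower, digit, other)."""
    alnum = string.ascii_letters + string.digits
    present = (
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c not in alnum for c in pw),
    )
    return sum(present)

def longest_run(pw):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best

def check_password(pw, minlen=12, minclass=3, maxrepeat=3):
    """Return the list of violated rules; an empty list means the password passes.
    maxrepeat=0 disables that check, as it does in the module."""
    problems = []
    if len(pw) < minlen:
        problems.append(f"minlen: {len(pw)} < {minlen}")
    classes = char_classes(pw)
    if classes < minclass:
        problems.append(f"minclass: {classes} < {minclass}")
    run = longest_run(pw)
    if maxrepeat and run > maxrepeat:
        problems.append(f"maxrepeat: run of {run} > {maxrepeat}")
    return problems

if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("correct horse 9 battery", "aaaa-Bb1xyz9", "password"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```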
To learn more about PAM, check the official documentation here
SSSD (the System Security Services Daemon) provides access to local or remote identity and authentication sources through a common framework that offers caching and offline support. SSSD supports many providers, for example Kerberos for authentication and LDAP for identity lookups; it plugs into the two mechanisms above through nss_sss (the sss source in /etc/nsswitch.conf) and pam_sss.so in the PAM stacks.
To learn more about SSSD check the official documentation here