Last update: 12 January 2020
In this article, I'm going to explain how the authentication mechanism in GNU/Linux systems works, and how you can use PAM to enhance security on your Linux machines. Let's get started!

NSS (the Name Service Switch) is part of glibc and is used to indicate the sources from which various kinds of system information (users, groups, hosts, and so on) can be obtained.

The configuration file /etc/nsswitch.conf lists the different supported databases:
```
passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
```
The first column is the database name. The other columns are service specifications.
Let's take the following line as an example:

```
hosts: files dns
```

The hosts database is responsible for name resolution. Whenever a program performs a name resolution query, the system will first look at /etc/hosts (that's what files means) and, if it cannot find the answer there, it will query a DNS server specified in /etc/resolv.conf (that's what dns means). The order matters: a source listed first answers first, so an entry in /etc/hosts takes precedence over whatever DNS would return.
The passwd database is where user information can be retrieved. In the example above the first source to look at is
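To make the lookup order concrete, here is an added example (not code from the article or from glibc) that parses nsswitch.conf-style text and resolves a host name by consulting the configured sources in order. The sample configuration mirrors the layout shown above; the "files" and "dns" backends are constructed stand-ins for /etc/hosts and a resolver, chosen so that one name exists in both and shows which source wins.

```python
# Added example: parse nsswitch.conf-style text and walk the configured
# sources in order. The config text and both backends are constructed.

SAMPLE_NSSWITCH = """\
# constructed sample, same layout as the article's nsswitch.conf
passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} keeping the order in which sources are listed."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


# Constructed stand-ins: what /etc/hosts would hold and what DNS would answer.
# "intranet.example" is deliberately present in both with different addresses.
FILES_HOSTS = {"localhost": "127.0.0.1", "intranet.example": "10.0.0.5"}
DNS_HOSTS = {"intranet.example": "203.0.113.9", "www.example": "198.51.100.7"}

SOURCES = {
    "files": lambda name: FILES_HOSTS.get(name),
    "dns": lambda name: DNS_HOSTS.get(name),
}


def resolve(name, databases, sources=SOURCES):
    """Query each source listed for the hosts database in order; the first answer wins.

    Returns (address, source_that_answered), or (None, None) when every source misses.
    """
    for source in databases.get("hosts", []):
        backend = sources.get(source)
        if backend is None:
            continue   # a source with no backend is skipped, like an unavailable NSS module
        address = backend(name)
        if address is not None:
            return address, source
    return None, None


if __name__ == "__main__":
    dbs = parse_nsswitch(SAMPLE_NSSWITCH)
    for host in ("localhost", "intranet.example", "www.example", "missing.example"):
        print(host, "->", resolve(host, dbs))
```

Running it shows that "intranet.example" resolves to the /etc/hosts address even though DNS has a different answer, which is why write access to /etc/hosts (and to nsswitch.conf itself) deserves the same scrutiny as the resolver configuration.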
The getent command is used to query the different databases. The syntax is as follows:

```
$ getent database_name entity
```

```
# Name resolution
$ getent hosts spacex.com
184.108.40.206  spacex.com

# User information
$ getent passwd root
root:x:0:0:root:/root:/bin/bash
```
For more information, check the man page:

```
$ man nsswitch.conf
```
PAM (Pluggable Authentication Modules) is a framework for user authentication. It gives the admin the freedom to choose the authentication mechanism of their choice and to put a variety of constraints on the authentication process. Linux PAM deals with 4 separate types of modules:

* auth: verifies the user's identity.
* account: checks the user's account against the configured constraints.
* session: runs actions at the beginning and the end of each session.
* password: updates passwords.

Whenever a program wants to perform authentication actions, it delegates them to PAM, which checks the contents of the PAM configuration files and loads the necessary modules. These modules fall into one of the four types listed above and are stacked in the order they appear in the configuration file. When called by PAM, they perform the various authentication tasks on behalf of the program.
To check if a program is PAM aware, use the ldd command to see if it's dynamically linked to libpam:

```
$ ldd /bin/su
        linux-vdso.so.1 (0x00007fff575b2000)
        libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007efe8e3c4000)
        libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007efe8e1c0000)
        libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007efe8df97000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efe8dba6000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007efe8d9a2000)
        libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007efe8d79d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007efe8e7e1000)
```
The config files are located in
The syntax of each line is as follows:

```
module_type control_flags module_path module_args
```

module_type: the module type: auth, account, session or password.

control_flags:

* required: the module must succeed for authentication to continue. If the module fails, the authentication process still continues and the user is only notified of the failure at the end, once the other modules have finished.
* requisite: the module must succeed to continue. If the module fails, the authentication process stops and the user is notified immediately.
* sufficient: the module's result is ignored if it fails. If the module succeeds AND no prior required module has failed, then authentication is granted without calling any further modules.
* optional: the module's result is ignored unless it is the only module on the stack.
* include: include configuration from another file.

module_path: the module name to use and where to find it.

module_args: the module arguments.
A typical PAM configuration for the su command would look like this:

```
# Allow root without password
auth       sufficient pam_rootok.so

# Set the environment variables from /etc/security/pam_env.conf
session    required   pam_env.so readenv=1

# Set the environment variables from /etc/default/locale
session    required   pam_env.so readenv=1 envfile=/etc/default/locale

# Notify when new mail is available, nopen means "do not print mail information on login"
session    optional   pam_mail.so nopen

# Set limits on the system resources.
session    required   pam_limits.so

# Include common configurations
@include common-auth
@include common-account
@include common-session
```
pam_cracklib: used for password strength checking. Example:

```
# retry=3      The user has 3 attempts to enter an acceptable password
# minclass=3   The password has to include at least 3 different classes of characters
# minlen=12    The password has to be at least 12 characters long
# maxrepeat=3  The password must not contain the same character more than 3 times in a row
password required pam_cracklib.so retry=3 minclass=3 minlen=12 maxrepeat=3
```
pam_tally2: used to count access attempts. Example:

```
# deny=3            Lock the account after 3 failed attempts
# unlock_time=3600  Unlock the account after 1h
auth required pam_tally2.so deny=3 unlock_time=3600
```
pam_pwhistory: used to save the last passwords of each user, to prevent users from alternating between the same set of passwords. Example:

```
# remember=5        Save the last 5 passwords of each user in /etc/security/opasswd
# enforce_for_root  Apply the rule to root too
password required pam_pwhistory.so remember=5 enforce_for_root
```
To learn more about PAM, check the official documentation here
SSSD (the System Security Services Daemon) provides access to local or remote identity and authentication resources through a common framework that can add caching and offline support to the system. SSSD supports many providers, such as Kerberos for authentication and LDAP for identity lookups.
To learn more about SSSD check the official documentation here