
PAM Modules

by Jennifer Vesperman
10/05/2001

Editor's note: This is the second in a series of articles on Pluggable Authentication Modules. In part one, Jennifer introduced PAM and showed how to get started. In this article, she walks us through some of the more useful modules.

Traditional user authentication is programmed directly into applications. Using PAM (Pluggable Authentication Modules), applications can be developed with a PAM interface, and the system administrator can choose any number of PAM modules to do authentication and other tasks.

PAM was designed for authentication, and it remains the most common function of PAM modules. Programmers being programmers, there are now PAM modules to do much more than authentication. A variety of security tasks can be done through modules, and there are utilities for session management.

Highlighted modules

pam_cracklib.so should be used on most systems that are connected to a network. pam_env.so is an easily underestimated module that lets the system administrator adjust the user environment.

pam_cracklib.so

pam_cracklib.so checks passwords for strength and security.

Use pam_cracklib.so in the password section of a PAM configuration file. The module uses the libcrack code to test whether the password is easily cracked, then runs additional tests against the old password and against administrator-determined parameters. pam_cracklib.so relies on /usr/lib/cracklib_dict, and has only a password component.

As well as the libcrack tests, pam_cracklib.so checks whether the new password is the old password with a change of case, whether it is a palindrome of the old password, whether it satisfies the difok argument, whether it passes the minimum length check, whether it's been recently used, and whether it's a simple rotation of the old password.

Useful arguments

difok = N
The number of characters in the new password that must not also appear in the old password. The default is 10. If at least half the characters in the new password are new, the password passes this test regardless.
minlen = N
Minimum length of the new password, plus one. Length credit is given for each different type of character in the new password (each case, symbols ("other") and digits). If using md5 passwords, a longer password is recommended.
dcredit, ucredit, lcredit and ocredit
The amount of length credit given for each type of character in the password (digits, each case, "other").

Example use

#
# /etc/pam.d/example
#

password    required    pam_cracklib.so    minlen=15 ocredit=2
password    required    pam_unix.so        use_authtok md5

pam_env.so

pam_env.so allows you to set or unset environment variables using strings, existing variables, or PAM items.

The settings for this module are in /etc/security/pam_env.conf (though the argument conffile can override this). Syntax for this file is:

VARIABLE DEFAULT=value OVERRIDE=value

The DEFAULT value is used if no OVERRIDE value is available. Environment variables can be referred to using ${variable}, and PAM items using @{variable}.

Valid PAM items for use with /etc/security/pam_env.conf are: PAM_USER, PAM_USER_PROMPT, PAM_TTY, PAM_RUSER, and PAM_RHOST. If pam_env.so is used on login, the ${USER} environment variable is not yet set. Use @{PAM_USER} instead.

The readenv argument toggles whether pam_env.so reads the environment file, /etc/environment, by default. The envfile argument allows you to use a different environment file. This file uses KEY=VALUE syntax to set the values of environment variables.

The pam_env.so module has only an auth component.
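As an added example that is not part of the article or of pam_env.so itself, the following Python model resolves lines in the VARIABLE DEFAULT=value OVERRIDE=value syntax described above, expanding ${variable} from the environment and @{variable} from PAM items, and shows why ${USER} is empty at login while @{PAM_USER} is not. The sample file and PAM item values are constructed, and the rule that an empty result unsets the variable is an assumption.

```python
# Added example, not from the article or the pam_env.so source: a model of how a
# /etc/security/pam_env.conf line is resolved. The sample configuration and PAM item
# values are constructed; quoting rules and unsetting on empty result are assumptions.
import re

PAM_ITEMS = {"PAM_USER", "PAM_USER_PROMPT", "PAM_TTY", "PAM_RUSER", "PAM_RHOST"}


def expand(value, env, items):
    """Replace ${NAME} from env and @{NAME} from PAM items; unknown names expand to ''."""
    value = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), value)
    return re.sub(r"@\{(\w+)\}",
                  lambda m: items.get(m.group(1), "") if m.group(1) in PAM_ITEMS else "",
                  value)


def parse_line(line):
    """Return (variable, default, override) or None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()                     # values containing spaces are not modelled
    var, default, override = parts[0], "", ""
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key == "DEFAULT":
            default = val.strip('"')
        elif key == "OVERRIDE":
            override = val.strip('"')
    return var, default, override


def apply_conf(text, env, items):
    """OVERRIDE wins when it expands to a non-empty string; otherwise DEFAULT is used."""
    env = dict(env)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        var, default, override = parsed
        value = expand(override, env, items) or expand(default, env, items)
        if value:
            env[var] = value                 # later lines can refer to this one
        else:
            env.pop(var, None)               # assumed: empty result unsets the variable
    return env


SAMPLE_CONF = """
# constructed sample pam_env.conf
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY    DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
LOGIN_USER DEFAULT=@{PAM_USER}
SHELL_USER DEFAULT=${USER}
"""
```

Run against an empty environment, SHELL_USER stays unset because ${USER} is not yet defined at login, while LOGIN_USER picks up @{PAM_USER}.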
