LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
How would you rate the importance of default settings in security?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
Emily Ratliff: OS Security
DanWalsh LiveJournal
Security Bloggers Network
Latest Newsletters
Linux Advisory Watch: August 8th, 2008
Linux Security Week: August 4th, 2008
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
User Authentication HOWTO

User Authentication HOWTO

Peter Hernberg

2000-05-02

Revision History
Revision 0.92004-04-03Revised by: fl
updated external links
Revision 0.82003-02-20Revised by: fl
language changes, various small fixes
Revision 0.52000-05-15Revised by: ph
added section on securing pam, added resources section
Revision 0.12000-05-02Revised by: ph
initial version

Explains how user and group information is stored and how users are authenticated on a Linux system (PAM), and how to secure you system's user authentication.

Table of Contents
1. Introduction
1.1. How this document came to be
1.2. New versions
1.3. Feedback
1.4. Copyrights and Trademarks
1.5. Acknowledgements and Thanks
1.6. Assumptions about the reader
2. How User Information is Stored on Your System
2.1. /etc/passwd
2.2. Shadow passwords
2.3. /etc/group and /etc/gshadow
2.4. MD5 encrypted passwords
2.5. Sifting through the mess
3. PAM (Pluggable Authentication Modules)
3.1. Why
3.2. What
3.2.1. Distributions that support pam.
3.2.2. Installing PAM
3.3. How
3.3.1. PAM configuration files
3.3.2. A little something
3.3.3. Configuration syntax
3.3.4. pam.conf configuration
3.4. Getting more information
4. Securing User Authentication
4.1. A strong /etc/pam.d/other
4.1.1. A paranoid configuration
4.1.2. A kinder configuration
4.1.3. Choosing a /etc/pam.d/other
4.2. Disabling logins for user with null passwords
4.3. Disable unused services
4.4. Password-cracking tools
4.5. Shadow and MD5 passwords
5. Tying it all together
5.1. Apache + mod_auth_pam
5.2. Our example
5.3. Installing mod_auth_pam
5.4. Configuring PAM
5.4.1. Deciding how to configure PAM
5.5. Configuring Apache
5.6. Testing our setup
6. Resources
6.1. PAM
6.2. General Security
6.3. Offline Documentation
7. Conclusion

1. Introduction

1.1. How this document came to be

When trying to add a number of (mostly unnecessary :) network services to my existing home network, I kept running into the problem of authentication, so I decided to figure out how authentication works on linux systems, write a HOWTO, and call it my senior project. I hope this document helps you understand this often-forgotten, but very important, aspect of system administration.

1.2. New versions

Unitl I get my domain up and running properly, the newest version of this document will be available from http://www.linuxdoc.org/.

1.3. Feedback

Comments, corrections, suggestions, flames, and flying saucer sightings can be sent to petehern@yahoo.com.

1.4. Copyrights and Trademarks

(c) 2000 Peter Hernberg

This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:

  • The copyright notice above and this permission notice must be preserved complete on all complete or partial copies

  • Any translation or derived work must be approved by the author in writing before distribution.

  • If you distribute this work in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.

  • Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given. Exceptions to these rules may be granted for academic purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators. Any source code (aside from the SGML this document was written in) in this document is placed under the GNU General Public License, available via anonymous FTP from the GNU archive.

1.5. Acknowledgements and Thanks

Thanks to my family for putting up with me for 18 years. Thanks to the Debian folks for making such a sweet distro for me to play with. Thanks to CGR for paying me to be a geek. Thanks to Sandy Harris for his helpful suggestions. Finally, I'd like thank the makers of ramen noodles, because I don't know how I'd live without them.

1.6. Assumptions about the reader

For the purpose of this document, it is assumed that the reader is comfortably with executing commands at the command line and editing text configuration files.

  
  How User Information is Stored on Your System
    
Partner:

 
Latest Features
Security Features of Firefox 3.0
Review: The Book of Wireless
April 2008 Open Source Tool of the Month: sudo
Open Source Tool of March: ZoneMinder
Meet the Anti-Nmap: PSAD
Open Source Tool of February: Nmap!
HowTo: Secure your Ubuntu Apache Web Server
Yesterday's Edition
Web 2.0, DNS Flaws Revealed at Black Hat

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
  Security Projects ,   Latest News ,  Newsletters ,  SELinux ,  Privacy ,  Home,
 Hardening ,   About Us,   Advertise,   Legal Notice,   RSS,   Guardian Digital

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.