LinuxSecurity.com
Using PAM
Source: Dave Wreski - Posted by Dave Wreski   

Pluggable Authentication Modules (PAM) is a method for authenticating users. Using PAM, programmers can provide an easier and more versatile means of performing authentication functions. Authentication can be switched from basic passwords to smart cards or even biometrics without having to recompile programs or make serious modifications.

Additionally, PAM can be used to change the terms under which users are granted access, as well as their access to system resources.

Just a few of the things you can do with PAM:

  • Use a different encryption method for passwords, such as MD5, making them harder to decode by brute force
  • Set resource limits on all your users so they can't perform denial of service attacks (number of processes, amount of memory, etc.)
  • Enable shadow passwords on the fly
  • Allow specific users to login only at specific times from specific places

Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in users' home directories by adding these lines to /etc/pam.d/login:

    
         #
         # Disable rsh/rlogin/rexec for users
         # (files under /etc/pam.d/ omit the service-name field used in /etc/pam.conf)
         #
         auth required pam_rhosts_auth.so no_rhosts

Set filesystem limits instead of leaving them unlimited, which is the default. You can control per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf. For example, limits for the group 'users' might look like this:

    
         @users     hard  core    0
         @users     hard  nproc   50
         @users     hard  rss     5000

This says to limit the creation of core files to zero bytes, restrict the number of processes to 50, and restrict memory usage per user to 5 Meg.
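
To check that entries like these actually cover a given account, the following added example (not part of the original article) parses limits.conf-format lines and resolves the effective hard limits for a user. The function names, the sample users and the extra sample entries are assumptions made for illustration, and precedence is modelled in simplified form (user entry over @group entry over `*`); other domain syntaxes are ignored.

```python
# Added example (not from the original page). SAMPLE is constructed: the page's
# three @users lines plus extra entries to exercise precedence.
SAMPLE = """\
@users     hard  core       0
@users     hard  nproc      50
@users     hard  rss        5000
*          soft  core       0      # soft only: does not cap the hard limit
alice      hard  nproc      200
@users     -     maxlogins  4
"""

REQUIRED = ("core", "nproc", "rss")  # items the page's example restricts

def parse_limits(text):
    """Yield (domain, type, item, value) from limits.conf-format text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"malformed limits entry: {raw!r}")
        yield tuple(fields)

def effective_hard_limits(text, user, groups):
    """Hard limits for user: user entries beat @group entries beat '*'."""
    best = {}  # item -> (rank, value)
    for domain, ltype, item, value in parse_limits(text):
        if ltype not in ("hard", "-"):  # '-' sets both soft and hard
            continue
        if domain == user:
            rank = 3
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 2
        elif domain == "*":
            rank = 1
        else:
            continue
        if item not in best or rank >= best[item][0]:  # later entry wins ties
            best[item] = (rank, value)
    return {item: value for item, (_, value) in best.items()}

def missing_hard_limits(text, user, groups, required=REQUIRED):
    """Required items that have no hard limit or are set to unlimited."""
    limits = effective_hard_limits(text, user, groups)
    unset = ("unlimited", "infinity", "-1")
    return [i for i in required if limits.get(i, "unlimited") in unset]

if __name__ == "__main__":
    print(effective_hard_limits(SAMPLE, "bob", {"users"}))
    print(missing_hard_limits(SAMPLE, "carol", {"staff"}))
```

An account outside the 'users' group comes back with every required item missing, which is the gap to look for when limits are assigned per group.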

References

The main Linux-PAM site has a great deal of (sometimes out-of-date) information on configuring and using PAM.

The Linux-PAM System Administrators' Guide is a "draft" document that describes the usage of the default PAM modules.

This Red Hat whitepaper on Enhanced Console Access describes how you can configure PAM to authorize ordinary users to access system devices such as the floppy.

The Red Hat User Guide contains a section on User Authentication with PAM that explains the basics of PAM as well as some more advanced techniques.

Keep in mind that there is the potential to create a situation whereby even root doesn't have access to the system, creating all kinds of configuration headaches. Use caution.

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.