Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Using PAM Print E-mail
User Rating:      How can I rate this item?
Source: Dave Wreski - Posted by Dave Wreski   
Learn tips and tricks Pluggable Authentication Modules is a method for authenticating users.

Pluggable Authentication Modules is a method for authenticating users. Using PAM, programmers can provide a more easy and verstile means of performing authentication functions. The ability to change from basic password authentication to the use of smart cards or even biometrics can be changed without having to recompile programs or require serious modifications.

Additionally, PAM can be used to modify the terms of access by users as well as system resources.

Just a few of the things you can do with PAM:

  • Use a different encryption method for passwords such as MD5, making them harder to brute force decode;
  • Set resource limits on all your users so they can't perform denial of service attacks (number of processes, amount of memory, etc)
  • Enable shadow passwords on the fly
  • Allow specific users to login only at specific times from specific places

Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in user's home directories by adding these lines to /etc/pam.d/login:

         # Disable rsh/rlogin/rexec for users
         login auth required no_rhosts

Set filesystem limits instead of allowing unlimited as is the default. You can control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf. For example, limits for group 'users' might look like this:

         @users     hard  core    0
         @users     hard  nproc   50
         @users     hard  rss     5000

This says to limit the creation of core files to zero bytes, restrict the number of processes to 50, and restrict memory usage per user to 5 Meg.


The main Linux-PAM has a great deal of (sometimes out-of-date) information on configuring and using PAM.

The Linux-PAM System Administrators' Guide is a "draft" document that describes the usage of the default PAM modules.

This Red Hat whitepaper on Enhanced Console Access describes how you can configure PAM to authorize ordinary users to access system devices such as the floppy.

The Red Hat User Guide contains a section on User Authentication with PAM that explains the basics of PAM as well as some more advanced techniques.

Keep in mind that there is the potential to create a situation whereby even root doesn't have access to the system, creating all kinds of configuration headaches. Use caution.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
FBI Quietly Removes Recommendation To Encrypt Your Phone
And the prize for LEAST SECURE BROWSER goes to ... Chrome!
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.