PAM (Pluggable Authentication Module) Tricks
In this article we are going to look at configuring some PAM (Pluggable Authentication Module) modules that will help tighten security on your system. We will look at setting up password policies, placing limits on certain resources (CPU time, maximum file size, and so on) and setting time restrictions.
Setting resource limits
System resources on SUSE can be controlled by a PAM module called pam_limits, which controls system-wide, group and per-user limits. Its configuration file is “limits.conf” in the “/etc/security” directory, and it allows you to set limits on multiple resources. Table 1 lists all the resources that can be managed.
| Resource | Description |
|---|---|
| core | Limits the core file size (KB). |
| data | Maximum data size (KB). |
| fsize | Maximum file size (KB). |
| memlock | Maximum locked-in-memory address space (KB). |
| nofile | Maximum number of open files. |
| rss | Maximum resident set size (KB). |
| stack | Maximum stack size (KB). |
| cpu | Maximum CPU time (MIN). |
| nproc | Maximum number of processes. |
| maxlogins | Maximum number of logins for this user. |
| maxsyslogins | Maximum number of logins on the system. |
| priority | The priority to run user processes with. |
| locks | Maximum number of file locks the user can hold. |
| sigpending | Maximum number of pending signals. |
| msgqueue | Maximum memory used by POSIX message queues (bytes). |
| nice | Maximum nice priority allowed to raise to. |
| rtprio | Maximum realtime priority. |
Table 1: pam_limits directives.
The syntax for pam_limits is very simple to understand. In this article we will look at restricting a single user, then a group of users, and then everyone on the system.
Limiting a single user
The first resource limit we will set is for the user “damian”: we will stop this user from creating files greater than 20KB. Figure 1 shows the rule that we will write to the “/etc/security/limits.conf” configuration file, and Table 2 explains what each column means.
damian hard fsize 20
Figure 1: Limiting the file size to 20KB for the user “damian”.
| Column | Meaning |
|---|---|
| damian | This specifies the user, damian, to which the rule will be applied. |
| hard | This means that once the limit has been reached the system will refuse to go over it. There is also a “soft” option, which would allow the user to go over the limit but display a warning message. |
| fsize | This specifies the resource we want to limit; in this example we are limiting the file size. |
| 20 | This specifies the limit; in this example we have limited the file size to 20KB. |
Table 2: Figure 1 rule explained.
Once the user limit has been configured, the user will need to log out if they are already logged in for the limit to take effect. Once you have logged out and back in, you can use the “dd” command to create a 20KB file as shown in Figure 1.1.
damian@linux-uxp3:~> dd if=/dev/zero of=test.txt bs=1024 count=20
20+0 records in
20+0 records out
20480 bytes (20 kB) copied, 0.000721 seconds, 28.4 MB/s
Figure 1.1: Creating a 20KB file.
Once the 20KB file has been created successfully, you can try to create a 21KB file, which should be denied, as shown in Figure 1.2.
damian@linux-uxp3:~> dd if=/dev/zero of=test.txt bs=1024 count=21
File size limit exceeded
Figure 1.2: Testing 20KB limit.
Figure 1.2 shows that the limit was exceeded, so the “test.txt” file was not created.
Limiting a group of users
Limiting a group of users is similar to limiting a single user; the only difference is that you prefix the group name with the at symbol (@), as shown in Figure 1.3.
@users hard fsize 20
Figure 1.3: Setting group limits.
Again, for the limits to take effect, each user in the “users” group will need to log out. Once the members of the “users” group log back in, they will find that they cannot create files greater than 20KB, as shown in Figure 1.4.
jason@linux-uxp3:~> id
uid=1001(jason) gid=100(users) groups=16(dialout),33(video),100(users)
jason@linux-uxp3:~> dd if=/dev/zero of=test.txt bs=1024 count=21
File size limit exceeded
Figure 1.4: Creating a file larger than 20KB.
Limiting every user on the system, including root, is similar to setting up user and group limits; the only difference is that you specify the asterisk (*) character, as shown in Figure 1.5.
* hard fsize 20
Figure 1.5: Setting system wide limits.
The directive shown in Figure 1.5 denies all users, including root, from creating files greater than 20KB.
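As an added example (not the article's own code), the Python function below resolves which limits.conf line wins when a user is matched by several, using the precedence limits.conf(5) documents: an explicit user line beats @group lines, which beat the * default, the last line of equal rank wins, and @group and * lines are not applied to root (so on current Linux-PAM a * line alone does not constrain root, whatever older SUSE builds did). The limits.conf content is constructed; note also that the soft value is what the kernel enforces at login, and a user may raise it with ulimit only up to the hard value.

```python
# Added example, not from the article: resolve one pam_limits item for a user
# following the precedence in limits.conf(5).  User line > @group line > '*';
# last line of equal rank wins; @group and '*' lines are not applied to root.
PRIORITY = {"user": 0, "group": 1, "default": 2}

# Constructed limits.conf; the values are chosen so the precedence is visible.
LIMITS_CONF = """\
*        hard  fsize   20
@users   hard  fsize   100
damian   hard  fsize   50
@admins  -     nofile  4096        # '-' sets soft and hard together
root     hard  fsize   unlimited
"""

def resolve_limit(conf, user, groups, item):
    """Return {'soft': v, 'hard': v} for `item`; None means no line applies.
    Values stay strings so 'unlimited' passes through untouched."""
    best = {"soft": (len(PRIORITY), None), "hard": (len(PRIORITY), None)}
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue                          # blank, comment or malformed line
        domain, ltype, name, value = fields
        if name != item:
            continue
        if domain == user:
            kind = "user"
        elif domain.startswith("@") and domain[1:] in groups:
            kind = "group"
        elif domain == "*":
            kind = "default"
        else:
            continue
        if user == "root" and kind != "user":
            continue                          # root honours only explicit root lines
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            if PRIORITY[kind] <= best[t][0]:  # '<=': later line of equal rank wins
                best[t] = (PRIORITY[kind], value)
    return {t: v for t, (_, v) in best.items()}

if __name__ == "__main__":
    for who, grps in (("damian", ["users"]), ("jason", ["users"]), ("root", [])):
        print(who, resolve_limit(LIMITS_CONF, who, grps, "fsize"))
```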
Setting time restrictions
In this section of the article we are going to place time restrictions on the SSH daemon. The configuration file for the “pam_time” module is “time.conf” in the “/etc/security” directory.
The SSH PAM configuration file needs to load the “pam_time” module. The first step in enabling time restrictions is to open the SSH PAM configuration file, “/etc/pam.d/sshd”, and add the time module as shown in Figure 2.
#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  required       pam_time.so
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional       pam_resmgr.so fake_ttyname
Figure 2: Enabling the pam_time module.
Once you have enabled the pam_time module in “/etc/pam.d/sshd”, you can edit the “time.conf” configuration file in the “/etc/security” directory. In this article we will only allow the user “damian” to log in on Wednesdays from 9AM until 3PM. Figure 2.1 shows the rule we will use, and Table 3 explains what each field does.
sshd;*;damian;We0900-1500
Figure 2.1: Only allow “damian” to log in on Wednesdays from 9AM until 3PM.
| Field | Meaning |
|---|---|
| sshd | This specifies the service you want to set a time restriction for. |
| * | This specifies which terminals the rule applies to. The asterisk means all terminals. |
| damian | This specifies the user the rule applies to. |
| We0900-1500 | This specifies the day of the week and the time range. The time is in 24-hour notation. |
Table 3: Figure 2.1 explained.
Once the rule has been applied, the user will be granted access when the day and time match; if they don’t match, the user will be denied access to the SSH daemon.
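As an added example (not part of the article), here is a Python evaluator for time.conf rules that reproduces pam_time's decision logic, including the two-letter day codes (Mo to Su, Wk, Wd, Al), negation with !, alternatives with | and ranges that wrap past midnight; the time.conf content and the “backup” user are constructed. Note that pam_time(8) lists the module type as account, which is the stack it is normally loaded from.

```python
# Added example, not from the article: evaluate /etc/security/time.conf rules
# the way pam_time does: a login is refused as soon as one rule matches the
# service, tty and user but its times field does not match the moment of login.
from datetime import datetime
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

# Constructed time.conf: the article's rule for damian, plus a rule keeping a
# hypothetical 'backup' account off the system on weekend nights ('!' negates).
TIME_CONF = """\
sshd;*;damian;We0900-1500
sshd;*;backup;!Wd2200-0600
"""

def logic_list(field, value):
    """Match a service/tty/user field: '*', a '|' list of names, optional '!'."""
    names = field.lstrip("!").split("|")
    return ("*" in names or value in names) != field.startswith("!")

def time_matches(field, when):
    """Match a times field.  Day codes are XOR'd as in pam_time ('WkMo' means
    weekdays except Monday); HHMM-HHMM may wrap past midnight (approximated:
    tested on the listed day only); '|' separates alternatives."""
    hhmm = when.hour * 100 + when.minute
    for alt in field.split("|"):
        negate, alt = alt.startswith("!"), alt.lstrip("!")
        days, i = set(), 0
        while i < len(alt) and alt[i].isalpha():      # consume two-letter day codes
            days ^= DAYS[alt[i:i + 2]]
            i += 2
        start, end = (int(x) for x in alt[i:].split("-"))
        in_range = start <= hhmm < end if start <= end else (hhmm >= start or hhmm < end)
        if (when.weekday() in days and in_range) != negate:
            return True
    return False

def login_allowed(conf, service, tty, user, when):
    """Apply every rule in `conf`; `when` is a datetime or 'YYYY-MM-DD HH:MM'.
    No matching rule means pam_time permits the login."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for raw in conf.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        svc, ttys, users, times = raw.split(";")
        if all((logic_list(svc, service), logic_list(ttys, tty), logic_list(users, user))):
            if not time_matches(times, when):
                return False
    return True
```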
Setting password policies
In this section of the article we are going to configure the pam_pwcheck module to provide stronger password policies. The pam_pwcheck module provides plug-in strength checking for user passwords, which lets you force your users to select sensible passwords rather than simple ones that can be easily cracked.
The pam_pwcheck configuration file is located at “/etc/security/pam_pwcheck.conf”. In this article we are going to stop users from choosing a simple password such as a dictionary word. Figure 3 shows a password policy that stops users from supplying simple passwords, and Table 4 explains each directive.
password: use_cracklib minlen=5 maxlen=10 tries=3 remember=20
Figure 3: “/etc/security/pam_pwcheck.conf” configuration file.
| Directive | Meaning |
|---|---|
| use_cracklib | This directive tells PAM to use the cracklib module. |
| minlen=5 | This directive specifies the minimum number of alphanumeric characters allowed. |
| maxlen=10 | This directive specifies the maximum number of alphanumeric characters allowed. |
| tries | This directive specifies how many attempts the user is allowed before they are refused a password change. |
| remember | This directive specifies how many previous passwords to remember so that the user cannot reuse them. |
Table 4: Figure 3 explained.
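As an added example (not pam_pwcheck's own code), the Python check below applies the Figure 3 policy to a candidate password: length between minlen and maxlen, a cracklib-style dictionary test, and a remember history that refuses reuse of the last 20 passwords. The wordlist, the salted PBKDF2 history and the reject messages are constructed for the demonstration (pam_pwcheck itself uses cracklib's dictionary and /etc/security/opasswd), and tries is a retry count handled by the PAM conversation, so it is not modelled here.

```python
# Added example, not from the article: apply the pam_pwcheck.conf policy from
# Figure 3 (minlen, maxlen, remember, dictionary check) to a candidate password.
import hashlib
import os

POLICY = {"minlen": 5, "maxlen": 10, "remember": 20}
DICTIONARY = {"password", "welcome", "letmein", "summer"}   # constructed wordlist

def hash_pw(password, salt):
    """Salted PBKDF2-SHA256, standing in for the hashes kept in opasswd."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def check_password(candidate, history, policy=POLICY):
    """Return None if the password is acceptable, else the reason it is refused.
    `history` is a list of (salt, hash) tuples of earlier passwords, oldest first."""
    if len(candidate) < policy["minlen"]:
        return "too short"
    if len(candidate) > policy["maxlen"]:
        return "too long"
    # cracklib-style test: lowercase, trim digits/punctuation from the ends and
    # compare the core (and its reverse) against the wordlist; cracklib goes further.
    core = candidate.lower().strip("0123456789!@#$%^&*.,-_")
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        return "based on a dictionary word"
    for salt, old in history[-policy["remember"]:]:   # remember=20 -> last 20 only
        if hash_pw(candidate, salt) == old:
            return "used before"
    return None

def remember(history, password, policy=POLICY):
    """Record an accepted password and keep only the newest `remember` entries."""
    salt = os.urandom(16)
    history.append((salt, hash_pw(password, salt)))
    del history[:-policy["remember"]]
    return history
```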
In this article we only touched on a few of the PAM modules. I would strongly recommend visiting the PAM website to read about each module in depth. The modules covered in this article provide an extra layer of security that helps defend against malicious users.