SUSE Conversations


PAM (Pluggable Authentication Module) Tricks



By: DamianMyerscough

February 14, 2008 6:50 am

Reads:315

Comments:0

Rating:0

PAM (Pluggable Authentication Module) Tricks

In this article we are going to look at configuring some PAM (Pluggable Authentication Module) modules which will help tighten security on your system. In this article we will look at; setting up password policies, placing limits on certain resources i.e. (CPU, maximum file size, etc) and setting time restrictions.

Setting resource limits

The system resources on SUSE can be controlled by a PAM module called: pam_limits, this module controls system wide, group and users limits. The pam_limits configuration file is located within the “/etc/security” directory and with the name of “limits.conf“, this configuration file allows you to set limits for multiple resources. Table 1 lists all the resources that can be managed.

Resource Description
core Limits the core file size (KB).
data Maximum data size (KB).
fsize Maximum filesize (KB).
memlock Maximum locked-in-memory address space (KB).
nofile Maximum number of open files.
rss Maximum resident set size (KB).
stack Maximum stack size (KB).
cpu Maximum CPU time (MIN).
nproc Maximum number of processes.
maxlogins Maximum number of logins for this user.
maxsyslogins Maximum number of logins on the system.
priority The priority to run user process with.
locks Maximum number of file locks the user can hold.
sigpending Maximum number of pending signals.
msgqueue Maximum memory used by POSIX message queues (bytes).
nice Maximum nice priority allowed to raise to.
rtprio Maximum realtime priority.

Table 1: pam_limits directives.

The syntax for pam_limits is very simple to understand, however, in the article we will look at restricting a single user, a group of users and then everyone on the system.

Limiting a single user

The first resource limit that we will set is for the user “damian”, we will stop this user from creating file greater than 20KB. Figure 1 shows the rule which we will write to the “/etc/security/limits.conf” configuration file. Table 2 explains what each column means.

damian          hard    fsize   20

Figure 1: Limiting the file size to 20KB for the user “damian”.

Column Description
damian This option specifies the user damian to which the rule will be applied too.
hard This option means that once the limit has been met that it will refuse to go over the limit. There is also a “soft” option which would allow the user to go over the limit but display a warning message.
fsize This option specifies the resource in which we want to limit, in this example we are limiting the file size.
20 This option specifies the limit, in this example we have limited the file size to 20KB.

Table 2: Figure 1 rule explained.

Once the user limit have been configured you will need the user to logout if they are already logged in for the limits to take effect. Once you have logout and logged back in you can use the “dd” command to create a text file with the size of 20KB as shown in Figure 1.1.

damian@linux-uxp3:~> dd if=/dev/zero of=test.txt bs=1024 count=20
20+0 records in 
20+0 records out 
20480 bytes (20 kB) copied, 0.000721 seconds, 28.4 MB/s

Figure 1.1: Creating a 20KB file.

Once you have created a 20KB file and it was successfully created you can try and create a 21KB file which should be denied, as shown in Figure 1.2.

damian@linux-uxp3:~> dd if=/dev/zero of=test.txt bs=1024 count=21 
File size limit exceeded

Figure 1.2: Testing 20KB limit.

Figure 1.2 shows that the limit was exceeded thus not creating the “test.txt” file.

Limiting a group of users

Limiting a group of users is similar to limiting a single user, the only difference is you need to specify the at symbol(@) followed by the group you would like to set limits for as shown in Figure 1.3.

@users          hard    fsize   20

Figure 1.3: Setting group limits.

Again for the limits to take effect each user from the “users” group will need to logout. Once the users of the group “users” log back into the system they will notice that they cannot create files greater than 20KB as shown in Figure 1.4.

jason@linux-uxp3:~> id 
uid=1001(jason) gid=100(users) groups=16(dialout),33(video),100(users) 
jason@linux-uxp3:~> dd if=/dev/zero of=test.txt bs=1024 count=21 
File size limit exceeded

Figure 1.4: Creating a file larger than 20KB.

Limiting everyone

Limiting every user on a system including root is similar to setting up user and group limits, the only difference is you need to specify the asterisk (*) character as shown in Figure 1.5.

*               hard    fsize   20

Figure 1.5: Setting system wide limits.

The directives shown in Figure 1.5 have been set to deny all users including root from creating files greater than 20KB.

Setting time restrictions

In this section of the article we are going to place time restrictions on the SSH daemon. The configuration file for the “pam_time” module is located within the “/etc/security” directory and with the name of “time.conf”.

The SSH PAM configuration file requires the “pam_time” module to be loaded. The first step to enabling the time restrictions is open the SSH PAM configuration file located at: “/etc/pam.d/sshd” and adding the time module as shown in Figure 2.

#%PAM-1.0 
auth     include        common-auth 
auth     required       pam_nologin.so 
account  include        common-account 
password include        common-password 
session  required       pam_time.so 
session  include        common-session 
# Enable the following line to get resmgr support for 
# ssh sessions (see /usr/share/doc/packages/resmgr/README) 
#session  optional      pam_resmgr.so fake_ttyname

Figure 2: Enabling the pam_time module.

Once you have enabled the pam_time module in the “/etc/pam.d/sshd” configuration file you can edit the “time.conf” configuration file located within the “/etc/security” directory. In this article we will only allow the user “damian” to login on a Wednesday at 9AM until 3PM, Figure 2.1 shows the rule which we will use and Table 3 explains what each column does.

sshd;*;damian;We0900-1500

Figure 2.1: Only allow “damian” to login on Wednesday at 9AM until 3PM.

Column Description
sshd This specifies the service in which you are wanting to set a time restriction for.
* This specifies which terminal the rule should apply to. The asterisk means all terminals.
damian This specifies the user for the rule to apply for.
We0900-1500 This specifies the day and week. The time is in 24 hour notation.

Table 3: Figure 2.1 explained.

Once the rule has been applied and the date and time match the user will be granted access, however, if the date and time don’t match the users will be denied access to the SSH daemon.

Setting password policies

In this section of the article we are going to configure the pam_pwcheck module to provide stronger password policies. The pam_pwcheck module provides some plug-in strength for checking users passwords, this allows you to force your users to select sensible passwords and not simple passwords that can be easily cracked.

The pam_pwcheck configuration file is located at “/etc/security/pam_pwcheck.conf“. In this article we are going to force the user not to have a simple password such as a dictionary word. Figure 3 shows a password policy which stops users for supplying simple passwords. Table 4 explains each column.

password:       use_cracklib minlen=5 maxlen=10 tries=3 remeber=20

Figure 3: “/etc/security/pam_pwcheck.conf” configuration file.

Column Description
use_cracklib This directive tells PAM to use the cracklib module.
minlen=10 This directive specifies the minimum number of alphanumeric characters allowed.
maxlen=10 This directive specifies the maximum number of alphanumeric characters allowed.
tries This directive specifies how many attempts the users is allowed before denying them to change their password.
remember This directive specifies how many passwords to remember so that the user cannot use them passwords.

Table 4: Figure 3 explained.

Final Thoughts

In this article we only touched on a few of the PAM modules. I would strongly recommend visiting the PAM website [1] to read more about each module in depth, the modules that we covered in this article provide an extra layer of security to help defend against malicious users.

Reference

[1] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags: , ,
Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

Comment

RSS