Hello once again everyone. In the section of the book for shadow, after installing PAM, there is a small problem I have noticed with the suggested pam.d/login. Here it is for reference:
> # Begin /etc/pam.d/login
>
> auth      requisite  pam_securetty.so
> auth      requisite  pam_nologin.so
> auth      required   pam_unix.so
> account   required   pam_access.so
> account   required   pam_unix.so
> session   required   pam_env.so
> session   required   pam_motd.so
> session   required   pam_limits.so
> session   optional   pam_mail.so dir=/var/mail standard
> session   optional   pam_lastlog.so
> session   required   pam_unix.so
> password  required   pam_cracklib.so retry=3 difok=8 minlen=5 \
>                                      dcredit=3 ocredit=3 \
>                                      ucredit=2 lcredit=2
> password  required   pam_unix.so md5 shadow use_authtok
>
> # End /etc/pam.d/login

The problem with this configuration is that it allows users to brute force for usernames at the login prompt. The breakdown is like this:

- user enters an incorrect name
- pam_securetty.so fails to validate the username, and returns incomplete. Since it is a requisite, login fails right here.

The way to make login behave as it did before installing PAM would be to make the following configuration:

> # Begin /etc/pam.d/login
>
> auth      requisite  pam_nologin.so
> auth      required   pam_securetty.so
> auth      required   pam_unix.so
> account   required   pam_access.so
> account   required   pam_unix.so
> session   required   pam_env.so
> session   required   pam_motd.so
> session   required   pam_limits.so
> session   optional   pam_mail.so dir=/var/mail standard
> session   optional   pam_lastlog.so
> session   required   pam_unix.so
> password  required   pam_cracklib.so retry=3 difok=8 minlen=5 \
>                                      dcredit=3 ocredit=3 \
>                                      ucredit=2 lcredit=2
> password  required   pam_unix.so md5 shadow use_authtok
>
> # End /etc/pam.d/login

This makes PAM take whatever you entered for a username and still ask for a password. Of course, if the account cannot be verified at the next stage of authentication then access is denied, but now nobody learns anything about the system.
Looking only at the auth portion of the configuration, it could also be arranged as such to get the same effect:

> auth  requisite   pam_nologin.so
> auth  required    pam_securetty.so
> auth  sufficient  pam_unix.so
> auth  required    pam_deny.so

This still makes authentication with pam_unix required, since pam_deny will fail if one sufficient has not been met. This leaves the configuration open to other authentication schemes being added in the future if the user chooses.

If others are in agreement with my first change I'll add a ticket. Not for a few hours though, since I'm stuck in lynx at this computer and don't feel like attempting to navigate the wiki like this... *laughs*

The second example is just what I've been using since it seems stable. I doubt that needs to be included in the book, although it does show off some of the abilities of pam_deny.

Jonathan

--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
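The control-flag behaviour the message relies on, as an added example that is not part of the original post: a small Python model of PAM's requisite/required/sufficient semantics, run over the book's auth stack, the proposed one and the pam_deny variant, reporting whether a password prompt was ever reached. The account database, the nologin flag and the module behaviour are constructed simplifications, not the real modules.

```python
# Added example (not from the post): a minimal model of the PAM auth-stack
# control flags, to show why moving pam_securetty off "requisite" matters.
# Module behaviour is simplified; the user database is constructed.

USERS = {"alice": "correct-horse"}   # constructed sample account
NOLOGIN_PRESENT = False              # stands in for /etc/nologin existing

def pam_nologin(ctx):
    return not NOLOGIN_PRESENT

def pam_securetty(ctx):
    # Simplified: the module cannot validate an unknown user and fails,
    # which is the behaviour the post describes.
    return ctx["user"] in USERS

def pam_unix(ctx):
    # Prompts for a password before checking it, whoever the user is.
    ctx["prompted"] = True
    return USERS.get(ctx["user"]) == ctx["password"]

def pam_deny(ctx):
    return False

def run_auth_stack(stack, user, password):
    """Evaluate (control, module) pairs with the standard PAM semantics.
    Returns (authenticated, password_was_prompted)."""
    ctx = {"user": user, "password": password, "prompted": False}
    required_failed = False
    for control, module in stack:
        ok = module(ctx)
        if control == "requisite" and not ok:
            return False, ctx["prompted"]       # stop right here
        if control == "required" and not ok:
            required_failed = True               # remember, keep going
        if control == "sufficient" and ok and not required_failed:
            return True, ctx["prompted"]        # short-circuit success
    return not required_failed, ctx["prompted"]

# The book's stack: pam_securetty is requisite and runs first.
BOOK_STACK = [("requisite", pam_securetty), ("requisite", pam_nologin),
              ("required", pam_unix)]
# The proposed stack: only pam_nologin stays requisite.
PROPOSED_STACK = [("requisite", pam_nologin), ("required", pam_securetty),
                  ("required", pam_unix)]
# The post's alternative: sufficient pam_unix backed by pam_deny.
DENY_STACK = [("requisite", pam_nologin), ("required", pam_securetty),
              ("sufficient", pam_unix), ("required", pam_deny)]
```

With the book's stack an unknown user is rejected before any password prompt, which is the signal an enumerator looks for; the other two stacks prompt regardless and deny afterwards.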
