29 - Linux authentication. PAM system

Linux is a multi-user environment and in order for the user to start working in the system he needs to go through an authentication procedure. PAM ( Pluggable Authentication Modules ) is a system (mechanism) that takes over the work of implementing authentication procedures. Before the advent of PAM , software developers who were somehow related to authentication had to adapt their program to existing authentication mechanisms. Accordingly, if the authentication mechanisms changed, then it was necessary to change the programs that used them. Therefore, the PAM system was developed, which is a “layer” between programs and authentication mechanisms. That is, now authentication programs (for example, the login program) should only be able to work with the PAM system. The program transfers the PAM parameters (for example, login and password) and its (program) is no longer “interested” in what method of authentication is implemented in the system - password or smart card authentication or another method. PAM works further and returns success or failure to the program.

Let's look at the PAM system in more detail. The main functions, or actions, or tasks that the PAM system performs - are divided into four groups that have certain names:

The auth group is an action directly related to authentication. That is, the actions or functions that allow you to determine that you are you. This can be password authentication, smart card authentication, biometric authentication (fingerprint, etc.) and others.

account group are actions related to account management. For example, even if you are authenticated in the system, your account can be banned from working at a certain time of day. Or allow to enter in the console mode, but forbid to enter in the graphic mode. Etc.

session group - the actions of this group allocate resources necessary for the user to work. The simplest example is permission to mount directories.

Password group - actions that implement changing user authentication data. Most often, this is a user password management action.

All these actions or procedures (functions) are implemented as separate modules that are located in the / lib / security / directory. That is to say, there are modules of the auth group, modules of the account group, etc. Accordingly, the PAM system is modular and if you need to implement biometric authentication, then you just need to install a module that can perform this procedure.

The main configuration file of the PAM system is the /etc/pam.conf file . In addition to the /etc/pam.conf file , the PAM settings are stored in the /etc/pam.d/ directory files. Inside the directory are text files that contain a sequence of actions (a certain algorithm) for programs that use PAM . For example, the /etc/pam.d/login file contains the PAM system algorithm for the login program, and the /etc/pam.d/passwd file for the passwd program.

Consider first the format of the /etc/pam.conf file . The file consists of lines. A file can consist of a single line, or it can consist of several lines in a chain of sequential actions. Each line describes one rule or one step of such a chain (algorithm). The string consists of four fields. The first field is the name of the program to which this step belongs. The second field is the type of action ( auth , account , session , password ). The third field is the field in which the behavior of the PAM system is set after the completion of this step at this step of the algorithm (we’ll discuss in more detail below this question). The fourth field is the file name of the module. Also in the line may be some parameters passed to the module.

The structure of files located in the /etc/pam.d/ directory is the same. The only difference is the absence of the first field - the name. Since the program name is taken from the name of the file itself. Let's look at an example of such a file. Let's call it testpam .

Consider the first line. The auth field says that the first step is authentication. The third field is the module that will perform the authentication and return the result of the execution. In this example, the pam_rootok.so module checks if the account is root . If yes, success will be returned (true), if not, an error or failure will be returned (false). The second field is the reaction or influence of the result obtained on the chain as a whole.

The response can be of four types: required , requisite , optional , sufficient . Using the example of the auth sufficient pam_rootok.so line, consider what these values ​​mean.

If the second field is set to requisite , this means that if the pam_rootok.so module has completed with an error, the further execution of the testpam file is interrupted and PAM returns an error to the application. If the module returns a positive result, the execution of the chain continues.

required is similar to requisite . If the pam_rootok.so module has completed with an error, PAM will also return an error, but after the remaining modules are executed, that is, the chain is not interrupted. If the module returns a positive result, the execution of the chain continues.

sufficient - if the pam_rootok.so module returns success, the PAM system returns success to the application, and further execution of the chain is interrupted. If it fails, the execution of the chain continues.

optional - this parameter does not affect the course of the chain. Indicated for those modules that do not perform any verification actions. If the file contains only lines with the optional parameter, then PAM will return success to the application.

More information about the PAM system and the purpose of a particular library can be found at http://kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html. Now let's do a little practical exercise that allows us to better understand how the PAM system works and how to compile configuration files.

Change directory to /etc/pam.d/ . Copy the su file to your home directory (so that you can restore it) and delete the file in su from the /etc/pam.d/ directory. Try to execute com at *** in the terminal now to switch to superuser mode. After entering the password, the system will generate an authentication error, as there is no configuration file for the su program.

Create the file /etc/pam.d/su and write the following line in it:

Save the file. We try again to execute com *** at su , and see that now we become the superuser without asking for a password. This happened because the pam_permit.so module always returns a positive result, sufficient immediately terminates the execution of the chain, and the PAM system returns a positive result. Edit the file to the following form:

The pam_deny.so module always returns an error. What will be the result? Check it out. And if you replace the required requisite ?
Now we will write the following rule in the file:

Now after the su command is executed, the root user password will be requested. If the password is entered correctly, then you will become root, if the password is incorrect, you will remain a regular user. Now add another line to the file so that the following rules are obtained:

The pam_wheel.so module returns success if the user account belongs to the wheel group. If you try to execute a com *** at su now , then it will immediately end with an error. That is, now the *** su team can only be executed by users who belong to the wheel group and know the root account password. If you create a wheel group and add your account there, then com *** and su will work.

Here is another example:

Try to answer who will be able to successfully execute com *** at su and what will you need to do for this?
This concludes the practical exercise (do not forget to replace the original su file).

I want to emphasize once again that configuration files in the /etc/pam.d/ directory can be created only for files that use the PAM system. For example, if you create the file /etc/pam.d/ls with the auth line requisite pam_deny.so , then the *** and ls will still be executed as it does not use the PAM system. To check if the *** is using a com and the PAM system, you can use a *** from ldd , which is given the full path to the command file as a parameter. For example:

Com *** and ldd will show which libraries the program uses and if libpam.so.0 is in the list, libpam_misc.so.0 means the program uses the PAM system.

Finally I want to mention another file like /etc/nsswitch.conf . The first three lines of this file define exactly what authentication system will work in the system:

The compat keyword just “says” that the PAM system will be used as the authentication system.

And further. Be careful about experimenting with PAM . Out of ignorance or carelessness, you can easily lock your system. Therefore, before changing anything, be sure to save the original configuration files so that in case of problems you can quickly restore them.