Installation of Linux PAM
If you downloaded the documentation, unpack the tarball by issuing the following command:

tar -xf ../Linux-PAM-1.5.2-docs.tar.xz --strip-components=1
If you instead want to regenerate the documentation, fix the configure script so that it detects lynx if installed:

sed -e 's/dummy elinks/dummy lynx/' \
    -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
    -i configure
Install Linux PAM by running the following commands:

./configure --prefix=/usr \
            --sbindir=/usr/sbin \
            --sysconfdir=/etc \
            --libdir=/usr/lib \
            --enable-securedir=/usr/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-1.5.2 &&
make
To test the results, a suitable /etc/pam.d/other configuration file must exist.
Reinstallation or upgrade of Linux PAM
If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The installed one can be used for that purpose.

You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. In case you have modified those files, be sure to back them up.
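The following POSIX shell functions are an added example, not part of the BLFS page or of Linux-PAM itself. They archive the locations named above (/etc/security, /etc/environment and, for completeness, /etc/pam.d) before make install, and afterwards report which of the archived files were overwritten or removed. The ROOT argument, the function names and the archive name are assumptions made for this example so that it can be exercised against a scratch tree; on a live system ROOT is /.

```shell
#!/bin/sh
# Added example (not from the BLFS page): snapshot the PAM-related
# configuration before "make install" and detect what the install changed.

# pam_config_backup ROOT ARCHIVE
#   Archive ROOT/etc/security, ROOT/etc/environment and ROOT/etc/pam.d
#   (whichever exist) into ARCHIVE, storing paths relative to ROOT, and
#   print the archive path.  Return 1 when none of the paths exist.
pam_config_backup() {
    root=$1; archive=$2
    members=""
    for rel in etc/security etc/environment etc/pam.d; do
        [ -e "$root/$rel" ] && members="$members $rel"
    done
    [ -n "$members" ] || { echo "nothing to back up under $root" >&2; return 1; }
    # $members is an intentionally unquoted, space-separated list of members
    tar -cf "$archive" -C "$root" $members && echo "$archive"
}

# pam_config_changed ROOT ARCHIVE
#   Compare every regular file stored in ARCHIVE with the live copy under
#   ROOT.  Print "changed PATH" or "missing PATH" for each difference and
#   return 0 only when nothing differs (2 on extraction failure).
#   Paths are split on whitespace, which is fine for the files under /etc.
pam_config_changed() {
    root=$1; archive=$2
    tmp=$(mktemp -d) || return 2
    tar -xf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    rc=0
    for f in $(cd "$tmp" && find . -type f | sed 's|^\./||'); do
        if [ ! -e "$root/$f" ]; then
            echo "missing $f"; rc=1
        elif ! cmp -s "$tmp/$f" "$root/$f"; then
            echo "changed $f"; rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```

Typical use as the root user is pam_config_backup / /root/pam-before-install.tar before running make install, then pam_config_changed / /root/pam-before-install.tar afterwards; every "changed" line is a file whose local edits now need to be merged back from the archive.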
For a first installation, create the configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&
cat > /etc/pam.d/other << "EOF"
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
EOF
Now run the tests by issuing make check. Ensure there are no errors produced by the tests before continuing the installation. Note that the checks are quite long. It may be useful to redirect the output to a log file in order to inspect it thoroughly.
Only in case of a first installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -fv /etc/pam.d/other
Now, as the root user:

make install &&
chmod -v 4755 /usr/sbin/unix_chkpwd
Command Explanations
--enable-securedir=/usr/lib/security: This switch sets the installation location for the PAM modules.

--disable-regenerate-docu: If the needed dependencies (docbook-xml-4.5, docbook-xsl-nons-1.79.2, libxslt-1.1.36, and Lynx-2.8.9rel.1 or W3m) are installed, the manual pages and the HTML and text documentation are (re)generated and installed. Furthermore, if fop-2.7 is installed, the PDF documentation is generated and installed. Use this switch if you do not want to rebuild the documentation.

chmod -v 4755 /usr/sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid root so that non-root processes can have passwords verified against the shadow file, which they cannot read directly.
Configuring Linux-PAM
Config Files
/etc/security/* and /etc/pam.d/*

Configuration Information
Configuration information is placed in /etc/pam.d/. Below is an example file:

# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
Now set up some generic files. As the root user:

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account
account required pam_unix.so
# End /etc/pam.d/system-account
EOF
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth
EOF
cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session
session required pam_unix.so
# End /etc/pam.d/system-session
EOF
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password required pam_unix.so sha512 shadow try_first_pass
# End /etc/pam.d/system-password
EOF
If you wish to enable strong password support, install libpwquality-1.4.4 and follow the instructions on that page to configure the pam_pwquality PAM module with strong password support.

Now add a restrictive /etc/pam.d/other configuration file. With this file, PAM-aware programs will not run unless a configuration file specifically for that application is created; pam_warn.so logs each attempt that falls through to this file, and pam_deny.so then refuses it.

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
# End /etc/pam.d/other
EOF
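As an added example, not code from the BLFS page or the Linux-PAM project, the following POSIX shell script checks three points made on this page: that the fallback file /etc/pam.d/other just created denies every management group (auth, account, password, session), that no service file under /etc/pam.d carries the nullok argument shown in the earlier example (which lets accounts with an empty password field authenticate), and that unix_chkpwd has exactly the mode 4755 set in the installation step and the expected owner. The function names and the PAM_AUDIT_LIVE variable are assumptions made for this example. Bracketed control values such as [success=1 default=ignore] are not used on this page and are treated as their first token, which is a simplification.

```shell
#!/bin/sh
# Added example (not from the BLFS page): audit a Linux-PAM installation.

# pam_entries FILE: print "type control module" for each entry, dropping
# comments and the optional leading "-" that marks a module as optional.
pam_entries() {
    awk '
        { sub(/#.*/, "") }
        NF < 3 { next }
        { t = $1; sub(/^-/, "", t); print t, $2, $3 }
    ' "$1"
}

# pam_other_denies_all FILE: return 0 when each of auth, account, password
# and session has a required/requisite pam_deny.so entry; otherwise print
# the groups that are not denied and return 1.
pam_other_denies_all() {
    missing=""
    for group in auth account password session; do
        pam_entries "$1" | awk -v g="$group" '
            $1 == g && ($2 == "required" || $2 == "requisite") && $3 == "pam_deny.so" { found = 1 }
            END { exit (found ? 0 : 1) }' || missing="$missing $group"
    done
    [ -z "$missing" ] || { echo "not denied:$missing"; return 1; }
}

# pam_find_nullok DIR: print "file type module" for every nullok or
# nullok_secure argument in the service files under DIR; return 0 if none.
pam_find_nullok() {
    hits=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            { sub(/#.*/, "") }
            NF >= 4 {
                for (i = 4; i <= NF; i++)
                    if ($i == "nullok" || $i == "nullok_secure") { print f, $1, $3; hit = 1 }
            }
            END { exit (hit ? 1 : 0) }' "$f" || hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# pam_helper_mode_ok PATH [OWNER]: return 0 when PATH is a regular file whose
# permission string is exactly -rwsr-xr-x (mode 4755) and whose owner is
# OWNER (default root).  Only the first ten characters of the mode field are
# compared so an ACL or security-label marker ("+" or ".") does not matter.
pam_helper_mode_ok() {
    want=${2:-root}
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$line" | awk '{ print substr($1, 1, 10) }')
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$perms" = "-rwsr-xr-x" ] && [ "$owner" = "$want" ]
}

# Audit the live system only when explicitly requested, e.g.
#   PAM_AUDIT_LIVE=1 sh pam-audit.sh
if [ "${PAM_AUDIT_LIVE:-0}" = 1 ]; then
    pam_other_denies_all /etc/pam.d/other && echo "other: denies all groups"
    pam_find_nullok /etc/pam.d && echo "pam.d: no nullok"
    pam_helper_mode_ok /usr/sbin/unix_chkpwd && echo "unix_chkpwd: mode 4755, owner root"
fi
```

Each function prints only the findings and returns non-zero when something is off, so the script can be dropped into a periodic check: a non-empty "not denied:" line means an application without its own service file would no longer be refused, and a nullok hit names the file and management group that should be reviewed.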
The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.