Gaming Linux® From Scratch (System V Edition) - Version #8718

Chapter 4. Security

Linux-PAM-1.7.1

Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used by the local system administrator to control how application programs authenticate users.

Additional Downloads

Optional Documentation

Kernel Configuration

For the PAM module pam_loginuid.so (referred by the PAM configuration file system-session if elogind-255.17 is built later) to work, a kernel configuration parameter need to be set or the module will just do nothing: 

General setup --->
  [*] Auditing support                                                   [AUDIT]

Installation of Linux PAM

Compile and link Linux PAM by running the following commands: 

mkdir build &&
cd    build &&

meson setup ..        \
  --prefix=/usr       \
  --buildtype=release \
  -D docs=disabled &&

ninja
[Caution]

Reinstallation or Upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable.

You should also be aware that ninja install overwrites the configuration files in /etc/security as well as /etc/environment. If you have modified those files, be sure to back them up.

Now, as the root user: 

ninja install &&
chmod -v 4755 /usr/sbin/unix_chkpwd

Now remove an unneeded directory as the root user: 

rm -rf /usr/lib/systemd

If you downloaded the optional documentation, run the following command as the root user: 

tar -C / -xvf ../../Linux-PAM-1.7.1-docs.tar.xz

lib32 Installation of Linux PAM

Install lib32-Linux-PAM by running the following commands: 

rm -rf * &&
CC="gcc -m32" CXX="g++ -m32"           \
PKG_CONFIG_PATH="/usr/lib32/pkgconfig" \
meson setup ..                         \
  --prefix=/usr                        \
  --libdir=/usr/lib32                  \
  --buildtype=release                  \
  -D docs=disabled &&

ninja

Now, as the root user: 

DESTDIR=$PWD/DESTDIR ninja install    &&
cp -vR DESTDIR/usr/lib32/* /usr/lib32 &&
rm -rf DESTDIR                        &&
ldconfig

Command Explanations

[Note]

Note

Inspect meson_options.txt or meson.options for a full list of options.

-D docs=disabled: This options disables building documentation that requires Docbook XML and XSLT packages.

Configuring Linux-PAM

Configuration Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Here is a sample file: 

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

Now create some generic configuration files. As the root user: 

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF" &&
# Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session
EOF

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password  required    pam_unix.so       yescrypt shadow try_first_pass

# End /etc/pam.d/system-password
EOF

Next, add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application exists. 

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so

# End /etc/pam.d/other
EOF

The PAM man page (man pam) provides a good starting point to learn about the several fields, and allowable entries. The Linux-PAM System Administrators' Guide at /usr/share/doc/Linux-PAM-1.7.0/Linux-PAM_SAG.txt is recommended for additional information.

[Important]

Important

You should now reinstall the Shadow-4.18.0 package.

Contents

Installed Program: faillock, mkhomedir_helper, pam_namespace_helper, pam_timestamp_check, pwhistory_helper, unix_chkpwd and unix_update
Installed Libraries: libpam, libpamc, and libpam_misc
Installed Directories: /etc/security, /usr/lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.7.1

Short Descriptions

faillock

displays and modifies the authentication failure record files

mkhomedir_helper

is a helper binary that creates home directories

pam_namespace_helper

is a helper program used to configure a private namespace for a user session

pwhistory_helper

is a helper program that transfers password hashes from passwd or shadow to opasswd

pam_timestamp_check

is used to check if the default timestamp is valid

unix_chkpwd

is a helper binary that verifies the password of the current user

unix_update

is a helper binary that updates the password of a given user

libpam

provides the interfaces between applications and the PAM modules