PAM Library

From CBLFS
Jump to navigationJump to search
Download Source: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.3.tar.bz2
Required Patch: http://svn.cross-lfs.org/svn/repos/patches/Linux-PAM/Linux-PAM-1.1.3-pam_console-1.patch

Introduction to PAM Library

The PAM Library package contains Pluggable Authentication Modules. This is useful for enabling the local system administrator to choose how applications authenticate users.

RedHat develops a set of external modules for use with Linux-PAM. This includes the pam_console module which can be used by some programs such as HAL and gnome-volume-manager. The purpose of pam_console is to indicate which user is active at the console and take appropriate actions. It does this by listing active users in the /var/run/console directory and assigning one to the console.lock file.

Project Homepage: http://www.kernel.org/pub/linux/libs/pam/

Dependencies

Optional

Caution.png

Note

Autoconf-2.60 or greater is required to execute the following instructions. Build instructions for an acceptable version of Autoconf may be found in the development version of CLFS.

Non-Multilib

Configure and compile the package:

patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
./configure --libdir=/usr/lib --sbindir=/lib/security \
           --enable-securedir=/lib/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

make install &&
chmod -v 4755 /lib/security/unix_chkpwd &&
mv -v /lib/security/pam_tally /sbin &&
mv -v /usr/lib/libpam*.so.0* /lib &&
ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so &&
ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so &&
ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so

Multilib

32Bit

Configure and compile the package:

patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \
           --enable-securedir=/lib/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

make install &&
chmod -v 4755 /lib/security/unix_chkpwd &&
mv -v /lib/security/pam_tally /sbin &&
mv -v /usr/lib/libpam*.so.0* /lib &&
ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so &&
ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so &&
ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so

N32

Configure and compile the package:

patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \
           --enable-securedir=/lib32/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

make install &&
chmod -v 4755 /lib32/security/unix_chkpwd &&
mv -v /lib32/security/pam_tally /sbin &&
mv -v /usr/lib32/libpam*.so.0* /lib32 &&
ln -svf ../../lib32/libpam.so.0 /usr/lib32/libpam.so &&
ln -svf ../../lib32/libpamc.so.0 /usr/lib32/libpamc.so &&
ln -svf ../../lib32/libpam_misc.so.0 /usr/lib32/libpam_misc.so

64Bit

Configure and compile the package:

patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \
           --enable-securedir=/lib64/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

make install &&
chmod -v 4755 /lib64/security/unix_chkpwd &&
mv -v /lib64/security/pam_tally /sbin &&
mv -v /usr/lib64/libpam*.so.0* /lib64 &&
ln -svf ../../lib64/libpam.so.0 /usr/lib64/libpam.so &&
ln -svf ../../lib64/libpamc.so.0 /usr/lib64/libpamc.so &&
ln -svf ../../lib64/libpam_misc.so.0 /usr/lib64/libpam_misc.so

Configuring

Configuring pam_console

The altering of device permissions is unnecessary. In this case, only the console locking actions are needed. Replace one of the pam_console configuration files to achieve this.

cat > /etc/security/console.handlers << "EOF"
# Begin /etc/security/console.handlers
console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
EOF

/etc/securetty

cat > /etc/securetty << "EOF"
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
tty0
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
ttyp0
ttyp1
ttyp2
ttyp3
ttyp4
ttyp5
ttyp6
ttyp7
ttyp8
ttyp9
ttyp10
ttyp11
ttyp12
ttyS0
EOF

/etc/environment

We create a blank file here for pam_env.so, without this file an error will occur during bootup:

echo > /etc/environment

/etc/shells

Pam will only let users login if their shell appears in /etc/shells. Now would be a good time to create this file:

cat > /etc/shells << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF

/etc/pam.d

This is where all the pam service configuration happens

install -d /etc/pam.d

/etc/pam.d/system-auth

This is a common shared file for system authentication.

For systems with Cracklib

cat > /etc/pam.d/system-auth << "EOF"
#%PAM-1.0
#
# The PAM configuration file for system authentication
#

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
EOF

For systems without Cracklib

cat > /etc/pam.d/system-auth << "EOF"
#%PAM-1.0
#
# The PAM configuration file for system authentication
#

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   sufficient   pam_unix.so try_first_pass nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
EOF

pam_console support

If you built the pam_console module append system-auth with the following line:

cat >> /etc/pam.d/system-auth << "EOF"
session    optional     pam_console.so
EOF

/etc/pam.d/other

This is file explicitiy denies access to a program that is PAM aware.

cat > /etc/pam.d/other << "EOF"
#%PAM-1.0
#
# The PAM configuration file for other
#

auth       required     pam_deny.so
auth       required     pam_warn.so

account    required     pam_deny.so
account    required     pam_warn.so

password   required     pam_deny.so
password   required     pam_warn.so

session    required     pam_deny.so
session    required     pam_warn.so
EOF

/etc/pam.d/{halt poweroff reboot}

These are the files that control the system shutdown

for file in halt poweroff reboot; do
       cat > /etc/pam.d/$file << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for shutdown operations
#
auth       sufficient   pam_rootok.so
auth       required     pam_console.so

account    required     pam_permit.so
EOF
done

Contents

Note:
The files that come with pam_console need to be added to this list.
Installed Programs: pam_tally
Installed Libraries: libpam.{so,a}, libpamc.{so,a}, libpam_misc.{so,a}
Installed Directories: /etc/pam.d, /etc/security, /lib/security, /usr/include/security

Short Descriptions

pam_tally is used to view or manipulate the faillog file.
libpam.{so,a} provide the interfaces between applications and the PAM modules.