Difference between revisions of "PAM Library"

 
(10 intermediate revisions by 3 users not shown)
Line 20: Line 20:
 
* [[Prelude]]
 
* [[Prelude]]
 
* [[sgmltools-lite]]
 
* [[sgmltools-lite]]
 +
* [[SELinux]]
  
 
{{Note|Autoconf-2.60 or greater is required to execute the following instructions.  Build instructions for an acceptable version of Autoconf may be found in the development version of [http://cross-lfs.org/view/svn/ CLFS].}}
 
{{Note|Autoconf-2.60 or greater is required to execute the following instructions.  Build instructions for an acceptable version of Autoconf may be found in the development version of [http://cross-lfs.org/view/svn/ CLFS].}}
Line 28: Line 29:
  
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
  autoreconf -v &&
+
  autoreconf &&
 
  ./configure --libdir=/usr/lib --sbindir=/lib/security \
 
  ./configure --libdir=/usr/lib --sbindir=/lib/security \
 
             --enable-securedir=/lib/security \
 
             --enable-securedir=/lib/security \
Line 42: Line 43:
 
  mv -v /lib/security/pam_tally /sbin &&
 
  mv -v /lib/security/pam_tally /sbin &&
 
  mv -v /usr/lib/libpam*.so.0* /lib &&
 
  mv -v /usr/lib/libpam*.so.0* /lib &&
LIBNAME=$(cat libpam/libpam.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so &&
  ln -svf ../../lib/$LIBNAME /usr/lib/libpam.so &&
+
  ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so &&
LIBNAME=$(cat libpamc/libpamc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so
  ln -svf ../../lib/$LIBNAME /usr/lib/libpamc.so &&
 
LIBNAME=$(cat libpam_misc/libpam_misc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
 
  ln -svf ../../lib/$LIBNAME /usr/lib/libpam_misc.so
 
 
 
  
 
== Multilib ==
 
== Multilib ==
Line 57: Line 54:
  
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
  autoreconf -v &&
+
  autoreconf &&
 
  CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \
 
  CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \
 
             --enable-securedir=/lib/security \
 
             --enable-securedir=/lib/security \
Line 71: Line 68:
 
  mv -v /lib/security/pam_tally /sbin &&
 
  mv -v /lib/security/pam_tally /sbin &&
 
  mv -v /usr/lib/libpam*.so.0* /lib &&
 
  mv -v /usr/lib/libpam*.so.0* /lib &&
LIBNAME=$(cat libpam/libpam.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so &&
  ln -svf ../../lib/$LIBNAME /usr/lib/libpam.so &&
+
  ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so &&
LIBNAME=$(cat libpamc/libpamc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so
  ln -svf ../../lib/$LIBNAME /usr/lib/libpamc.so &&
 
LIBNAME=$(cat libpam_misc/libpam_misc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
 
  ln -svf ../../lib/$LIBNAME /usr/lib/libpam_misc.so
 
  
 
=== N32 ===
 
=== N32 ===
Line 83: Line 77:
  
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
  autoreconf -v &&
+
  autoreconf &&
 
  CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \
 
  CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \
 
             --enable-securedir=/lib32/security \
 
             --enable-securedir=/lib32/security \
Line 97: Line 91:
 
  mv -v /lib32/security/pam_tally /sbin &&
 
  mv -v /lib32/security/pam_tally /sbin &&
 
  mv -v /usr/lib32/libpam*.so.0* /lib32 &&
 
  mv -v /usr/lib32/libpam*.so.0* /lib32 &&
LIBNAME=$(cat libpam/libpam.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib32/libpam.so.0 /usr/lib32/libpam.so &&
  ln -svf ../../lib32/$LIBNAME /usr/lib32/libpam.so &&
+
  ln -svf ../../lib32/libpamc.so.0 /usr/lib32/libpamc.so &&
LIBNAME=$(cat libpamc/libpamc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib32/libpam_misc.so.0 /usr/lib32/libpam_misc.so
  ln -svf ../../lib32/$LIBNAME /usr/lib32/libpamc.so &&
 
LIBNAME=$(cat libpam_misc/libpam_misc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
 
  ln -svf ../../lib32/$LIBNAME /usr/lib32/libpam_misc.so
 
  
 
=== 64Bit ===
 
=== 64Bit ===
Line 109: Line 100:
  
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
 
  patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch &&
  autoreconf -v &&
+
  autoreconf &&
 
  CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \
 
  CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \
 
             --enable-securedir=/lib64/security \
 
             --enable-securedir=/lib64/security \
Line 123: Line 114:
 
  mv -v /lib64/security/pam_tally /sbin &&
 
  mv -v /lib64/security/pam_tally /sbin &&
 
  mv -v /usr/lib64/libpam*.so.0* /lib64 &&
 
  mv -v /usr/lib64/libpam*.so.0* /lib64 &&
LIBNAME=$(cat libpam/libpam.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib64/libpam.so.0 /usr/lib64/libpam.so &&
  ln -svf ../../lib64/$LIBNAME /usr/lib64/libpam.so &&
+
  ln -svf ../../lib64/libpamc.so.0 /usr/lib64/libpamc.so &&
LIBNAME=$(cat libpamc/libpamc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
  ln -svf ../../lib64/libpam_misc.so.0 /usr/lib64/libpam_misc.so
  ln -svf ../../lib64/$LIBNAME /usr/lib64/libpamc.so &&
+
 
LIBNAME=$(cat libpam_misc/libpam_misc.la | grep library_names | cut -f2 -d"'" | cut -f1 -d" ") &&
+
== Configuring ==
  ln -svf ../../lib64/$LIBNAME /usr/lib64/libpam_misc.so
 
  
== Configuring pam_console ==
+
=== Configuring pam_console ===
  
 
The altering of device permissions is unnecessary. In this case, only the console locking actions are needed. Replace one of the '''pam_console''' configuration files to achieve this.
 
The altering of device permissions is unnecessary. In this case, only the console locking actions are needed. Replace one of the '''pam_console''' configuration files to achieve this.
Line 138: Line 128:
 
  console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 
  console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 
  EOF
 
  EOF
 +
 +
=== /etc/securetty ===
 +
 +
cat > /etc/securetty << "EOF"
 +
# /etc/securetty: list of terminals on which root is allowed to login.
 +
# See securetty(5) and login(1).
 +
console
 +
tty0
 +
tty1
 +
tty2
 +
tty3
 +
tty4
 +
tty5
 +
tty6
 +
tty7
 +
tty8
 +
tty9
 +
tty10
 +
tty11
 +
tty12
 +
ttyp0
 +
ttyp1
 +
ttyp2
 +
ttyp3
 +
ttyp4
 +
ttyp5
 +
ttyp6
 +
ttyp7
 +
ttyp8
 +
ttyp9
 +
ttyp10
 +
ttyp11
 +
ttyp12
 +
ttyS0
 +
EOF
 +
 +
=== /etc/environment ===
 +
 +
We create a blank file here for pam_env.so, without this file an error will occur during bootup:
 +
 +
echo > /etc/environment
 +
 +
=== /etc/shells ===
 +
 +
Pam will only let users login if their shell appears in /etc/shells. Now would be a good time to create this file:
 +
 +
cat > /etc/shells << "EOF"
 +
# Begin /etc/shells
 +
 +
/bin/sh
 +
/bin/bash
 +
 +
# End /etc/shells
 +
EOF
 +
 +
=== /etc/pam.d ===
 +
 +
This is where all the pam service configuration happens
 +
 +
install -d /etc/pam.d
 +
 +
=== /etc/pam.d/system-auth ===
 +
 +
This is a common shared file for system authentication.
 +
 +
==== For systems with Cracklib ====
 +
cat > /etc/pam.d/system-auth << "EOF"
 +
#%PAM-1.0
 +
#
 +
# The PAM configuration file for system authentication
 +
#
 +
 +
auth      required    pam_env.so
 +
auth      sufficient  pam_unix.so try_first_pass nullok
 +
auth      required    pam_deny.so
 +
 +
account    required    pam_unix.so
 +
 +
password  required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 +
password  sufficient  pam_unix.so try_first_pass use_authtok nullok md5 shadow
 +
password  required    pam_deny.so
 +
 +
session    required    pam_limits.so
 +
session    required    pam_unix.so
 +
EOF
 +
 +
==== For systems without Cracklib ====
 +
cat > /etc/pam.d/system-auth << "EOF"
 +
#%PAM-1.0
 +
#
 +
# The PAM configuration file for system authentication
 +
#
 +
 +
auth      required    pam_env.so
 +
auth      sufficient  pam_unix.so try_first_pass nullok
 +
auth      required    pam_deny.so
 +
 +
account    required    pam_unix.so
 +
 +
password  sufficient  pam_unix.so try_first_pass nullok md5 shadow
 +
password  required    pam_deny.so
 +
 +
session    required    pam_limits.so
 +
session    required    pam_unix.so
 +
EOF
 +
 +
=== pam_console support ===
 +
If you built the '''pam_console''' module append system-auth with the following line:
 +
 +
cat >> /etc/pam.d/system-auth << "EOF"
 +
session    optional    pam_console.so
 +
EOF
 +
 +
==== /etc/pam.d/other ====
 +
 +
This is file explicitiy denies access to a program that is PAM aware.
 +
 +
cat > /etc/pam.d/other << "EOF"
 +
#%PAM-1.0
 +
#
 +
# The PAM configuration file for other
 +
#
 +
 +
auth      required    pam_deny.so
 +
auth      required    pam_warn.so
 +
 +
account    required    pam_deny.so
 +
account    required    pam_warn.so
 +
 +
password  required    pam_deny.so
 +
password  required    pam_warn.so
 +
 +
session    required    pam_deny.so
 +
session    required    pam_warn.so
 +
EOF
 +
 +
==== /etc/pam.d/{halt poweroff reboot} ====
 +
 +
These are the files that control the system shutdown
 +
 +
for file in halt poweroff reboot; do
 +
        cat > /etc/pam.d/$file << "EOF"
 +
#%PAM-1.0
 +
#
 +
# The common PAM configuration file for shutdown operations
 +
#
 +
auth      sufficient  pam_rootok.so
 +
auth      required    pam_console.so
 +
 +
account    required    pam_permit.so
 +
EOF
 +
done
  
 
= Contents =
 
= Contents =
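Review bot: The two system-auth stacks added in this revision hash new passwords with MD5 crypt (`password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow`, and the same line in the no-cracklib variant); pam_unix in this Linux-PAM release also accepts `sha512`, which is what a newly built system should use. Replacing `md5` with `sha512` on both lines is enough, assuming the C library's crypt() supports SHA-512 hashes. The `nullok` on the auth and password lines permits login to any account whose password field is empty, which is convenient before `passwd` has been run on a fresh build but deserves a warning next to the file. Separately, the new /etc/securetty lists the legacy BSD pseudo-terminals ttyp0-ttyp12, which permits direct root login over such sessions if pam_securetty is in use; whether it is depends on the login configuration, which is not on this page.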

Latest revision as of 19:29, 26 January 2011

Download Source: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.3.tar.bz2
Required Patch: http://svn.cross-lfs.org/svn/repos/patches/Linux-PAM/Linux-PAM-1.1.3-pam_console-1.patch

Introduction to PAM Library

The PAM Library package contains Pluggable Authentication Modules. This is useful for enabling the local system administrator to choose how applications authenticate users.

RedHat develops a set of external modules for use with Linux-PAM. This includes the pam_console module which can be used by some programs such as HAL and gnome-volume-manager. The purpose of pam_console is to indicate which user is active at the console and take appropriate actions. It does this by listing active users in the /var/run/console directory and assigning one to the console.lock file.

Project Homepage: http://www.kernel.org/pub/linux/libs/pam/

Dependencies

Optional

Caution.png

Note

Autoconf-2.60 or greater is required to execute the following instructions. Build instructions for an acceptable version of Autoconf may be found in the development version of CLFS.

Non-Multilib

Configure and compile the package:

# Apply the CLFS pam_console patch (the "Required Patch" listed above) and
# regenerate the build system; per the note above this needs Autoconf >= 2.60.
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
# --sbindir and --enable-securedir put unix_chkpwd, pam_tally and the modules
# under /lib/security (the install step also moves libpam itself to /lib,
# presumably so PAM is usable before /usr is mounted).
# --enable-read-both-confs makes libpam read /etc/pam.d/ as well as
# /etc/pam.conf.
./configure --libdir=/usr/lib --sbindir=/lib/security \
           --enable-securedir=/lib/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

# Install, then move the runtime pieces (pam_tally, the shared libraries)
# out of /usr; the /usr/lib .so links point back at the copies in /lib so
# that linking against -lpam still works.
make install &&
# unix_chkpwd checks passwords on behalf of unprivileged callers and must
# read /etc/shadow to do so, hence setuid root.
chmod -v 4755 /lib/security/unix_chkpwd &&
mv -v /lib/security/pam_tally /sbin &&
mv -v /usr/lib/libpam*.so.0* /lib &&
for lib in libpam libpamc libpam_misc; do
  ln -svf ../../lib/$lib.so.0 /usr/lib/$lib.so || break
done

Multilib

32Bit

Configure and compile the package:

# 32-bit build: same recipe as the non-multilib case, with CC carrying the
# 32-bit flags from CLFS's multilib environment (${BUILD32}).
# Apply the CLFS pam_console patch and regenerate the build system
# (Autoconf >= 2.60, see the note above).
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
# Modules and helpers go under /lib/security; both /etc/pam.conf and
# /etc/pam.d/ are read.
CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \
           --enable-securedir=/lib/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

# Install, then move the runtime pieces (pam_tally, the shared libraries)
# out of /usr; the /usr/lib .so links point back at the copies in /lib.
make install &&
# unix_chkpwd must read /etc/shadow on behalf of unprivileged callers,
# hence setuid root.
chmod -v 4755 /lib/security/unix_chkpwd &&
mv -v /lib/security/pam_tally /sbin &&
mv -v /usr/lib/libpam*.so.0* /lib &&
for lib in libpam libpamc libpam_misc; do
  ln -svf ../../lib/$lib.so.0 /usr/lib/$lib.so || break
done

N32

Configure and compile the package:

# N32 build: CC carries the N32 ABI flags from CLFS's multilib environment
# (${BUILDN32}) and everything is installed under the lib32 directories.
# Apply the CLFS pam_console patch and regenerate the build system
# (Autoconf >= 2.60, see the note above).
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
# Modules and helpers go under /lib32/security; both /etc/pam.conf and
# /etc/pam.d/ are read.
CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \
           --enable-securedir=/lib32/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

# Install, then move the runtime pieces (pam_tally, the shared libraries)
# out of /usr; the /usr/lib32 .so links point back at the copies in /lib32.
make install &&
# unix_chkpwd must read /etc/shadow on behalf of unprivileged callers,
# hence setuid root.
chmod -v 4755 /lib32/security/unix_chkpwd &&
mv -v /lib32/security/pam_tally /sbin &&
mv -v /usr/lib32/libpam*.so.0* /lib32 &&
for lib in libpam libpamc libpam_misc; do
  ln -svf ../../lib32/$lib.so.0 /usr/lib32/$lib.so || break
done

64Bit

Configure and compile the package:

# 64-bit build: CC carries the 64-bit flags from CLFS's multilib environment
# (${BUILD64}) and everything is installed under the lib64 directories.
# Apply the CLFS pam_console patch and regenerate the build system
# (Autoconf >= 2.60, see the note above).
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch &&
autoreconf &&
# Modules and helpers go under /lib64/security; both /etc/pam.conf and
# /etc/pam.d/ are read.
CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \
           --enable-securedir=/lib64/security \
           --docdir=/usr/share/doc/Linux-PAM-1.1.3 \
           --enable-shared \
           --enable-read-both-confs &&
make

Install the package:

# Install, then move the runtime pieces (pam_tally, the shared libraries)
# out of /usr; the /usr/lib64 .so links point back at the copies in /lib64.
make install &&
# unix_chkpwd must read /etc/shadow on behalf of unprivileged callers,
# hence setuid root.
chmod -v 4755 /lib64/security/unix_chkpwd &&
mv -v /lib64/security/pam_tally /sbin &&
mv -v /usr/lib64/libpam*.so.0* /lib64 &&
for lib in libpam libpamc libpam_misc; do
  ln -svf ../../lib64/$lib.so.0 /usr/lib64/$lib.so || break
done

Configuring

Configuring pam_console

Changing device permissions through pam_console is not needed here; only its console-locking behaviour is wanted. Overwriting one of the pam_console configuration files, as below, restricts it to that.

# Restrict pam_console to console locking only: this overwrites the handler
# file shipped with the module so that no device permissions are changed
# (see the paragraph above). The delimiter is quoted, so the backslash in
# the pattern is written to the file literally.
cat > /etc/security/console.handlers << "EOF"
# Begin /etc/security/console.handlers
console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
EOF

/etc/securetty

# /etc/securetty lists the terminals on which root may log in directly. It is
# enforced by pam_securetty (or by a login built without PAM), neither of
# which is configured on this page -- check the login service's stack.
# NOTE(review): ttyp0-ttyp12 are legacy BSD pseudo-terminal slaves,
# historically used by telnet/rlogin-style network logins; listing them
# permits direct root login over such sessions. Remove them unless that is
# intended. ttyS0 likewise allows root login on the first serial port.
cat > /etc/securetty << "EOF"
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
tty0
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
ttyp0
ttyp1
ttyp2
ttyp3
ttyp4
ttyp5
ttyp6
ttyp7
ttyp8
ttyp9
ttyp10
ttyp11
ttyp12
ttyS0
EOF

/etc/environment

Create an empty file for pam_env.so; without it, an error is reported during boot:

# pam_env.so reads /etc/environment; create it so boot does not report an
# error. printf '\n' writes the same single newline the original echo did.
printf '\n' > /etc/environment

/etc/shells

Programs such as chsh(1), and the pam_shells module, only accept a login shell that is listed in /etc/shells. Now is a good time to create this file:

# Valid login shells. chsh(1) and pam_shells consult this file; keep it in
# step with the shells actually installed (only sh and bash are listed here).
cat > /etc/shells << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF

/etc/pam.d

This directory holds the per-service PAM configuration: each PAM-aware program reads the file named after its service here.

# Per-service PAM configuration lives here. install -d creates the directory
# (and any missing parents); 755 is the mode install uses by default, spelled
# out so it does not depend on the umask.
install -d -m 755 /etc/pam.d

/etc/pam.d/system-auth

This is a common shared file for system authentication.

For systems with Cracklib

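# Shared authentication stack that the per-service files include.
# NOTE(review): 'nullok' on the auth and password lines lets an account whose
# password field is empty log in with no password. That avoids locking
# yourself out of a freshly built system before 'passwd' has been run, but
# remove it once every account has a password.
# New passwords are hashed with sha512 rather than the md5 crypt of the
# original recipe; pam_unix in this Linux-PAM release accepts it. This
# assumes the C library's crypt() supports SHA-512 hashes -- confirm for
# the target system.
# pam_cracklib enforces the password-quality rules; 'use_authtok' makes
# pam_unix store the password cracklib has already checked rather than
# prompting again.
cat > /etc/pam.d/system-auth << "EOF"
#%PAM-1.0
#
# The PAM configuration file for system authentication
#

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
EOF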

For systems without Cracklib

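# Shared authentication stack that the per-service files include (no
# password-quality checking, since cracklib is not installed).
# NOTE(review): 'nullok' on the auth and password lines lets an account whose
# password field is empty log in with no password. That avoids locking
# yourself out of a freshly built system before 'passwd' has been run, but
# remove it once every account has a password.
# New passwords are hashed with sha512 rather than the md5 crypt of the
# original recipe; pam_unix in this Linux-PAM release accepts it. This
# assumes the C library's crypt() supports SHA-512 hashes -- confirm for
# the target system.
cat > /etc/pam.d/system-auth << "EOF"
#%PAM-1.0
#
# The PAM configuration file for system authentication
#

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   sufficient   pam_unix.so try_first_pass nullok sha512 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
EOF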

pam_console support

If you built the pam_console module, append the following line to system-auth:

# Append a session entry so pam_console records the console owner at login.
# It is 'optional', so a pam_console failure never blocks the session.
# The line is written byte-for-byte as in the original heredoc.
printf '%s\n' 'session    optional     pam_console.so' >> /etc/pam.d/system-auth

/etc/pam.d/other

This file explicitly denies access for any PAM-aware program that has no configuration file of its own, and logs the attempt.

# Fallback stack for any PAM-aware service without its own /etc/pam.d file:
# deny everything and log the attempt. Both entries are 'required' (not
# 'requisite'), so pam_warn still runs -- and logs -- after pam_deny has
# already failed the stack.
cat > /etc/pam.d/other << "EOF"
#%PAM-1.0
#
# The PAM configuration file for other
#

auth       required     pam_deny.so
auth       required     pam_warn.so

account    required     pam_deny.so
account    required     pam_warn.so

password   required     pam_deny.so
password   required     pam_warn.so

session    required     pam_deny.so
session    required     pam_warn.so
EOF

/etc/pam.d/{halt poweroff reboot}

These files control who may halt, power off or reboot the system: root always can (pam_rootok), and otherwise only the user pam_console regards as owning the console.

# Identical stacks for halt, poweroff and reboot: root passes via pam_rootok;
# anyone else must be the user pam_console currently regards as owning the
# console. 'account required pam_permit.so' then accepts the account.
# NOTE(review): pam_console.so is 'required' here, so if the pam_console
# module was not built, non-root users will fail authentication for these
# commands (root still passes on pam_rootok, which is 'sufficient').
for file in halt poweroff reboot; do
       cat > /etc/pam.d/$file << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for shutdown operations
#
auth       sufficient   pam_rootok.so
auth       required     pam_console.so

account    required     pam_permit.so
EOF
done

Contents

Note:
The files that come with pam_console need to be added to this list.
Installed Programs: pam_tally
Installed Libraries: libpam.{so,a}, libpamc.{so,a}, libpam_misc.{so,a}
Installed Directories: /etc/pam.d, /etc/security, /lib/security, /usr/include/security

Short Descriptions

pam_tally is used to view or manipulate the faillog file.
libpam.{so,a} provide the interfaces between applications and the PAM modules.