Difference between revisions of "PAM Library"
(13 intermediate revisions by 4 users not shown) | |||
Line 2: | Line 2: | ||
|-valign="top" | |-valign="top" | ||
!Download Source: | !Download Source: | ||
− | | ftp://ftp.kernel.org/pub/linux/libs/pam | + | | ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-{{PAM_Library-Version}}.tar.bz2 |
|-valign="top" | |-valign="top" | ||
!Required Patch: | !Required Patch: | ||
− | | http://svn.cross-lfs.org/svn/repos/patches/Linux-PAM/Linux-PAM- | + | | http://svn.cross-lfs.org/svn/repos/patches/Linux-PAM/Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch |
|} | |} | ||
Line 20: | Line 20: | ||
* [[Prelude]] | * [[Prelude]] | ||
* [[sgmltools-lite]] | * [[sgmltools-lite]] | ||
+ | * [[SELinux]] | ||
{{Note|Autoconf-2.60 or greater is required to execute the following instructions. Build instructions for an acceptable version of Autoconf may be found in the development version of [http://cross-lfs.org/view/svn/ CLFS].}} | {{Note|Autoconf-2.60 or greater is required to execute the following instructions. Build instructions for an acceptable version of Autoconf may be found in the development version of [http://cross-lfs.org/view/svn/ CLFS].}} | ||
Line 28: | Line 29: | ||
patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | ||
− | autoreconf | + | autoreconf && |
./configure --libdir=/usr/lib --sbindir=/lib/security \ | ./configure --libdir=/usr/lib --sbindir=/lib/security \ | ||
--enable-securedir=/lib/security \ | --enable-securedir=/lib/security \ | ||
− | - | + | --docdir=/usr/share/doc/Linux-PAM-{{PAM_Library-Version}} \ |
+ | --enable-shared \ | ||
--enable-read-both-confs && | --enable-read-both-confs && | ||
make | make | ||
Line 41: | Line 43: | ||
mv -v /lib/security/pam_tally /sbin && | mv -v /lib/security/pam_tally /sbin && | ||
mv -v /usr/lib/libpam*.so.0* /lib && | mv -v /usr/lib/libpam*.so.0* /lib && | ||
− | + | ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so && | |
− | ln - | + | ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so && |
− | + | ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so | |
− | ln - | ||
− | |||
− | ln - | ||
− | |||
== Multilib == | == Multilib == | ||
Line 56: | Line 54: | ||
patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | ||
− | autoreconf | + | autoreconf && |
CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \ | CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \ | ||
--enable-securedir=/lib/security \ | --enable-securedir=/lib/security \ | ||
− | - | + | --docdir=/usr/share/doc/Linux-PAM-{{PAM_Library-Version}} \ |
+ | --enable-shared \ | ||
--enable-read-both-confs && | --enable-read-both-confs && | ||
make | make | ||
Line 69: | Line 68: | ||
mv -v /lib/security/pam_tally /sbin && | mv -v /lib/security/pam_tally /sbin && | ||
mv -v /usr/lib/libpam*.so.0* /lib && | mv -v /usr/lib/libpam*.so.0* /lib && | ||
− | + | ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so && | |
− | ln - | + | ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so && |
− | + | ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so | |
− | ln - | ||
− | |||
− | ln - | ||
=== N32 === | === N32 === | ||
Line 81: | Line 77: | ||
patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | ||
− | autoreconf | + | autoreconf && |
CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \ | CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \ | ||
--enable-securedir=/lib32/security \ | --enable-securedir=/lib32/security \ | ||
− | - | + | --docdir=/usr/share/doc/Linux-PAM-{{PAM_Library-Version}} \ |
+ | --enable-shared \ | ||
--enable-read-both-confs && | --enable-read-both-confs && | ||
make | make | ||
Line 94: | Line 91: | ||
mv -v /lib32/security/pam_tally /sbin && | mv -v /lib32/security/pam_tally /sbin && | ||
mv -v /usr/lib32/libpam*.so.0* /lib32 && | mv -v /usr/lib32/libpam*.so.0* /lib32 && | ||
− | + | ln -svf ../../lib32/libpam.so.0 /usr/lib32/libpam.so && | |
− | ln - | + | ln -svf ../../lib32/libpamc.so.0 /usr/lib32/libpamc.so && |
− | + | ln -svf ../../lib32/libpam_misc.so.0 /usr/lib32/libpam_misc.so | |
− | ln - | ||
− | |||
− | ln - | ||
=== 64Bit === | === 64Bit === | ||
Line 106: | Line 100: | ||
patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | patch -Np1 -i ../Linux-PAM-{{PAM_Library-Version}}-pam_console-1.patch && | ||
− | autoreconf | + | autoreconf && |
CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \ | CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \ | ||
--enable-securedir=/lib64/security \ | --enable-securedir=/lib64/security \ | ||
− | - | + | --docdir=/usr/share/doc/Linux-PAM-{{PAM_Library-Version}} \ |
+ | --enable-shared \ | ||
--enable-read-both-confs && | --enable-read-both-confs && | ||
make | make | ||
Line 119: | Line 114: | ||
mv -v /lib64/security/pam_tally /sbin && | mv -v /lib64/security/pam_tally /sbin && | ||
mv -v /usr/lib64/libpam*.so.0* /lib64 && | mv -v /usr/lib64/libpam*.so.0* /lib64 && | ||
− | + | ln -svf ../../lib64/libpam.so.0 /usr/lib64/libpam.so && | |
− | ln - | + | ln -svf ../../lib64/libpamc.so.0 /usr/lib64/libpamc.so && |
− | + | ln -svf ../../lib64/libpam_misc.so.0 /usr/lib64/libpam_misc.so | |
− | ln - | + | |
− | + | == Configuring == | |
− | ln - | ||
− | == Configuring pam_console == | + | === Configuring pam_console === |
The altering of device permissions is unnecessary. In this case, only the console locking actions are needed. Replace one of the '''pam_console''' configuration files to achieve this. | The altering of device permissions is unnecessary. In this case, only the console locking actions are needed. Replace one of the '''pam_console''' configuration files to achieve this. | ||
Line 134: | Line 128: | ||
console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] | console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] | ||
EOF | EOF | ||
+ | |||
+ | === /etc/securetty === | ||
+ | |||
+ | cat > /etc/securetty << "EOF" | ||
+ | # /etc/securetty: list of terminals on which root is allowed to login. | ||
+ | # See securetty(5) and login(1). | ||
+ | console | ||
+ | tty0 | ||
+ | tty1 | ||
+ | tty2 | ||
+ | tty3 | ||
+ | tty4 | ||
+ | tty5 | ||
+ | tty6 | ||
+ | tty7 | ||
+ | tty8 | ||
+ | tty9 | ||
+ | tty10 | ||
+ | tty11 | ||
+ | tty12 | ||
+ | ttyp0 | ||
+ | ttyp1 | ||
+ | ttyp2 | ||
+ | ttyp3 | ||
+ | ttyp4 | ||
+ | ttyp5 | ||
+ | ttyp6 | ||
+ | ttyp7 | ||
+ | ttyp8 | ||
+ | ttyp9 | ||
+ | ttyp10 | ||
+ | ttyp11 | ||
+ | ttyp12 | ||
+ | ttyS0 | ||
+ | EOF | ||
+ | |||
+ | === /etc/environment === | ||
+ | |||
+ | We create a blank file here for pam_env.so, without this file an error will occur during bootup: | ||
+ | |||
+ | echo > /etc/environment | ||
+ | |||
+ | === /etc/shells === | ||
+ | |||
+ | Pam will only let users login if their shell appears in /etc/shells. Now would be a good time to create this file: | ||
+ | |||
+ | cat > /etc/shells << "EOF" | ||
+ | # Begin /etc/shells | ||
+ | |||
+ | /bin/sh | ||
+ | /bin/bash | ||
+ | |||
+ | # End /etc/shells | ||
+ | EOF | ||
+ | |||
+ | === /etc/pam.d === | ||
+ | |||
+ | This is where all the pam service configuration happens | ||
+ | |||
+ | install -d /etc/pam.d | ||
+ | |||
+ | === /etc/pam.d/system-auth === | ||
+ | |||
+ | This is a common shared file for system authentication. | ||
+ | |||
+ | ==== For systems with Cracklib ==== | ||
+ | cat > /etc/pam.d/system-auth << "EOF" | ||
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The PAM configuration file for system authentication | ||
+ | # | ||
+ | |||
+ | auth required pam_env.so | ||
+ | auth sufficient pam_unix.so try_first_pass nullok | ||
+ | auth required pam_deny.so | ||
+ | |||
+ | account required pam_unix.so | ||
+ | |||
+ | password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 | ||
+ | password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow | ||
+ | password required pam_deny.so | ||
+ | |||
+ | session required pam_limits.so | ||
+ | session required pam_unix.so | ||
+ | EOF | ||
+ | |||
+ | ==== For systems without Cracklib ==== | ||
+ | cat > /etc/pam.d/system-auth << "EOF" | ||
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The PAM configuration file for system authentication | ||
+ | # | ||
+ | |||
+ | auth required pam_env.so | ||
+ | auth sufficient pam_unix.so try_first_pass nullok | ||
+ | auth required pam_deny.so | ||
+ | |||
+ | account required pam_unix.so | ||
+ | |||
+ | password sufficient pam_unix.so try_first_pass nullok md5 shadow | ||
+ | password required pam_deny.so | ||
+ | |||
+ | session required pam_limits.so | ||
+ | session required pam_unix.so | ||
+ | EOF | ||
+ | |||
+ | === pam_console support === | ||
+ | If you built the '''pam_console''' module append system-auth with the following line: | ||
+ | |||
+ | cat >> /etc/pam.d/system-auth << "EOF" | ||
+ | session optional pam_console.so | ||
+ | EOF | ||
+ | |||
+ | ==== /etc/pam.d/other ==== | ||
+ | |||
+ | This is file explicitiy denies access to a program that is PAM aware. | ||
+ | |||
+ | cat > /etc/pam.d/other << "EOF" | ||
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The PAM configuration file for other | ||
+ | # | ||
+ | |||
+ | auth required pam_deny.so | ||
+ | auth required pam_warn.so | ||
+ | |||
+ | account required pam_deny.so | ||
+ | account required pam_warn.so | ||
+ | |||
+ | password required pam_deny.so | ||
+ | password required pam_warn.so | ||
+ | |||
+ | session required pam_deny.so | ||
+ | session required pam_warn.so | ||
+ | EOF | ||
+ | |||
+ | ==== /etc/pam.d/{halt poweroff reboot} ==== | ||
+ | |||
+ | These are the files that control the system shutdown | ||
+ | |||
+ | for file in halt poweroff reboot; do | ||
+ | cat > /etc/pam.d/$file << "EOF" | ||
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The common PAM configuration file for shutdown operations | ||
+ | # | ||
+ | auth sufficient pam_rootok.so | ||
+ | auth required pam_console.so | ||
+ | |||
+ | account required pam_permit.so | ||
+ | EOF | ||
+ | done | ||
= Contents = | = Contents = |
Latest revision as of 19:29, 26 January 2011
Download Source: | ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.3.tar.bz2 |
---|---|
Required Patch: | http://svn.cross-lfs.org/svn/repos/patches/Linux-PAM/Linux-PAM-1.1.3-pam_console-1.patch |
Contents
Introduction to PAM Library
The PAM Library package contains Pluggable Authentication Modules. This is useful for enabling the local system administrator to choose how applications authenticate users.
RedHat develops a set of external modules for use with Linux-PAM. This includes the pam_console module which can be used by some programs such as HAL and gnome-volume-manager. The purpose of pam_console is to indicate which user is active at the console and take appropriate actions. It does this by listing active users in the /var/run/console directory and assigning one to the console.lock file.
Project Homepage: http://www.kernel.org/pub/linux/libs/pam/
Dependencies
Optional
Non-Multilib
Configure and compile the package:
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch && autoreconf && ./configure --libdir=/usr/lib --sbindir=/lib/security \ --enable-securedir=/lib/security \ --docdir=/usr/share/doc/Linux-PAM-1.1.3 \ --enable-shared \ --enable-read-both-confs && make
Install the package:
make install && chmod -v 4755 /lib/security/unix_chkpwd && mv -v /lib/security/pam_tally /sbin && mv -v /usr/lib/libpam*.so.0* /lib && ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so && ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so && ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so
Multilib
32Bit
Configure and compile the package:
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch && autoreconf && CC="gcc ${BUILD32}" ./configure --libdir=/usr/lib --sbindir=/lib/security \ --enable-securedir=/lib/security \ --docdir=/usr/share/doc/Linux-PAM-1.1.3 \ --enable-shared \ --enable-read-both-confs && make
Install the package:
make install && chmod -v 4755 /lib/security/unix_chkpwd && mv -v /lib/security/pam_tally /sbin && mv -v /usr/lib/libpam*.so.0* /lib && ln -svf ../../lib/libpam.so.0 /usr/lib/libpam.so && ln -svf ../../lib/libpamc.so.0 /usr/lib/libpamc.so && ln -svf ../../lib/libpam_misc.so.0 /usr/lib/libpam_misc.so
N32
Configure and compile the package:
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch && autoreconf && CC="gcc ${BUILDN32}" ./configure --libdir=/usr/lib32 --sbindir=/lib32/security \ --enable-securedir=/lib32/security \ --docdir=/usr/share/doc/Linux-PAM-1.1.3 \ --enable-shared \ --enable-read-both-confs && make
Install the package:
make install && chmod -v 4755 /lib32/security/unix_chkpwd && mv -v /lib32/security/pam_tally /sbin && mv -v /usr/lib32/libpam*.so.0* /lib32 && ln -svf ../../lib32/libpam.so.0 /usr/lib32/libpam.so && ln -svf ../../lib32/libpamc.so.0 /usr/lib32/libpamc.so && ln -svf ../../lib32/libpam_misc.so.0 /usr/lib32/libpam_misc.so
64Bit
Configure and compile the package:
patch -Np1 -i ../Linux-PAM-1.1.3-pam_console-1.patch && autoreconf && CC="gcc ${BUILD64}" ./configure --libdir=/usr/lib64 --sbindir=/lib64/security \ --enable-securedir=/lib64/security \ --docdir=/usr/share/doc/Linux-PAM-1.1.3 \ --enable-shared \ --enable-read-both-confs && make
Install the package:
make install && chmod -v 4755 /lib64/security/unix_chkpwd && mv -v /lib64/security/pam_tally /sbin && mv -v /usr/lib64/libpam*.so.0* /lib64 && ln -svf ../../lib64/libpam.so.0 /usr/lib64/libpam.so && ln -svf ../../lib64/libpamc.so.0 /usr/lib64/libpamc.so && ln -svf ../../lib64/libpam_misc.so.0 /usr/lib64/libpam_misc.so
Configuring
Configuring pam_console
The altering of device permissions is unnecessary. In this case, only the console locking actions are needed. Replace one of the pam_console configuration files to achieve this.
cat > /etc/security/console.handlers << "EOF" # Begin /etc/security/console.handlers console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] EOF
/etc/securetty
cat > /etc/securetty << "EOF" # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). console tty0 tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10 tty11 tty12 ttyp0 ttyp1 ttyp2 ttyp3 ttyp4 ttyp5 ttyp6 ttyp7 ttyp8 ttyp9 ttyp10 ttyp11 ttyp12 ttyS0 EOF
/etc/environment
We create a blank file here for pam_env.so, without this file an error will occur during bootup:
echo > /etc/environment
/etc/shells
Pam will only let users login if their shell appears in /etc/shells. Now would be a good time to create this file:
cat > /etc/shells << "EOF" # Begin /etc/shells /bin/sh /bin/bash # End /etc/shells EOF
/etc/pam.d
This is where all the pam service configuration happens
install -d /etc/pam.d
/etc/pam.d/system-auth
This is a common shared file for system authentication.
For systems with Cracklib
cat > /etc/pam.d/system-auth << "EOF" #%PAM-1.0 # # The PAM configuration file for system authentication # auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow password required pam_deny.so session required pam_limits.so session required pam_unix.so EOF
For systems without Cracklib
cat > /etc/pam.d/system-auth << "EOF" #%PAM-1.0 # # The PAM configuration file for system authentication # auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password sufficient pam_unix.so try_first_pass nullok md5 shadow password required pam_deny.so session required pam_limits.so session required pam_unix.so EOF
pam_console support
If you built the pam_console module append system-auth with the following line:
cat >> /etc/pam.d/system-auth << "EOF" session optional pam_console.so EOF
/etc/pam.d/other
This is file explicitiy denies access to a program that is PAM aware.
cat > /etc/pam.d/other << "EOF" #%PAM-1.0 # # The PAM configuration file for other # auth required pam_deny.so auth required pam_warn.so account required pam_deny.so account required pam_warn.so password required pam_deny.so password required pam_warn.so session required pam_deny.so session required pam_warn.so EOF
/etc/pam.d/{halt poweroff reboot}
These are the files that control the system shutdown
for file in halt poweroff reboot; do cat > /etc/pam.d/$file << "EOF" #%PAM-1.0 # # The common PAM configuration file for shutdown operations # auth sufficient pam_rootok.so auth required pam_console.so account required pam_permit.so EOF done
Contents
Note: The files that come with pam_console need to be added to this list.
Installed Programs: | pam_tally |
---|---|
Installed Libraries: | libpam.{so,a}, libpamc.{so,a}, libpam_misc.{so,a} |
Installed Directories: | /etc/pam.d, /etc/security, /lib/security, /usr/include/security |
Short Descriptions
pam_tally | is used to view or manipulate the faillog file. |
---|---|
libpam.{so,a} | provide the interfaces between applications and the PAM modules. |