Security Handbook/PAM

From Gentoo Wiki

PAM (Pluggable Authentication Modules) is a suite of shared libraries that gives programs an alternative way of authenticating users. The pam USE flag is enabled by default in Gentoo. Although the default PAM settings in Gentoo are reasonable, there is always room for improvement.

First install sys-libs/cracklib to allow password policies to be set:

root # emerge --ask sys-libs/cracklib
FILE /etc/pam.d/passwd
auth     required shadow nullok
account  required
password required difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2
password required md5 use_authtok
session  required

This adds the cracklib module to the password stack, which ensures that user passwords are at least 8 characters long, contain a minimum of 2 digits and 2 other (non-alphanumeric) characters, and are more than 3 characters different from the previous password. The PAM cracklib documentation can be reviewed for the other available options.
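To see what those options actually enforce, the following is a small model of pam_cracklib's length/credit and difok rules, written as an added example for this page (it is not the module's own code and does not model the dictionary check). It assumes the page's password line names the module pam_cracklib.so and, since the line does not set them, uses the man page defaults ucredit=1 and lcredit=1.

```python
import string

# Defaults per pam_cracklib(8); the page's line leaves ucredit/lcredit at 1.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1, "difok": 5}
# The page's password line, with the module name pam_cracklib.so assumed.
PAGE_LINE = "password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2"

def parse_options(line):
    """Pick the key=value options off a pam_cracklib line; unknown keys such as retry are ignored."""
    opts = dict(DEFAULTS)
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(val)
    return opts

def char_classes(pw):  # count digits, upper, lower and other characters per credit option
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for c in pw:
        key = ("dcredit" if c in string.digits else "ucredit" if c in string.ascii_uppercase
               else "lcredit" if c in string.ascii_lowercase else "ocredit")
        counts[key] += 1
    return counts

def length_ok(pw, opts):
    """minlen test: credit N lowers the required length by up to N; credit -N demands at least N."""
    required = opts["minlen"]
    for key, n in char_classes(pw).items():
        credit = opts[key]
        if credit >= 0:
            required -= min(n, credit)
        elif n < -credit:
            return False
    return len(pw) >= required

def edit_distance(a, b):  # Levenshtein distance, which pam_cracklib compares against difok
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(new, old, opts):  # 'ok' or the reason pam_cracklib would reject the new password
    if edit_distance(old, new) < opts["difok"] and len(new) < 2 * len(old):
        return "too similar to the old password"
    if not length_ok(new, opts):
        return "too simple for the minlen/credit rules"
    return "ok"
```

Because ucredit and lcredit keep their default of 1, a six-character password such as Ab1#2$ (one upper, one lower, two digits, two others) satisfies minlen=8; set those credits negative as well if an 8-character floor is the intent.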

FILE /etc/pam.d/sshd
auth     required nullok
auth     required
auth     required
auth     required
account  required
password required difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 use_authtok
password required shadow md5
session  required
session  required

Every service without its own PAM file in /etc/pam.d falls back to the rules in /etc/pam.d/other. The defaults there are set to deny, as they should be.

Also, can be added to generate more elaborate logging. pam_limits can also be used; it is controlled by /etc/security/limits.conf. See the /etc/security/limits.conf section for more on these settings.

FILE /etc/pam.d/other
auth     required
auth     required
account  required
account  required
password required
password required
session  required
session  required

See also

  • PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.