Hello once again everyone,

In the section of the book for shadow, after installing PAM, there is a small problem I have noticed with the suggested pam.d/login. Here it is for reference:
> # Begin /etc/pam.d/login
>
> auth      requisite  pam_securetty.so
> auth      requisite  pam_nologin.so
> auth      required   pam_unix.so
> account   required   pam_access.so
> account   required   pam_unix.so
> session   required   pam_env.so
> session   required   pam_motd.so
> session   required   pam_limits.so
> session   optional   pam_mail.so dir=/var/mail standard
> session   optional   pam_lastlog.so
> session   required   pam_unix.so
> password  required   pam_cracklib.so retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
> password  required   pam_unix.so md5 shadow use_authtok
>
> # End /etc/pam.d/login
The problem with this configuration is that it allows users to brute-force usernames at the login prompt. The breakdown is like this:

- user enters an incorrect name
- pam_securetty.so fails to validate the username and returns incomplete. Since it is a requisite, login fails right here.

The way to make login behave as it did before installing PAM would be to make the following configuration:
> # Begin /etc/pam.d/login
>
> auth      requisite  pam_nologin.so
> auth      required   pam_securetty.so
> auth      required   pam_unix.so
> account   required   pam_access.so
> account   required   pam_unix.so
> session   required   pam_env.so
> session   required   pam_motd.so
> session   required   pam_limits.so
> session   optional   pam_mail.so dir=/var/mail standard
> session   optional   pam_lastlog.so
> session   required   pam_unix.so
> password  required   pam_cracklib.so retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
> password  required   pam_unix.so md5 shadow use_authtok
>
> # End /etc/pam.d/login
This makes PAM take whatever you entered for a username and still ask for a password. Of course, if the account cannot be verified at the next stage of authentication then access is denied, but now nobody learns anything about the system.

Looking only at the auth portion of the configuration, it could also be arranged as such to get the same effect:
> auth      requisite   pam_nologin.so
> auth      required    pam_securetty.so
> auth      sufficient  pam_unix.so
> auth      required    pam_deny.so
This still makes authentication with pam_unix required, since pam_deny will fail if one sufficient has not been met. This leaves the configuration open to other authentication schemes to be added in the future if the user chooses.

If others are in agreement with my first change I'll add a ticket. Not for a few hours though, since I'm stuck in lynx at this computer and don't feel like attempting to navigate the wiki like this... *laughs*

The second example is just what I've been using since it seems stable. I doubt that needs to be included for the book, although it does show off some of the abilities of pam_deny.
Jonathan
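The difference between the three auth stacks above comes down to how Linux-PAM's control keywords (requisite, required, sufficient, optional) decide whether the next module runs. The following simulator is an added example, not part of Jonathan's post or of the BLFS book: it parses the auth lines of each constructed stack and walks them with the classic control-flag rules, reporting which modules were reached and whether pam_unix.so (the module that asks for the password) ever ran. Module results are constructed booleans: pam_securetty.so is assumed to fail for a name that is not an account, as the post describes, and the real module's tty check is not modelled.

```python
# Simulator for Linux-PAM auth-stack control flags. Added example, not
# from the post or the BLFS book. It models only the four classic control
# keywords and uses constructed boolean results per module, so it shows
# which modules get to run, not what the real modules do internally.

# Constructed auth stacks, matching the three variants under discussion.
ORIGINAL = """
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required  pam_unix.so
"""

PROPOSED = """
auth requisite pam_nologin.so
auth required  pam_securetty.so
auth required  pam_unix.so
"""

WITH_DENY = """
auth requisite  pam_nologin.so
auth required   pam_securetty.so
auth sufficient pam_unix.so
auth required   pam_deny.so
"""

# pam_deny always fails regardless of the user (assumption for the model).
ALWAYS_FAIL = {"pam_deny.so"}


def parse_auth_stack(text):
    """Return [(control, module), ...] for the auth lines of a pam.d file.
    Comments and module arguments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries


def run_stack(entries, results):
    """Evaluate an auth stack with the classic control-flag semantics.

    results maps a module name to True (success) or False (failure);
    unlisted modules succeed. Returns (outcome, executed), where executed
    lists the modules that were actually invoked, in order.
    """
    executed = []
    required_failed = False
    for control, module in entries:
        ok = False if module in ALWAYS_FAIL else results.get(module, True)
        executed.append(module)
        if control == "requisite" and not ok:
            # requisite: a failure ends the stack immediately
            return "fail", executed
        if control == "required" and not ok:
            # required: remember the failure but keep running the stack
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            # sufficient: success ends the stack unless a required failed
            return "success", executed
        # optional results are ignored when other modules are present
    return ("fail" if required_failed else "success"), executed


def password_prompted(config, results):
    """True if pam_unix.so (the module that asks for a password) ran."""
    _, executed = run_stack(parse_auth_stack(config), results)
    return "pam_unix.so" in executed


# Constructed scenarios (assumed module behaviour, not captured output).
UNKNOWN_USER = {"pam_securetty.so": False, "pam_unix.so": False}
BAD_PASSWORD = {"pam_unix.so": False}
GOOD_LOGIN = {}

if __name__ == "__main__":
    stacks = [("original", ORIGINAL), ("proposed", PROPOSED), ("with pam_deny", WITH_DENY)]
    cases = [("unknown user", UNKNOWN_USER), ("bad password", BAD_PASSWORD), ("good login", GOOD_LOGIN)]
    for name, cfg in stacks:
        for label, res in cases:
            outcome, executed = run_stack(parse_auth_stack(cfg), res)
            print(f"{name:14s} {label:13s} -> {outcome:8s} prompted={'pam_unix.so' in executed}")
```

Run it and the original stack stops at pam_securetty.so for an unknown name without ever reaching pam_unix.so, while a real account with a wrong password is prompted; that asymmetry is what the post objects to. In the proposed stack and in the pam_deny variant, pam_unix.so runs in every case, so the prompt looks the same whatever name was typed, and the pam_deny line guarantees that a failed pam_unix.so still ends in denial.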
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page