PAM—Securing Linux Boxes Everywhere

In a world without Windows, PAM guards the doors.
Secure Remote Access

To get a handle on all this, let's consider an actual application. I wanted to be able to access my machine remotely with SSH, but I didn't want to allow any other users (Listing 4). So, I configured my /etc/pam.d/sshd file. See the Modules, Modules Everywhere sidebar for more details on these and other modules. Here are some of the modules I used:

  • pam_unix2.so: provides traditional password, rights, session and password-changing methods, in the classic UNIX way.

  • pam_nologin.so: disallows login if the file /etc/nologin exists.

  • pam_access.so: implements extra rules for access control (more later in this article on how I used this).

  • pam_limits.so: enforces limits for users or groups according to the file /etc/security/limits.conf.

  • pam_umask.so: sets the file mode creation mask for the current environment (do info umask for more information).

  • pam_pwcheck: enforces password-strength checks (more details on further uses of this module later in this article).

If you check your own /etc/pam.d/sshd file, it probably will look like this, except for the pam_access module, which is the interesting part. This module implements added security controls based on the /etc/security/access.conf file. I edited it in order to specify who could access my machine (Listing 5). The first line means that anybody (ALL) can log in to my machine from within the internal network at home. The second line allows the remoteKereki user to access my machine from anywhere in the world, and the final line is a catchall that disables access to anybody not included specifically in these lines. I created the remoteKereki user with minimum rights to allow myself entry to the machine, and then I execute su and work as myself or even as root, if needed. If people guess the correct password for remoteKereki, it won't help them much, because attackers still will have to guess the password for the other, more useful, users. As it is, it provides an extra barrier before intruders can do serious damage.

I had to modify /etc/ssh/sshd_config by adding a line UsePAM yes, so sshd would use the PAM configuration. I had to restart SSH with /etc/init.d/sshd restart so the configuration would be used. For even more secure connections, you also could change the SSH standard port (22) to a different value, forbid root remote logins and limit retries to hinder brute-force attacks, but those topics are beyond the scope of this article. Do man ssh_config for more details.

Requiring Good Passwords

Left on their own, most users will (trustingly and unknowingly) use easily guessable and never-changed passwords, simplifying the job for intruders. With PAM, you can enforce several good practices for password management by using the password stack and the pam_pwcheck.so module. This module does several checks on the strength of your password:

  • Is the new password too short?

  • Is the new password too similar to the old one?

  • Is the new password merely the old password, reversed or rotated (for example, safe123 and 123safe)?

  • Is the new password the same as the old one, with only case changes (such as sEcReT and SEcrET)?

  • Was the new password already used before? (Old passwords are stored in the /etc/security/opasswd file.)

You can add several parameters to the module (do man pam_pwcheck for complete documentation) for extra rules, such as:

  • minlen=aNumber: specifies the minimum length (by default, five characters) for the new password. If you set it to zero, all password lengths are accepted.

  • cracklib=pathToDictionaries: allows use of the cracklib library for password checks. If the new password is in a dictionary, a simple brute-force attack quickly will guess it.

  • tries=aNumber: sets how many attempts to allow, if previous attempts were rejected because they were too easy.

  • remember=aNumber: defines how many previous passwords will be remembered.

Another module provides similar functionality, pam_cracklib.so, but it has some different parameters. For example, you might specify how many characters must differ between your old and new password and whether you want to include digits, uppercase, lowercase and nonalphabetic characters. Do man pam_cracklib for more information.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Hardware Authentication Open Source Pam Module

luc's picture

Hi,

I just wanted to point out the availability of the swekey pam module.

This module lets you secure you ssh access with a $15 highly secure USB token.

Thanks,

Luc

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix