PAM and Configuration File (Demo)

Video Activity

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
>> Hey Cybrarians and welcome back to
00:00
the Linux+ Course here at Cybrary.
00:00
I'm your instructor Rob Goelz.
00:00
In today's lesson we're going to be discussing PAM.
00:00
We're going to have an overview of
00:00
pluggable authentication modules.
00:00
Upon completion of this lesson,
00:00
you're going to be able to understand
00:00
the purpose of pluggable authentication modules,
00:00
which we abbreviate as PAM.
00:00
Now we're also going to describe how
00:00
these PAM configuration files are structured,
00:00
and then we'll look at and examine where we can find
00:00
these PAM configuration files during our demo.
00:00
Pluggable authentication modules are what are used
00:00
to provide centralized authentication services.
00:00
Now this was created by Sun Microsystems in 1997.
00:00
PAM is still found on
00:00
most distributions and used generally
00:00
by Linux applications and
00:00
utilities that need to authenticate users.
00:00
PAM controls the authentication of users for login.
00:00
For example, it can be used for applications
00:00
like SSH or SU.
00:00
It provides a modular or pluggable method
00:00
of authentication.
00:00
Pluggable method of authentication,
00:00
pluggable authentication modules,
00:00
PAM, you get it.
00:00
Sysadmins decide what modules or mechanisms are used.
00:00
Because it's a modular system,
00:00
that means that that can be added without replacing
00:00
backends for existing applications and services.
00:00
Really what this means is we can go
00:00
to those configuration files that we'll
00:00
see in a minute here and
00:00
change the way that they operate.
00:00
Change what modules or mechanisms are used just in
00:00
the configuration file without
00:00
having to re-install anything.
00:00
Programs that use PAM for
00:00
authentication are called PAM-aware applications.
00:00
The reason for this is because they are compiled with
00:00
the PAM library, which is libpam.so.
00:00
Because they're compiled with PAM,
00:00
they have PAM configuration files.
00:00
Now all of those configuration files live in
00:00
the same place, the /etc/pam.d directory.
00:00
There are separate files for
00:00
each service that uses PAM.
00:00
For example, SSH has a file in /etc/pam.d/sshd.
00:00
Now, each one of these files
00:00
is a very specific structure,
00:00
and the structure of that configuration file
00:00
determines the authentication task,
00:00
their control, and the module
00:00
or mechanism used for the task.
00:00
The format for a PAM configuration file line
00:00
is going to look something like TYPE, again,
00:00
that's going to be the authentication task,
00:00
the CONTROL-FLAG,
00:00
and then the PAM module,
00:00
and then optionally some PAM module options at the end.
00:00
We'll see a little bit more about all this in the demo
00:00
and we're going to go into a little bit more detail
00:00
in the lesson here as well.
00:00
TYPE is the first column,
00:00
and there are four types that are used in PAM.
00:00
There's the account type,
00:00
the auth type, the password type, and the session type.
00:00
Account is used for account verification.
00:00
This does things like account expiration checking,
00:00
and make sure that we're not
00:00
logging in at the wrong time of day.
00:00
It checks to make sure that there are
00:00
no time of day restrictions.
00:00
Auth is used for authentication management.
00:00
This is doing stuff like requesting
00:00
the password when you try and sign in
00:00
and then verifying the password
00:00
against what's stored for the account.
00:00
Password which you would think
00:00
would be used for password management
00:00
isn't necessarily exactly for password management.
00:00
It's more used for looking at password complexity,
00:00
password policies,
00:00
and limiting incorrect password attempts.
00:00
Then finally session, well,
00:00
that's just used for session management.
00:00
It handles the setup and closing of a session and it logs
00:00
the session start time; it may
00:00
also mount a user home directory.
00:00
Now, when we get into
00:00
the second column here the CONTROL-FLAG,
00:00
this is where things get into
00:00
the weeds a little bit, right?
00:00
The first thing that we have is a TYPE.
00:00
It's going to be an authentication
00:00
or account related or password related or session.
00:00
Then the next thing determines how important that
00:00
particular TYPE is and
00:00
the particular module that it's going to
00:00
be working on are going to be.
00:00
Basically it just says, hey,
00:00
is this application going to succeed in its
00:00
purposes for whatever it's trying to
00:00
do if this loads properly.
00:00
Or are we going to have a problem
00:00
if it doesn't load properly.
00:00
It just controls whether or not
00:00
the application can do authentication.
00:00
That's why it's called the CONTROL-FLAG.
00:00
Just as an example, we have required,
00:00
requisite, sufficient, and optional.
00:00
If a module that has a required control fails,
00:00
everything will still run in the configuration file,
00:00
but the final result is going to be a failure.
00:00
Because we need this, it's required.
00:00
The other option here is requisite.
00:00
If we have a module that has this control fail,
00:00
it's game over. Nothing else runs.
00:00
If this happens at the top of the configuration file,
00:00
the whole thing exits and it just stops.
00:00
If it happens in the middle, same thing,
00:00
it'll load everything up until that point and it
00:00
just stops because it's requisite.
00:00
If it's not working,
00:00
nothing else is going to work so it's done.
00:00
By comparison in the opposite direction,
00:00
there's this concept called sufficient.
00:00
Basically what happens is when we get to this control,
00:00
if it succeeds and the module is
00:00
able to be loaded, then we're like, it's good,
00:00
it's fine to go and hands
00:00
the application back and says, you're off to the races.
00:00
No worries there. But that's
00:00
provided that nothing above it has failed.
00:00
If we have a required or requisite module
00:00
that's trying to load above it and that fails,
00:00
we might never get there.
00:00
But luckily, if we do get to the sufficient,
00:00
nothing else needs to happen.
00:00
Then the very last CONTROL-FLAG type is optional.
00:00
That just adds module status code,
00:00
it's the only record for the type.
00:00
It just provides more information and
00:00
more log in detail in the configuration file.
00:00
With that, let's take a look at
00:00
all of these with some demo time.
00:00
Here we are back in our demo environment and in
00:00
today's demo we are going to be using Ubuntu.
00:00
The reason for this is that Ubuntu has
00:00
much better comments for the PAM configuration files.
00:00
It's really helpful for us to look at it when we're
00:00
working with PAM because it makes a little more sense.
00:00
Very first thing we're going to
00:00
do is actually look at this directory,
00:00
the pam.d directory because as I said,
00:00
this is where all of these individual
00:00
configuration files are stored.
00:00
What we see when we look in here are
00:00
all of the PAM-aware applications.
00:00
Each one of these applications
00:00
has its own entry in here,
00:00
has its own configuration file.
00:00
We see things like chain, shell, chsh.
00:00
We also see things like cron, and cups.
00:00
What we're actually going to look at
00:00
today though is the sshd,
00:00
as I promised earlier in the lesson.
00:00
Let's take a look at that.
00:00
We're going to less /etc/pam.d/sshd.
00:00
We open that up and we can
00:00
see the contents of this file.
00:00
Right away I want to bring
00:00
your attention to the very top of this file here,
00:00
to these two lines.
00:00
What we see here is that this line right
00:00
here which is called a record
00:00
in the configuration file has a comment above it.
00:00
For instance, with this one,
00:00
we can see that this is an account type and the control
00:00
is required for the module pam_nologin.so.
00:00
This means again that if this
00:00
fails because it's required,
00:00
everything else will run,
00:00
all of the remaining modules
00:00
down here will try and load,
00:00
as we go through here but
00:00
the final result of this will be that it fails.
00:00
But what does this module actually do?
00:00
Well, what this does,
00:00
it tells us here in the comment,
00:00
again, this is why I wanted to look at Ubuntu.
00:00
It disallows non-root logins when
00:00
/etc/nologin exists. What does that mean?
00:00
Well, this is a really nice and very
00:00
old sysadmin trick for when you're doing things like
00:00
patching systems or any work in a system
00:00
where you don't want users to log in and land on it.
00:00
It disables SSH for anybody who's not root.
00:00
If you go in and you say touch /etc/nologin, it's going to
00:00
create that file temporarily
00:00
and then while you're working on the system,
00:00
nobody can SSH and land on it.
00:00
You do your patching, you
00:00
do your maintenance, you reboot,
00:00
and that will remove it when you're done by rebooting,
00:00
or you can just remove it
00:00
yourself and then everyone can
00:00
use the system again. Excellent fix.
00:00
There are a lot more things to go
00:00
through in terms of configuration files,
00:00
but this is just a broad overview of the layout of
00:00
a PAM configuration file
00:00
as well as the /etc/pam.d directory.
00:00
With that, we reached the end of this lesson.
00:00
In this lesson we covered the purpose of
00:00
PAM and how we can use it for authentication.
00:00
We talked about the structure of
00:00
the configuration files for PAM,
00:00
and then we located and examined some of
00:00
these PAM configuration files just briefly
00:00
there during our demo in Ubuntu.
00:00
Thanks so much for being here and I look
00:00
forward to seeing you in the next lesson.