PAM Utilities and Policy

Video Activity
Time: 21 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 21
Video Transcription
Hey Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor Rob Goelz. In today's lesson, we're going to be covering PAM utilities and policies.

Upon completion of today's lesson, you are going to be able to understand how PAM can be used when resetting password policies or if we want to integrate with LDAP. We're also going to learn about how PAM can limit the number of failed login attempts, and we're going to use the faillock utility to view failed login attempts.

PAM uses a couple of different modules to enforce password policies on the system. We use the pam_unix.so module to perform authentication using the data that's already there locally, so /etc/passwd and the password data that's stored in /etc/shadow. pam_pwhistory.so checks a user's new password against the password history file, and it prevents you from reusing an old password. When you log in and you try to reset your password and it says, hey, you can't use this one because you used it once before, and you can only use anything other than the previous 10 passwords, that's where that's configured.

Now, pam_pwquality.so, well, this is what enforces the password complexity rules. These are the things we're seeing down here at the bottom with this little GIF: you need to have uppercase letters, lowercase letters, special characters, numbers, and so on and so forth, or it needs to be so many characters long. Well, that's where that gets configured, in the pam_pwquality.so module.

Now, PAM can also be integrated with network authentication systems. A really common one that's used in open-source environments is the Lightweight Directory Access Protocol, or LDAP. Now, the module pam_ldap.so is what is used for LDAP authentication. It actually uses /etc/ldap.conf for configuration. But to get this set up, we have to modify some configuration files that are specific to PAM. For example, if we were in CentOS, we would go into /etc/pam.d and then we modify system-auth. But if we're in Ubuntu, there's actually a command you can use for it, which is pam-auth-update. That will allow us to reconfigure those files to work with LDAP.

Now, when we're talking about limiting or viewing failed login attempts, there are a couple of things we should talk about. The first one is the pam_tally2.so module. This is used to configure PAM to limit failed login attempts. This is done by adding the module, and we add it as a required auth and account type in /etc/pam.d/sshd. We can see that we talked about that before: our types are auth and account, and our control, or control type, in this case is required. Remember, this means that if these things don't succeed, the whole thing overall fails. Then we see it's going to load the module pam_tally2.so, but we also see a deny=5 and an onerr=fail on the auth type. What does that mean? Well, the deny=5 option sets the failed login limit to five attempts. The onerr=fail option is what actually locks the account after those failures have happened five times.

You can now run the command pam_tally2 to view the tally, or count, of the failed logins. That command is actually found in /sbin/pam_tally2. Once this is set up, you can run that and you can look at the number of failed login attempts. Then it'll help you to determine if you're having something like a brute force attack, or someone trying to guess the root password, something like that.

Now, another way that we can view and look at failed login attempts is with faillock, and the module for that is pam_faillock.so, so that's just another option to limit failed login attempts. But unlike pam_tally2, it's actually configured in /etc/pam.d/system-auth and /etc/pam.d/password-auth. Then, once the module is configured, the command faillock can be run by root, and that returns the number of failed login attempts, just like what we saw with pam_tally2. Really, either of these options can be used for that purpose. They're just configured a little bit differently.

With that, in this lesson, we covered PAM configuration for password policy enforcement. We also talked about LDAP integration with PAM, and then we talked about limiting and viewing failed login attempts using pam_tally2 and faillock. Thanks so much for being here and I look forward to seeing you in the next lesson.
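As an added example (not part of the lesson or its slides), here is what the configuration the lesson describes looks like in PAM syntax: the pam_tally2 lines for /etc/pam.d/sshd, the pam_faillock equivalent for /etc/pam.d/system-auth and /etc/pam.d/password-auth, and a password stack using pam_pwquality and pam_pwhistory. The values unlock_time=900, minlen=12, retry=3 and the credit settings are assumed example settings, not values from the lesson.

```conf
# --- /etc/pam.d/sshd (pam_tally2 variant, as described in the lesson) ---
# deny=5      : lock after 5 consecutive failures
# onerr=fail  : if the tally file cannot be read, fail closed (deny) rather than open
# unlock_time : assumed value; auto-unlock after 900 s so a lockout is not permanent
auth     required   pam_tally2.so deny=5 onerr=fail unlock_time=900
account  required   pam_tally2.so
# View or clear the counter (run as root):
#   pam_tally2 --user alice
#   pam_tally2 --user alice --reset

# --- /etc/pam.d/system-auth and /etc/pam.d/password-auth (pam_faillock variant) ---
# The preauth line denies already-locked users before the password is checked;
# the authfail line records a failure when pam_unix rejects the password.
auth     required      pam_env.so
auth     required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth     sufficient    pam_unix.so nullok try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth     required      pam_deny.so

account  required      pam_faillock.so
account  required      pam_unix.so

# Password policy stack: complexity via pam_pwquality, reuse check via pam_pwhistory.
# minlen=12 and the *credit=-1 settings (at least one upper, lower, digit, other)
# are assumed example values; remember=10 matches the "previous 10 passwords" rule.
password requisite     pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password required      pam_pwhistory.so remember=10 use_authtok
password sufficient    pam_unix.so sha512 shadow use_authtok
password required      pam_deny.so
# View or clear the faillock counter (run as root):
#   faillock --user alice
#   faillock --user alice --reset
```

Note that pam_tally2 has been removed from newer distributions in favour of pam_faillock, so only one of the two lockout stacks should be active on a given system.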