Complete PAM security


Complete PAM Security


PAM: Pluggable Authentication Modules ==> Developed my sun microsystems
Pam is a suite of shared libraries that grants privileges to PAM-aware
applications, This is much grander authentication scheme.
These PAM-aware programmes can enhance your system security by using both
shadow password scheme and virtually any other authentication scheme.

Process of PAM authentication:
1) User tries to access particular application
2) This PAM-aware application calls the underlying PAM libraries to perform the authentication
3) PAM libraries looks up an application-specific configuration file in /etc/pam.d/ directory
and it checks what type of authentication required for the application.
4) PAM  checks and loads the  required authentication modules
5) These modules make PAM To communicate with the conversation functions available in the application  & requests the password
and the user provides the password
6) PAM checks the authentication process and does one of the following
a) Grants the requested privileges
b) Informs the user that the process failed

Working with a PAM configuration file:

==> PAM-aware programmes include their own configuration file’s in /etc/pam.d directory & it checks for
    the pam modules present in /lib/security

==> PAM config file for an application will be having the following fields
    module-type     control-flag     module-path    module-args

:Module-type: 1) Auth – it does the authentication, this module requires password (or) any other identity from the user..
          2) Account – This module check whether the user access met all the guidelines (it checks whether the user is accessing the service
            from a secure host and specified time)
          3) Password – Sets password
          4) Session – Handles session management tasks
:Control-flags: 1) Required – This flag tells the PAM library to require the success of the module specified in the same, When the module returns a
        response indicating failure it fails & it continues with other modules
        2) Requisite – This flag tells the PAM library to abort the authentication process as soon as the PAM library receives
                failure response
        3) sufficient – This flag tells the PAM library to continue if it receives a success response & proceeds with other modules
        4) optional –  This flag is hardly used. It removes the emphasis on the success or failure response of the module

If no pam configuration file for an application is found, It uses the default  /etc/pam.d/other file which pam_deny module which
always returns failure status

Note: This configuration management issue has been addressed with the recent introduction of a PAM module called

Using various PAM Modules to enhance security

a) :: this module uses the /etc/security/access.conf file, It contains the following fields

                permission :   users     : origins
                  __ or +    username     tty or host

Useful    Examples  1) Disallow non-root logins on tty1
                -:ALL EXCEPT root:tty1
          2) Disable the console login for expcept few
                -: ALL EXCEPT john sam : LOCAL
          3)  User “root” should be allowed to get access from hosts with ip addresses.
               + : root :
               + : root :

b)  checks the password strenth of a password using the crack library

c) :: It always return false, it uses /etc/pam.d/other  configuration to deny access

d) :: this module checks the enviroinmental modules ( /etc/security/pam_env.conf )

e) :: this is a group access module that uses the /etc/security/group.conf file to provide group access to services

f) :: This modules sets resource  limits using  /etc/security/limit.conf

By impavan

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s