2022-09-25
PAM Security Configuration
###LinuxCBT PAM Edition - Notes###
Topology:
Features:
1. PAM is a central, modular authentication framework
   a. Obviates the need for separate authentication schemes, i.e. per-application auth
   b. Supports numerous dynamically loaded modules and methods, i.e. SiteMinder, Apache, SSH, etc.
   c. Exports the methods of the various libraries under its auspices to calling applications
2. PAM abstracts the underlying authentication methods
   a. MD5 - Encryption
   b. Blowfish - Encryption
   c. LDAP
   d. Shadow - /etc/passwd and /etc/shadow
   e. etc. - SiteMinder, MS Active Directory (AD)
   Note: PAM separates application authentication from the auth mechanisms
3. PAM requires that the application supports PAM (is PAM-aware) - coded into the application
4. Authentication Flow
   a. Application -> PAM -> Underlying authentication source (local/LDAP/Windows/etc.)
5. Handles 4 types of management tasks
   a. Authentication - proving identity (username/password (credentials)) or biometrics
   b. Account Management - object access check, expiry
   c. Password Management - facilitates password management - changes, updates, etc.
   d. Session Management - before and after the user connects to the service
6. Stores configuration in /etc/pam.d OR /etc/pam.conf
7. SUSE 10 stores global settings for modules in /etc/security
8. Popular PAM Modules:
   a. pam_warn.so - logs to Syslog using 'auth.notice'
   b. pam_deny.so - denies access without logging
   c. pam_unix*.so - provides /etc/shadow & /etc/passwd lookups
9. Each application (SSH/VSFTPD/Telnet/Login/etc.) has its own configuration file beneath /etc/pam.d, i.e. /etc/pam.d/login
Format of PAM Files:
Files are located in /etc/pam.d, one for each service governed by PAM, i.e. (SSH/VSFTPD/etc.)
Note: /etc/pam.d/other handles authentication for services with NO file in /etc/pam.d
Note: The default configuration denies service via the /etc/pam.d/other file
Note: /etc/pam.d/common-* handle commonalities across services
Note: Files are lower-case
Each file in /etc/pam.d contains 4 tokens:
1. Type
2. Control
3. Module Path
4. Module Arguments
1. Type = (account | auth | password | session)
2. Control = (include | requisite | required | sufficient | optional)
3. Module Path = relative to /lib[64]/security - indicates the module to be loaded
4. Module Arguments = arguments to be passed to the PAM module
   a. Generally denoted using 'name=value' pairs and separated using whitespace
   b. Escape spaces in the value portion of name=value by enclosing the argument in square brackets, i.e. [name=value 1]
/etc/pam.d/other:
#%PAM-1.0
auth     required pam_warn.so
Note: PAM will consult 'pam_warn.so' when an unrecognized service attempts to authenticate
auth     required pam_deny.so
Note: PAM DENIES access to the unrecognized service
account  required pam_warn.so
account  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session  required pam_warn.so
session  required pam_deny.so
Note: PAM supports stacking of types and modules
Note: pam_deny.so does NOT log via Syslog, but rather simply denies access
Note: /etc/pam.d/other provides a trap or catch-all to log and deny access for ALL 4 management types supported by PAM:
1. auth
2. account
3. password
4. session
Note: /etc/pam.d/other is the fallback file if PAM does NOT find a service-specific file
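The four-token layout and the catch-all role of /etc/pam.d/other can both be checked mechanically. The shell script below is an added example and not part of the LinuxCBT notes: it tokenises a PAM service file into type, control, module path and arguments (re-joining a bracketed [value=action ...] control), then audits a catch-all file for a 'required pam_deny.so' rule under each of the four management types and warns when a type denies without a preceding pam_warn.so. The function names and the two sample files are constructed for this example; the first sample is the /etc/pam.d/other shown above.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): tokenise PAM service files
# into their 4 fields and audit a catch-all file such as /etc/pam.d/other.

# pam_rules FILE: print "type|control|module|args" for every rule in FILE.
# Comment lines (including the #%PAM-1.0 header) and blank lines are
# skipped; a bracketed "[value=action ...]" control is kept as one field.
pam_rules() {
    file=$1
    set -f                               # no globbing while word-splitting rule lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        set -- $line
        [ $# -ge 3 ] || continue         # type, control and module are mandatory
        type=$1; control=$2; shift 2
        case $control in
        \[*)                             # re-join "[success=done default=bad]"
            while [ $# -gt 0 ]; do
                case $control in *\]) break ;; esac
                control="$control $1"; shift
            done ;;
        esac
        [ $# -ge 1 ] || continue
        module=$1; shift
        printf '%s|%s|%s|%s\n' "$type" "$control" "$module" "$*"
    done < "$file"
    set +f
}

# pam_other_audit FILE: return 0 when every management type (auth, account,
# password, session) carries a 'required pam_deny.so' rule, else 1.
# Also reports types that deny silently (no pam_warn.so) and rules whose
# type or control keyword is not one of the documented values.
pam_other_audit() {
    rc=0
    bad=$(pam_rules "$1" | grep -cvE \
        '^(auth|account|password|session)\|(include|requisite|required|sufficient|optional|\[.*\])\|' || true)
    [ "$bad" -eq 0 ] || { echo "ERROR: $bad rule(s) with an unknown type or control keyword"; rc=1; }
    for t in auth account password session; do
        if ! pam_rules "$1" | grep -q "^$t|required|pam_deny\.so|"; then
            echo "MISSING: no 'required pam_deny.so' rule for type $t"; rc=1
        fi
        if ! pam_rules "$1" | grep -q "^$t|required|pam_warn\.so|"; then
            echo "WARNING: type $t denies silently (no pam_warn.so)"
        fi
    done
    return $rc
}

# Constructed sample files: the /etc/pam.d/other from the notes, and a
# catch-all that only covers the auth type.
PAM_GOOD=$(mktemp); PAM_BAD=$(mktemp)
trap 'rm -f "$PAM_GOOD" "$PAM_BAD"' EXIT
cat > "$PAM_GOOD" <<'EOF'
#%PAM-1.0
auth     required pam_warn.so
auth     required pam_deny.so
account  required pam_warn.so
account  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session  required pam_warn.so
session  required pam_deny.so
EOF
cat > "$PAM_BAD" <<'EOF'
#%PAM-1.0
auth [success=done default=bad] pam_unix.so   # bracketed control
auth required pam_deny.so
EOF

echo "== $PAM_GOOD"; pam_other_audit "$PAM_GOOD" && echo "OK: safe catch-all"
echo "== $PAM_BAD";  pam_other_audit "$PAM_BAD"  || echo "NOT SAFE: service with no file would get through"
```

Point pam_other_audit at the real /etc/pam.d/other after any change to it; a catch-all that lacks a deny rule for even one of the four types lets an unlisted service fall through for that task.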
/etc/pam.d/sshd:
#%PAM-1.0
auth     include  common-auth
auth     required pam_nologin.so
account  include  common-account
password include  common-password
session  include  common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional pam_resmgr.so fake_ttyname
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth     required pam_env.so
auth     required pam_unix2.so
/etc/pam.d/common-account:
account  required pam_unix2.so
/etc/pam.d/common-password:
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
/etc/pam.d/common-session:
session  required pam_limits.so
session  required pam_unix2.so
Common PAMs:
pam_echo - prints messages (man pam_echo)
   session optional pam_echo.so file=/etc/pam.d/sshd_text
   Note: Changes take effect upon the next instance of the process
pam_warn - logs connection attempts via Syslog using the 'auth.notice' facility.level
pam_deny - denies access (authentication) but does NOT log
pam_unix2 - provides authentication against:
   1. /etc/passwd
   2. /etc/shadow
   3. NIS[+]
   4. LDAP
   Uses: /etc/security/pam_unix2.conf - global configuration directives
pam_env - (un)sets environment variables
   Uses: /etc/security/pam_env.conf - by default
pam_ftp - handles anonymous access for FTP daemons, i.e. VSFTPD, ProFTPD, etc.
   Called from: /etc/pam.d/vsftpd
pam_lastlog - displays the time and host of the user's last login
pam_limits - /etc/pam.d/common*
   Uses: /etc/security/limits.conf
   Limits include:
   a. RAM
   b. CPU
   c. Core file size
   d. File sizes
pam_listfile - /etc/pam.d/vsftpd - grants or denies access based on a list
pam_nologin - /etc/pam.d/[login|sshd|ppp] - /etc/nologin - prevents non-root access to the system
Account Policies with PAM
Authentication flow in Linux | Unix:
User -> Application (SSH|VSFTPD|Apache) -> PAM -> /etc/nsswitch.conf -> DB (/etc/passwd|shadow | LDAP | Kerberos | etc.)
Default Account Policies for SUSE and RedHat Linux:
/etc/login.defs - read by pam_pwcheck OR /lib/security/pam_pwcheck.so - contains myriad directives associated with account policies
 - DEFAULT_HOME - default = yes - set to no to tighten security
 - Default Path - defaults to /usr/local/bin:/bin:/usr/bin
 - Root Path
 - FAIL_DELAY - number of seconds between failed authentication attempts
 - LASTLOG_ENAB - whether to display the user's last login to the system
 - LOG_UNKFAIL_ENAB - whether to log incorrect usernames
 - LOGIN_RETRIES - max login attempts
 - MOTD_FILE - reads /etc/motd by default and displays its info to the connected user
 - PASS_MAX_DAYS 45 - enforces the maximum number of days a password can be used
 - PASS_MIN_DAYS 3 - ensures that the user MUST hold a password for 3 days
 - PASS_WARN_AGE 7
 - SYSTEM_UID_MIN 100
 - SYSTEM_UID_MAX 499
 - UID_MIN 1000
 - UID_MAX 60000
 - UMASK 022 - influences the default permissions assigned to files and directories
   - Files - default to 644 OR rw-r--r--
   - Directories - default to 755 OR rwxr-xr-x
   Note: UMASK is based on a MAX value of 0777, i.e. 777 - 022 = 755 (directories)
YaST - permits configuration of various account policy checks
 - Password History - MAX of 400
   - /etc/security/opasswd - default storage location - encrypted
   - /etc/security/pam_pwcheck.conf - the password history directive and others are configured here
     password: remember=400 minlen=8 cracklib nullok
Note: To set the password minimum length, update /etc/security/pam_pwcheck.conf
   password: remember=400 minlen=8 cracklib nullok
Note: The default is to perform 'obscure_checks'
'chage' - change password aging utility
   chage -l username
   chage -l linuxcbt
   chage -m 3 -M 45 linuxcbt - changes the minimum and maximum password ages
Recap:
Important Account Policy Files:
 - /etc/security/pam_pwcheck.conf - read by the pam_pwcheck.so module - min length, remember, etc.
 - /etc/security/opasswd - stores password history
 - /etc/login.defs - stores myriad account policy defaults
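The /etc/login.defs values above (PASS_MAX_DAYS 45, PASS_MIN_DAYS 3, PASS_WARN_AGE 7, UMASK 022) are easy to drift from across a fleet, so it is worth scripting the check. The script below is an added example, not from the LinuxCBT notes: it reads a login.defs-style file, ignoring comments, and reports every deviation from those values, treating any UMASK that clears at least the group and other write bits (022, 027, 077) as compliant. The function names and the two sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the notes): audit an /etc/login.defs-style file
# against the password-ageing and umask values used in these notes.

# logindef FILE KEY: print the value of KEY (first match, comments ignored).
logindef() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# login_defs_audit FILE: print one line per deviation from the policy
# PASS_MAX_DAYS <= 45, PASS_MIN_DAYS >= 3, PASS_WARN_AGE >= 7 and a UMASK
# that clears at least the group/other write bits (022). Returns the
# number of deviations as its exit status (0 = compliant).
login_defs_audit() {
    n=0
    max=$(logindef "$1" PASS_MAX_DAYS)
    if [ -z "$max" ] || [ "$max" -gt 45 ]; then
        echo "PASS_MAX_DAYS is '${max:-unset}', policy requires <= 45"; n=$((n + 1))
    fi
    min=$(logindef "$1" PASS_MIN_DAYS)
    if [ -z "$min" ] || [ "$min" -lt 3 ]; then
        echo "PASS_MIN_DAYS is '${min:-unset}', policy requires >= 3"; n=$((n + 1))
    fi
    warn=$(logindef "$1" PASS_WARN_AGE)
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
        echo "PASS_WARN_AGE is '${warn:-unset}', policy requires >= 7"; n=$((n + 1))
    fi
    um=$(logindef "$1" UMASK)
    # 0$um forces octal; a compliant mask has both the 020 and 002 bits set
    if [ -z "$um" ] || [ $((0$um & 022)) -ne $((022)) ]; then
        echo "UMASK is '${um:-unset}', policy requires at least 022"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample files: stock-looking defaults versus the tightened set.
DEFS_WEAK=$(mktemp); DEFS_TIGHT=$(mktemp)
trap 'rm -f "$DEFS_WEAK" "$DEFS_TIGHT"' EXIT
cat > "$DEFS_WEAK" <<'EOF'
# constructed: defaults that the notes would tighten
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           002
EOF
cat > "$DEFS_TIGHT" <<'EOF'
PASS_MAX_DAYS   45
PASS_MIN_DAYS   3
PASS_WARN_AGE   7
UMASK           022
EOF

for f in "$DEFS_WEAK" "$DEFS_TIGHT"; do
    echo "== $f"
    login_defs_audit "$f" && echo "compliant"
done
```

Run it as login_defs_audit /etc/login.defs on a real host; note that login.defs only supplies defaults for new accounts, so existing users still need chage -l to confirm their ageing values.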
PAM Tally:
Features:
1. The ability to tally failed login attempts and take action
2. Denies user access to the system based on the number of failed login attempts
Note: This feature/module is NOT enabled by default
/var/log/faillog - logs failed logins
Provides the 'pam_tally' utility to manipulate failed login counters
/var/log/messages contains failed login attempts in clear text unless redirected via Syslog
The 'faillog' utility performs similarly to 'pam_tally'
Usage:
 - pam_tally --user linuxcbt - displays the count for user 'linuxcbt'
 - pam_tally --user linuxcbt --reset=5 - raises the failed login count to 5
 - pam_tally --user linuxcbt --reset=0 - sets the failed login count to 0
 - pam_tally - enumerates tallies for ALL users on the system
Update ALL services to use pam_tally - configure common-auth (referenced by ALL PAM services):
/etc/pam.d/common-auth
   auth required pam_tally.so deny=3 unlock_time=60 - locks for 60 seconds
   auth required pam_tally.so deny=3 unlock_time=1800 - locks for 1800 seconds
faillog - dumps ALL failed attempts
faillog -u linuxcbt - dumps failed attempts for the user 'linuxcbt'
Syslog Configuration to re-route PAM_Tally messages - Failed Login Attempts
Syslog-NG:
filter f_auth { facility(authpriv); };
destination f_auth_dest { file("/var/log/pam_auth"); };
log { source(src); filter(f_auth); destination(f_auth_dest); };
Note: Exclude the 'authpriv' facility from the 'f_messages' filter to avoid duplicate logs
Password Policy Control using pam_passwdqc - Password Quality Checking module
/lib/security/pam_passwdqc.so - belongs to the pam-modules* package
Features:
1. Good module for enforcing password policies
2. Allows us to define minimum/maximum lengths for passwords
3. Enforces character classes 1 - 4
4. Enforces complexity based on character classes and passphrases
5. Suggests strong passwords
6. Compares the proposed new password with the existing password
7. Ability to enforce the policy for users, for everyone, or for no one (generates a warning but takes no action)
Character Classes include:
1. Upper - U
2. Lower - u
3. Digits - 0-9
4. Other characters - punctuation, non-printing characters and symbols
Note: pam_passwdqc does NOT support password histories
Note: min=N0,N1,N2,N3,N4
   N0 = 1 character class, i.e. abc
   N1 = 2 character classes, i.e. abc123
   N2 = passphrases, i.e. 'testing 1 2 3' - defaults to 3 words
   N3 = 3 character classes, i.e. Abc123
   N4 = 4 character classes, i.e. Abc123$.
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=none
Note: Update the minimum password hold in /etc/login.defs
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=users
Examples of passwords:
1. testingthenewwayoftheworld07
2. testingthenewwayoft07
3. tEsting200703
4. abc123
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=everyone max=40
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=everyone max=40 ask_oldauthtok
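To see which of the example passwords a given min= setting accepts before changing common-password, the rule can be modelled in a few lines of shell. The script below is an added example and not from the LinuxCBT notes or the passwdqc project: pwqc_classes counts character classes the way pam_passwdqc documents it (an upper-case first character and a digit last character do not count toward the class total), and pwqc_check applies the N0..N4 thresholds plus the passphrase rule (3 words by default). The function names are constructed; the real module applies further heuristics that are not modelled here.

```shell
#!/bin/sh
# Added example (not from the notes or from the passwdqc project): a shell
# model of pam_passwdqc's min=N0,N1,N2,N3,N4 rule, so a proposed setting can
# be tried against candidate passwords before it goes into common-password.
export LC_ALL=C   # keep [A-Z]/[a-z] ranges literal regardless of locale

# pwqc_classes PASSWORD: count the character classes present (upper, lower,
# digit, other). As in pam_passwdqc, an upper-case FIRST character and a
# digit LAST character do not count toward the total.
pwqc_classes() {
    p=$1
    case ${p%"${p#?}"} in [A-Z]) p=${p#?} ;; esac    # drop leading upper-case letter
    case ${p#"${p%?}"} in [0-9]) p=${p%?} ;; esac    # drop trailing digit
    n=0
    printf '%s' "$p" | grep -q '[A-Z]'        && n=$((n + 1))
    printf '%s' "$p" | grep -q '[a-z]'        && n=$((n + 1))
    printf '%s' "$p" | grep -q '[0-9]'        && n=$((n + 1))
    printf '%s' "$p" | grep -q '[^A-Za-z0-9]' && n=$((n + 1))
    echo "$n"
}

# pwqc_check PASSWORD MIN_SPEC [PASSPHRASE_WORDS]: apply a min= value such as
# disabled,24,12,8,8. Prints the verdict, returns 0 (accept) or 1 (reject).
# PASSPHRASE_WORDS defaults to 3, pam_passwdqc's default for passphrase=.
pwqc_check() {
    pw=$1; spec=$2; words=${3:-3}
    len=${#pw}
    n0=${spec%%,*}; rest=${spec#*,}
    n1=${rest%%,*}; rest=${rest#*,}
    n2=${rest%%,*}; rest=${rest#*,}
    n3=${rest%%,*}; n4=${rest#*,}
    nwords=$(( $(printf '%s' "$pw" | wc -w) + 0 ))
    if [ "$nwords" -ge "$words" ] && [ "$n2" != disabled ] && [ "$len" -ge "$n2" ]; then
        echo "accept: passphrase of $nwords words, length $len >= N2=$n2"; return 0
    fi
    classes=$(pwqc_classes "$pw")
    case $classes in
        0|1) need=$n0 ;;  2) need=$n1 ;;  3) need=$n3 ;;  *) need=$n4 ;;
    esac
    if [ "$need" = disabled ]; then
        echo "reject: $classes character class(es) is disabled by policy"; return 1
    fi
    if [ "$len" -ge "$need" ]; then
        echo "accept: $classes classes, length $len >= $need"; return 0
    fi
    echo "reject: $classes classes, length $len < $need"; return 1
}

# Try the example passwords from the notes plus a passphrase.
for pw in testingthenewwayoftheworld07 testingthenewwayoft07 tEsting200703 abc123 'testing 1 2 3'; do
    printf '%-30s ' "$pw"; pwqc_check "$pw" disabled,24,12,8,8 || true
done
```

With min=disabled,24,12,8,8 the first and third example passwords are accepted (2 classes at 28 characters; 3 classes at 13) and the second and fourth are rejected (2 classes at 21 and 6 characters). Because of the first/last character rule, the notes' 4-class example 'Abc123$.' counts as only 3 classes for the module.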
PAM Time
Features:
1. The ability to control access to services (governed by PAM) based on time and optionally TTY, user and/or group
2. Reads, by default, the /etc/security/time.conf rules file
Usage:
Syntax:
1. 4 fields in the /etc/security/time.conf rules file, i.e. services; ttys; users; times
2. The * wildcard is supported
3. Delineate or separate entries within a field using logical '&' (AND) or logical '|' (OR)
4. ! negates a rule or a component of a rule
sshd & vsftp & login;
###Rule to deny SSH access from the user 'linuxcbt'###
sshd;tty*;linuxcbt;!Al0000-2400 - denies user 'linuxcbt' access to SSHD ALL THE TIME
Note: No need to include pam_time.so in any of the configuration files because pam_time.so rules, located in /etc/security/time.conf, are ALWAYS processed
Note: Use PAM_time to effect session connection restrictions during maintenance windows
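A time.conf mistake locks people out (or fails to), so the rules are worth evaluating offline before deployment. The script below is an added example, not from the LinuxCBT notes or from Linux-PAM: it parses the four-field rules, matches the service, tty and user fields with '*' wildcards, '!' negation and '&'/'|' lists, and then, as pam_time does, denies access when a matching rule's time field does not contain the current day and HHMM. The sample rule file, user names and function names are constructed; left-to-right evaluation of '&'/'|' and the absence of ranges that wrap past midnight are simplifying assumptions of this model.

```shell
#!/bin/sh
# Added example (not from the notes or from Linux-PAM): a small evaluator
# for /etc/security/time.conf rules (services;ttys;users;times) so a rule
# can be tried out before it is deployed. Modelled: '*' wildcards, '!'
# negation, '&'/'|' lists (assumed to evaluate left to right), day tokens
# Al/Wk/Wd/Mo..Su and HHMM-HHMM ranges. Ranges that wrap past midnight and
# the real module's other details are not modelled.

# match_token PATTERN VALUE: '*'-style wildcard match; a leading '!' negates.
match_token() {
    pat=$1; val=$2; want=0
    case $pat in \!*) pat=${pat#!}; want=1 ;; esac
    case $val in $pat) r=0 ;; *) r=1 ;; esac
    [ "$r" -eq "$want" ]
}

# match_field FIELD VALUE: evaluate a logic list such as 'tty1|tty2' or
# 'sshd & !login' against VALUE.
match_field() {
    val=$2
    set -f; set -- $(printf '%s' "$1" | sed 's/[&|]/ & /g'); set +f
    [ $# -gt 0 ] || return 1
    if match_token "$1" "$val"; then state=0; else state=1; fi
    shift
    while [ $# -ge 2 ]; do
        op=$1
        if match_token "$2" "$val"; then next=0; else next=1; fi
        shift 2
        if [ "$op" = '&' ]; then
            if [ "$state" -eq 0 ] && [ "$next" -eq 0 ]; then state=0; else state=1; fi
        else
            if [ "$state" -eq 0 ] || [ "$next" -eq 0 ]; then state=0; else state=1; fi
        fi
    done
    return "$state"
}

# match_time SPEC DAY HHMM: SPEC is 'Al0000-2400', 'Wk0800-1800',
# 'MoTuWe0900-1700', ..., optionally '!'-negated, with '|' alternatives.
match_time() {
    day=$2; now=$3
    set -f; set -- $(printf '%s' "$1" | sed 's/|/ /g'); set +f
    for tok in "$@"; do
        want=0
        case $tok in \!*) tok=${tok#!}; want=1 ;; esac
        range=${tok#"${tok%%[0-9]*}"}          # HHMM-HHMM
        days=${tok%"$range"}                   # Al, Wk, Wd or a Mo/Tu/We/Th/Fr/Sa/Su run
        case $days in *Al*) days="${days}MoTuWeThFrSaSu" ;; esac
        case $days in *Wk*) days="${days}MoTuWeThFr" ;; esac
        case $days in *Wd*) days="${days}SaSu" ;; esac
        # prefix 1 and subtract 10000 so 0800 is not parsed as (invalid) octal
        s=$((1${range%-*} - 10000)); e=$((1${range#*-} - 10000)); n=$((1$now - 10000))
        hit=1
        case $days in *"$day"*)
            if [ "$n" -ge "$s" ] && [ "$n" -lt "$e" ]; then hit=0; fi ;;
        esac
        [ "$hit" -eq "$want" ] && return 0
    done
    return 1
}

# pam_time_check RULEFILE SERVICE TTY USER DAY HHMM: returns 0 (allow) or
# 1 (deny). Every rule whose first three fields match must also contain
# the current time in its fourth field, otherwise access is denied.
pam_time_check() {
    file=$1; svc=$2; tty=$3; usr=$4; day=$5; now=$6
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *\;*\;*\;*) ;; *) continue ;; esac
        f1=${line%%;*}; rest=${line#*;}
        f2=${rest%%;*}; rest=${rest#*;}
        f3=${rest%%;*}; f4=${rest#*;}
        match_field "$f1" "$svc" || continue
        match_field "$f2" "$tty" || continue
        match_field "$f3" "$usr" || continue
        if ! match_time "$f4" "$day" "$now"; then
            echo "deny: $svc/$tty/$usr at $day$now by rule '$line'"; return 1
        fi
    done < "$file"
    echo "allow: $svc/$tty/$usr at $day$now"; return 0
}

# Constructed sample rules: the rule from the notes plus two more.
TIME_CONF=$(mktemp); trap 'rm -f "$TIME_CONF"' EXIT
cat > "$TIME_CONF" <<'EOF'
# constructed sample /etc/security/time.conf
sshd;tty*;linuxcbt;!Al0000-2400        # the rule from the notes: never
login;tty1|tty2;*;Wk0800-1800          # console logins only in office hours
*;*;!root;!Wd0000-2400                 # everyone but root locked out at weekends
EOF
pam_time_check "$TIME_CONF" sshd   ttyp1 linuxcbt Mo 1200 || true
pam_time_check "$TIME_CONF" sshd   ttyp1 dean     Mo 1200 || true
pam_time_check "$TIME_CONF" login  tty1  dean     Tu 0730 || true
pam_time_check "$TIME_CONF" vsftpd ttyp0 dean     Sa 1000 || true
```

For a maintenance-window rule, run the candidate rule file through pam_time_check for the window's start and end times and for a user who must keep access (typically root) before copying it to /etc/security/time.conf.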
PAM_Nologin:
Features:
1. Prevents non-root users from logging in
2. Obviates the need to shut down services
3. Displays the contents of /etc/nologin
Usage:
   auth required pam_nologin.so
Note: pam_nologin.so is referenced by the following PAM files in SUSE 10 Ent. Linux (/etc/pam.d):
1. ppp
   a. Dial-up - modem
   b. PPTP
   c. IPSEC
   d. other remote connectivity to the system
2. login
   a. used to permit access to a shell via the system console, i.e. tty1-6
   Note: Typical tty invocation is as follows:
   a. init (the first process) is called
   b. init reads /etc/inittab
   c. /etc/inittab instructs the init process to spawn 6 ttys
   d. The 6 ttys are accessible using CTRL-ALT-F1 through F6
3. sshd
   a. SSH client connections to pseudo-terminals
   b. Also denies access if the connection is made using SFTP
Additional Usage:
Create /etc/nologin - touch /etc/nologin
Note: /etc/nologin and /lib[64]/security/pam_nologin.so do NOT apply to root or root-level users.
To Remove /etc/nologin restrictions:
1. remove or rename /etc/nologin
Note: Effect changes to specific daemons, i.e. VSFTPD, by including an 'auth' directive in the daemon's PAM file:
/etc/pam.d/vsftpd:
   auth required pam_nologin.so
1. Topology
2. Features of PAM
3. Format of PAM files - syntax - 4 required fields in the config files
4. Common PAMs
5. Account Policies with PAM
6. PAM_tally - tallies users' account login information
7. PAM_passwdqc - enforces password complexity and other attributes
8. PAM_time - restricts or grants access to services for users based on time information
9. PAM_nologin
10. PAM_limits - imposes resource limits for services, users and/or groups
11. Apache with PAM
PAM Limits:
Features:
1. Ability to limit resource utilization based on the connecting user and/or group
2. Controllable resources include:
   a. RAM accessible to the user/group
   b. Storage used
   c. Core files
   d. # of processes that a user/group may create
   e. # of open files
   f. maximum file size
   g. max # of logins per user
pam_limits.so - reads /etc/security/limits.conf
Note: PAM_limits does NOT impose limitations on UID 0 (root) users
Required Fields in /etc/security/limits.conf:
domain = user/group scope - supports the * wildcard
type = soft | hard | - (enforces both soft & hard limits)
item = pertains to the resource we intend to limit, i.e. memlock, data, core, nproc, nofile, fsize, maxlogins
value = value to assign to the item to enforce the rule. Note: usually measured in KBs
Note: PAM changes to limits take effect at the next use of the module - pam_limits.so
Note: pam_limits will NOT terminate existing sessions. Changes affect new sessions
Note: pam_limits.so MUST be referenced from at least one PAM file in /etc/pam.d
###Limits imposed by Dean###
linuxcbt hard maxlogins 7
maxlogins - enforces concurrency limits
Note: The fsize item can be used in conjunction with quotas to achieve maximum disk utilization
Apache Configuration with PAM Support:
Features:
1. Ability for Apache to authenticate users via PAM
2. Obviates the need for separate credentials file(s), i.e. created with htpasswd2 or htdigest2
Requirements:
1. Install the Apache2-devel* package - provides the 'apxs' utility
2. The 'apxs' utility compiles Apache modules
3. Download the Apache-PAM module, unless your distribution provides a binary package, i.e. an RPM or DEB file
4. [url] - mod_auth_pam (name of the Apache module which uses PAM)
Installation:
1. tar -xzvf mod_auth_pam-2.0-1.1.1.tar.gz - creates the top-level mod_auth_pam directory
2. Install the Apache2-devel* RPM using YaST
Note: We have installed Apache on another SUSE Ent. 10 box - 192.168.75.192
Note: Ensure that pam-devel* is installed as well as the compiler tools
3. execute 'make' - compiles the source to a binary
4. Copy the modules (.libs) to Apache's modules directory: /usr/lib/apache2
5. Copy samples/ to /etc/pam.d - this is an auth PAM file
6. Update the Apache configuration - multi-step
   a. /etc/sysconfig/apache2 - contains startup directives for Apache on SUSE Linux
      1. include 'mod_auth_pam' in the list of modules to load at startup of Apache HTTPD2
   b. /etc/apache2/default-server.conf - this is for the default web site
   c. If using Virtual Hosts update: /etc/apache2/vhosts.d/*.conf
Note: Confirm that the PAM module is loaded using: '-D DUMP_MODULES'