

7. PAM

7.a. PAM

PAM is a suite of shared libraries that provides an alternative way of handling user authentication in programs. The pam USE flag is enabled by default, so the PAM settings on Gentoo Linux are already reasonable, but there is always room for improvement. First install cracklib.

Code Listing 1.1: Installing cracklib

# emerge cracklib

Code Listing 1.2: /etc/pam.d/passwd

auth     required pam_unix.so shadow nullok
account  required pam_unix.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2
password required pam_unix.so md5 use_authtok
session  required pam_unix.so

This adds cracklib, which ensures that user passwords are at least 8 characters long, contain at least 2 digits and 2 other (non-alphanumeric) characters, and are more than 3 characters different from the previous password. This forces the user to choose a good password (a password policy). Check the PAM documentation for more options.
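To make the effect of the pam_cracklib arguments concrete, here is an added example (not part of the handbook and not Linux-PAM code) that models the minlen/dcredit/ocredit/difok arithmetic in Python, so a candidate password policy can be reasoned about without touching a live system. The credit rules follow the module's documented semantics (a credit of 0 or more counts up to that many characters of the class as extra length; a negative credit is a hard minimum); the ucredit/lcredit values of 1 are the module defaults, and the difok comparison is a simplified version of the module's similarity check.

```python
"""Model of the pam_cracklib options used in the handbook's /etc/pam.d/passwd stanza.

Added example, not from the Gentoo handbook or Linux-PAM. It re-implements the
minlen/dcredit/ocredit/difok checks so the policy can be unit-tested offline.
"""

# Policy from the listing: minlen=8 dcredit=-2 ocredit=-2 difok=3.
# ucredit/lcredit are not set in the listing; 1 is the module default (assumption).
POLICY = {"minlen": 8, "dcredit": -2, "ucredit": 1, "lcredit": 1, "ocredit": -2, "difok": 3}


def _classes(pw):
    """Count characters per class the way pam_cracklib groups them."""
    return {
        "dcredit": sum(c.isdigit() for c in pw),
        "ucredit": sum(c.isupper() for c in pw),
        "lcredit": sum(c.islower() for c in pw),
        "ocredit": sum(not c.isalnum() for c in pw),  # "other" = non-alphanumeric
    }


def check_password(new, old, policy=POLICY):
    """Return the list of policy rules the candidate violates (empty list = accepted).

    Credit semantics: credit >= 0 lets up to `credit` characters of that class count
    extra toward minlen; credit < 0 demands at least -credit characters of the class.
    """
    failures = []
    counts = _classes(new)
    effective_len = len(new)
    for cls, credit in policy.items():
        if cls not in counts:
            continue
        if credit >= 0:
            effective_len += min(counts[cls], credit)
        elif counts[cls] < -credit:
            failures.append(f"{cls}: need at least {-credit}, got {counts[cls]}")
    if effective_len < policy["minlen"]:
        failures.append(f"minlen: effective length {effective_len} < {policy['minlen']}")
    # difok (simplified model): characters of the old password absent from the new one.
    if old is not None:
        different = sum(1 for c in old if c not in new)
        if different < policy["difok"]:
            failures.append(f"difok: only {different} characters differ from the old password")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ("abc12345!!", "abcdefgh", "ab1!", "Summer11!!"):
        print(candidate, check_password(candidate, "summer11!!"))
```

Because the credits for digits and other characters are negative, they never add length; a policy that instead used dcredit=2 would let two digits count as extra length toward minlen without requiring any, which is the usual source of weaker-than-intended policies.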

Code Listing 1.3: /etc/pam.d/sshd

auth     required pam_unix.so nullok
auth     required pam_shells.so
auth     required pam_nologin.so
auth     required pam_env.so
account  required pam_unix.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 use_authtok
password required pam_unix.so shadow md5
session  required pam_unix.so
session  required pam_limits.so

Every service without its own PAM file in /etc/pam.d uses the rules in /etc/pam.d/other. The defaults are set to deny, as they should be. But I like to have a lot of logs, which is why I added pam_warn.so. The last entry in the sshd configuration, pam_limits.so, is controlled by /etc/security/limits.conf. See the /etc/security/limits.conf section for more on these settings.

Code Listing 1.4: /etc/pam.d/other

auth     required pam_deny.so
auth     required pam_warn.so
account  required pam_deny.so
account  required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session  required pam_deny.so
session  required pam_warn.so
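Since /etc/pam.d/other is the fallback for every service that has no file of its own, it is worth verifying the default-deny posture rather than assuming it. The following added example (not from the handbook or Linux-PAM) parses the text of a PAM service file and reports, per management group, whether a required pam_deny.so line is present and whether any pam_permit.so line would let the group pass unconditionally. The two sample files are constructed inline: the handbook's listing above and a deliberately weakened variant.

```python
"""Audit a PAM service file for a default-deny posture.

Added example, not part of the Gentoo handbook or of Linux-PAM. It parses the
text of a /etc/pam.d/<service> file and checks each management group for a
'required pam_deny.so' entry and for unconditional pam_permit.so entries.
"""
GROUPS = ("auth", "account", "password", "session")


def parse_pam_file(text):
    """Return a list of (type, control, module, args) for each non-comment line.

    Handles keyword controls (required, requisite, sufficient, optional, include,
    substack) and the bracketed [value=action ...] form. A leading '-' on the
    type (which silences missing-module errors) is stripped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 2:
            continue  # malformed; PAM itself would log an error for such a line
        mtype = tokens[0].lstrip("-").lower()
        if tokens[1].startswith("["):
            # bracketed control may span several whitespace-separated tokens
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), len(tokens) - 1)
            control = " ".join(tokens[1:end + 1])
            rest = tokens[end + 1:]
        else:
            control = tokens[1].lower()
            rest = tokens[2:]
        if not rest:
            continue  # no module name given
        entries.append((mtype, control, rest[0], rest[1:]))
    return entries


def audit_default_deny(text):
    """Return {group: bool}; True when the group has a required/requisite pam_deny.so."""
    result = {g: False for g in GROUPS}
    for mtype, control, module, _ in parse_pam_file(text):
        if mtype in result and module.endswith("pam_deny.so") and control in ("required", "requisite"):
            result[mtype] = True
    return result


def permissive_lines(text):
    """Return (type, control, module) for every pam_permit.so entry in the file."""
    return [(t, c, m) for t, c, m, _ in parse_pam_file(text) if m.endswith("pam_permit.so")]


# Constructed samples: the handbook's /etc/pam.d/other and a weakened variant.
HARDENED_OTHER = """\
auth     required pam_deny.so
auth     required pam_warn.so
account  required pam_deny.so
account  required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session  required pam_deny.so
session  required pam_warn.so
"""

WEAK_OTHER = """\
# an 'open' fallback: every service without its own file accepts everyone
auth     required pam_permit.so
account  required pam_permit.so
password required pam_deny.so
session  required pam_permit.so
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_OTHER), ("weak", WEAK_OTHER)):
        print(name, audit_default_deny(text), permissive_lines(text))
```

The audit looks at individual lines only; it does not model full stack evaluation, so a `sufficient` module placed before the pam_deny.so line would still need to be reviewed by hand. Running it over every file in /etc/pam.d, not just `other`, is a quick way to spot services that were copied from a permissive template.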




Page updated June 1, 2014

Summary: Pluggable Authentication Modules.

Kim Nielsen
Author

John P. Davis
Editor

Eric R. Stockbridge
Editor

Carl Anderson
Editor

Jorge Paulo
Editor

Sven Vermeulen
Editor

Benny Chuang
Editor

Sune Jeppesen
Editor

Tiemo Kieft
Editor

Zack Gilburd
Editor

Dan Margolis
Editor

Joshua Saddler
Editor


Copyright 2001-2014 Gentoo Foundation, Inc.