1. PAM
PAM is a suite of shared libraries that provides an alternative way of handling
user authentication in programs. The pam USE flag is enabled by default, so the
PAM settings on Gentoo Linux are already reasonable, but there is always room for
improvement. First install cracklib.
Code Listing 1.1: Installing cracklib
# emerge cracklib
Code Listing 1.2: /etc/pam.d/passwd
# Authenticate against /etc/shadow; nullok permits accounts with an empty password
auth required pam_unix.so shadow nullok
account required pam_unix.so
# pam_cracklib checks the new password against the policy before pam_unix stores it
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2
# use_authtok: reuse the password already approved by pam_cracklib instead of prompting again
password required pam_unix.so md5 use_authtok
session required pam_unix.so
This adds pam_cracklib, which ensures that user passwords are at least 8
characters long, contain a minimum of 2 digits and 2 non-alphanumeric
characters, and differ from the previous password in at least 3 characters.
This forces the user to choose a good password (password policy). Check the PAM
documentation for more options.
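As an added example (not from the handbook), the rules pam_cracklib applies for the options in the listing above, reimplemented in Python: the parse of the pam.d line, the length-with-credits check, and the difok distance check. The real module also runs the cracklib dictionary lookup and its palindrome and case-change tests, which are omitted here; the sample line and passwords are constructed.

```python
# Constructed input: the pam_cracklib line from the /etc/pam.d/passwd listing above.
PASSWD_LINE = "password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2"

# pam_cracklib's defaults for the options modelled here; retry only controls re-prompting.
DEFAULTS = {"minlen": 9, "difok": 5, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

def parse_pam_line(line):
    """Split a pam.d line into (type, control, module, options) with defaults filled in."""
    ptype, control, module, *args = line.split()
    opts = dict(DEFAULTS)
    for arg in args:
        key, _, val = arg.partition("=")
        opts[key] = int(val) if val.lstrip("-").isdigit() else val
    return ptype, control, module, opts

def levenshtein(a, b):
    """Edit distance between two strings; pam_cracklib's difok test is based on it."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(new, old, opts):
    """Return the name of the first rule `new` violates, or None if it passes."""
    counts = {
        "dcredit": sum(c.isdigit() for c in new),
        "ucredit": sum(c.isupper() for c in new),
        "lcredit": sum(c.islower() for c in new),
        "ocredit": sum(not c.isalnum() for c in new),
    }
    size = len(new)
    for name, count in counts.items():
        credit = opts[name]
        if credit < 0:
            if count < -credit:  # negative credit: a hard minimum for that class
                return name
        else:
            size += min(count, credit)  # positive credit: each class lengthens the password
    if size < opts["minlen"]:
        return "minlen"
    if old is not None and levenshtein(new, old) < opts["difok"]:
        return "difok"
    return None

_, _, _, POLICY = parse_pam_line(PASSWD_LINE)
```

With the page's options, ucredit and lcredit keep their default of 1, so a password with one upper- and one lower-case letter counts as two characters longer than its real length.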
Code Listing 1.3: /etc/pam.d/sshd
auth required pam_unix.so nullok
# Only allow users whose shell is listed in /etc/shells
auth required pam_shells.so
# Refuse non-root logins while /etc/nologin exists
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix.so
# Same stack as /etc/pam.d/passwd: pam_cracklib enforces the policy, pam_unix takes the approved token
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2
password required pam_unix.so shadow md5 use_authtok
session required pam_unix.so
# Apply the per-user resource limits from /etc/security/limits.conf
session required pam_limits.so
Every service not configured with a PAM file in /etc/pam.d will
use the rules in /etc/pam.d/other. The defaults are set to
deny, as they should be. But I like to have a lot of logs, which is why
I added pam_warn.so. The last configuration is pam_limits, which
is controlled by /etc/security/limits.conf. See the /etc/security/limits.conf section
for more on these settings.
Code Listing 1.4: /etc/pam.d/other
# pam_deny fails every stage for services without their own file; because the
# control is required (not requisite), pam_warn still runs and logs the attempt via syslog
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so