Linux-PAM: Pluggable Authentication Module

Presentation transcript:

Linux-PAM: Pluggable Authentication Module
- Collection of libraries (modules) that allow a system administrator to decide how applications will authenticate users
- Separates the task of authentication from privilege-granting programs

Linux-PAM in Action

PAM Example: login program
- Allows access to a Linux system:
  1. Started on each tty (console)
  2. User types username
  3. Request authentication (password)
  4. Verify the user is who they claim to be (check /etc/passwd)
  5. Start shell
- PAM provides steps 3 and 4

Linux-PAM Operation
- Programs must be built to utilize PAM
- PAM tells the program what it needs
- Separates the authentication task into four groups:
  – Account management
  – Authentication management
  – Password management
  – Session management

PAM Groups
- Account mgmt
  – Used to perform account management functions. Ex: Has the user's password expired? Is the user allowed to access this service?
- Authentication mgmt
  – Verify the user is who they claim to be

PAM Groups (cont)
- Password mgmt
  – Involves updating authentication tokens (passwords, tickets)
- Session mgmt
  – Covers tasks that should be done before a service is granted and after it is revoked (mounting/unmounting home directories)

PAM Organization
- /lib/security/pam_*.so – the PAMs
- /lib/libpam.so.* – the PAM library
- /etc/pam.conf
  – Configuration file to specify how services will authenticate users
  – Alternatively, one config file per service in the /etc/pam.d directory, e.g. /etc/pam.d/login

Config File Structure
- Each line of the file has these elements:
  – service-name: name of the service (login)
    Can be omitted if the second method (/etc/pam.d) is used
    A special service name – OTHER – is reserved for services with no configuration present
  – module-type: PAM group this module operates in (acct, auth, password, session)
  – control-flag: indicates how PAM will react to success/failure of the module
  – module-path: path to the PAM
  – args: arguments to the module

Module Stacking
- Several modules of the same type (group) can be executed sequentially
- Each module contributes to the success/failure of the group
- Known as stacking
- Ex: (auth)
  – Get password
  – Laser beams of death
  – Fingerprint scan

Module Stacking (cont)
- Control flag values:
  – required: success of the module is required for the group to succeed. Failure of the module will not be noticed until all modules have been executed
  – requisite: same as required, but if the module fails no more modules are executed – control returns to the application
  – sufficient: indicates that success of this module is sufficient for the whole group
  – optional: success of the module is optional

Example Config File: /etc/pam.d/login

    auth     required /lib/security/pam_securetty.so
    auth     required /lib/security/pam_stack.so service=system-auth
    auth     required /lib/security/pam_nologin.so
    account  required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_stack.so service=system-auth
    session  required /lib/security/pam_stack.so service=system-auth
    session  optional /lib/security/pam_console.so
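The config-file structure, the stacking rules and the example file above can be tied together in a small simulator. The following Python is an added example and not Linux-PAM's own code: it parses both the /etc/pam.conf format (with service-name and the OTHER fallback) and the /etc/pam.d format, then walks one group's stack applying the required/requisite/sufficient/optional semantics described on the previous slides. Module outcomes are supplied as a constructed dict rather than by running real modules, and the config texts (the slide's su lines, a deny/warn default, and a required-vs-requisite pair) are constructed for the demonstration.

```python
"""Parse PAM configuration and simulate how control flags combine module
results into a per-group verdict.

Added example, not Linux-PAM's own code: a real stack is driven by libpam
and the modules themselves; here each module's outcome is supplied as a
constructed dict so the effect of required/requisite/sufficient/optional
can be inspected directly."""

import os
from dataclasses import dataclass, field


@dataclass
class Rule:
    mtype: str              # account | auth | password | session
    control: str            # required | requisite | sufficient | optional
    module: str             # path to the PAM shared object
    args: list = field(default_factory=list)


def parse_pam(text, service=None):
    """Parse PAM config lines into Rule objects.

    service=None: /etc/pam.d/<service> format (type control module args).
    service given: /etc/pam.conf format with a leading service-name field;
    only that service's lines are kept, falling back to OTHER when none match."""
    rows = [raw.split("#", 1)[0].split() for raw in text.splitlines()]
    rows = [r for r in rows if r]
    if service is not None:
        mine = [r[1:] for r in rows if r[0].lower() == service.lower()]
        if not mine:
            mine = [r[1:] for r in rows if r[0].lower() == "other"]
        rows = mine
    rules = []
    for fields in rows:
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {' '.join(fields)!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3:]))
    return rules


def evaluate_stack(rules, mtype, outcomes):
    """Run one group's stack. outcomes maps module basename -> True/False;
    a module without a recorded outcome is treated as failing.
    Returns (verdict, list of module basenames actually executed)."""
    executed = []
    failed = False          # a required module failed (only acted on at the end)
    decisive = False        # stack contains required/requisite modules
    last_optional = None
    for rule in (r for r in rules if r.mtype == mtype):
        name = os.path.basename(rule.module)
        ok = outcomes.get(name, False)
        executed.append(name)
        if rule.control == "required":
            decisive = True
            if not ok:
                failed = True           # keep running: the failure is not revealed early
        elif rule.control == "requisite":
            decisive = True
            if not ok:
                return False, executed  # abort: control returns to the application
        elif rule.control == "sufficient":
            if ok and not failed:
                return True, executed   # enough for the group; later modules are skipped
        elif rule.control == "optional":
            last_optional = ok          # only matters if nothing else decides
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    if not decisive:
        # only optional (or failed sufficient) modules: no success was granted
        return bool(last_optional), executed
    return not failed, executed


# Constructed configs: the slide's /etc/pam.d/su lines, a deny/warn default
# in /etc/pam.conf format, and a required/requisite pair for comparison.
SU_CONF = """
auth sufficient /lib/security/pam_rootok.so debug
auth required   /lib/security/pam_wheel.so group=wheel
"""

PAM_CONF = """
login auth required /lib/security/pam_securetty.so
login auth required /lib/security/pam_unix.so
OTHER auth required pam_deny.so
OTHER auth required pam_warn.so
"""

REQUIRED_CONF = "auth required  pam_securetty.so\nauth required  pam_unix.so"
REQUISITE_CONF = "auth requisite pam_securetty.so\nauth required  pam_unix.so"


if __name__ == "__main__":
    su = parse_pam(SU_CONF)
    print(evaluate_stack(su, "auth", {"pam_rootok.so": True}))
    print(evaluate_stack(su, "auth", {"pam_rootok.so": False, "pam_wheel.so": True}))
    # a service with no lines of its own picks up the OTHER entries and is denied
    print(evaluate_stack(parse_pam(PAM_CONF, "ftp"), "auth", {"pam_warn.so": True}))
```

The returned list of executed modules is what distinguishes required from requisite: with the same failing first module, the requisite stack stops after one module while the required stack runs both and only then reports failure.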

PAMified Programs (RH 7.3)
- login: sign onto the system
- su: substitute user
- passwd: change passwords
- halt: halt the system
- reboot: reboot the system

Using PAM: Restricting su
- Add to /etc/pam.d/su:

    auth sufficient /lib/security/pam_rootok.so debug
    auth required   /lib/security/pam_wheel.so group=wheel

Using PAM (cont): Password strength
- Add to /etc/pam.d/passwd:

    password required /lib/security/pam_cracklib.so retry=3 minlen=8

Using PAM (cont): Enforcing resource limits
- Add to /etc/pam.d/login:

    session required /lib/security/pam_limits.so

- Edit the /etc/security/limits.conf file
- Can specify limits on number of processes, memory usage, and size of core dumps

Using PAM (cont): Strong default configuration
- /etc/pam.d/other:

    auth     required pam_deny.so
    auth     required pam_warn.so
    account  required pam_deny.so
    account  required pam_warn.so
    password required pam_deny.so
    password required pam_warn.so
    session  required pam_deny.so
    session  required pam_warn.so

Kernel Tuning: /proc filesystem
- "virtual" filesystem – exists only in memory
- Can view info on running processes:
  – Environment
  – Path to executable
  – Memory usage
- Interface into the kernel – source of information
- Can be used to configure the kernel dynamically

Contents of /proc
- filesystems – file which lists the filesystems supported by the kernel
- net – directory containing files which give info about the network
- pci – file which contains the list of PCI devices and their configuration
- sys – contains variables which can be modified to alter kernel behavior

Changing Variables
- Two ways:
  1. Since files in /proc/sys are text, can pipe the output of standard text commands, e.g. echo
     – Changes disappear upon reboot
  2. sysctl command
     – /etc/sysctl.conf file – stores variable/value pairs
     – Read at boot by a startup script

TCP SYN Cookies
- SYN floods – DoS attack which fills the SYN queue
  – Host cannot accept any more connections
- Defense – SYN Cookies:
  1. Host receives SYN packet from initiator
  2. Computes SYN cookie – function of source/dest IP addr, ports, time & secret
  3. Sends SYN cookie value as ISN of SYN/ACK reply
  4. If the original SYN was syncere (hah!), the initiator will reply with an ACK packet – acknowledgement number will be the SYN cookie
  5. Host recomputes SYN cookie using values from the ACK packet and recent values of time
  6. If the new SYN cookie matches the acknowledgement number – connection established
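The six steps above, written out as a toy generator and verifier. This is an added example and not the Linux kernel's implementation (the kernel uses its own hash construction and bit layout and also encodes the MSS in the cookie); the secret, the 64-second time slot and the 2-slot acceptance window are constructed parameters. One detail the slide elides: TCP acknowledges ISN + 1, so the verifier subtracts one from the acknowledgement number before comparing. The defensive point is visible in the code: the server keeps no per-SYN state between steps 3 and 5, so a flood of SYNs cannot fill a queue.

```python
"""Toy SYN cookie generator and verifier following the six steps on the slide.

Added example, not the Linux kernel's implementation. The cookie is the first
32 bits of an HMAC-SHA256 over the 4-tuple and a coarse time counter, keyed
with a server-side secret; SECRET, SLOT_SECONDS and MAX_SLOT_AGE are
constructed parameters."""

import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-server-secret"   # a real host draws this randomly at boot
SLOT_SECONDS = 64                        # granularity of the "time" input
MAX_SLOT_AGE = 2                         # how far back step 5 looks


def time_counter(now):
    """Step 2's time input: a slowly changing counter instead of raw seconds."""
    return int(now) // SLOT_SECONDS


def syn_cookie(src_ip, dst_ip, sport, dport, counter, secret=SECRET):
    """Step 2: cookie = f(source/dest addr, ports, time, secret).
    The 32-bit result is sent as the ISN of the SYN/ACK (step 3); nothing is
    stored on the server for this half-open connection."""
    msg = struct.pack(
        "!4s4sHHI",
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
        sport, dport, counter & 0xFFFFFFFF,
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def verify_ack(src_ip, dst_ip, sport, dport, ack_number, now, secret=SECRET):
    """Steps 5 and 6: recompute the cookie for the current and recent time
    slots from the values in the ACK packet and compare. TCP acknowledges
    ISN + 1, so the cookie the client echoes is ack_number - 1."""
    claimed = struct.pack("!I", (ack_number - 1) & 0xFFFFFFFF)
    current = time_counter(now)
    for age in range(MAX_SLOT_AGE + 1):
        expected = struct.pack(
            "!I", syn_cookie(src_ip, dst_ip, sport, dport, current - age, secret))
        if hmac.compare_digest(claimed, expected):
            return True     # genuine handshake: establish the connection now
    return False            # forged, replayed or too old: drop it


if __name__ == "__main__":
    now = 1_700_000_000
    isn = syn_cookie("192.0.2.10", "198.51.100.5", 40000, 80, time_counter(now))
    # the honest initiator's ACK arrives a little later with ISN + 1
    print(verify_ack("192.0.2.10", "198.51.100.5", 40000, 80, isn + 1, now + 30))
```

The time window is the trade-off a practitioner should notice: it has to be long enough for a legitimate round trip, but every extra slot is one more value a forged ACK could match.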

Enable SYN Cookies

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

- or -

    sysctl -w net.ipv4.tcp_syncookies=1

- Also, add the following line to /etc/sysctl.conf:

    net.ipv4.tcp_syncookies = 1

Source-routing
- Packet contains details of the path to the destination
- Reply must also follow the path
- Attacker can forge packets to include his/her machine in the return path
  – Can intercept traffic
- Solution: do not accept source-routed packets

Reject source-routed packets

    for f in /proc/sys/net/ipv4/conf/*/accept_source_route
    do
        echo 0 > $f
    done

- or -

    sysctl -w net.ipv4.conf.all.accept_source_route=0
    sysctl -w net.ipv4.conf.default.accept_source_route=0
    sysctl -w net.ipv4.conf.eth0.accept_source_route=0
    sysctl -w net.ipv4.conf.lo.accept_source_route=0

Ignore ICMP Echo Requests

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

- or -

    sysctl -w net.ipv4.icmp_echo_ignore_all=1

Ignore ICMP Broadcasts

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

- or -

    sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Ignore ICMP Redirects
- Used to inform hosts of a non-functioning or non-optimal route
- Can be used by attackers to alter routing tables
- To disable:

    for f in /proc/sys/net/ipv4/conf/*/accept_redirects
    do
        echo 0 > $f
    done
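The settings from the SYN-cookie, source-routing and ICMP slides can be checked rather than only set. The Python below is an added example, not part of the presentation: it maps sysctl keys to their /proc/sys files, parses /etc/sysctl.conf syntax, and reports every key that is missing or not at the value the slides recommend, both for a config file and (when run on Linux) for the live kernel. The expected values are the slides' own; the sample sysctl.conf text is constructed and deliberately has one correct key, one weak value and several missing keys.

```python
"""Audit kernel network settings against the hardening values on the slides.

Added example, not part of the presentation: HARDENED lists the values the
slides set; SAMPLE_CONF is a constructed /etc/sysctl.conf for demonstration."""

import os

# key -> hardened value, as set on the slides
HARDENED = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.icmp_echo_ignore_all": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
}


def proc_path(key):
    """Map a sysctl key to its /proc/sys file. sysctl also accepts '/' as the
    separator, which is how keys for interfaces whose names contain dots
    (e.g. VLAN devices) are written; both spellings are handled."""
    rel = key if "/" in key else key.replace(".", "/")
    return "/proc/sys/" + rel.strip("/")


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: 'key = value' lines; '#' or ';' start a comment line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings, expected=HARDENED):
    """Return [(key, actual_or_None, wanted)] for every key not at its hardened value."""
    return [(k, settings.get(k), v) for k, v in expected.items() if settings.get(k) != v]


def audit_running(expected=HARDENED):
    """Same check against the live kernel via /proc/sys; None when not on Linux."""
    if not os.path.isdir("/proc/sys/net/ipv4"):
        return None
    live = {}
    for key in expected:
        try:
            with open(proc_path(key)) as f:
                live[key] = f.read().strip()
        except OSError:
            pass                       # key absent on this kernel: reported as None
    return audit(live, expected)


def remediation(findings):
    """Turn audit findings into the sysctl -w commands the slides use."""
    return [f"sysctl -w {k}={v}" for k, _, v in findings]


# constructed sample: one key correct, one weak, the rest absent
SAMPLE_CONF = """
# Kernel sysctl configuration (constructed sample)
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
; weak: the slides set this to 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
"""


if __name__ == "__main__":
    for key, actual, wanted in audit(parse_sysctl_conf(SAMPLE_CONF)):
        print(f"{key}: found {actual!r}, want {wanted!r}")
    live = audit_running()
    print("live kernel findings:", "n/a (not Linux)" if live is None else live)
```

Checking the `all`, `default` and per-interface keys separately matters because, as the source-routing slide shows, the kernel keeps one copy of these flags per interface; a value set only under `all` or `default` is not proof that every existing interface has it.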

Sources
- Securing and Optimizing Red-Hat Linux
- The Linux Administrator's Security Guide
- Skoudis, Ed. Counter Hack. Prentice Hall, New Jersey; pp.
- Linux man pages

Questions?