Presentation is loading. Please wait.

Presentation is loading. Please wait.

Linux-PAM Pluggable Authentication Module Pluggable Authentication Module Collection of libraries (modules) that allow a system administrator to decide.

Published bySusanna Ford Modified over 8 years ago

Similar presentations

Presentation on theme: "Linux-PAM Pluggable Authentication Module Pluggable Authentication Module Collection of libraries (modules) that allow a system administrator to decide."— Presentation transcript:

1 Linux-PAM Pluggable Authentication Module Pluggable Authentication Module Collection of libraries (modules) that allow a system administrator to decide how applications will authenticate users Collection of libraries (modules) that allow a system administrator to decide how applications will authenticate users Separates task of authentication from privilege-granting programs Separates task of authentication from privilege-granting programs

2 Linux-PAM in Action

3 PAM Example login program login program –Allows access to a Linux system 1. Started on each tty (console) 2. User types username 3. Request authentication (password) 4. Verify user is who they claim to be (check /etc/passwd) 5. Start shell –PAM provides 3 & 4

4 Linux-PAM Operation Programs must be built to utilize PAM Programs must be built to utilize PAM PAM tells program what it needs PAM tells program what it needs Separates authentication task into four groups: Separates authentication task into four groups: –Account management –Authentication management –Password management –Session management

5 PAM Groups Account mgmt Account mgmt –Used to perform account management functions. Ex: Has user’s password expired? Is user allowed to access this service? Authentication mgmt Authentication mgmt –Verify the user is who they claim to be

6 PAM Groups (cont) Password mgmt Password mgmt –Involves updating authentication tokens (passwords, tickets) Session mgmt Session mgmt –Cover tasks that should be done prior to a service being granted and after it is revoked (mounting/unmounting home directories)

7 PAM Organization /lib/security/pam_*.so – the PAMs /lib/security/pam_*.so – the PAMs /lib/libpam.so.* - the PAM library /lib/libpam.so.* - the PAM library /etc/pam.conf /etc/pam.conf –Configuration file to specify how services will authenticate users –Alternatively, one config file per service in /etc/pam.d directory /etc/pam.d/login /etc/pam.d/login

8 Config File Structure Each line of file has these elements: Each line of file has these elements: –service-name : name of service (login) Can be omitted if second method is used Can be omitted if second method is used A special service name – OTHER – is reserved for services with no configuration present A special service name – OTHER – is reserved for services with no configuration present –module-type : PAM group this module operates in (acct, auth, password, session) –control-flag : indicates how PAM will react to success/failure of module –module-path : path to the PAM –args : arguments to the module

9 Module Stacking Several modules of same type (group) can be executed sequentially Several modules of same type (group) can be executed sequentially Each module contributes to success/failure of group Each module contributes to success/failure of group Known as stacking Known as stacking Ex: (auth) Ex: (auth) –Get password –Laser beams of death –Fingerprint scan

10 Module Stacking (cont) Control flag values: Control flag values: –required : success of module is required for the group to succeed. Failure of module will not be noticed until all modules have been executed –requisite : same as required, but if module fails no more modules are executed – control returns to application –sufficient : indicates that success of this module is sufficient for the whole group –optional : success of module is optional

11 Example Config File /etc/pam.d/login /etc/pam.d/login auth required /lib/security/pam_securetty.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so

12 PAMified Programs RH 7.3 RH 7.3 –login: sign onto system –su: substitute user –passwd: change passwords –halt: halt the system –reboot: reboot the system

13 Using PAM Restricting su Restricting su –Add to /etc/pam.d/su: auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=wheel

14 Using PAM (cont) Password strength Password strength –Add to /etc/pam.d/passwd password required /lib/security/pam_cracklib.so retry=3 minlen=8

15 Using PAM (cont) Enforcing resource limits Enforcing resource limits –Add to /etc/pam.d/login session required /lib/security/pam_limits.so –Edit /etc/security/limits.conf file –Can specify limits on number of processes, memory usage, and size of core dumps

16 Using PAM (cont) Strong default configuration Strong default configuration –/etc/pam.d/other: auth required pam_deny.so auth required pam_warn.so account required pam_deny.so account required pam_warn.so password required pam_deny.so password required pam_warn.so session required pam_deny.so session required pam_warn.so

17 Kernel Tuning /proc filesystem /proc filesystem –“virtual” filesystem – exists only in memory –Can view info on running processes Environment Environment Path to executable Path to executable Memory usage Memory usage –Interface into kernel – source of information –Can be used to configure kernel dynamically

18 Contents of /proc filesystems – file which lists filesystems supported by kernel filesystems – file which lists filesystems supported by kernel net – directory containing files which give info about network net – directory containing files which give info about network pci – file which contains list of PCI devices and their configuration pci – file which contains list of PCI devices and their configuration sys – contains variables which can be modified to alter kernel behavior sys – contains variables which can be modified to alter kernel behavior

19 Changing Variables Two ways: Two ways: 1.Since files in /proc/sys are text, can pipe output of standard text commands, i.e. echo Changes disappear upon reboot Changes disappear upon reboot 2. sysctl command /etc/sysctl.conf file – stores variable/value pairs /etc/sysctl.conf file – stores variable/value pairs Read at boot by startup script Read at boot by startup script

20 TCP SYN Cookies SYN floods – DoS attack which fills SYN queue SYN floods – DoS attack which fills SYN queue –Host cannot accept any more connections Defense – SYN Cookies Defense – SYN Cookies 1.Host receives SYN packet from initiator 2.Computes SYN cookie – function of source/dest IP addr, ports, time & secret 3.Sends SYN cookie value as ISN of SYN/ACK reply 4.If original SYN was syncere (hah!), initiator will reply with ACK packet - acknowledgement number will be SYN cookie 5.Host recomputes SYN cookie using values from ACK packet and recent values of time 6.If new SYN cookie matches acknowledgement number – connection established

21 Enable SYN Cookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies - or - sysctl –w net.ipv4.tcp_syncookies=1 sysctl –w net.ipv4.tcp_syncookies=1 –Also, add following line to /etc/sysctl.conf net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1

22 Source-routing Packet contains details of path to destination Packet contains details of path to destination Reply must also follow path Reply must also follow path Attacker can forge packets to include his/her machine in the return path Attacker can forge packets to include his/her machine in the return path –Can intercept traffic Solution: do not accept source-routed packets Solution: do not accept source-routed packets

23 Reject source-routed packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route for f in /proc/sys/net/ipv4/conf/*/accept_source_routedo echo 0 > $f done - or - sysctl –w net.ipv4.conf.all.accept_source_route=0 sysctl –w net.ipv4.conf.all.accept_source_route=0 sysctl –w net.ipv4.conf.default.accept_source_route=0 sysctl –w net.ipv4.conf.eth0.accept_source_route=0 sysctl –w net.ipv4.conf.lo.accept_source_route=0

24 Ignore ICMP Echo Requests echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all - or - sysctl –w net.ipv4.icmp_echo_ignore_all=1 sysctl –w net.ipv4.icmp_echo_ignore_all=1

25 Ignore ICMP Broadcasts echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts - or - sysctl –w net.ipv4.icmp_echo_ignore_broadcasts=1 sysctl –w net.ipv4.icmp_echo_ignore_broadcasts=1

26 Ignore ICMP Redirect Used to inform hosts of non-functioning or non-optimal route Used to inform hosts of non-functioning or non-optimal route Can be used by attackers to alter routing tables Can be used by attackers to alter routing tables To disable: To disable: for f in /proc/sys/net/ipv4/conf/*/accept_redirects do echo 0 > $f done

27 Sources Securing and Optimizing Red-Hat Linux Securing and Optimizing Red-Hat Linux http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html The Linux Administrator’s Security Guide The Linux Administrator’s Security Guide http://www.seifried.org/lasg/ Skoudis, Ed. Counter Hack. Prentice Hall, New Jersey; 2002. 564 pp. Skoudis, Ed. Counter Hack. Prentice Hall, New Jersey; 2002. 564 pp. Linux man pages. Linux man pages.

28 Questions?

Download ppt "Linux-PAM Pluggable Authentication Module Pluggable Authentication Module Collection of libraries (modules) that allow a system administrator to decide."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Basic Unix system administration

Basic Unix system administration
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Linux+ Guide to Linux Certification, Second Edition Chapter 3 Linux Installation and Usage.

Linux+ Guide to Linux Certification, Second Edition Chapter 3 Linux Installation and Usage.
Linux Security 資管研究生 劉順德. Outline General Security –Account –Local –Network –Patch Services Security –Sendmail –BIND/DNS –Apache –FTP Recent Linux security.

Linux Security 資管研究生 劉順德. Outline General Security –Account –Local –Network –Patch Services Security –Sendmail –BIND/DNS –Apache –FTP Recent Linux security.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
CCNA 2 v3.1 Module 2.

CCNA 2 v3.1 Module 2.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Port Scanning.

Port Scanning.
Linux Operations and Administration

Linux Operations and Administration

Similar presentations

Ads by Google