Professional Documents
Culture Documents
1.1 Entities
1.1 Entities
INTRODUCTION
1.1 ENTITIES:
There are as many authentication methods as one might care to count. None of
them are perfect and none of them are invulnerable. In general, any given
authentication method becomes weaker over time. It is common then for new
authentication methods to be developed in response to newly discovered weaknesses
in the old authentication.
1.2 METHODS:
The problem with inventing new authentication methods is the fact that old
applications do not support them. This contributes to an inertia that discourages the
overhaul of weakly protected systems. Another problem is that individuals (people)
are frequently powerless to layer the protective authentication around their systems.
They are forced to rely on single (lowest common denominator) authentication
scheme seven in situations where this is far from appropriate.
PAM, as discussed in this document, is a generalization of the approach first
introduced in [1]. In short, it is a general framework of interfaces that abstract the
process of authentication.
1
CHAPTER 2
OVERVIEW
2
Figure 2.1 PAM FRAMEWORK
2.1 DEFINITIONS:
3
2.2 AUTHENTICATION PROCESS:
+-------+
+--------+
. . . . .| agent |
.| module |
+-------+
.+--------+
4
|
.|
V|
+---------+ +-------+
. +------+
| |libpamc|
. |libpam|
| +-------+
. +------+
|applicant|
.|
| +--------+
+----------+
+---------+ +--------+
+----------+
5
Solid lines connecting the boxes represent two-way interaction. The dotted-
directed lines indicate an optional connection between the plug in module (agent) and
the server (applicant). In the case of the module, this represents the module invoking
the 'conversation' callback function provided to lib pam by the server application
when it inititializes the lib pam library. In the case of the agent, this may be some out-
of-PAM API interaction (for example directly displaying a dialog box under X).
2.3 DEFINED DATA TYPES:
In this draft, we define two composite data types, the text string and the
binary prompt. They are the data types used to communicate authentication requests
and responses.
This application is completely responsible for the server end of the transport
layer connecting the server to the client. PAM makes no assumptions about how data
is encapsulated for exchanges between the server and the client, only that full octet
sequences can be freely exchanged without corruption. Client application providing
the direct/primary interface to applicant. This application is completely responsible
for the client end of the transport layer connecting the server to the client. PAM
makes no assumptions about how data is encapsulated for exchanges between the
server and the client, only that full octet sequences can be freely exchanged without
corruption.
6
CHAPTER 3
PAM MANAGEMENT SERVICES
3.1 AUTH:
Determines whether the user is who they claim to be, usually by a password,
but perhaps more sophistcated means, such as biometrics.
3.2 ACCOUNT:
Determines whether the user is allowed to access the service. This is different
from establishing whether the user is who they say they are. Account management
deals with enforcing the expiration of passwords and preventing logins during system
time.
3.3 PASSWORD:
Provides a mechanism for the user to change their authentication. Again, this
usually their password.
3.4 SESSION:
Things that should be done before and/or after the user is authenticed. This might
included things such as mounting/unmounting the user home directory, logging their
login/logout, and restricting/unrestricting the services available to the user.
7
3.5 SUFFICIENT:
Success of this module is sufficient for the stack of this module type to
succeed. If authentication by this module is successful, PAM will grant
authentication.
3.6 CONTROL:
PAM modules can be stacked – there can be any number of modules of the
same module type for a single application. The application is not told of the individual
success or failure of any module, only of the success or failure of the stack. The
control flags determine how each module affects the success or failure of the stack.
Modules in the stack are executed in the order they are listed in the configuration file.
The second field in the configuration file is the control token, which tells PAM what
should be done in if authentication by this module fails. PAM recognizes four control
types: required, requisite, sufficient, and optional.
3.7 REQUISITE:
The module must succeed for the stack of this module type to succeed. Failure
to authenticate via this module results in immediate denial of authentication.
3.8 REQUIRED:
The module must succeed for the stack of this module type to succeed.
Failure also results in denial of authentication, although PAM will still call all the
other modules listed for this service before denying authentication.
3.9 OPTIONAL:
Not critical to the success or failure of the stack. If at least one non-optional
module succeeds or fails, the result of this module is ignored when calculating the
success or failure of the stack. Whether this module succeeds or fails is only
significant if it is the only module of its type for this service.
8
3.10 MODULE PATH:
The module-path tells PAM which module to use and (optionally) where to
find it. Most configurations only contain the module’s name. Since Linux-PAM-0.56
was released there is support for a default authentication-module directory, and a full
path is no longer required, only the name of the module. PAM looks for the modules
in the default PAM module directory, normally /usr/lib/security.
9
CHAPTER 4
BASIC PAM MODULES
4.1 PAM_UNIX.SO:
Establishes the validity of the user’s account and password and may offer
advice on changing the user’s password, or force a password change. The actions this
module performs are controlled by the /etc/password and /etc/shadow files.
Arguments: audit, debug.
4.3 AUTH:
This component of the module checks the user’s password against the
password databases. Configuration for this component is done in /etc/ns switch. conf.
An additional binary, unix_chkpwd, is used to allow the component to read protected
databases without requiring the whole module to be set uid root. Arguments: audit,
debug, no delay, null ok, try_ first_ pass, use _first_ pass.
4.4 PASSWORD:
This component logs the user name and session type to syslog, at the start and
end of the user’s session. There are no arguments to this component.
10
4.5 AUDIT:
A more extensive form of debug o big crypt Use the DEC “C2″ extension to
crypt().
Not_ Set_ Pass – Don’t use the passwords from other stacked modules.
Try_ First_ Pass – Use the password from the previous stacked auth module, and
incorrect.
Use_ Authtok – Set the new password to the one provided by a previous module.
Use_ First_ Pass – Use the result from the previous stacked auth module, never
prompts the user for a password, fails if the result was a fail.
11
NETWORK PAM MODEL DIAGRAM:
12
CHAPTER 5
PAM CONNECTIVITY
13
The account modules checks for password aging, account expiration and
accesshour restrictions. Once the user is identified using the authentication
modules,the account modules will determine if the user can be given access.
The session modules primarily manage the opening and closing of
anauthentication session. They can log activity or can provide for clean-up after
the session is over.The password modules allow for changes to the password and the
password-related attributes.
PAM allows for authentication by multiple methods through stacking. When a
user is authenticated through PAM, multiple methods can be selected to fully identify
the user. Depending on the configuration, the user can be prompted for passwords for
each authentication method. Therefore, the user will not need to remember to execute
another command to get fully authenticated. The order that the methods are used is
determined through the configuration file,
/etc/pam.conf.
5.4 PAM_ISSUE.SO
This module allows you to prepend an issue file to the username prompt. It
also by default parses escape codes in the issue file similar to some common getty’s
(using \x format).
Recognized escapes:
•d – current date
•s – operating system name
•l – name of this tty
•m – architecture of this system (i686, sparc, powerpc, …)
•n – hostname of this system
14
•o – domainname of this system
•r – release number of the operation system (eg. 2.2.12)
•t – current time
•u – number of users currently logged in
•U – same as u, except it is suffixed with “user” or “users” (eg. “1 user” or “10 users”
•v – version/build-date of the operating system (eg. “#3 Mon Aug 23 14:38:16 EDT
1999″on Linux).
The behavior of this module can be modified with one of the following flags:
15
CHAPTER 6
PAM ADMINISTRATION
16
CHAPTER 7
PAM SOFTWARE
17
The pam_unix module
18
CHAPTER 8
CONCLUSOINS
With the above we are able to do authenticated smtp using standard out of the box
exim and the standard pam modules that come with linux. So no need for sassl authd
or pam_exim or anything else, it all just works. Hope this is cluefull to those of you
trying to do the same.
8.1 POINTS FOR CONSIDERATION
I found this helpful, but suggest that other readers should consider two points
re /etc/pam.d/exim file above:
Is null_ok right for your system (Do you want to allow accounts with no
password to relay mail)?
19
CHAPTER-9
LIST OF REFERENCES
http://www.kernel.org/pub/linux/libs/pam/
Making Login Services Independent of Authentication Technologies. Vipin
Samar and Charlie Lai. Sun Microsystems.
X/Open Single Sign-on Preliminary Specification.
Pluggable Authentication Modules. Andrew G. Morgan.
20