Controlling Authentication with PAM

Manage security on a RHEL system by controlling authentication with Pluggable Authentication Modules (PAM).

Before We Begin

The following PAM modules are used in this article:

  1. pam_time
  2. pam_access
  3. pam_sepermit
  4. pam_pwquality
  5. pam_faillock
  6. pam_faildelay
  7. pam_tty_audit

Backup PAM Config

Before you do anything, backup your PAM configuration:

# authconfig --savebackup=/root/pam_backup

Allow both Manual and authconfig Configuration

We prefer to use authconfig but also want to allow manual configuration.

Note that authconfig modifies the /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac files.

# cd /etc/pam.d
# cp system-auth-ac system-auth-local
# cp password-auth-ac password-auth-local
# rm -f system-auth password-auth
# ln -s system-auth-local system-auth
# ln -s password-auth-local password-auth

We can now use the custom *-local files for manual configuration, but include the *-ac files for the configuration we do through authconfig.

# cat system-auth-local
auth      include    system-auth-ac
account   include    system-auth-ac
password  include    system-auth-ac
session   include    system-auth-ac
# cat password-auth-local
auth      include    password-auth-ac
account   include    password-auth-ac
password  include    password-auth-ac
session   include    password-auth-ac

Configure pam_time

The pam_time PAM module does not authenticate the user; instead it restricts access to the system and/or to specific applications at particular times of day, on particular days, or over particular terminal lines.

Configure PAM Rule Order

Only the account type is provided.

Edit system-auth-local and password-auth-local files and add the new rule before the other account rules.

# cat system-auth-local
auth      include    system-auth-ac
account   required   pam_time.so
account   include    system-auth-ac
password  include    system-auth-ac
session   include    system-auth-ac
# cat password-auth-local
auth      include    password-auth-ac
account   required   pam_time.so
account   include    password-auth-ac
password  include    password-auth-ac
session   include    password-auth-ac

Set Time Restriction

Prevent users from logging in using SSH between 5 PM and 10 PM on Fridays and Saturdays. This restriction does not apply to root, alice and vince. Note that the configuration requires 24-hour format.

Add the following to /etc/security/time.conf. The ! operator negates only the token that follows it, so each exempt user needs its own !:

sshd;*;!root&!alice&!vince;!FrSa1700-2200
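To see how pam_time reads such a line, here is an added example that is not part of the original article: a constructed Python re-implementation of the time.conf logic-list and day/time syntax (not pam_time's own code). It also shows why a user list with a single ! never selects anyone.

```python
import re
from datetime import datetime
from fnmatch import fnmatch
# Constructed evaluator for /etc/security/time.conf rules (example code, not pam_time itself).
DAYS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
GROUPS = {"Wk": range(0, 5), "Wd": (5, 6), "Al": range(0, 7)}

def logic(field: str, match) -> bool:
    """Evaluate a logic list: '!' negates only the next term; '&' and '|' apply left to right."""
    result, op, negate = True, "&", False
    for tok in re.findall(r"[&|!]|[^&|!]+", field.replace(" ", "")):
        if tok in ("&", "|"):
            op = tok
        elif tok == "!":
            negate = True
        else:
            val = match(tok) != negate  # XOR with the pending '!'
            result = (result and val) if op == "&" else (result or val)
            negate = False
    return result

def time_term(term: str, when: datetime) -> bool:
    """Match one <days><HHMM-HHMM> term such as FrSa1700-2200 or Al0000-2400."""
    days, i = set(), 0
    while term[i:i + 2] in DAYS or term[i:i + 2] in GROUPS:
        tok = term[i:i + 2]
        for d in (GROUPS[tok] if tok in GROUPS else [DAYS[tok]]):
            days ^= {d}  # a repeated day toggles it off again (AlFr = every day but Friday)
        i += 2
    start, end = (int(x) for x in term[i:].split("-"))
    now, day = when.hour * 100 + when.minute, when.weekday()
    if start <= end:
        return day in days and start <= now < end
    # range wraps past midnight: the early-morning part belongs to the previous day
    return (day in days and now >= start) or ((day - 1) % 7 in days and now < end)

def rule_allows(line: str, service: str, tty: str, user: str, when: datetime):
    """None if the service/tty/user fields do not select this login, else the time verdict."""
    svc, ttys, users, times = (f.strip() for f in line.split(";"))
    selected = (logic(svc, lambda t: fnmatch(service, t))
                and logic(ttys, lambda t: fnmatch(tty, t))
                and logic(users, lambda t: fnmatch(user, t)))
    if not selected:
        return None
    return logic(times, lambda t: time_term(t, when))

# Constructed test points: 2019-07-05 was a Friday, 2019-07-08 a Monday.
FRIDAY_6PM, MONDAY_6PM = datetime(2019, 7, 5, 18, 0), datetime(2019, 7, 8, 18, 0)
RULE = "sshd;*;!root&!alice&!vince;!FrSa1700-2200"
SINGLE_BANG = "sshd;*;!root&alice&vince;!FrSa1700-2200"  # '!' covers root only; selects nobody
```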

Configure pam_access

The pam_access PAM module provides login access control based on the rules in /etc/security/access.conf.

Enable pam_access

All module types (auth, account, password and session) are provided.

# authconfig --help|grep access
    --enablepamaccess       check access.conf during account authorization
    --disablepamaccess      do not check access.conf during account authorization
# authconfig --enablepamaccess --update

Set Access Restriction

  1. Prevent vince access from IP 10.11.1.10.
  2. Allow root, alice, sandy and vince to log in from anywhere.
  3. Other users are not allowed to log in.

Edit the /etc/security/access.conf configuration file and add the following:

-:vince:10.11.1.10
+:root alice sandy vince:ALL
-:ALL:ALL
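As an added example that is not part of the original article, the following constructed Python re-implements the first-match rule of pam_access for the three lines above. Origins are compared as plain strings (a simplification; the real module also matches networks, hostnames and tty names), and a reordered copy of the rules shows why the deny line has to come first.

```python
# Constructed first-match evaluator for /etc/security/access.conf (example code, not pam_access).
PAGE_RULES = """\
-:vince:10.11.1.10
+:root alice sandy vince:ALL
-:ALL:ALL
"""
REORDERED = """\
+:root alice sandy vince:ALL
-:vince:10.11.1.10
-:ALL:ALL
"""

def list_matches(field: str, value: str) -> bool:
    """A field is a space-separated list; ALL matches anything and EXCEPT carves out a sub-list."""
    items = field.split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (list_matches(" ".join(items[:i]), value)
                and not list_matches(" ".join(items[i + 1:]), value))
    return any(item == "ALL" or item == value for item in items)

def access_allowed(rules: str, user: str, origin: str) -> bool:
    """Stop at the first rule whose user and origin lists both match: '+' permits, '-' denies.
    If no rule matches at all, pam_access allows the login."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        if list_matches(users, user) and list_matches(origins, origin):
            return perm == "+"
    return True
```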

Configure pam_sepermit

The pam_sepermit module allows or denies login depending on SELinux enforcement state.

We’re going to configure the module for sshd.

# grep sepermit /etc/pam.d/*
/etc/pam.d/sshd:auth	   required	pam_sepermit.so

Only a single login session will be allowed for the SELinux staff_u user, and the user’s processes will be killed on logout.

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
vince                staff_u              s0-s0:c0.c1023       *

Edit /etc/security/sepermit.conf configuration file and add the following:

%staff_u:exclusive

Configure pam_pwquality

This module can be plugged into the password stack of a given service to provide some plug-in strength-checking for passwords.

Only the password module type is provided.

To define advanced password requirements, edit the /etc/security/pwquality.conf file.

Set the minimum password length to 12 characters and require at least three lowercase letters, one uppercase letter, two digits and one special character:

minlen = 12
lcredit = -3
ucredit = -1
dcredit = -2
ocredit = -1

Note that negative values indicate the minimum number of characters required for each class.
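The credit rules are easy to misread, so here is an added example (constructed code, not libpwquality's own) that scores a password the way minlen and the four credit settings do. It uses the values above and, for contrast, the defaults where every credit is 1 and counts as bonus length; unlike libpwquality, which stops at the first failure, it reports every violation.

```python
# Constructed re-implementation of libpwquality's length/credit scoring (example code, not the library).
PAGE_SETTINGS = {"minlen": 12, "lcredit": -3, "ucredit": -1, "dcredit": -2, "ocredit": -1}
LAX_SETTINGS = {"minlen": 12}  # every credit left at libpwquality's default of 1
CLASSES = {  # pwquality.conf key -> (membership test, label used in messages)
    "lcredit": (str.islower, "lowercase"),
    "ucredit": (str.isupper, "uppercase"),
    "dcredit": (str.isdigit, "digit"),
    "ocredit": (lambda c: not c.isalnum(), "other"),
}

def check_password(pw: str, cfg: dict) -> list:
    """Return every violated rule (an empty list means the password passes)."""
    violations, score = [], len(pw)
    for key, (is_member, label) in CLASSES.items():
        count = sum(1 for c in pw if is_member(c))
        credit = cfg.get(key, 1)
        if credit >= 0:
            score += min(count, credit)  # positive credit: up to `credit` bonus points for the class
        elif count < -credit:            # negative credit: a hard minimum, no bonus
            violations.append(f"needs at least {-credit} {label} characters, has {count}")
    if score < cfg["minlen"]:
        violations.append(f"score {score} is below minlen {cfg['minlen']}")
    return violations
```

With the page's settings the score is just the length, so 12 really means 12 characters; with the defaults an 11-character password carrying a digit still reaches 12.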

Configure pam_faillock

This module maintains a list of failed authentication attempts per user during a specified interval and locks the account when there have been more consecutive failed authentications than the deny option allows.

To enable and configure pam_faillock, we can manually edit the PAM configuration files, but the authconfig tool offers a much easier way.

# authconfig --enablefaillock \
  --faillockargs="deny=5 fail_interval=90 unlock_time=300" \
  --update

By default, pam_faillock does not lock the root account. To change that, use the even_deny_root argument.

# authconfig --enablefaillock \
  --faillockargs="deny=5 fail_interval=90 unlock_time=300 even_deny_root" \
  --update

You can list failed login attempts with the faillock command.

# faillock --user sandy
sandy:
When                Type  Source               Valid
2019-06-30 12:23:26 RHOST 10.11.1.10               V
2019-06-30 12:23:29 RHOST 10.11.1.10               V
2019-06-30 12:23:32 RHOST 10.11.1.10               V
2019-06-30 12:23:36 RHOST 10.11.1.10               V
2019-06-30 12:23:38 RHOST 10.11.1.10               V
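As an added example that is not part of the original article, the following constructed Python parses that faillock output (embedded as a copy) and re-applies the deny, fail_interval and unlock_time rule from the authconfig command above to decide whether sandy is locked at a given moment.

```python
from datetime import datetime, timedelta

# Constructed copy of the `faillock --user sandy` output shown above (sample data, not a live host).
SAMPLE = """\
sandy:
When                Type  Source               Valid
2019-06-30 12:23:26 RHOST 10.11.1.10               V
2019-06-30 12:23:29 RHOST 10.11.1.10               V
2019-06-30 12:23:32 RHOST 10.11.1.10               V
2019-06-30 12:23:36 RHOST 10.11.1.10               V
2019-06-30 12:23:38 RHOST 10.11.1.10               V
"""

def parse_faillock(text: str) -> list:
    """Parse faillock output into (time, type, source, valid) tuples, skipping the headers."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1].count(":") != 2:
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        records.append((when, parts[2], parts[3], parts[4] == "V"))
    return records

def lock_state(records: list, now: datetime, deny=5, fail_interval=90, unlock_time=300) -> dict:
    """Re-apply pam_faillock's tally rule: valid failures within fail_interval seconds before the
    newest one are counted; reaching `deny` locks the user until newest + unlock_time
    (unlock_time=0 means the lock stays until the tally is reset)."""
    valid = [r[0] for r in records if r[3]]
    if not valid:
        return {"locked": False, "failures": 0, "unlock_at": None}
    latest = max(valid)
    failures = sum(1 for t in valid if t + timedelta(seconds=fail_interval) >= latest)
    unlock_at = latest + timedelta(seconds=unlock_time) if unlock_time else None
    locked = failures >= deny and (unlock_time == 0 or now < unlock_at)
    return {"locked": locked, "failures": failures, "unlock_at": unlock_at}

# Constructed moments to evaluate: inside the 300 s window and after it has expired.
DURING_LOCK, AFTER_UNLOCK = datetime(2019, 6, 30, 12, 25, 0), datetime(2019, 6, 30, 12, 30, 0)
```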

Configure pam_faildelay

This module can be used to set the delay on failure per application.

Only the auth module type is provided.

To enable and configure pam_faildelay, we can manually edit the PAM configuration files, but it is sometimes easier to set the FAIL_DELAY variable in the /etc/login.defs file:

FAIL_DELAY=5

The above will set the retry delay to 5 seconds.

Configure pam_tty_audit

The pam_tty_audit PAM module is used to enable or disable TTY auditing.

Only the session type is supported.

Enable the auditing of TTY for the alice user:

# cat /etc/pam.d/system-auth-local
auth      include    system-auth-ac
account   required   pam_time.so
account   include    system-auth-ac
password  include    system-auth-ac
session   include    system-auth-ac
session   required   pam_tty_audit.so disable=* enable=alice
# cat /etc/pam.d/password-auth-local
auth      include    password-auth-ac
account   required   pam_time.so
account   include    password-auth-ac
password  include    password-auth-ac
session   include    password-auth-ac
session   required   pam_tty_audit.so disable=* enable=alice

Verify the audit logs:

# aureport -i --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 30/06/19 12:31:33 3061 alice ? 208 bash "ls -l /tmp"
2. 30/06/19 12:33:29 3092 alice ? 209 top "q"

References

$ man pam_faildelay
$ man pam_time      ;# (see /etc/security/time.conf)
$ man pam_access    ;# (see /etc/security/access.conf)
$ man pam_pwquality ;# (see /etc/security/pwquality.conf)
$ man pam_sepermit  ;# (see /etc/security/sepermit.conf)
$ man sepermit.conf
$ man pam_faillock  ;# (does not have a dedicated configuration file)
$ man pam_tty_audit
