This directory gives some pam-script examples. To use these scripts
they must be placed in the directory indicated by "configure --sysconfdir",
which is usually /etc/pam-script, and symbolic links need to be made to
conform to the acceptable list of scripts that are invoked by pam-script:
pam_script_auth
pam_script_acct
pam_script_passwd
pam_script_ses_open
pam_script_ses_close
Note that each example requires log or data files that are readable and
writable at all levels of authorization, because not all services that
use PAM run as the root user (e.g. gnome-screensaver) and would otherwise
be unable to access them. Be aware of the security implications of this.
logscript:
Simply records the PAM_* environment variables and the pam_script.so
arguments to /tmp/pam-script.log.
It's useful to observe which stages are executed and by whom.
However, if the script is modified to show PAM_AUTHTOK, this exposes
the raw password text.
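The following is an added example of a logscript-style script, not the logscript program shipped with pam-script. It records the stage, the caller and the module arguments but replaces the value of PAM_AUTHTOK with a fixed mask, so the log never contains the raw password even when the variable is exported. It assumes (not stated above) that pam_script.so exports PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_TTY, PAM_RHOST and PAM_AUTHTOK to the script and passes its own module arguments as the script's positional parameters; the PAMSCRIPT_LOG variable and the pam_log_count helper are this example's own.

```shell
#!/bin/sh
# Added example (not pam-script's own logscript): log which PAM stage ran,
# for whom, and with which module arguments, without writing the cleartext
# password to disk.
#
# Assumptions (not stated in the README): pam_script.so exports PAM_USER,
# PAM_SERVICE, PAM_TYPE, PAM_TTY, PAM_RHOST and PAM_AUTHTOK to the script,
# and passes its module arguments (e.g. "deny=5") as $1, $2, ... to it.

# pam_log_env LOGFILE [MODULE_ARGS...]
# Appends one record per invocation to LOGFILE: a header with the time,
# the pid and the uid the service runs as, the module arguments, and every
# exported PAM_* variable. PAM_AUTHTOK's value is replaced by a mask.
pam_log_env() {
    logfile=$1
    shift
    {
        printf '=== %s pid=%s uid=%s ===\n' \
            "$(date +%Y-%m-%dT%H:%M:%S)" "$$" "$(id -u)"
        printf 'args: %s\n' "$*"
        env | LC_ALL=C grep '^PAM_' | LC_ALL=C sort \
            | sed 's/^\(PAM_AUTHTOK=\).*/\1********/'
    } >>"$logfile"
}

# pam_log_count LOGFILE
# Prints how many invocations LOGFILE holds (one "===" header each).
pam_log_count() {
    grep -c '^===' "$1"
}

# Entry point when pam_script.so runs this script (PAM_TYPE is then set).
# The log path defaults to the one the README's logscript uses; keep in
# mind that a file under /tmp is readable by every local user.
# The script always exits 0, so an "optional" stack entry never blocks a login.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_log_env "${PAMSCRIPT_LOG:-/tmp/pam-script.log}" "$@"
    exit 0
fi
```

Linked as pam_script_auth, pam_script_acct, pam_script_passwd, pam_script_ses_open and pam_script_ses_close, the same file records every stage, and the PAM_TYPE line in each record tells them apart.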
The default behavior for pam-script is to fail if a needed script is
missing for the corresponding module-type.
To try out the pam-script.so module and the logscript program with the
various module-types, it's easiest to edit the individual common service
configuration files.
Make the following symbolic links in /etc/pam-script/
ln -s logscript pam_script_auth
ln -s logscript pam_script_acct
ln -s logscript pam_script_passwd
ln -s logscript pam_script_ses_open
ln -s logscript pam_script_ses_close
or do
env PAMSCRIPTDIR=. ./pam_script -v -x -s all logscript
For Ubuntu/Debian:
cat >>/etc/pam.d/common-account <<!
account optional pam_script.so
!
cat >>/etc/pam.d/common-auth <<!
auth optional pam_script.so
!
cat >>/etc/pam.d/common-password <<!
password optional pam_script.so
!
cat >>/etc/pam.d/common-session <<!
session optional pam_script.so
!
For RedHat/Fedora:
cat >> /etc/pam.d/system-auth <<!
account optional /lib/security/$ISA/pam_script.so
auth optional /lib/security/$ISA/pam_script.so
password optional /lib/security/$ISA/pam_script.so
session optional /lib/security/$ISA/pam_script.so
!
The RedHat system-auth file is generated by authconfig, so these changes
will be overwritten the next time it runs unless measures are taken.
In this case pam_script.so is listed as "optional", so any failure should
not affect the rest of the PAM stack. Even so, be careful: a mistake could
render your system inoperable, and you may not be able to log in easily to
fix the errant PAM configuration.
tally:
A pam-script version of the pam_tally module, supporting some of the same
options: deny, lock_time, unlock_time, magic_root, and even_deny_root_account.
The other options are ignored.
The script itself is written in Perl and keeps its state in a database,
/tmp/pam-script-tally.*. Use the tally script to query, set, or reset
entries. Run "tally -h" for further info.
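The following is an added example of the tally logic in POSIX sh, not the Perl tally script that ships with pam-script. It honours the deny, unlock_time and even_deny_root_account options listed above (lock_time and magic_root are left out) and follows the scheme pam_tally uses: the auth stage refuses a locked-out user and counts one more failure, and the account stage, which is only reached after a successful authentication, clears the count. Whether the Perl script works exactly this way is an assumption, as are the PAM_TYPE values "auth" and "account", the export of PAM_USER, the passing of module arguments as positional parameters, and the tally directory path. The user-name check matters because PAM_USER is supplied by the client and becomes part of a file name.

```shell
#!/bin/sh
# Added example (not pam-script's Perl tally script): a small failure tally
# supporting deny=, unlock_time= and even_deny_root_account.
#
# Assumptions (not stated in the README): pam_script.so exports PAM_USER
# and PAM_TYPE ("auth" / "account") and passes its module arguments as
# $1, $2, ...; the tally directory below is this example's own choice.

TALLY_DIR=${TALLY_DIR:-/tmp/pam-script-tally.d}  # per-user file: "<failures> <epoch of last failure>"

# tally_parse_opts [deny=N] [unlock_time=SECONDS] [even_deny_root_account]
# Sets DENY, UNLOCK_TIME and DENY_ROOT; unknown options are ignored.
tally_parse_opts() {
    DENY=3; UNLOCK_TIME=0; DENY_ROOT=0
    for opt in "$@"; do
        case $opt in
            deny=*)                 DENY=${opt#deny=} ;;
            unlock_time=*)          UNLOCK_TIME=${opt#unlock_time=} ;;
            even_deny_root_account) DENY_ROOT=1 ;;
        esac
    done
}

# Only plain account names may become file names under TALLY_DIR; a name
# containing "/" or equal to ".." would otherwise select an arbitrary path.
tally_valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# tally_read USER  -> prints "failures last-failure-time" ("0 0" if none)
tally_read() {
    [ -f "$TALLY_DIR/$1" ] && cat "$TALLY_DIR/$1" || echo "0 0"
}

tally_reset() { rm -f "$TALLY_DIR/$1"; }

# tally_auth USER NOW
# Returns 0 to let the rest of the stack decide, 1 if USER is locked out.
# Each attempt is recorded as a failure until the account stage clears it.
tally_auth() {
    tally_valid_user "$1" || return 1
    if [ "$1" = root ] && [ "$DENY_ROOT" -eq 0 ]; then return 0; fi
    set -- "$1" "$2" $(tally_read "$1")          # $3 = failures, $4 = last
    if [ "$3" -ge "$DENY" ]; then
        # A lock older than UNLOCK_TIME seconds (0 = never) expires here.
        if [ "$UNLOCK_TIME" -gt 0 ] && [ $(($2 - $4)) -ge "$UNLOCK_TIME" ]; then
            tally_reset "$1"
            set -- "$1" "$2" 0 0
        else
            return 1
        fi
    fi
    mkdir -p "$TALLY_DIR"
    echo "$(($3 + 1)) $2" >"$TALLY_DIR/$1"
    return 0
}

# tally_acct USER: a login reached the account stage, so clear its count.
tally_acct() {
    tally_valid_user "$1" || return 1
    tally_reset "$1"
}

# Entry point when pam_script.so runs this script (PAM_TYPE is then set).
if [ -n "${PAM_TYPE:-}" ]; then
    tally_parse_opts "$@"
    case $PAM_TYPE in
        auth)    tally_auth "${PAM_USER:-}" "$(date +%s)"; exit $? ;;
        account) tally_acct "${PAM_USER:-}"; exit $? ;;
    esac
fi
```

With "deny=5 unlock_time=600" on the auth line, a sixth attempt within ten minutes of the fifth failure is refused regardless of the password, and the count restarts once the lock has expired or the user logs in successfully. Because the tally directory must be writable by every service that authenticates users, a user who can write there can also clear their own lock; the Perl script's /tmp database has the same property.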
Set the following symbolic links pointing to tally:
pam_script_auth
pam_script_acct
To try out the pam-script.so module and the tally program with the
auth and account module-types, it's easiest to edit the individual
common service configuration files.
Make the following symbolic links in /etc/pam-script/
ln -s tally pam_script_auth
ln -s tally pam_script_acct
or
env PAMSCRIPTDIR=. ./pam_script -v -x -s auth,acct tally
For Ubuntu/Debian:
cat >>/etc/pam.d/common-account <<!
account required pam_script.so
!
cat >>/etc/pam.d/common-auth <<!
auth required pam_script.so deny=5 lock_time=30 unlock_time=600
!
For RedHat/Fedora:
cat >> /etc/pam.d/system-auth <<!
account required /lib/security/$ISA/pam_script.so
auth required /lib/security/$ISA/pam_script.so \
deny=5 lock_time=30 unlock_time=600
!
pam_script.so is listed as "required", so its failures affect the outcome
of the PAM stack, particularly for authentication, where a user with more
than "deny" login failures is locked out.