Linux-PAM
• Pluggable Authentication Module
• Collection of libraries (modules) that allow a system administrator to decide how applications will authenticate users
• Separates the task of authentication from privilege-granting programs
Linux-PAM in Action
PAM Example
• login program
– Allows access to a Linux system
1. Started on each tty (console)
2. User types username
3. Request authentication (password)
4. Verify user is who they claim to be (check /etc/passwd)
5. Start shell
– PAM provides 3 & 4
Linux-PAM Operation
• Programs must be built to utilize PAM
• PAM tells the program what it needs
• Separates the authentication task into four groups:
– Account management
– Authentication management
– Password management
– Session management
PAM Groups
• Account mgmt
– Used to perform account management functions. Ex: Has the user's password expired? Is the user allowed to access this service?
• Authentication mgmt
– Verify the user is who they claim to be
PAM Groups (cont)
• Password mgmt
– Involves updating authentication tokens (passwords, tickets)
• Session mgmt
– Covers tasks that should be done before a service is granted and after it is revoked (mounting/unmounting home directories)
PAM Organization
• /lib/security/pam_*.so – the PAMs
• /lib/libpam.so.* – the PAM library
• /etc/pam.conf
– Configuration file to specify how services will authenticate users
– Alternatively, one config file per service in the /etc/pam.d directory, e.g. /etc/pam.d/login
Config File Structure
• Each line of the file has these elements:
– service-name: name of the service (login)
  Can be omitted if the second method (one file per service in /etc/pam.d) is used
  A special service name – OTHER – is reserved for services with no configuration present
– module-type: PAM group this module operates in (acct, auth, password, session)
– control-flag: indicates how PAM will react to success/failure of the module
– module-path: path to the PAM
– args: arguments to the module
Module Stacking
• Several modules of the same type (group) can be executed sequentially
• Each module contributes to the success/failure of the group
• Known as stacking
• Ex: (auth)
– Get password
– Laser beams of death
– Fingerprint scan
Module Stacking (cont)
• Control flag values:
– required: success of the module is required for the group to succeed. Failure of the module will not be noticed until all modules have been executed
– requisite: same as required, but if the module fails no more modules are executed – control returns to the application
– sufficient: indicates that success of this module is sufficient for the whole group
– optional: success of the module is optional
Example Config File
/etc/pam.d/login
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
PAMified Programs
• RH 7.3
– login: sign onto the system
– su: substitute user
– passwd: change passwords
– halt: halt the system
– reboot: reboot the system
Using PAM
• Restricting su
– Add to /etc/pam.d/su:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
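The stacking rules and the two auth stacks above (the /etc/pam.d/login and /etc/pam.d/su fragments), worked as an added example that is not libpam code: a small parser for /etc/pam.d-style lines and a simulator that applies the control-flag semantics documented in pam.conf(5), with each module's outcome supplied in a dictionary instead of being run. It also implements the detail that a succeeding sufficient module ends the stack only when no earlier required module has failed, and that a failing required module is still followed by the rest of the stack.

```python
# Added illustration (not libpam code): pam.conf(5) control-flag semantics with simulated outcomes.
def parse_pam_lines(text):
    """Parse /etc/pam.d-style lines into (module_type, control, module_path, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, path, *args = parts
        entries.append((mtype, control, path, args))
    return entries

def run_stack(entries, module_type, results):
    """Evaluate one group (e.g. 'auth'). `results` maps module path -> simulated
    True/False. Returns (group_succeeded, modules_actually_called)."""
    called, required_failed, decisive, optional_result = [], False, False, None
    for mtype, control, path, _args in entries:
        if mtype != module_type:
            continue
        ok = results.get(path, False)                 # unknown module fails closed
        called.append(path)
        if control == "optional":
            optional_result = ok                      # counts only if nothing else decides
            continue
        decisive = True
        if control == "required" and not ok:
            required_failed = True                    # remembered; the stack keeps running
        elif control == "requisite" and not ok:
            return False, called                      # stop now, control returns to the app
        elif control == "sufficient" and ok and not required_failed:
            return True, called                       # short-circuit success
        elif control not in ("required", "requisite", "sufficient"):
            raise ValueError(f"unknown control flag {control!r}")
    if not called:
        return False, called                          # empty stack: fail closed
    if not decisive and optional_result is not None:
        return optional_result, called
    return not required_failed, called

# The /etc/pam.d/login and /etc/pam.d/su auth fragments from the slides
LOGIN_CONF = """auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so"""
SU_CONF = """auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel"""
```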
Using PAM (cont)
• Password strength
– Add to /etc/pam.d/passwd
password required /lib/security/pam_cracklib.so retry=3 minlen=8
Using PAM (cont)
• Enforcing resource limits
– Add to /etc/pam.d/login
session required /lib/security/pam_limits.so
– Edit the /etc/security/limits.conf file
– Can specify limits on number of processes, memory usage, and size of core dumps
Using PAM (cont)
• Strong default configuration
– /etc/pam.d/other:
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
Kernel Tuning
• /proc filesystem
– "virtual" filesystem – exists only in memory
– Can view info on running processes
  Environment
  Path to executable
  Memory usage
– Interface into the kernel – source of information
– Can be used to configure the kernel dynamically
Contents of /proc
• filesystems – file which lists the filesystems supported by the kernel
• net – directory containing files which give info about the network
• pci – file which contains the list of PCI devices and their configuration
• sys – contains variables which can be modified to alter kernel behavior
Changing Variables
• Two ways:
1. Since files in /proc/sys are text, can pipe the output of standard text commands into them, e.g. echo
   Changes disappear upon reboot
2. sysctl command
   /etc/sysctl.conf file – stores variable/value pairs
   Read at boot by a startup script
TCP SYN Cookies
• SYN floods – DoS attack which fills the SYN queue
– Host cannot accept any more connections
• Defense – SYN Cookies
1. Host receives SYN packet from initiator
2. Computes SYN cookie – function of source/dest IP addr, ports, time & secret
3. Sends SYN cookie value as ISN of SYN/ACK reply
4. If original SYN was syncere (hah!), initiator will reply with ACK packet – acknowledgement number will be SYN cookie
5. Host recomputes SYN cookie using values from ACK packet and recent values of time
6. If new SYN cookie matches acknowledgement number – connection established
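Steps 2 to 6 above as an added example, not the kernel's implementation (which also encodes the MSS in the cookie and uses its own hash layout): the cookie is an HMAC over the addresses, ports and a coarse time counter under a constructed secret, and verification recomputes it from the ACK's own header fields for the current and previous tick and compares it with the acknowledgement number minus one, since TCP acknowledges ISN + 1. The server keeps no per-connection state between the SYN and the ACK, which is what defeats the queue-filling attack.

```python
import hashlib
import hmac
import struct

# Added example of the cookie scheme; not the kernel's implementation.
SECRET = b"constructed-secret-rotate-in-practice"   # constructed value
TIME_STEP = 64                                       # seconds per time-counter tick

def ip_bytes(ip):
    """Dotted-quad IPv4 string -> 4 raw bytes."""
    return bytes(int(o) for o in ip.split("."))

def syn_cookie(src_ip, dst_ip, sport, dport, count, secret=SECRET):
    """Step 2: 32-bit cookie = f(addresses, ports, time counter, secret).
    Step 3 sends this value as the ISN of the SYN/ACK; no queue entry is kept."""
    msg = struct.pack("!4s4sHHI", ip_bytes(src_ip), ip_bytes(dst_ip), sport, dport, count)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def client_ack_number(isn):
    """Step 4: a genuine initiator acknowledges ISN + 1 (32-bit wrap)."""
    return (isn + 1) & 0xFFFFFFFF

def ack_is_valid(src_ip, dst_ip, sport, dport, ack_number, now, secret=SECRET):
    """Steps 5 and 6: recompute the cookie from the ACK's header fields for the
    current and previous tick and compare with ack_number - 1.  An ACK with a
    guessed number, altered ports, or one arriving two ticks late is rejected."""
    expected = (ack_number - 1) & 0xFFFFFFFF
    count = now // TIME_STEP
    return any(syn_cookie(src_ip, dst_ip, sport, dport, c, secret) == expected
               for c in (count, count - 1))
```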
Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
- or -
sysctl -w net.ipv4.tcp_syncookies=1
– Also, add the following line to /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
Source-routing
• Packet contains details of the path to the destination
• Reply must also follow the path
• Attacker can forge packets to include his/her machine in the return path
– Can intercept traffic
• Solution: do not accept source-routed packets
Reject source-routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $f
done
- or -
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.eth0.accept_source_route=0
sysctl -w net.ipv4.conf.lo.accept_source_route=0
Ignore ICMP Echo Requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
- or -
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Ignore ICMP Broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
- or -
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Ignore ICMP Redirect
• Used to inform hosts of a non-functioning or non-optimal route
• Can be used by attackers to alter routing tables
• To disable:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do
echo 0 > $f
done
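An added audit for the tunables covered on these slides (tcp_syncookies, accept_source_route, icmp_echo_ignore_broadcasts, accept_redirects), written for this page and not taken from the cited sources: it reads each setting from the /proc/sys tree, the same files the echo commands above write, reports what deviates, and renders the /etc/sysctl.conf lines that would make the fix persistent. icmp_echo_ignore_all is left out of the list because dropping all echo requests is a site choice; demo() runs the audit against a constructed tree so it can be tried without root.

```python
import tempfile
from pathlib import Path

# Added audit of the tunables from these slides; not from the cited sources.
HARDENING = {                          # sysctl name -> value the slides recommend
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
}

def key_to_path(root, key):
    """sysctl dotted name -> file under /proc/sys, e.g. net.ipv4.tcp_syncookies."""
    return Path(root).joinpath(*key.split("."))

def audit(root="/proc/sys", wanted=HARDENING):
    """Return {key: (current, wanted)} for each setting that differs or is missing (None)."""
    findings = {}
    for key, want in wanted.items():
        try:
            cur = key_to_path(root, key).read_text().strip()
        except OSError:                # file absent: option not present in this kernel
            cur = None
        if cur != want:
            findings[key] = (cur, want)
    return findings

def sysctl_conf_lines(findings):
    """Corrective /etc/sysctl.conf lines in the 'key = value' form used above."""
    return [f"{key} = {want}" for key, (_cur, want) in sorted(findings.items())]

def make_fake_proc_sys(root, values):
    """Constructed /proc/sys tree so the audit can be exercised without root."""
    for key, val in values.items():
        path = key_to_path(root, key)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(val + "\n")

def demo():
    """Constructed system: SYN cookies off, source routing on, one redirect knob absent."""
    root = tempfile.mkdtemp()
    make_fake_proc_sys(root, {
        "net.ipv4.tcp_syncookies": "0", "net.ipv4.conf.all.accept_source_route": "1",
        "net.ipv4.conf.default.accept_source_route": "0", "net.ipv4.icmp_echo_ignore_broadcasts": "1",
        "net.ipv4.conf.all.accept_redirects": "0",
    })
    return audit(root)
```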