Jaxelson at 20:48, 13 September 2010

Jaxelson — Mon, 13 Sep 2010 20:48:33 GMT

←Older revision		Revision as of 20:48, 13 September 2010
Line 87:		Line 87:
	----		----
	<references/>		<references/>
		+
		+	[[Category:Notebook]]

RichardHaines: New page: = PAM Login Process = Applications used to provide login services (such as `gdm` and `ssh`) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide t...

RichardHaines — Mon, 17 May 2010 15:26:50 GMT

New page: = PAM Login Process = Applications used to provide login services (such as <tt>gdm</tt> and <tt>ssh</tt>) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide t...

New page

= PAM Login Process =
Applications used to provide login services (such as <tt>gdm</tt> and <tt>ssh</tt>) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services:

: '''Account Management''' - This manages services such as password expiry, service entitlement (i.e. what services the login process is allowed to access).

: '''Authentication Management''' - Authenticate the user or subject and set up the credentials. PAM can handle a variety of devices including smart-cards and biometric devices.

: '''Password Management''' - Manages password updates as needed by the specific authentication mechanism being used and the password policy.

: '''Session Management''' - Manages any services that must be invoked before the login process completes and / or when the login process terminates. For SELinux this is where hooks are used to manage the domains the subject may enter.

The <tt>pam</tt> and <tt>pam.conf</tt> <tt>man</tt> pages describe the services and configuration in detail and only a summary is provided here covering the SELinux services.

The PAM configuration for F-12 is managed by a number of files located in the <tt>/etc/pam.d</tt> directory which has configuration files for login services such as: <tt>gdm</tt>, <tt>gdm-autologin</tt>, <tt>login</tt>, <tt>remote</tt> and <tt>sshd</tt>, and at various points in this Notebook the <tt>gdm</tt> configuration file has been modified to allow root login and the <tt>pam_namespace.so</tt> module used to manage polyinstantiated directories for users.

There are also a number of PAM related configuration files in <tt>/etc/security</tt>, although only one is directly related to SELinux that is described in the <tt>/etc/security/sepermit.conf File</tt> section of the [[GlobalConfigurationFiles | Global Configuration Files]].

The main login service related PAM configuration files (e.g. <tt>gdm</tt>) consist of multiple lines of information that are formatted as follows:
<pre>
service type control module-path arguments
</pre>

Where:
{| border="1"
| <tt>service</tt>
| The service name such as <tt>gdm</tt> and <tt>login</tt> reflecting the login application. If there is a <tt>/etc/pam.d</tt> directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called <tt>/etc/pam.conf</tt> can be used. F-12 uses the <tt>/etc/pam.d</tt> configuration.

|-
| <tt>type</tt>
| These are the management groups used by PAM with valid entries being: <tt>account</tt>, <tt>auth</tt>, <tt>password</tt> and <tt>session</tt> that correspond to the descriptions given above. Where there are multiple entries of the same "<tt>type</tt>", the order they appear could be significant.

|-
| <tt>control</tt>
| This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as r<tt>equired</tt>, <tt>optional</tt>, and <tt>include</tt>; or multiple space separated entries enclosed in square brackets consisting of :
<pre>
[value1=action1 value2=action2 ..]
</pre>

Both formats are shown in the example file below, however see the <tt>pam.conf</tt> <tt>man</tt> pages for the gory details.

|-
| <tt>module-path</tt>
| Either the full path name of the module or its location relative to <tt>/lib/security</tt> (but does depend on the system architecture).

|-
| <tt>arguments</tt>
| A space separated list of the arguments that are defined for the module.

|}

An example PAM configuration file is as follows, although note that the "<tt>service</tt>" parameter is actually the file name because F-12 uses the <tt>/etc/pam.d</tt> directory configuration (in this case <tt>gdm</tt> for the Gnome login service).
<pre>
# /etc/pam.d/gdm configuration rule entry.
# SERVICE = file name (gdm)

# TYPE CONTROL PATH ARGUMENTS
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
# auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
</pre>

The core services are provided by PAM, however other library modules can be written to manage specific services such as support for SELinux. The SELinux PAM modules use the <tt>libselinux</tt> API to obtain its configuration information and the three SELinux PAM entries highlighted in the above configuration file perform the following functions:

: <tt>'''pam_selinux_permit.so'''</tt> - Allows pre-defined users the ability to logon without a password provided that SELinux is in enforcing mode (see the <tt>/etc/security/sepermit.conf File</tt> section of the [[GlobalConfigurationFiles | Global Configuration Files]]).

: <tt>'''pam_selinux.so open'''</tt> - Allows a security context to be set up for the user at initial logon (as all programs exec'ed from here will use this context). How the context is retrieved is described in the <tt>seusers file</tt> section of the [[PolicyConfigurationFiles | Policy Configuration Files]].

: <tt>'''pam_selinux.so close'''</tt> - This will reset the login programs context to the context defined in the policy.

----
<references/>

NB PAM - Revision history

Jaxelson at 20:48, 13 September 2010

RichardHaines: New page: = PAM Login Process = Applications used to provide login services (such as gdm and ssh) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide t...

RichardHaines: New page: = PAM Login Process = Applications used to provide login services (such as `gdm` and `ssh`) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide t...