Difference between revisions of "NB PAM"

From SELinux Wiki
(New page: = PAM Login Process = Applications used to provide login services (such as <tt>gdm</tt> and <tt>ssh</tt>) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide t...)
 
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
  = PAM Login Process =
− Applications used to provide login services (such as <tt>gdm</tt> and <tt>ssh</tt>) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services:
+ Applications used to provide login services (such as <tt>gdm</tt> and <tt>ssh</tt>) in F-20 use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services:
  : '''Account Management''' - This manages services such as password expiry, service entitlement (i.e. what services the login process is allowed to access).
  : '''Authentication Management''' - Authenticate the user or subject and set up the credentials. PAM can handle a variety of devices including smart-cards and biometric devices.
  : '''Password Management''' - Manages password updates as needed by the specific authentication mechanism being used and the password policy.
  : '''Session Management''' - Manages any services that must be invoked before the login process completes and / or when the login process terminates. For SELinux this is where hooks are used to manage the domains the subject may enter.
  The <tt>pam</tt> and <tt>pam.conf</tt> <tt>man</tt> pages describe the services and configuration in detail and only a summary is provided here covering the SELinux services.
− The PAM configuration for F-12 is managed by a number of files located in the <tt>/etc/pam.d</tt> directory which has configuration files for login services such as: <tt>gdm</tt>, <tt>gdm-autologin</tt>, <tt>login</tt>, <tt>remote</tt> and <tt>sshd</tt>, and at various points in this Notebook the <tt>gdm</tt> configuration file has been modified to allow root login and the <tt>pam_namespace.so</tt> module used to manage polyinstantiated directories for users.
+ The PAM configuration for F-20 is managed by a number of files located in the <tt>/etc/pam.d</tt> directory which has configuration files for login services such as: <tt>gdm</tt>, <tt>gdm-autologin</tt>, <tt>login</tt>, <tt>remote</tt> and <tt>sshd</tt>, and at various points in this Notebook the <tt>gdm</tt> configuration file has been modified to allow root login and the <tt>pam_namespace.so</tt> module used to manage polyinstantiated directories for users.
− There are also a number of PAM related configuration files in <tt>/etc/security</tt>, although only one is directly related to SELinux that is described in the <tt>/etc/security/sepermit.conf File</tt> section of the [[GlobalConfigurationFiles | Global Configuration Files]].
+ There are also a number of PAM related configuration files in <tt>/etc/security</tt>, although only one is directly related to SELinux that is described in the <tt>[[GlobalConfigurationFiles#/etc/security/sepermit.conf | /etc/security/sepermit.conf]]</tt> file section.
  The main login service related PAM configuration files (e.g. <tt>gdm</tt>) consist of multiple lines of information that are formatted as follows:
Line 23: Line 19:
  Where:
  {| border="1"
− | <tt>service</tt>
+ | service
− | The service name such as <tt>gdm</tt> and <tt>login</tt> reflecting the login application. If there is a <tt>/etc/pam.d</tt> directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called <tt>/etc/pam.conf</tt> can be used. F-12 uses the <tt>/etc/pam.d</tt> configuration.
+ | The service name such as <tt>gdm</tt> and <tt>login</tt> reflecting the login application. If there is a <tt>/etc/pam.d</tt> directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called <tt>/etc/pam.conf</tt> can be used. F-20 uses the <tt>/etc/pam.d</tt> configuration.
  |-
− <tt>type</tt>
+ |  type
− | These are the management groups used by PAM with valid entries being: <tt>account</tt>, <tt>auth</tt>, <tt>password</tt> and <tt>session</tt> that correspond to the descriptions given above. Where there are multiple entries of the same "<tt>type</tt>", the order they appear could be significant.
+ | These are the management groups used by PAM with valid entries being: <tt>account</tt>, <tt>auth</tt>, <tt>password</tt> and <tt>session</tt> that correspond to the descriptions given above. Where there are multiple entries of the same '<tt>type</tt>', the order they appear could be significant.
  |-
− | <tt>control</tt>
+ | control
− | This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as r<tt>equired</tt>, <tt>optional</tt>, and <tt>include</tt>; or multiple space separated entries enclosed in square brackets consisting of :
+ | This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as <tt>required</tt>, <tt>optional</tt>, and <tt>include</tt>; or multiple space separated entries enclosed in square brackets consisting of:
  <pre>
     [value1=action1 value2=action2 ..]
  </pre>
  Both formats are shown in the example file below, however see the <tt>pam.conf</tt> <tt>man</tt> pages for the gory details.
  |-
− <tt>module-path</tt>
+ |  module-path
  | Either the full path name of the module or its location relative to <tt>/lib/security</tt> (but does depend on the system architecture).
  |-
− <tt>arguments</tt>
+ |  arguments
  | A space separated list of the arguments that are defined for the module.
Line 50: Line 45:
− An example PAM configuration file is as follows, although note that the "<tt>service</tt>" parameter is actually the file name because F-12 uses the <tt>/etc/pam.d</tt> directory configuration (in this case <tt>gdm</tt> for the Gnome login service).
+ An example PAM configuration file is as follows, although note that the '<tt>service</tt>' parameter is actually the file name because F-20 uses the <tt>/etc/pam.d</tt> directory configuration (in this case <tt>gdm-password</tt> for the Gnome login service).
  <pre>
− # /etc/pam.d/gdm configuration rule entry.
− # SERVICE = file name (gdm)
− # TYPE  CONTROL  PATH                  ARGUMENTS
− #%PAM-1.0
− auth    [success=done ignore=ignore default=bad] pam_selinux_permit.so
− # auth  required pam_succeed_if.so    user != root quiet
− auth    required pam_env.so
− auth    substack system-auth
− auth    optional pam_gnome_keyring.so
− account required pam_nologin.so
− account include system-auth
− password include system-auth
− session required pam_selinux.so       close
− session required pam_loginuid.so
− session optional pam_console.so
− session required pam_selinux.so       open
− session optional pam_keyinit.so       force revoke
− session required pam_namespace.so
− session optional pam_gnome_keyring.so auto_start
− session include system-auth
+ auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
+ auth substack password-auth
+ auth optional pam_gnome_keyring.so
+ auth include postlogin
+
+ account required pam_nologin.so
+ account include password-auth
+
+ password include password-auth
+
+ session required pam_selinux.so close debug
+ session required pam_loginuid.so
+ session optional pam_console.so
+ -session optional pam_ck_connector.so
+ session required pam_selinux.so open debug
+ session optional pam_keyinit.so force revoke
+ session required pam_namespace.so
+ session include password-auth
+ session optional pam_gnome_keyring.so auto_start
+ session include postlogin
  </pre>
  The core services are provided by PAM, however other library modules can be written to manage specific services such as support for SELinux. The SELinux PAM modules use the <tt>libselinux</tt> API to obtain its configuration information and the three SELinux PAM entries highlighted in the above configuration file perform the following functions:
− : <tt>'''pam_selinux_permit.so'''</tt> - Allows pre-defined users the ability to logon without a password provided that SELinux is in enforcing mode (see the <tt>/etc/security/sepermit.conf File</tt> section of the [[GlobalConfigurationFiles | Global Configuration Files]]).
+ : <tt>'''pam_selinux_permit.so'''</tt> - Allows pre-defined users the ability to logon without a password provided that SELinux is in enforcing mode (see the <tt>[[GlobalConfigurationFiles#/etc/security/sepermit.conf | /etc/security/sepermit.conf]]</tt> file section).
− : <tt>'''pam_selinux.so open'''</tt> - Allows a security context to be set up for the user at initial logon (as all programs exec'ed from here will use this context). How the context is retrieved is described in the <tt>seusers file</tt> section of the [[PolicyConfigurationFiles | Policy Configuration Files]].
+ : <tt>'''pam_selinux.so open'''</tt> - Allows a security context to be set up for the user at initial logon (as all programs exec'ed from here will use this context). How the context is retrieved is described in the <tt>[[PolicyConfigurationFiles#seusers | seusers]]</tt> file section.
  : <tt>'''pam_selinux.so close'''</tt> - This will reset the login programs context to the context defined in the policy.
+ {| style="width: 100%;" border="0"
+ |-
+ | [[NB_Poly | '''Previous''']]
+ | <center>[[NewUsers | '''Home''']]</center>
+ | <center>[[NB_LSM | '''Next''']]</center>
+ |}
  ----
  <references/>
+ [[Category:Notebook]]

Latest revision as of 15:45, 6 December 2014

PAM Login Process

Applications used to provide login services (such as gdm and ssh) in F-20 use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services:

Account Management - This manages services such as password expiry, service entitlement (i.e. what services the login process is allowed to access).
Authentication Management - Authenticate the user or subject and set up the credentials. PAM can handle a variety of devices including smart-cards and biometric devices.
Password Management - Manages password updates as needed by the specific authentication mechanism being used and the password policy.
Session Management - Manages any services that must be invoked before the login process completes and / or when the login process terminates. For SELinux this is where hooks are used to manage the domains the subject may enter.

The pam and pam.conf man pages describe the services and configuration in detail and only a summary is provided here covering the SELinux services.

The PAM configuration for F-20 is managed by a number of files located in the /etc/pam.d directory which has configuration files for login services such as: gdm, gdm-autologin, login, remote and sshd, and at various points in this Notebook the gdm configuration file has been modified to allow root login and the pam_namespace.so module used to manage polyinstantiated directories for users.

There are also a number of PAM related configuration files in /etc/security, although only one is directly related to SELinux that is described in the /etc/security/sepermit.conf file section.

The main login service related PAM configuration files (e.g. gdm) consist of multiple lines of information that are formatted as follows:

service type control module-path arguments

Where:

service - The service name such as gdm and login reflecting the login application. If there is a /etc/pam.d directory, then this is the name of a configuration file under this directory. Alternatively, a configuration file called /etc/pam.conf can be used. F-20 uses the /etc/pam.d configuration.

type - These are the management groups used by PAM with valid entries being: account, auth, password and session, corresponding to the descriptions given above. Where there are multiple entries of the same 'type', the order in which they appear can be significant.

control - This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as required, optional, and include; or multiple space separated entries enclosed in square brackets consisting of:
   [value1=action1 value2=action2 ..]

Both formats are shown in the example file below, however see the pam.conf man pages for the gory details.

module-path - Either the full path name of the module or its location relative to /lib/security (the actual directory depends on the system architecture).

arguments - A space separated list of the arguments that are defined for the module.


An example PAM configuration file is as follows, although note that the 'service' parameter is actually the file name because F-20 uses the /etc/pam.d directory configuration (in this case gdm-password for the Gnome login service).

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin

account required pam_nologin.so
account include password-auth

password include password-auth

session required pam_selinux.so close debug
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open debug
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin

The core services are provided by PAM, however other library modules can be written to manage specific services such as support for SELinux. The SELinux PAM modules use the libselinux API to obtain their configuration information, and the three SELinux PAM entries in the above configuration file perform the following functions:

pam_selinux_permit.so - Allows pre-defined users to log on without a password provided that SELinux is in enforcing mode (see the /etc/security/sepermit.conf file section).
pam_selinux.so open - Allows a security context to be set up for the user at initial logon (all programs exec'ed from here will use this context). How the context is retrieved is described in the seusers file section.
pam_selinux.so close - This will reset the login program's context to the context defined in the policy.
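As an added illustration (not part of the original Notebook page), the following Python parses lines in the type / control / module-path / arguments format described above, including the bracketed [value=action ...] control form and the leading '-' used on the pam_ck_connector.so line, and then reports the SELinux-related entries of a stack. The sample stack is a constructed, shortened copy of the F-20 gdm-password file shown above; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the gdm-password stack above,
# with a '#%PAM-1.0' header line added to exercise comment handling.
SAMPLE_PAM_FILE = """\
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
account required pam_nologin.so
session required pam_selinux.so close debug
session required pam_loginuid.so
-session optional pam_ck_connector.so
session required pam_selinux.so open debug
session required pam_namespace.so
"""

@dataclass
class PamRule:
    type: str        # account | auth | password | session
    control: str     # keyword, or the bracketed "[value=action ...]" form
    module: str      # module-path (or the stack name for include/substack)
    args: list       # space separated module arguments
    silent: bool     # leading '-' : do not log an error if the module is missing

# type, control (bracketed or single word), module-path, optional arguments
RULE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_file(text):
    """Parse one /etc/pam.d service file (service = file name) into PamRule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments carry no rule
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        silent, rtype, control, module, args = m.groups()
        rules.append(PamRule(rtype, control, module, args.split(), silent == "-"))
    return rules

def control_actions(control):
    """Expand a bracketed control field into {value: action}; a plain keyword yields {}."""
    if not control.startswith("["):
        return {}
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def selinux_session_order(rules):
    """Order of the pam_selinux.so session entries (the example lists close, then open)."""
    return [r.args[0] for r in rules
            if r.type == "session" and r.module == "pam_selinux.so" and r.args]
```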

