Linux-PAM: Pluggable Authentication Module


Page 1

Linux-PAM

Pluggable Authentication Module
Collection of libraries (modules) that allow a system administrator to decide how applications will authenticate users
Separates task of authentication from privilege-granting programs

Page 2

Linux-PAM in Action

Page 3

PAM Example

login program
– Allows access to a Linux system
1. Started on each tty (console)
2. User types username
3. Request authentication (password)
4. Verify user is who they claim to be (check /etc/passwd)
5. Start shell
– PAM provides 3 & 4

Page 4

Linux-PAM Operation

Programs must be built to utilize PAM
PAM tells program what it needs
Separates authentication task into four groups:
– Account management
– Authentication management
– Password management
– Session management

Page 5

PAM Groups

Account mgmt
– Used to perform account management functions. Ex: Has user's password expired? Is user allowed to access this service?
Authentication mgmt
– Verify the user is who they claim to be

Page 6

PAM Groups (cont)

Password mgmt
– Involves updating authentication tokens (passwords, tickets)
Session mgmt
– Covers tasks that should be done prior to a service being granted and after it is revoked (mounting/unmounting home directories)

Page 7

PAM Organization

/lib/security/pam_*.so – the PAMs
/lib/libpam.so.* – the PAM library
/etc/pam.conf
– Configuration file to specify how services will authenticate users
– Alternatively, one config file per service in the /etc/pam.d directory: /etc/pam.d/login

Page 8

Config File Structure

Each line of file has these elements:
– service-name: name of service (login)
  Can be omitted if second method (/etc/pam.d) is used
  A special service name – OTHER – is reserved for services with no configuration present
– module-type: PAM group this module operates in (acct, auth, password, session)
– control-flag: indicates how PAM will react to success/failure of module
– module-path: path to the PAM
– args: arguments to the module

Page 9

Module Stacking

Several modules of same type (group) can be executed sequentially
Each module contributes to success/failure of group
Known as stacking
Ex: (auth)
– Get password
– Laser beams of death
– Fingerprint scan

Page 10

Module Stacking (cont)

Control flag values:
– required: success of module is required for the group to succeed. Failure of module will not be noticed until all modules have been executed
– requisite: same as required, but if module fails no more modules are executed – control returns to application
– sufficient: indicates that success of this module is sufficient for the whole group
– optional: success of module is optional

Page 11

Example Config File

/etc/pam.d/login

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
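The control-flag semantics from the previous slide and the per-service file layout above, worked as a small stack evaluator. This is an added example, not code from the slides or from Linux-PAM: the stack is constructed, and each module's verdict is supplied by a function instead of loading a real pam_*.so.

```python
"""Evaluate a Linux-PAM module stack under the four control flags.
Added example, not from the slides: each module's result comes from a
caller-supplied function instead of loading a real pam_*.so."""
from typing import Callable, List, Tuple

# Constructed stack in the /etc/pam.d/<service> layout from the slides:
#   module-type  control-flag  module-path  [args]
LOGIN_STACK = """\
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_rootok.so debug
auth     required   /lib/security/pam_unix.so
auth     required   /lib/security/pam_nologin.so
account  required   /lib/security/pam_unix.so
"""

# control-flag -> (action on success, action on failure), as libpam maps them;
# ok/bad set a positive/negative result, done/die also stop, ignore changes nothing
ACTIONS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
           "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}

def parse_stack(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Split config lines into (module-type, control-flag, module-path, args)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ACTIONS:
            raise ValueError(f"malformed PAM line: {line!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def run_group(entries, module_type: str,
              outcome: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Run one group (auth, account, ...); return (group succeeded, modules called).
    A required failure is remembered but the stack keeps running; a requisite
    failure returns at once; a sufficient success returns at once unless a
    required module already failed; optional only counts if nothing else did."""
    impression = None          # None = undecided, True = positive, False = negative
    called: List[str] = []
    for mtype, flag, path, _args in entries:
        if mtype != module_type:
            continue
        called.append(path.rsplit("/", 1)[-1])
        action = ACTIONS[flag][0 if outcome(path) else 1]
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if action == "done" and impression:
                return True, called          # sufficient: answer the application now
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                return False, called         # requisite: control returns immediately
        # "ignore": the running result is left untouched
    return impression is True, called
```

Running the auth group with pam_securetty.so failing shows the "required" behaviour from the slide: the verdict is negative, yet every later module is still called, and a later "sufficient" success cannot rescue it.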

Page 12

PAMified Programs

RH 7.3
– login: sign onto system
– su: substitute user
– passwd: change passwords
– halt: halt the system
– reboot: reboot the system

Page 13

Using PAM

Restricting su
– Add to /etc/pam.d/su:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

Page 14

Using PAM (cont)

Password strength
– Add to /etc/pam.d/passwd

password required /lib/security/pam_cracklib.so retry=3 minlen=8

Page 15

Using PAM (cont)

Enforcing resource limits
– Add to /etc/pam.d/login

session required /lib/security/pam_limits.so

– Edit /etc/security/limits.conf file
– Can specify limits on number of processes, memory usage, and size of core dumps

Page 16

Using PAM (cont)

Strong default configuration
– /etc/pam.d/other:

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so

Page 17

Kernel Tuning

/proc filesystem
– "virtual" filesystem – exists only in memory
– Can view info on running processes
  Environment
  Path to executable
  Memory usage
– Interface into kernel – source of information
– Can be used to configure kernel dynamically

Page 18

Contents of /proc

filesystems – file which lists filesystems supported by kernel
net – directory containing files which give info about network
pci – file which contains list of PCI devices and their configuration
sys – contains variables which can be modified to alter kernel behavior

Page 19

Changing Variables

Two ways:
1. Since files in /proc/sys are text, can pipe output of standard text commands, e.g. echo
   Changes disappear upon reboot
2. sysctl command
   /etc/sysctl.conf file – stores variable/value pairs
   Read at boot by startup script

Page 20

TCP SYN Cookies

SYN floods – DoS attack which fills SYN queue
– Host cannot accept any more connections
Defense – SYN Cookies
1. Host receives SYN packet from initiator
2. Computes SYN cookie – function of source/dest IP addr, ports, time & secret
3. Sends SYN cookie value as ISN of SYN/ACK reply
4. If original SYN was syncere (hah!), initiator will reply with ACK packet – acknowledgement number will be SYN cookie
5. Host recomputes SYN cookie using values from ACK packet and recent values of time
6. If new SYN cookie matches acknowledgement number – connection established
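The six steps above carried through in code, as an added example that is not from the slides or the Linux kernel: the keyed hash, the 64-second time counter, the one-tick grace window and the secret are all constructed here, and the kernel's real cookie layout differs.

```python
"""SYN cookie generation and validation, following the six steps on the slide.
Added example, not from the slides: the keyed hash, 64-second counter and secret
are constructed here; the Linux kernel's exact cookie layout differs."""
import hashlib
import hmac

SECRET = b"constructed-secret-chosen-at-boot"   # real hosts draw this at random
TICK_SECONDS = 64          # the "time" input only changes every 64 seconds
MAX_AGE_TICKS = 1          # step 5: also try the previous counter value

def tick(now: float) -> int:
    """Coarse time counter that is mixed into the cookie."""
    return int(now) // TICK_SECONDS

def syn_cookie(saddr: str, daddr: str, sport: int, dport: int,
               t: int, secret: bytes = SECRET) -> int:
    """Step 2: 32-bit cookie = keyed hash of the 4-tuple, the counter and the secret."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def handle_syn(saddr: str, daddr: str, sport: int, dport: int, now: float) -> int:
    """Steps 1-3: answer a SYN with a SYN/ACK whose ISN is the cookie.
    Nothing about the half-open connection is stored, so a flood has no
    queue to fill."""
    return syn_cookie(saddr, daddr, sport, dport, tick(now))

def handle_ack(saddr: str, daddr: str, sport: int, dport: int,
               ack_number: int, now: float, secret: bytes = SECRET) -> bool:
    """Steps 4-6: rebuild the cookie from the ACK's own header fields (same
    addresses and ports as the SYN) for the current and recent counter values
    and compare it with what the initiator acknowledged.  TCP acknowledges
    ISN+1, so the cookie that was sent is ack_number-1."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    for age in range(MAX_AGE_TICKS + 1):
        expected = syn_cookie(saddr, daddr, sport, dport, tick(now) - age, secret)
        if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return True                 # step 6: establish the connection
    return False                        # stale, forged or never-sent cookie: drop
```

An ACK that arrives more than one tick late, or from a different source address than the SYN, fails validation and is simply dropped, which is what lets the host stay stateless during a flood.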

Page 21

Enable SYN Cookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

- or -

sysctl -w net.ipv4.tcp_syncookies=1

– Also, add following line to /etc/sysctl.conf

net.ipv4.tcp_syncookies = 1

Page 22

Source-routing

Packet contains details of path to destination
Reply must also follow path
Attacker can forge packets to include his/her machine in the return path
– Can intercept traffic
Solution: do not accept source-routed packets

Page 23

Reject source-routed packets

for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $f
done

- or -

sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.eth0.accept_source_route=0
sysctl -w net.ipv4.conf.lo.accept_source_route=0

Page 24

Ignore ICMP Echo Requests

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

- or -

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Page 25

Ignore ICMP Broadcasts

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

- or -

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Page 26

Ignore ICMP Redirect

Used to inform hosts of non-functioning or non-optimal route
Can be used by attackers to alter routing tables
To disable:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do
echo 0 > $f
done
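The /proc/sys settings from pages 21 to 26, turned into an audit that reports which ones have drifted from the hardened value and emits the /etc/sysctl.conf lines that make them survive a reboot. This is an added example, not from the slides: the mapping between sysctl's dotted names and /proc/sys paths is standard, the interface list is supplied by the caller, and the file reader is injectable so it can run against constructed values as well as a live host.

```python
"""Audit the /proc/sys hardening values from the slides and produce the matching
/etc/sysctl.conf lines. Added example, not from the slides: the reader of
/proc/sys is injectable so the check runs against constructed values too."""
from pathlib import Path
from typing import Callable, Dict, Iterable, List

# Values exactly as the slides set them (dotted sysctl names).
# icmp_echo_ignore_all also stops ping-based monitoring of the host; keep that in mind.
HARDENING: Dict[str, int] = {
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.icmp_echo_ignore_all": 1,
    "net.ipv4.icmp_echo_ignore_broadcasts": 1,
    "net.ipv4.conf.all.accept_source_route": 0,
    "net.ipv4.conf.default.accept_source_route": 0,
    "net.ipv4.conf.all.accept_redirects": 0,
    "net.ipv4.conf.default.accept_redirects": 0,
}

def proc_path(key: str) -> str:
    """sysctl's dotted name -> the /proc/sys file that `echo` writes to."""
    return "/proc/sys/" + key.replace(".", "/")

def sysctl_name(path: str) -> str:
    """Reverse mapping, e.g. for the files matched by conf/*/accept_source_route."""
    return path[len("/proc/sys/"):].replace("/", ".")

def read_live(path: str) -> str:
    return Path(path).read_text()

def audit(read: Callable[[str], str] = read_live, wanted: Dict[str, int] = HARDENING,
          interfaces: Iterable[str] = ()) -> List[str]:
    """Return the dotted names whose live value differs from the wanted one.
    Keys under net.ipv4.conf.all are also checked per interface, mirroring the
    slides' loop over /proc/sys/net/ipv4/conf/*/ (interface names that contain
    a '.' would need sysctl's '/' separator and are not handled here)."""
    checks = dict(wanted)
    for key, value in wanted.items():
        if ".conf.all." in key:
            for ifname in interfaces:
                checks[key.replace(".conf.all.", f".conf.{ifname}.")] = value
    drift = []
    for key, value in checks.items():
        try:
            current = int(read(proc_path(key)).strip())
        except (OSError, ValueError):
            current = None          # unreadable or missing: report it, never assume
        if current != value:
            drift.append(key)
    return drift

def sysctl_conf(wanted: Dict[str, int] = HARDENING) -> str:
    """Lines for /etc/sysctl.conf so the values survive a reboot."""
    return "".join(f"{key} = {value}\n" for key, value in wanted.items())
```

On a live host `audit(interfaces=os.listdir("/proc/sys/net/ipv4/conf"))` checks every interface directory, which is the same set the slides' `for f in .../conf/*/` loop writes to.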

Page 27

Sources

Securing and Optimizing Red-Hat Linux
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html

The Linux Administrator's Security Guide
http://www.seifried.org/lasg/

Skoudis, Ed. Counter Hack. Prentice Hall, New Jersey; 2002. 564 pp.

Linux man pages.

Page 28

Questions?