To stem the tide of support requests from people who don't read the
INSTALL file when installing OpenSSH and then complain about password
auth failing, I am considering the idea of automagically installing a
PAM file into /etc/pam.d if it exists, PAM support is enabled and no
such file already exists.

I have a couple of questions:

- How is PAM controlled on Solaris? Is there a pam.d directory or does
  it just use pam.conf? Do we need to install a control file for OpenSSH?

- Do FreeBSD and other systems where PAM is a port or addon still
  use /etc/pam.d?

- Some PAM control files specify full paths to the modules, is this
  necessary?

- I want a "no-frills" control file which will work with the widest
  range of systems and still be secure. Would something like the following
  work everywhere? I assume pam_unix is pretty standard, but how about
  pam_cracklib, pam_nologin and pam_limits?

I don't really want to ship without pam_cracklib in for password
changes (since that is what most sites use as default). Can password
changing be disabled using pam_deny?

#%PAM-1.0
auth       required     pam_unix.so shadow nodelay
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_cracklib.so
password   required     pam_unix.so shadow md5 nullok use_authtok
session    required     pam_unix.so
session    required     pam_limits.so

-d

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, /|
| we know this is not true.'' - Robert Wilensky UCB  / http://www.mindrot.org
On Wed, 27 Dec 2000, Damien Miller wrote:

> To stem the tide of support requests from people who don't read the
> INSTALL file when installing OpenSSH and then complain about password
> auth failing. I am considering the idea of automagically installing a
> PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> such file already exists.

I think this is a great idea. I'm attaching an /etc/pam.d/sshd that works
on my SuSE 6.[3,4] and 7.0 machines.

> - Some PAM control files specify full paths to the modules, is this
> necessary?

According to the Linux-PAM system administrators' guide, this is necessary
(check around line 185 of PAM(8)). I can't really speak for other operating
systems.

> - I want a "no-frills" control file which will work with the widest
> range of systems and still be secure. Would something like the following
> work everywhere? I assume pam_unix is pretty standard, but how about
> pam_cracklib, pam_nologin and pam_limits?

SuSE 6.[3,4] and 7.0 use "specializations" of pam_unix.so (probably hard
links to one particular pam_unix_[acct,auth,passwd,session]), but otherwise
pam_cracklib, pam_nologin, and pam_limits are as defined. See my attached
/etc/pam.d/sshd.

> [...]

Thx,
dtc

-------------- next part --------------
#%PAM-1.0
auth       required     /lib/security/pam_unix_auth.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix_passwd.so shadow md5 use_authtok
session    required     /lib/security/pam_unix_session.so
session    required     /lib/security/pam_limits.so
On Wed, 27 Dec 2000, Damien Miller wrote:

> To stem the tide of support requests from people who don't read the
> INSTALL file when installing OpenSSH and then complain about password
> auth failing. I am considering the idea of automagically installing a
> PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> such file already exists.
>
> I have a couple of questions:
>
> - How is PAM controlled on Solaris? Is there a pam.d directory or does
>   it just use pam.conf? Do we need to install a control file for OpenSSH?
>
> - Do FreeBSD and other systems where PAM is a port or addon still
>   use /etc/pam.d?

FreeBSD (as of 4.2) uses only /etc/pam.conf.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                     not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
Damien Miller <djm at mindrot.org> wrote:

> - Do FreeBSD and other systems where PAM is a port or addon still
>   use /etc/pam.d?

FreeBSD has OpenSSH in the base system.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
Hi Damien,

On Wed, 27 Dec 2000, Damien Miller wrote:

> To stem the tide of support requests from people who don't read the
> INSTALL file when installing OpenSSH and then complain about password
> auth failing. I am considering the idea of automagically installing a
> PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> such file already exists.

> I have a couple of questions:

> - Some PAM control files specify full paths to the modules, is this
>   necessary?

It is not necessary with Linux-PAM; if an absolute path is not specified,
Linux-PAM will look for the module in the compiled-in default directory.
It seems to be personal preference on the part of the admin/packager that
determines which way it's written. The default module directory isn't
likely to move anytime soon, so effectively it's not very important.

> - I want a "no-frills" control file which will work with the widest
>   range of systems and still be secure. Would something like the following
>   work everywhere? I assume pam_unix is pretty standard, but how about
>   pam_cracklib, pam_nologin and pam_limits?

The big question, of course, is whether these modules are available with
the Solaris and HPUX PAM implementations. I haven't worked with either, so
I don't have any idea.

I don't know that I would agree with using pam_cracklib by default. The
module has a somewhat spotty history, and even if available everywhere it
will not always give the desired results, particularly on older Linux
installs. Let the distro maintainers deal with those problems when they
package openssh, rather than bringing those support issues down on
yourself. :)

> I don't really want to ship without pam_cracklib in for password
> changes (since that is what most sites use as default). Can password
> changing be disabled using pam_deny?

> #%PAM-1.0
> auth required pam_unix.so shadow nodelay

The 'shadow' option to pam_unix has no meaning when used in the 'auth'
section, and never has. All versions of pam_unix that I've ever seen (and
pam_pwdb, for that matter) will auto-detect whether to look in the shadow
file for the password, as should be the case. This ever-present 'shadow'
arg seems to be something someone at RedHat came up with once upon a time,
and everyone else has just followed along unquestioningly without ever
looking at the source. :)

Fortunately, all versions of pam_unix I've ever seen will also silently
ignore this option when given in the 'auth' section, but according to the
docs, an unknown argument to a pam module is to be considered a fatal
error. Implementations of pam_unix on other OSes may follow this more
strictly, so where portability is an issue, 'shadow' should be dropped.

Cheers,
Steve Langasek
postmodern programmer
<SNIP>

> > - How is PAM controlled on Solaris? Is there a pam.d directory or does
> >   it just use pam.conf? Do we need to install a control file for OpenSSH?

On Solaris 7 there is an /etc/pam.conf, as there is one on Solaris 2.6;
dunno if there is any change on Solaris 8.

HTH
Carlo