Configuration Information
Configuration information is placed in /etc/pam.d/
. Below is an example file:
# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
Now set up some generic files. As root:
install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account
account required pam_unix.so
# End /etc/pam.d/system-account
EOF
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth
EOF
cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session
session required pam_unix.so
# End /etc/pam.d/system-session
EOF
The remaining generic file depends on whether CrackLib-2.9.7 is
installed. If it is installed, use:
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# check new passwords for strength (man pam_cracklib)
password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
minlen=9 dcredit=1 ucredit=1 \
lcredit=1 ocredit=1 minclass=0 \
maxrepeat=0 maxsequence=0 \
maxclassrepeat=0 \
dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password required pam_unix.so sha512 shadow use_authtok
# End /etc/pam.d/system-password
EOF
Note
In its default configuration, pam_cracklib will allow multiple
case passwords as short as 6 characters, even with the
minlen
value set to 11.
You should review the pam_cracklib(8) man page and determine if
these default values are acceptable for the security of your
system.
If CrackLib-2.9.7 is NOT installed, use:
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password required pam_unix.so sha512 shadow try_first_pass
# End /etc/pam.d/system-password
EOF
Now add a restrictive /etc/pam.d/other
configuration file. With this
file, programs that are PAM aware will not run unless a
configuration file specifically for that application is created.
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
# End /etc/pam.d/other
EOF
The PAM man page (man pam) provides a good
starting point for descriptions of fields and allowable entries.
The Linux-PAM
System Administrators' Guide is recommended for additional
information.