Friday, September 1, 2017

3 - Linux Security: setting password restrictions with PAM (Pluggable Authentication Module)


In this exercise a Linux Debian server is used:

1 - Introduction to PAM

- PAM (Pluggable Authentication Module) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). 

- PAM is built as an intermediary between authentication services and the applications that require user authentication.

- It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

- In the past, distributions kept users and passwords in /etc/passwd and the corresponding hashes in /etc/shadow. However, this creates the security problem that an attacker who manages to obtain those two files obtains the credentials.

- Modern Unix-like systems such as Debian provide the PAM mechanism so that the administrator can configure authentication on the system.

- PAM offers a flexible authentication mechanism used by the application software that involves password data exchange.

- All the programs using PAM have their authentication configuration at the directory /etc/pam.d

2 - PAM Organization

- Linux's version of PAM divides module functionality into different categories depending on which part of the process they are involved in. Here is a brief explanation of the categories:

a) Authentication: The authentication modules validate the user's authentication credentials. This means it checks if the user can supply valid credentials.

b) Account: These modules are responsible for deciding if the account that is trying to sign in has access to the resources that it is requesting at this time. PAM allows you to specify controls that can deny or allow users based on predetermined criteria.

c) Session: These modules establish the environment that will be built up and torn down after user log in or log off. Session files can determine which commands need to be run to prepare the environment.

d) Password: These modules are responsible for updating various services' authentication details. If a password needs to be changed for a service, this module can assist in communicating with the service and modifying the correct values.

 * from Carmen Balan

3 - common-auth

- Let's check the contents of the file /etc/pam.d/common-auth:

- The first line refers to the "pam_unix" module, which provides standard Unix authentication configured through the "/etc/nsswitch.conf" file. Usually this just means checking the /etc/passwd and /etc/shadow files, as expected.

- The "nullok_secure" argument being passed to the unix module specifies that accounts with no password are ok as long as login information checks out with the /etc/securetty file.

- The control field, which has "[success=1 default=ignore]" allows for more fine-grained control. In this instance, if the module returns success, it skips the next "1" line. The default case, which handles every other return value of the module, results in the line being ignored and moving on.

- The second line has the control value of "requisite" meaning that if it fails, the entire configuration returns a failure immediately. It also calls on the "pam_deny" module, which returns a failure for every call. This means that this will always fail. The only exception is when this line is skipped, which happens when the first line returns successfully.

- The third line is required and calls the "pam_permit" module, which returns success every time. This simply resets the current "pass/fail" record at this point to ensure that there aren't some strange values from earlier.
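The three lines just described form a small control-flow program, and the easiest way to see why pam_deny never fires on a successful login is to step through it. The script below is an added example, not part of the original post: it reconstructs the stack from the description above (the standard Debian common-auth lines), simulates each module's result instead of calling the real PAM libraries, and walks the stack once with pam_unix succeeding and once with it failing, printing which line was evaluated, skipped or terminal.

```shell
#!/bin/sh
# Added example (not from the original post): a tiny interpreter for the
# control flow of the three-line Debian common-auth stack. Module outcomes
# are simulated, so nothing here touches the real PAM libraries.

# Reconstructed from the post's description of /etc/pam.d/common-auth.
COMMON_AUTH='auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so'

# Simulated module results. pam_unix takes its outcome from $2 ("success"
# when the credentials check out, "fail" otherwise); the other two are fixed.
module_result() {
    case $1 in
        pam_unix.so)   printf '%s\n' "$2" ;;
        pam_permit.so) printf 'success\n' ;;
        *)             printf 'fail\n' ;;   # pam_deny.so and anything unknown
    esac
}

# Walk the stack for a given pam_unix outcome, print a trace, and return
# 0 when the stack as a whole passes, 1 when it fails.
run_stack() {
    unix_outcome=$1
    verdict=""      # "" = nothing recorded yet; the first failure is sticky
    skip=0
    while read -r type control rest; do
        # A bracketed control field contains a space: re-join it up to "]".
        while [ "${control#\[}" != "$control" ] && [ "${control%\]}" = "$control" ]; do
            set -- $rest
            control="$control $1"; shift; rest=$*
        done
        set -- $rest
        module=$1
        if [ "$skip" -gt 0 ]; then
            skip=$((skip - 1))
            printf '  %-28s %-14s skipped\n' "$control" "$module"
            continue
        fi
        result=$(module_result "$module" "$unix_outcome")
        printf '  %-28s %-14s %s\n' "$control" "$module" "$result"
        case $control in
            \[*)        # [success=N default=ignore]: success counts and jumps
                        # over the next N lines; any other result is ignored
                if [ "$result" = success ]; then
                    skip=${control#*success=}; skip=${skip%%[!0-9]*}
                    if [ -z "$verdict" ]; then verdict=success; fi
                fi ;;
            requisite)  # failure ends the stack immediately
                if [ "$result" = fail ]; then verdict=fail; break; fi
                if [ -z "$verdict" ]; then verdict=success; fi ;;
            required)   # failure is recorded, but later lines still run
                if [ "$result" = fail ]; then verdict=fail
                elif [ -z "$verdict" ]; then verdict=success; fi ;;
        esac
    done <<EOF
$COMMON_AUTH
EOF
    # Assumption for this simulation: an empty record counts as a failure.
    [ "$verdict" = success ]
}

echo "pam_unix succeeds:"; run_stack success && echo "=> PASS" || echo "=> FAIL"
echo "pam_unix fails:";    run_stack fail    && echo "=> PASS" || echo "=> FAIL"
```

With pam_unix succeeding, the jump of "1" lands on pam_permit and the result is PASS; with pam_unix failing, "default=ignore" records nothing, the requisite pam_deny line is reached, and the stack terminates with FAIL before pam_permit is ever consulted.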

4 - Checking if PAM is being used

- Let's check if PAM is being used for some services.

- login:

- apache (no result):

- sshd:

- password:
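A quick way to run the same check for several services at once is shown below. This is an added example, not the post's own commands: it reports whether a service's binary is dynamically linked against libpam (via ldd) and whether a service file exists under /etc/pam.d. The service names are assumptions matching the post's list (the post's "password" check is taken to be the passwd binary, and "apache" is taken to be apache2); binaries in /usr/sbin may need an explicit path when run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original post): read-only checks of whether a
# service uses PAM, by library linkage and by presence of a service file.

# Does the given executable link libpam? Returns 0 = yes, 1 = no or not found.
links_libpam() {
    bin=$1
    [ -f "$bin" ] || return 1
    ldd "$bin" 2>/dev/null | grep -q 'libpam\.so'
}

# Is there a PAM service file for this name? Returns 0 = yes, 1 = no.
has_pam_service_file() {
    [ -f "/etc/pam.d/$1" ]
}

# One status line per service; the binary is looked up on PATH unless an
# explicit path is given as the second argument.
pam_usage_report() {
    name=$1
    bin=${2:-$(command -v "$name" 2>/dev/null || true)}
    if [ -n "$bin" ] && links_libpam "$bin"; then lib="linked"; else lib="not linked"; fi
    if has_pam_service_file "$name"; then cfg="has /etc/pam.d/$name"; else cfg="no /etc/pam.d/$name"; fi
    printf '%-8s libpam %-11s %s\n' "$name" "$lib" "$cfg"
}

# Service names assumed from the post's list; apache2 normally lives in
# /usr/sbin, which is not on every user's PATH.
pam_usage_report login
pam_usage_report sshd   /usr/sbin/sshd
pam_usage_report passwd
pam_usage_report apache2 /usr/sbin/apache2
```

An Apache binary that is not linked against libpam and has no service file is exactly the "no result" the post observes: the web server does its own authentication (or delegates it to modules) rather than going through the PAM stack.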

5 - Password restrictions with command "chage"

- Let's change the password for the user roch in a normal way (no restrictions so far):

- The command chage is useful for managing password restrictions:

- Checking the default settings for the user roch:

- Now let's set some new restrictions for the user roch using the command chage:

- Options for command chage are:

a) -m 7 = minimum number of days between password changes
b) -M 60 = maximum number of days between password changes
c) -W 3 = number of days of warning before the password expires

- Going back to the user roch account:

- When trying to change the password from the roch user account, a message is displayed saying that the change cannot be performed. The reason is the restriction that at least 7 days must pass before the password can be changed again:

- However, it is interesting to notice that root can change both the password and the restrictions. For instance, root can remove the restrictions and go back to the default settings:

- Checking that the default setting is now active:
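Everything chage sets ends up in /etc/shadow: fields 4, 5 and 6 of each entry hold the minimum days (-m), maximum days (-M) and warning days (-W). That makes it easy to audit a whole machine for accounts that never received the restrictions applied above. The script below is an added example, not part of the original post; it works on a constructed shadow-format sample (placeholder hashes, a made-up last-change day), and the policy thresholds are assumptions taken from the post's -m 7 -M 60 -W 3 values. Run it as root against the real file with `audit_shadow < /etc/shadow`.

```shell
#!/bin/sh
# Added example (not from the original post): audit the password-aging
# fields that "chage" writes into /etc/shadow. Colon-separated layout:
#   1 user  2 hash  3 last-change  4 min-days  5 max-days  6 warn-days ...
# Baseline thresholds below are assumptions, taken from the post's example.
POLICY_MIN=7     # chage -m
POLICY_MAX=60    # chage -M
POLICY_WARN=3    # chage -W

# Print "<user> OK" or "<user> VIOLATION: ..." for one shadow line.
check_aging_line() {
    line=$1
    user=$(printf '%s' "$line" | cut -d: -f1)
    min=$(printf '%s' "$line"  | cut -d: -f4)
    max=$(printf '%s' "$line"  | cut -d: -f5)
    warn=$(printf '%s' "$line" | cut -d: -f6)
    # Empty fields mean "not set"; treat them as the loosest possible value.
    : "${min:=0}" "${max:=99999}" "${warn:=0}"
    problems=""
    [ "$min" -ge "$POLICY_MIN" ]   || problems="$problems min=$min<$POLICY_MIN"
    [ "$max" -le "$POLICY_MAX" ]   || problems="$problems max=$max>$POLICY_MAX"
    [ "$warn" -ge "$POLICY_WARN" ] || problems="$problems warn=$warn<$POLICY_WARN"
    if [ -z "$problems" ]; then
        printf '%s OK\n' "$user"
    else
        printf '%s VIOLATION:%s\n' "$user" "$problems"
    fi
}

# Audit a shadow-format stream on stdin. Entries whose hash is "*" can never
# log in with a password and are skipped. Returns 1 if any account violates.
audit_shadow() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        hash=$(printf '%s' "$line" | cut -d: -f2)
        if [ "$hash" = '*' ]; then continue; fi
        out=$(check_aging_line "$line")
        printf '%s\n' "$out"
        case $out in *VIOLATION*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample in /etc/shadow format (hashes and dates are placeholders).
SAMPLE_SHADOW='roch:$6$salt$placeholder:17410:7:60:3:::
alice:$6$salt$placeholder:17410:0:99999:7:::
daemon:*:17410:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
# Real use, as root:  audit_shadow < /etc/shadow
```

In the sample, roch carries the restrictions from the post and passes, while alice still has the Debian defaults (min 0, max 99999, warn 7) that root restores with `chage -m 0 -M 99999 -W 7`, so she is flagged on the minimum and maximum days.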

6 - Password restrictions with PAM

- PAM allows a more detailed approach to password restrictions.

- First of all, let's install some dependencies:

- By editing the file pwquality.conf, password restrictions can be set, for instance on the length and on the number and type of characters, etc.:

- Also, by editing the file common-password, a maximum of 3 retries can be set:

- Going back to the user roch account:

- When trying to change to a password that doesn't comply with the restrictions, a message is displayed stating that the change cannot be performed, up to a maximum of 3 attempts:

- However, it is interesting to notice that root can perform any password change, overriding the restrictions, although a warning message is displayed:
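Because the quality rules live in two places (the key=value settings in pwquality.conf and the `retry=N` argument on the pam_pwquality line in common-password), a host review has to read both. The script below is an added example, not part of the original post: it extracts the effective minlen and minclass values from a pwquality.conf-style file, the retry count from a common-password file, and compares them with a baseline. The two sample files are constructed for the example (the pam_pwquality line mirrors what the libpam-pwquality package adds on Debian, assumed here to be the dependency the post installs), and the baseline numbers are assumptions; point the functions at /etc/security/pwquality.conf and /etc/pam.d/common-password to audit a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): check the password-quality
# settings spread across pwquality.conf and common-password against a baseline.

# Print the effective value of a pwquality.conf key (the last uncommented
# assignment wins), or nothing when the key is not set.
pwquality_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p" "$2" | tail -n 1
}

# Print the retry=N value of the pam_pwquality line, or nothing if absent.
pwquality_retry() {
    sed -n 's/^password.*pam_pwquality\.so.*retry=\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1
}

# Compare with a baseline (assumed values), print each finding, return 1 on
# any failure. Unset keys fall back to the module defaults documented in
# pwquality.conf(5) and pam_pwquality(8): minlen 8, minclass 0, retry 1.
audit_password_policy() {
    pwq=$1; cp=$2; rc=0
    minlen=$(pwquality_value minlen "$pwq");     minlen=${minlen:-8}
    minclass=$(pwquality_value minclass "$pwq"); minclass=${minclass:-0}
    retry=$(pwquality_retry "$cp");              retry=${retry:-1}
    [ "$minlen" -ge 12 ]  && echo "minlen=$minlen OK"     || { echo "minlen=$minlen below 12";   rc=1; }
    [ "$minclass" -ge 3 ] && echo "minclass=$minclass OK" || { echo "minclass=$minclass below 3"; rc=1; }
    [ "$retry" -le 3 ]    && echo "retry=$retry OK"       || { echo "retry=$retry above 3";      rc=1; }
    return $rc
}

# Build the constructed sample files, run the audit, clean up.
demo() {
    pwq=$(mktemp); cp=$(mktemp)
    cat >"$pwq" <<'EOF'
# constructed sample of /etc/security/pwquality.conf (see pwquality.conf(5))
minlen = 12
minclass = 3
# dcredit = -1
EOF
    cat >"$cp" <<'EOF'
# constructed sample of the /etc/pam.d/common-password lines on Debian
password	requisite			pam_pwquality.so retry=3
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
password	requisite			pam_deny.so
password	required			pam_permit.so
EOF
    if audit_password_policy "$pwq" "$cp"; then rc=0; else rc=1; fi
    rm -f "$pwq" "$cp"
    return $rc
}

demo
```

Note that the pam_pwquality line is "requisite": three rejected attempts end the passwd run, which is the behaviour the post observes for the roch account, while root's change still goes through because pam_pwquality only warns for uid 0 unless the `enforce_for_root` option is set.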