$Date: 2004/06/07 19:35:17 $ $Id: FAQ,v 1.1 2004/06/07 19:35:17 morgan Exp $

Q0: What exactly is PAM?
Q1: Whom should I email when I'm having trouble?
Q2: Is there a "free" version of PAM available?
Q3: Are there any distributions (of Linux) that come with PAM?
    [Note on Solaris implementation]
Q4: Is Linux-PAM just for Linux?
Q5: What do I need to use Linux-PAM?
Q6: Do I have to wait for Red Hat to upgrade my version of PAM?
Q7: When I upgrade to a newer version of PAM, my login prompt changes! Why?
Q8: Root cannot do this without typing the user's password! Can I fix this?
Q9: xlock and foobar don't work with shadow passwords
Q10: How do I shadow my system?
Q11: How come passwd doesn't know who I am?
Q12: Why is rlogin slow?
Q13: Is there an archive of email to the pam-list?

Module specific questions:

----------------------------------------------

Q0: What exactly is PAM?

PAM = Pluggable Authentication Modules

Basically, it is a flexible mechanism for authenticating users.

Since the beginnings of UNIX, authenticating a user has been accomplished by the user entering a password and the system checking whether the entered password corresponds to the encrypted official password stored in /etc/passwd. The idea is that the user *is* really that user if and only if they can correctly enter their secret password.

That was in the beginning. Since then, a number of new ways of authenticating users have become popular, including more complicated replacements for the /etc/passwd file and hardware devices such as smart cards. The problem is that each time a new authentication scheme is developed, all the programs that need it (login, ftpd, etc.) have to be rewritten to support it.

PAM provides a way to develop programs that are independent of the authentication scheme. These programs need "authentication modules" to be attached to them at run-time in order to work.
Which authentication module is attached depends on the local system setup and is at the discretion of the local system administrator.

Q1: Whom should I email when I'm having trouble?

Before emailing anyone, consider the nature of your trouble.

Are you using the Red Hat Linux default PAM? If so, you should email the folks at Red Hat:

    redhat-list@redhat.com

Are you experiencing trouble with SimplePAMApps? In this case you should email:

    morgan@linux.kernel.org

Only if you are experiencing trouble with the latest version of, or would like to contribute to the ongoing development of, Linux-PAM should you email:

    pam-list@redhat.com

If you would like to suggest that something you have "solved" for yourself be added to this FAQ, please email its maintainer (see end of file).

Q2: Is there a "free" version of PAM available?

YES. It is Linux-PAM and can be found at

    http://linux.kernel.org/pub/linux/libs/pam
    ftp://linux.kernel.org/pub/linux/libs/pam

Q3: Are there any distributions (of Linux) that come with PAM?

YES. Currently, Red Hat Linux, Caldera, and Debian as of 2.2. Also, FreeBSD supports PAM, as of version 3.1.

A note about Sun's implementation of PAM:
- - - - - - - - - - - - - - - - - - - - -

PAM was invented by SUN Microsystems. They have their own implementation of the specification(!). It is present in an internal form in Solaris 2.5 and will be fully realized in 2.6. [Internal form = no stacking of modules and no pam.conf file]

A note about the HP-UX implementation of PAM:
- - - - - - - - - - - - - - - - - - - - - - -

[The following text courtesy of Charlie Brooks.]

HP/Compaq included a working implementation of PAM derived from the Sun code in HP-UX 11.00. Previous versions are reported to work poorly if at all, and all early versions implemented everything within a single module, libpam_unix.1. Currently ldap, ssh, CIFS9000 (samba) and kerberos are all known to work with HP-UX PAM.

Q4: Is Linux-PAM just for Linux?

Primarily, yes.
Linux-PAM is actively being developed using Linux machines. There have been some efforts to make the distribution compile on other systems, and future releases will hopefully be easier to install on them.

Q5: What do I need to use Linux-PAM?

You will need the library installed (libpam.so{.X.YY}), some modules (pam_ZZZZ.so), an /etc/pam.conf file, and some applications that were compiled to use PAM. Generally, the applications will have come with your distribution of Linux, but (thanks to Red Hat) many mainstream applications have PAM patches in them -- if you are doing it yourself, you will have to compile these. (The applications may require the presence of libpam_misc.[a|so].) If you just want to play, you might consider downloading the SimplePAMApps (see pointer above); some of these require the presence of libpwdb (but then so do some of the modules...).

Q6: Do I have to wait for Red Hat to upgrade my version of PAM?

If you worry about having someone to complain to, the answer is YES. If, however, you are willing to try alpha/beta versions, Cristian Gafton tries to make rpms for more recent PAM (& libpwdb) distributions available from

    ftp://sysadm.sorosis.ro/pub/pam/

While there is no guaranteed support for this software, bug reports should be posted to pam-list@redhat.com, so they can be fixed.

Q7: When I upgrade to a newer version of PAM, my login prompt changes! Why?

Red Hat shipped a version of Linux-PAM that had a default PAM_USER_PROMPT (defined in Linux-PAM-X.YY/libpam/pam_private.h as PAM_DEFAULT_PROMPT) of "Login: ". They did this to reduce the amount of work needed to port applications to PAM authentication. In the longer term, applications should be fixed to specify their preferred user prompt with the following line inserted before their first call to pam_authenticate():

    pam_set_item(pamh, PAM_USER_PROMPT, "Login: ");

[Instead of "Login: ", the desired prompt should be used.]
The default prompt is uglier: "Please enter username: ", and will remain this way, to encourage application developers to write robust applications! (In case you are wondering, the "official" Sun version is "Please enter user name: ", which besides being ugly is also bad UN*X-speak..!)

Another solution, if you find this behavior to be a problem, is to upgrade to an enhanced version of the linux-utilities. Derrick J. Brashear has contributed this:

> ftp://ftp.dementia.org/pub/pam/util-linux-2.5-26.src.rpm
> has been updated but again I forgot to increment the build number.

Q8: Root cannot do this without typing the user's password! Can I fix this?

Historically, root could do a number of things on behalf of a user without having to bother with typing the user's password. Applications like 'passwd', 'su' and 'chfn' would skip the "Enter user's password: " prompt in such cases. PAM places this behavior at the discretion of the System Administrator. To enable this behavior, the admin should insert a line of the following form in the /etc/pam.conf file. (It should be placed before the line that would otherwise prompt for a password):

    XXX auth sufficient /usr/lib/security/pam_rootok.so

Here, XXX is the "service name" of interest.

**NOTE**: This should only be applied to applications that a pre-authenticated user invokes to obtain a restricted service (su, passwd, etc.). Applications like 'login', 'ftpd' etc. are always invoked with the identity of root (indirectly by init) and so this line will effectively remove any security on this service!!

Q9: xlock and foobar don't work with shadow passwords

This may be to do with the fact that 'xlock' (or 'foobar') does not have permission to read the /etc/shadow file. The simplest thing to do to overcome this is to make it setuid (chown root `which xlock` && chmod +s `which xlock`).
To my knowledge no one has verified that xlock cannot be made to launch a root-owned shell this way, so think twice before you do this.

The unix and pwdb modules can use the help of a helper binary to verify the password field ** for the current user **. So an alternative to making xlock setuid is to use the pam_unix or pam_pwdb modules for authentication. If this still doesn't work, check the /etc/log/messages file for a clue... If the module complains that it cannot open the configuration file, check the access permissions on the /etc/pam.conf file (or the /etc/pam.d/ directory).

For 'foobar' applications the situation may be more complicated. Generally, this is because the foobar application wants to authenticate users other than the one that invoked it. As such, the helper programs used by the unix and pwdb modules will refuse to check the corresponding password. If you want to get around this problem then you need to do something to give the foobar program more general access to the /etc/shadow file. A simple thing to do is to make the foobar program setgid shadow, and make the /etc/shadow file's group ownership the shadow group (chgrp shadow /etc/shadow), with read access for that group (chmod g+r /etc/shadow).

Q10: How do I shadow my system?

A shadowed system is one in which all passwords are stored in the /etc/shadow file. The single character 'x' is placed in the passwd field of /etc/passwd.

The remainder of this answer is Red Hat specific.

There is a utility in Red Hat's distribution, /usr/sbin/pwconv5 (part of the shadow-utils package), that makes your /etc/passwd file shadowed.
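An added audit helper, written for this FAQ and not part of Linux-PAM, that checks two of the points above from the administrator's side: the Q8 rule on where a pam_rootok line may appear (only on services a pre-authenticated user invokes, and before the password-prompting line), and the Q10 requirement that a shadowed /etc/passwd carries 'x' while every /etc/shadow line has exactly nine fields. The service and module names come from the FAQ; the pam.conf, passwd and shadow contents are constructed samples.

```python
ROOT_INVOKED = {"login", "ftpd"}  # FAQ Q8: services always invoked as root (by init); extend for your site
PASSWORD_MODULES = {"pam_unix.so", "pam_pwdb.so"}  # FAQ Q9: modules that prompt for the password
def parse_pam_conf(text):
    """Yield (service, type, control, module basename) from /etc/pam.conf text."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(parts) >= 4:
            yield parts[0], parts[1].lower(), parts[2].lower(), parts[3].rsplit("/", 1)[-1]

def audit_rootok(pam_conf):
    """Q8: flag pam_rootok lines that are dangerous (root-invoked service) or ineffective."""
    stacks, findings = {}, []
    for svc, mtype, control, module in parse_pam_conf(pam_conf):
        if mtype == "auth":
            stacks.setdefault(svc, []).append((control, module))
    for svc, stack in stacks.items():
        mods = [m for _, m in stack]
        if "pam_rootok.so" not in mods:
            continue
        pos = mods.index("pam_rootok.so")
        if svc in ROOT_INVOKED:
            findings.append(f"{svc}: pam_rootok removes all authentication on a root-invoked service")
        if stack[pos][0] != "sufficient":
            findings.append(f"{svc}: pam_rootok must be 'sufficient', found '{stack[pos][0]}'")
        elif PASSWORD_MODULES & set(mods[:pos]):  # FAQ: it must precede the line that prompts
            findings.append(f"{svc}: pam_rootok comes after the password module, so root is still prompted")
    return findings

def audit_shadowing(passwd, shadow):
    """Q10: each passwd entry should carry 'x', and each /etc/shadow line has nine fields."""
    findings = []
    for line in filter(None, shadow.splitlines()):
        fields = line.split(":")
        if len(fields) != 9:  # the adduser bug patched in Q10 wrote ten fields (a stray '::')
            findings.append(f"shadow: {fields[0]} has {len(fields)} fields, expected 9")
    for line in filter(None, passwd.splitlines()):
        name, pw = line.split(":")[:2]
        if pw != "x":
            findings.append(f"passwd: {name} is not shadowed (password field {pw!r})")
    return findings

# Constructed sample configuration and account files (not taken from any real system).
SAMPLE_PAM_CONF = """\
login   auth sufficient /usr/lib/security/pam_rootok.so
login   auth required   /usr/lib/security/pam_unix.so
passwd  auth required   /usr/lib/security/pam_pwdb.so
passwd  auth sufficient /usr/lib/security/pam_rootok.so
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nbob:$1$xyz:1001:100::/home/bob:/bin/sh\n"
SAMPLE_SHADOW = "root:*:10000::-1:-1:-1:-1:-1:-1\n"
```

Running `audit_rootok(SAMPLE_PAM_CONF)` reports the login service as unprotected and the passwd service as misordered; `audit_shadowing(SAMPLE_PASSWD, SAMPLE_SHADOW)` reports the ten-field shadow line and the unshadowed account.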
There is also a shell script in /usr/sbin/ that adds new users; you need to apply the following patch to adduser-1.2-1 to make it work on a shadowed system. (Pre-4.1, the nifty usercfg program breaks once your system is shadowed.)

========================================================================
--- adduser~    Mon Aug 26 11:24:48 1996
+++ adduser     Fri Jan 31 10:03:31 1997
@@ -115,7 +115,7 @@
 # The date invocation is non-standard, but works with GNU date.
 # It fills in the "last changed" field with the number of DAYS
 # since epoch (86400 seconds per day; %s is second since epoch).
-echo "$LOGIN:*:$(($(date '+%s')/86400))::-1:-1:-1:-1:-1:-1" >> $SHADOW
+echo "$LOGIN:*:$(($(date '+%s')/86400)):-1:-1:-1:-1:-1:-1" >> $SHADOW
 else
 echo "$LOGIN:*:$NUID:$NGID:RHS Linux User:$DHOME/$LOGIN:$DSHELL" >> $PASSWD
 fi
========================================================================

Q11: How come passwd doesn't know who I am?

This is a bug. Most likely it is outside PAM, but it seems to be related to corruption of the /var/log/utmp file. Functions like getlogin() rely on this file; another symptom of the problem is that 'logname' doesn't work. The problem has been pinned down to the NetKit-B rpm. You should upgrade to a newer one (the problem is actually in telnetd).

Q12: Why is rlogin slow?

All things point to you having a nameserver misconfiguration. You can verify that this is likely to be the case by substituting IP addresses for any hostnames in your .rhosts (etc.) file(s).

Q13: Is there an archive of email to the pam-list?

Yes, please try:

    https://listman.redhat.com/mailman/listinfo/pam-list

---------

This FAQ is maintained by Andrew Morgan
http://www.kernel.org/pub/linux/libs/pam
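Review bot: the `+` line in the adduser hunk (Q10) is the right fix, and the reason belongs in the patch description: the `::` after the days-since-epoch expression in the `-` line produces ten colon-separated fields, whereas /etc/shadow takes nine (login name, password, last change, min, max, warn, inactive, expire, reserved), so every later value was shifted one field to the right. Two smaller points on the same line: shadow(5) uses an empty field for "not set", so the `-1` values for min/max/warn/inactive/expire and the reserved field would be cleaner left empty, and `>> $SHADOW` should be quoted as `>> "$SHADOW"` like any other path expansion.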