Wouldn’t it be less complicated and more secure to just disable password auth for all users?
This is great. I didn’t realize this sort of modularity existed for Linux where you can add in your own functionality. I thought you either change the operating system or you use what is available. Do a lot of other aspects of Linux have this available?
Also the way he takes you through one step at a time so each step compiles is very helpful.
Yes, you should find most of *nix like this, not just Linux. :)
You can also do the same thing with the Name Service Switch (NSS), for things like how usernames are mapped to user entries (uid, gid, home directory path, etc), group membership is looked up, host name resolution (forward and reverse), and a few other misc. things.
All in all, you can customize quite a bit of how the system actually operates from userspace.
Not sure, but I guess the equivalent for the Windows NT family is GINA, see e.g.:
I remember looking into alternatives a good while back, I think with the aim of using regular Kerberos (not MS-flavored AD). In the end that didn’t pan out… But interesting possibility at any rate.
Many modern unixes use PAM. E.g. you can use PAM on macOS to use Touch ID for sudo:
After a Google search, the explanations that I have found about what PAM is were a bit too technical for my current understanding and knowledge of Linux. How would you describe the usage, the importance, the role, of this brick of Linux systems?
(I say Linux, though I see it has been standardized on many other Unix like OSes.)
PAM is an authentication/authorisation system, so in essence any time you “log in” PAM is involved.
For example ssh uses it to check usernames & passwords, and then before the shell is created it might also set up ulimits etc.
PAM is the standardized way in which applications (say “ssh” or “login” or your screensaver, etc) ask the “system” to authenticate and authorize a user. The “system” here is actually a library called libpam. libpam then looks at its configuration files (normally /etc/pam.conf and /etc/pam.d) for the rules to follow to authenticate a user for that application.
libpam replaces an older, less flexible, mechanism largely handled by NSS (Network Service Switch) or reading directly from fixed location files like “/etc/shadow”.
libpam came about because administrators wanted a flexible way to configure authentication on their systems, say requiring multiple factors via SSH but only a single factor on the serial port. Or supporting authentication mechanisms that are particular to their organization or environment, such as using a MySQL database to determine if a user is allowed to log in to the current system via SSH.
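Added example, not part of the comment above or of the linked article: a small parser for per-service PAM rule files that lists which auth modules a login must pass, using the "two factors over SSH, one on the console" case described above. The sample file contents are constructed, the function names are hypothetical, and only `required`/`requisite` rules are counted as mandatory; include directives are skipped.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    type: str      # auth, account, password or session
    control: str   # required, requisite, sufficient, optional or [key=value ...]
    module: str
    args: list

# Constructed sample files, as they might appear under /etc/pam.d/.
SAMPLE = {
    "sshd": """\
# two factors over SSH
auth     required   pam_unix.so
auth     required   pam_google_authenticator.so
account  required   pam_unix.so
session  required   pam_limits.so
""",
    "login": """\
# one factor on the console or serial port
auth      required   pam_unix.so nullok
account   [success=ok new_authtok_reqd=ok default=bad]   pam_unix.so
-session  optional   pam_systemd.so
""",
}

def parse_pam_service(text):
    """Parse the body of one /etc/pam.d/<service> file into Rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):  # includes are not followed
            continue
        fields = line.split()
        mtype = fields[0].lstrip("-")   # "-" prefix: stay quiet if module is missing
        if fields[1].startswith("["):   # bracketed control may contain spaces
            end = next(i for i in range(1, len(fields)) if fields[i].endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        rules.append(Rule(mtype, control, rest[0], rest[1:]))
    return rules

def mandatory_auth_modules(rules):
    """Auth modules that must succeed (simplified: required/requisite only)."""
    return [r.module for r in rules
            if r.type == "auth" and r.control in ("required", "requisite")]

if __name__ == "__main__":
    for service, text in SAMPLE.items():
        print(service, mandatory_auth_modules(parse_pam_service(text)))
```

Lines in the older single-file /etc/pam.conf layout carry the service name as an extra first field, which this parser does not handle.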
Very cool. Thank you for the post :)
I’m writing a custom daemon to monitor HardenedBSD’s infrastructure, notifying me via Pushover whenever there’s an anomaly. As part of this, I plan to write a PAM (tangent: is it “PAM” or “PAM Module”?) to send a Pushover notification whenever a login attempt is made to any internal server. Thanks for writing this article, which I’m going to use as the base of where to start in my PAM development journey.
Do let me know how it goes and if you run into any issues that need to be shored up in the article!