Plugged Authentication Module Enijmax 4/23/2004 8/17/2004 updated

Upload: york

Post on 13-Jan-2016

DESCRIPTION

PowerPoint PPT presentation: Plugged Authentication Module (PAM, more commonly expanded as Pluggable Authentication Modules), Enijmax, 4/23/2004, updated 8/17/2004. Covers the PAM design goals, architecture, configuration file format and control flags, the application and module APIs, and PAM security issues.

TRANSCRIPT

Page 1: Plugged Authentication Module

Plugged Authentication Module

Enijmax

4/23/2004

8/17/2004 updated

Page 2: Plugged Authentication Module

PAM Design Goals

The system administrator should be able to choose the default authentication mechanism for the machine, ranging from a simple password to a complex smart card system.

It should be possible to configure the user authentication mechanism on a per-application basis.

The framework should support the display requirements of the applications [for example, the need to display password prompts].

It should be possible to configure multiple authentication protocols for each of those applications.

The system administrator should be able to stack multiple user authentication mechanisms such that the user is authenticated by all of them without retyping the password.

The architecture should allow for multiple passwords if necessary, to achieve higher security for users with specific security requirements.

The system-entry services (login, su, ftp and so on) should not have to change when the underlying mechanism changes.

For backward-compatibility reasons, the PAM API should support the authentication requirements of the current system-entry services.

Page 3: Plugged Authentication Module

PAM Architecture

[Diagram in the original: arrows showing the direction of program flow]

Page 4: Plugged Authentication Module

Four Basic Functions

Authentication (auth): how PAM authenticates a user against the system's authentication method. This has two parts. The first is to determine that the user is who they claim to be, by password or another token. The second is that the module sets up the credentials for the user (for example the user's group memberships).

Account (account): verifies that the account is available, for example that it has not expired.

Session (session): handles what is needed to set up and tear down a session, including logging and setting up any mounts.

Password (password): changes the authentication token (for example the password) associated with an account.

Page 5: Plugged Authentication Module

Four Building Blocks

PAM-aware applications/services: a PAM-aware application calls the PAM library, which in turn loads the modules that do the work of authentication according to the PAM configuration file.

PAM libraries/modules: the PAM library modules are at the heart of what makes PAM work. They are dynamically linked functions (shared objects) that are called to do the PAM-configured tasks. Different modules are developed to work with one or more of the four basic tasks.

PAM configuration file or files: see the next page.

Information data files or databases that a module may need to access: pam_unix.so uses the /etc/passwd and /etc/shadow files or a password database. pam_pwdb.so (an older module, now obsolete) was used with the account action to write accounting information to syslog and to update /etc/utmp and /etc/wtmp.

Page 6: Plugged Authentication Module

Configuration file

Format:

    /etc/pam.conf:    service-name  type  control-flag  module-path  module-arguments
    /etc/pam.d/*:     type  control-flag  module-path  module-arguments
                      (the service name is the file name under /etc/pam.d)

Type: auth, account, session, password

Control flag: required, requisite, sufficient, optional

Page 7: Plugged Authentication Module

Configuration file (Cont.)

Module-path: the actual path to the library module you want to use for a specific task type. Not all library modules can be used with all task types. If a line names a module that is not programmed for that task type, the line is ignored (with an error logged) and PAM moves on to the next line.

Module-arguments: each module accepts its own set of arguments (for example shadow, nullok, use_authtok or retry=3 in the example below); arguments a module does not recognise are logged as errors.

Page 8: Plugged Authentication Module

Control Flags

Depending on whether the module passes or fails, the control flag determines what PAM will eventually tell the application.

required: success of the module is required for the module type (facility) to succeed. Failure of the module is not reported to the application until all of the remaining modules in the stack have been executed.

requisite (order sensitive; failure -> immediate return): like required, but if such a module fails, control is returned to the application immediately. Gain: it protects against a user being given the opportunity to type a password over an unsafe medium, because the later modules (including the password prompt) never run. Loss: such behaviour might let an attacker learn which accounts are valid on a system, because the response differs depending on where in the stack the failure occurred.

Page 9: Plugged Authentication Module

Control Flags (Cont.)

sufficient (order sensitive; success -> immediate return): if the module fails, its result is ignored and the rest of the stack is executed. If the module succeeds and no earlier required module in the chain has failed, the stack terminates immediately and returns success to the application.

optional: marks the module as not critical to the success or failure of the user's application for service. Only in the absence of any definite success or failure from the other stacked modules does this module's result determine the response to the application.
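To make the four flags concrete, here is an added example (my own code, not material from the slides and not Linux-PAM code): a Python parser for the two configuration layouts shown on the previous slides, and a simulator that walks one stack of modules given the verdict each module would return. The configuration text, the module verdicts and the service name login are constructed for the demo; pam_permit.so is a real always-succeed module, used here only to show what a misplaced sufficient entry does. The real evaluation happens in C inside libpam; the simulator follows the classic four-flag semantics described above.

```python
"""Parser for the two PAM configuration layouts and a simulator of how one
management group's module stack is evaluated under the four classic control
flags (Linux-PAM semantics).  Configuration text and module verdicts below are
constructed for the demo; module paths follow the slides' example stack."""
from dataclasses import dataclass, field

TYPES = ("auth", "account", "session", "password")
FLAGS = ("required", "requisite", "sufficient", "optional")
SUCCESS, FAIL = "success", "fail"


@dataclass
class Entry:
    service: str
    type: str
    flag: str
    module: str
    args: list = field(default_factory=list)


def parse_config(text, service=None):
    """service=None -> /etc/pam.conf layout:  service type flag module-path [args]
       service="su" -> /etc/pam.d/su layout:  type flag module-path [args]
    Comment and blank lines are skipped; a malformed line raises ValueError so an
    auditing tool fails closed instead of silently dropping a check."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        svc = service
        if svc is None:
            svc, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError(f"malformed line: {raw!r}")
        typ, flag, module, *args = fields
        if typ.lower() not in TYPES or flag.lower() not in FLAGS:
            raise ValueError(f"unknown type or control flag: {raw!r}")
        entries.append(Entry(svc, typ.lower(), flag.lower(), module, args))
    return entries


def evaluate_stack(entries, mgmt_type, verdicts):
    """Run the modules of one type in file order.  verdicts maps module path to
    SUCCESS/FAIL (what that module would return for this login).  Returns
    (final result, modules that actually ran) so skipped modules are visible."""
    ran, required_failed, ok_seen = [], False, False
    for e in (x for x in entries if x.type == mgmt_type):
        r = verdicts[e.module]
        ran.append(e.module)
        if e.flag == "required":
            required_failed |= r == FAIL   # remembered, hidden until the end
            ok_seen |= r == SUCCESS
        elif e.flag == "requisite":
            if r == FAIL:
                return FAIL, ran           # back to the application at once
            ok_seen = True
        elif e.flag == "sufficient":
            if r == SUCCESS and not required_failed:
                return SUCCESS, ran        # short-circuit: later modules never run
            # a failing sufficient module is ignored
        elif e.flag == "optional":
            ok_seen |= r == SUCCESS        # only decides if nothing else did
    if required_failed or not ok_seen:
        return FAIL, ran                   # fail closed: no module said "ok"
    return SUCCESS, ran


# Constructed /etc/pam.d/login text, modelled on the slides' auth stack.
LOGIN_REQUIRED = """
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_unix.so shadow nullok
auth     required   /lib/security/pam_nologin.so
"""
# Same stack with pam_securetty promoted to requisite.
LOGIN_REQUISITE = LOGIN_REQUIRED.replace("required   /lib/security/pam_securetty",
                                         "requisite  /lib/security/pam_securetty")
# Misordered stack: pam_permit.so (a real module that always succeeds) marked
# sufficient and placed before the password check.
MISORDERED = """
auth sufficient /lib/security/pam_permit.so
auth required   /lib/security/pam_unix.so shadow
"""


def root_on_untrusted_tty(text):
    """Root logs in from a tty missing from /etc/securetty, correct password."""
    verdicts = {"/lib/security/pam_securetty.so": FAIL,
                "/lib/security/pam_unix.so": SUCCESS,
                "/lib/security/pam_nologin.so": SUCCESS}
    return evaluate_stack(parse_config(text, "login"), "auth", verdicts)


def wrong_password_misordered():
    """Wrong password, but the always-succeed module sits first as sufficient."""
    verdicts = {"/lib/security/pam_permit.so": SUCCESS,
                "/lib/security/pam_unix.so": FAIL}
    return evaluate_stack(parse_config(MISORDERED, "login"), "auth", verdicts)


if __name__ == "__main__":
    print(root_on_untrusted_tty(LOGIN_REQUIRED))    # fail, but pam_unix still prompted
    print(root_on_untrusted_tty(LOGIN_REQUISITE))   # fail, pam_unix never ran
    print(wrong_password_misordered())              # success with no password check
```

The three runs show the trade-off from the slides directly: with required everywhere, root on an untrusted tty is still asked for a password (pam_unix runs) and only learns of the failure at the end; with requisite, the stack stops before the prompt; and a sufficient entry placed ahead of the real check lets a caller in without any password check at all, which is why order within a stack is part of its security review.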

Page 10: Plugged Authentication Module

Example (also called a module stack)

    auth     required  /lib/security/pam_securetty.so
        # If the user is trying to log in as root, checks that the tty they are
        # logging in on is listed in /etc/securetty.
    auth     required  /lib/security/pam_unix.so shadow nullok
        # Asks the user for a password and checks it against the information
        # stored in /etc/passwd and /etc/shadow.
    auth     required  /lib/security/pam_nologin.so
        # The final authentication step: fails if the file /etc/nologin exists.
    account  required  /lib/security/pam_unix.so
        # Performs any necessary account verification (expiry and the like).
    password required  /lib/security/pam_cracklib.so retry=3
        # When the password stack is run (for example because the account check
        # reported an expired password), pam_cracklib.so prompts for the new
        # password and checks its strength. retry=3 gives the user three
        # attempts to choose a strong password if the first choice is weak.
    password required  /lib/security/pam_unix.so shadow nullok use_authtok
        # Updates the shadow password file with the new password.
        # shadow: update the shadow password file; nullok: allow accounts whose
        # password is empty (remove this unless such accounts are intended);
        # use_authtok: use the new password already collected and checked by
        # the previous password module instead of prompting again.
    session  required  /lib/security/pam_unix.so
        # Logs the user name and the service type to /var/log/messages at the
        # beginning and end of each session.

Execution order: modules of the same type run in the order listed, top to bottom.

Page 11: Plugged Authentication Module

Configuration setup error?

If any of the fields is invalid, or if a module is not found, that line is ignored and the error is logged as a critical error via syslog(3). (That is the behaviour documented by the Linux-PAM of the time; current Linux-PAM errs on the side of caution and makes a malformed line fail the authentication process instead, so a broken configuration fails closed rather than silently skipping a check.)

PAM module failures are recorded through syslog, typically in /var/log/messages. Example:

    Apr 23 12:06:47 leo p2: PAM unable to dlopen(/usr/lib/security/pam_unix_acct.so)

Fields: date and time, hostname, program name, error message.

Page 12: Plugged Authentication Module

PAM Aware Application

Before the program's own work starts, it can use the PAM APIs to authenticate the caller.

The application must take responsibility for protecting the environment in which PAM operates.

Page 13: Plugged Authentication Module

PAM Application Interface

Authentication management API:

pam_authenticate(pam_handle_t *pamh, int flags): authenticates the user.

pam_setcred(pam_handle_t *pamh, int flags): sets, refreshes or destroys the user's credentials.

Account management API:

pam_acct_mgmt(pam_handle_t *pamh, int flags): checks whether the authenticated user should be given access to the account; in other words, it checks the state of the user account to make sure the account is available.

Session management APIs:

pam_open_session(pam_handle_t *pamh, int flags): called once a new session has been initialized.

pam_close_session(pam_handle_t *pamh, int flags): called upon termination of the session.

Page 14: Plugged Authentication Module

PAM Application Interface (Cont.)

Password management API:

pam_chauthtok(): changes the authentication token (password).

Administrative interface APIs:

pam_start(): initializes the PAM library for a transaction (service name, user, conversation function).

pam_end(): finishes the transaction and releases its resources.

pam_set_item(), pam_get_item(): write and read the transaction's state information (items such as the user name, the tty or the conversation function).

pam_strerror(): returns the error message text for a PAM return code so it can be printed.

Page 15: Plugged Authentication Module

PAM Module API

Page 16: Plugged Authentication Module

Conversation Function

An application must provide the conversation function used for direct communication between a loaded module and the application.

The structure of pam_conv:

    struct pam_conv {
        int (*conv)(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr);
        void *appdata_ptr;
    };

It is initialized by the application before it is passed to the module.

Page 17: Plugged Authentication Module

Conversation Function (Cont.)

    struct pam_message {
        int msg_style;
        const char *msg;
    };
    /* pam_message indicates what kind of message (style) and what text should be shown. */

msg_style is one of the following: PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO

    struct pam_response {
        char *resp;
        int resp_retcode;
    };
    /* pam_response carries the result (the user's answer) in resp. */
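The conversation contract above, as an added example (my own code, not from the slides and not Linux-PAM's libpam_misc): a Python stand-in for the C callback that shows what the application side must do with each msg_style, one response per message, secrets read with echo off, and a conversation error returned rather than a half-filled answer array. The Terminal class, the scripted user input and the message list are constructed for the demo; the msg_style and return-code numbers are Linux-PAM's.

```python
"""Application-side PAM conversation, simulated.  Terminal, scripted input and
the message list are constructed for the demo."""

# Linux-PAM values from <security/_pam_types.h>
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
PAM_SUCCESS, PAM_CONV_ERR = 0, 19


class Terminal:
    """Stand-in for the user's tty: scripted input, recorded visible output."""

    def __init__(self, scripted_input):
        self.inputs = list(scripted_input)
        self.transcript = []            # everything the user could see on screen

    def read_line(self, prompt, echo):
        self.transcript.append(prompt)
        if not self.inputs:
            return None                 # EOF: the user hung up
        line = self.inputs.pop(0)
        self.transcript.append(line if echo else "")   # echo only when allowed
        return line

    def show(self, text):
        self.transcript.append(text)


def converse(messages, term):
    """Mirror of struct pam_conv's conv(): messages is the array of
    (msg_style, text) pairs a module passes in.  Returns (retcode, responses)
    with one (resp, resp_retcode) pair per message, like the struct pam_response
    array the C callback allocates.  Any problem returns PAM_CONV_ERR with no
    responses so the module aborts instead of consuming partial answers."""
    responses = []
    for style, text in messages:
        if style == PAM_PROMPT_ECHO_OFF:
            answer = term.read_line(text, echo=False)   # secrets: never echoed
        elif style == PAM_PROMPT_ECHO_ON:
            answer = term.read_line(text, echo=True)
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            term.show(text)
            answer = None                               # no reply expected
        else:
            return PAM_CONV_ERR, []                     # unknown style: refuse
        if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON) and answer is None:
            return PAM_CONV_ERR, []                     # input ended early
        responses.append((answer, 0))   # resp_retcode is unused and must be 0
    return PAM_SUCCESS, responses


def demo_login():
    """Drive converse() with the messages a password module would send."""
    messages = [(PAM_TEXT_INFO, "Authorized users only."),
                (PAM_PROMPT_ECHO_ON, "login: "),
                (PAM_PROMPT_ECHO_OFF, "Password: ")]
    term = Terminal(["alice", "correct horse battery staple"])  # constructed
    rc, responses = converse(messages, term)
    return rc, responses, term.transcript


if __name__ == "__main__":
    rc, responses, transcript = demo_login()
    print(rc, [r for r, _ in responses])
    print("visible on screen:", transcript)   # the password is not in it
```

In the C version the callback additionally owns memory: it must malloc one pam_response per message and strdup each answer, because the module frees the array; the Python version keeps only the control flow and the echo rule.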

Page 18: Plugged Authentication Module

Transactions in a PAM Application

The lifecycle of a typical PAM transaction is described below. If any of these steps fails, the transaction should be aborted.

1. Call pam_start(3) to initialize the PAM library, specify the service name and target account, and register a suitable conversation function.
2. Call pam_set_item(3) to set related information (for example the user name and the remote host name).
3. Call pam_authenticate(3) to authenticate the applicant.
4. Call pam_acct_mgmt(3) to verify that the requested account is available and valid. If the password is correct but has expired, the application should call pam_chauthtok(3) to force the client to change the authentication token.
5. Call pam_setcred(3) to establish the credentials of the requested account.
6. Once the correct credentials have been established, call pam_open_session(3) to set up the session.
7. Provide the applicant with a shell.
8. Close the session with pam_close_session(3).
9. Finally, call pam_end(3) to notify the PAM library that the application is done, so it can release whatever resources it allocated in the course of the transaction.

Page 19: Plugged Authentication Module

Examples

    #include <security/pam_appl.h>
    #include <security/pam_misc.h>  /* misc_conv: Linux-PAM's terminal conversation function */
    #include <pwd.h>
    #include <sys/types.h>
    #include <unistd.h>             /* getuid */
    #include <stdio.h>

    /* Conversation callback supplied by the application; misc_conv prompts on the tty. */
    static struct pam_conv pamc = { misc_conv, NULL };

    /* The work that must only run after authentication has succeeded. */
    static void my_prog(void)
    {
        printf("this is my program!\n");
    }

    int main(void)
    {
        pam_handle_t *pamh = NULL;
        int result;
        struct passwd *pw;   /* passwd entry of the calling user (not the password) */

        printf("start to authenticate\n");
        if ((pw = getpwuid(getuid())) == NULL) {
            perror("getpwuid");
            return 1;
        }
        /* "su" is the service name: /etc/pam.d/su (or the su lines of
           /etc/pam.conf) decides which modules run. A real program should
           use its own service name and ship its own /etc/pam.d entry. */
        if ((result = pam_start("su", pw->pw_name, &pamc, &pamh)) != PAM_SUCCESS) {
            fprintf(stderr, "start failed: %d\n", result);
            return 1;
        }
        if ((result = pam_authenticate(pamh, 0)) != PAM_SUCCESS)
            fprintf(stderr, "authenticate failed: %s\n", pam_strerror(pamh, result));
        else if ((result = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS)
            fprintf(stderr, "acct_mgmt failed: %s\n", pam_strerror(pamh, result));

        /* pam_end must run on every path once pam_start has succeeded; it is
           given the last status so the modules can clean up accordingly. */
        if (pam_end(pamh, result) != PAM_SUCCESS)
            fprintf(stderr, "end failed\n");
        else if (result == PAM_SUCCESS)
            my_prog();
        return result == PAM_SUCCESS ? 0 : 1;
    }

Build with: gcc example.c -lpam -lpam_misc. The program only authenticates and checks the account; it does not call pam_setcred or open a session, so it is a minimal check of the caller rather than a full login transaction.

Page 20: Plugged Authentication Module

PAM Security Issues

Sharing of passwords across multiple authentication mechanisms: if the user uses the same password for all of the authentication mechanisms and any one of them is compromised, the user's password on all systems is compromised.

Password mapping: the technique of encrypting all other passwords with the primary password assumes that it is a lot more difficult to crack the primary password than the others.

Security of the configuration file: the configuration must be protected from unauthorized modification, since whoever can edit it chooses which modules run and with which flags.

Stacking of various PAM modules: the composition of the stacked authentication modules should be carefully examined (order and control flags included). The trusted computing base of the machine now includes the PAM modules.

Page 21: Plugged Authentication Module

Writing PAM Modules

A module exports the pam_sm_* entry points below; the library calls the one matching the type field of the configuration line.

Authentication management: pam_sm_authenticate(), pam_sm_setcred()

Account management: pam_sm_acct_mgmt()

Session management: pam_sm_open_session(), pam_sm_close_session()

Password management: pam_sm_chauthtok()