Sounds like some of what you want is available - but not through PAM. And the reason it's not done through PAM is because... well... it's already being done well enough by some other tool, so nobody bothered to make a module for it.
Anything having to do with logging is a good example. logrotate, and syslog have the needs of most admins covered, and it's a little tough to see the usefulness of putting this in PAM, since most applications already have a logging interface that is easy to write and easily configurable by an admin. The idea of PAM is to allow developers to write a PAM interface (which is simple) so that admins can configure authentication/session restraints as they see fit (also pretty simple).
You're right in saying that PAM is NOT a 'security system'. It's only ONE PART of a system's security. You cannot simply configure PAM and say 'ok, all locked down'. It's not that simple, and it's never been a goal of anyone's to MAKE it that simple. Look into tools like tcpwrappers, bastille, tripwire, the compat libs, the iptables manpage, and the documentation for the latest kernel (all of it.. no - really). Everything you want to do is available. However, it's not all under the PAM umbrella. Nor does any admin want it to be, since building interfaces for firewalls, logging config, system password constraints, file access controls, etc., would make PAM the 'windows registry' of the Linux world. Too much responsibility is not good, and antithetical to the UNIX mantra of 'do one thing, and do it well'.
There are some other things you said that I don't think are factual. For example, 'blocking after x number of attempts' is possible already - though possibly not for all modules. Forcing password changes is also possible already with PAM. Forcing a specific sequence of password requirements is pretty much there - have a look at using pam_cracklib with pam_pwcheck. In my environment, we still had a little code to write to enforce everything we wanted (ie, you have to use a number, and it can't be the first or last character in the password), but it did a lot of jobs we were doing with code before.
Your items numbered 7 and 8 about using a different password algorithm should be available through bastille.
I'd write more, but I do have to run...
All of this said, I'll most likely be covering some of the above mentioned tools in future articles. :)
Re:PAM modules
Posted by: njcajun on February 16, 2004 01:40 AM