Linux.com

Re: PAM modules

Posted by: Administrator on February 15, 2004 02:54 AM
I have had to meet the security requirements of various institutions and use PAM to meet many of the basic logging requirements.

There are several issues I would like addressed.

1. There are several conflicts I found in using the module options for number of logins before you kick people out. If you include root, it has trouble working.
2. PAM is only as good as its supporting functions. Turning on logging, quotas, authentication of passwords, etc. are useless without a way, DESCRIBED in detail, to disable or re-enable these items.
3. File access is not covered. I had to use SNARE, and it's still incomplete.
4. PAM is not a security system... and yet it is. It is an incomplete one... How do I make it work for things like:
Common Criteria Certification (Red Hat Enterprise is certified)
EAL level 3 Certification (SuSE is certified)

1. Logging
2. Blocking after X number of attempts
3. Turning over logs after X number of days (logrotate)
4. Putting a banner before all Logins stating a notice of some sort.
5. Force a password change after X logins, or X time.
6. FORCE a SPECIFIC sequence of password requirements (numerics, alpha, etc.)
7. Force more than 8 significant letters for the password.
8. Be able to drop in a DIFFERENT algorithm for passwords that will work with Shadow/Passwd. There are specific new algorithms that are required in some contracts that give 1024 bit encryption, etc.

This is the start of a super powerful document. I got tired of sifting through the documentation on the net... a strong, tested primer that not only showed the capabilities of PAM but also the limitations. As you can see, I am trying to use it for things that logrotate, chkpasswd, or other functions use.
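Of the eight items in the post, the ones PAM itself can enforce are lockout after X failed attempts (pam_faillock or the older pam_tally2, with even_deny_root so root is not exempt), password length and character-class rules (pam_pwquality, or pam_cracklib on older systems), password reuse history (pam_pwhistory), the hash used for new /etc/shadow entries (the sha512 argument to pam_unix), and last-login / failed-login reporting (pam_lastlog). The others live elsewhere: log rotation is logrotate's job, password aging is set in /etc/login.defs (PASS_MAX_DAYS) and with chage (PAM only enforces the expiry date already recorded in /etc/shadow), and a pre-login banner comes from /etc/issue via getty or pam_issue for local logins and from sshd's Banner option for SSH. The script below is an added example, not code from the original page or from the PAM project: it parses a pam.d-style stack and checks it against those PAM-enforceable items. Both stacks are constructed for the example, and the thresholds (five attempts, minimum length 12) are assumptions chosen for illustration rather than values taken from any standard.

```python
"""Audit a pam.d-style stack (given as text) against a few baseline controls.
Constructed example: the two stacks below are not taken from any real host."""
import re

# Constructed "before" stack: no lockout, nullok, md5 hashes, 8-char minimum.
WEAK_STACK = """\
auth      required   pam_env.so
auth      sufficient pam_unix.so nullok try_first_pass
auth      required   pam_deny.so
account   required   pam_unix.so
password  requisite  pam_cracklib.so retry=3 minlen=8
password  sufficient pam_unix.so md5 shadow use_authtok
session   required   pam_unix.so
"""

# Constructed "after" stack: faillock for everyone including root, pwquality
# with all four classes mandatory, history of 5, sha512, last-login report.
HARDENED_STACK = """\
auth      required   pam_env.so
auth      required   pam_faillock.so preauth silent deny=5 unlock_time=900 even_deny_root
auth      sufficient pam_unix.so try_first_pass
auth      [default=die] pam_faillock.so authfail deny=5 unlock_time=900 even_deny_root
auth      required   pam_deny.so
account   required   pam_faillock.so
account   required   pam_unix.so
password  requisite  pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password  required   pam_pwhistory.so remember=5 use_authtok
password  sufficient pam_unix.so sha512 shadow use_authtok
session   required   pam_lastlog.so showfailed
session   required   pam_unix.so
"""

# type, control (plain word or bracketed form such as [default=die]), module, args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Return a list of (type, control, module, {arg: value}) tuples.
    Flags given without '=' (e.g. sha512, nullok) map to an empty string."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % raw)
        mtype, control, module, rest = m.groups()
        args = {}
        for tok in rest.split():
            key, _, val = tok.partition("=")
            args[key] = val
        entries.append((mtype, control, module, args))
    return entries


def _int(args, key, default=None):
    try:
        return int(args[key])
    except (KeyError, ValueError):
        return default


def audit(text, max_attempts=5, min_length=12):
    """Return a list of findings; an empty list means every check passed.
    max_attempts and min_length are assumed thresholds for this example."""
    findings = []
    entries = parse_stack(text)
    auth = [e for e in entries if e[0] == "auth"]
    pw = [e for e in entries if e[0] == "password"]

    # Lockout after X attempts; root must not be exempt (even_deny_root).
    lock = [e for e in auth if e[2] in ("pam_faillock.so", "pam_tally2.so")]
    if not lock:
        findings.append("no lockout module (pam_faillock/pam_tally2) in auth stack")
    else:
        if any(_int(e[3], "deny") is None or _int(e[3], "deny") > max_attempts for e in lock):
            findings.append("lockout deny= missing or above %d" % max_attempts)
        if not all("even_deny_root" in e[3] for e in lock):
            findings.append("root exempt from lockout (even_deny_root missing)")

    # nullok lets accounts with an empty password field authenticate.
    if any("nullok" in e[3] for e in auth if e[2] == "pam_unix.so"):
        findings.append("pam_unix nullok permits empty passwords")

    # Length and character classes: a negative credit makes that class mandatory.
    quality = [e for e in pw if e[2] in ("pam_pwquality.so", "pam_cracklib.so")]
    if not quality:
        findings.append("no password quality module in password stack")
    else:
        qargs = quality[0][3]
        if _int(qargs, "minlen", 0) < min_length:
            findings.append("minlen below %d" % min_length)
        classes = [k for k in ("dcredit", "ucredit", "lcredit", "ocredit")
                   if _int(qargs, k, 0) < 0]
        if len(classes) < 4 and _int(qargs, "minclass", 0) < 4:
            findings.append("not all four character classes required (mandatory: %s)"
                            % (", ".join(classes) or "none"))

    # Hash selected for new /etc/shadow entries written by pam_unix.
    unix_pw = [e for e in pw if e[2] == "pam_unix.so"]
    strong = ("sha512", "sha256", "yescrypt", "blowfish")
    if not any(any(a in e[3] for a in strong) for e in unix_pw):
        findings.append("pam_unix password line does not select a strong hash")

    # Reuse history, via pam_pwhistory or pam_unix remember=.
    if not (any(e[2] == "pam_pwhistory.so" and _int(e[3], "remember", 0) > 0 for e in pw)
            or any(_int(e[3], "remember", 0) > 0 for e in unix_pw)):
        findings.append("no password history (remember=N)")
    return findings


if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("hardened", HARDENED_STACK)):
        print(name, audit(stack) or ["OK"])
```

The parser keeps a bracketed control such as `[default=die]` as one token, which matters because the `authfail` line of a pam_faillock stack is normally written that way. The checks deliberately stop at what the stack text can prove; whether the hash in /etc/shadow actually changed, or whether root really gets locked out, is only confirmed by testing on the host.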

