PAM Authentication in Linux: Practical Guide with SSH

Uploaded by suresh

Introduction:
PAM (Pluggable Authentication Modules) is the framework through which Linux
services such as login, sudo and sshd authenticate users and apply account
and password policy. Policy is changed by editing the configuration under
/etc/pam.d rather than the services themselves, so one change to the shared
stack applies to every service that includes it. For SSH in particular, sshd
only consults PAM when UsePAM yes is set in /etc/ssh/sshd_config (the
Debian/Ubuntu default); with UsePAM no, none of the settings below affect SSH
logins. This document covers PAM setup, configuration, and SSH authentication
with step-by-step screenshots.

1. sudo vi /etc/pam.d/common-auth
- Explanation: Opens the common-auth file, the auth stack shared by every
service that includes it (sshd, login, sudo, ...), to configure how a user
proves their identity (password, two-factor authentication) and the
failed-attempt counter that drives account lockout.
- Purpose: Controls how users authenticate during login.
2. sudo vi /etc/pam.d/common-password
- Explanation: Opens the common-password file to define the password
policies (e.g., length, complexity, reuse) applied whenever a password is
changed.
- Purpose: Enforces password management rules for user accounts.
3. sudo vi /etc/pam.d/common-account
- Explanation: Opens the common-account file to manage account settings,
i.e. whether an already-authenticated user is allowed in at all.
- Purpose: Configures account restrictions, such as locking, expiration,
and login times.
Note: the common-* files are the Debian/Ubuntu layout; other distributions
use system-auth or password-auth instead. Every file under /etc/pam.d is
owned by root, so all three need sudo to be saved, and on Debian/Ubuntu
pam-auth-update regenerates the common-* files and can discard hand edits.
Steps Taken to Check and Implement PAM Security
1. Initial PAM Security Check Attempt
Initially, I attempted to check whether PAM security was properly
implemented by performing simple login and exit operations. However,
this method didn't work because of some underlying issues in the system
configuration. I couldn't get the expected results by simply logging in
and exiting, which led me to investigate further.
2. Creating a New User
Since the initial approach wasn't successful, I decided to create a new
user to verify whether the settings were applied correctly. To create the
new user, I used the following command:
3. Editing PAM Configuration Files
The next step involved editing the key PAM configuration files to ensure
that the security policies were correctly applied. I used the vi text
editor to open and modify the following PAM files:
Authentication settings: vi /etc/pam.d/common-auth
Password policies: vi /etc/pam.d/common-password
Account management policies: sudo vi /etc/pam.d/common-account
These files were edited to configure the desired behaviour, such as limiting
the number of login attempts, setting password policies, and account
restrictions (e.g., account lockout after multiple failed login attempts).
4. Verifying the Configuration Changes
After making the necessary changes to the PAM configuration files, I
tested the lockout functionality: specifically, whether the system would
lock the account after multiple failed login attempts, as configured in
the PAM files.
5. Testing the Lockout Feature After Multiple Failed Attempts
To check whether the account lockout mechanism was working as expected,
I attempted to log in with the wrong password multiple times (in this
case, 4 failed attempts).
- Expected Outcome: After 4 failed attempts, the system should lock the
user account, displaying a lock message or preventing further login
attempts.
- Result: After 4 incorrect login attempts, the system indeed locked the
account and showed the expected lock message, confirming that the PAM
security configurations were successfully implemented.
6. Conclusion
By creating a new user, modifying the PAM configuration files, and testing
the lockout feature, I was able to verify that PAM security was correctly
implemented. The system now enforces login restrictions as intended,
locking out the user after a set number of failed login attempts. This
approach worked after I applied all the necessary configurations and tested
them with the newly created user.

- When I was trying to reset the time or reset its login activity, it was
not working, because the lock time limit was only 2 minutes. After entering
the correct password, it actually worked after the 2 minutes.
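As an added example (not part of the original report and not the author's own configuration), the script below writes the Debian/Ubuntu common-auth, common-account and common-password stanzas that implement the policy tested in the steps above with pam_faillock (lock after 4 failures, unlock after 2 minutes) and pam_pwquality (length and complexity rules), and then checks the module ordering, which is the usual way a hand-edited stack silently stops counting. It also carries the reset commands relevant to the lock-timeout problem discussed under "Mistakes and Suggested Fixes". PAM_ROOT, the check_faillock_order and pam_option helpers and the deliberately misordered sample stack are assumptions of this example; the module names and options are those of Linux-PAM's pam_faillock, pam_pwquality and pam_unix. By default it writes into a scratch directory, so it can be run anywhere without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original report. Builds the lockout and password
# policy the report describes (lock after 4 failures, unlock after 2 minutes,
# length/complexity rules) for pam_faillock and pam_pwquality, then checks the
# module ordering in the auth stack.
# PAM_ROOT is an assumed prefix: it defaults to a scratch directory so the
# script can be dry-run; on a Debian/Ubuntu host run it as root with
# PAM_ROOT=/ only after reading the generated files.
set -eu

PAM_ROOT="${PAM_ROOT:-$(mktemp -d)}"
mkdir -p "$PAM_ROOT/etc/security" "$PAM_ROOT/etc/pam.d"

# Counters read by pam_faillock (Linux-PAM 1.4.0+ reads this file, so the same
# limits apply to the auth and account stanzas without repeating them inline).
write_faillock_conf() {
    cat > "$PAM_ROOT/etc/security/faillock.conf" <<'EOF'
deny = 4
fail_interval = 900
unlock_time = 120
audit
EOF
}

# Auth stack: preauth before pam_unix (refuses an already-locked user and prints
# the lock message), authfail after it (counts the wrong password), authsucc
# after a correct one (clears the counter once the lock has expired).
write_pam_stack() {
    cat > "$PAM_ROOT/etc/pam.d/common-auth" <<'EOF'
auth    required                     pam_faillock.so preauth
auth    [success=1 default=ignore]   pam_unix.so nullok
auth    [default=die]                pam_faillock.so authfail
auth    sufficient                   pam_faillock.so authsucc
auth    requisite                    pam_deny.so
auth    required                     pam_permit.so
EOF
    cat > "$PAM_ROOT/etc/pam.d/common-account" <<'EOF'
account required    pam_faillock.so
account required    pam_unix.so
EOF
    # Password policy (needs libpam-pwquality): 12+ chars with at least one
    # digit, upper-case, lower-case and other character, enforced for root too.
    cat > "$PAM_ROOT/etc/pam.d/common-password" <<'EOF'
password requisite                   pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 enforce_for_root
password [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password requisite                   pam_deny.so
password required                    pam_permit.so
EOF
}

# A constructed wrong stack for the checker: authfail placed before pam_unix
# records a failure (and, with default=die, ends the stack) before the
# password has been checked, so every login attempt is refused.
write_misordered_stack() {
    cat > "$PAM_ROOT/etc/pam.d/common-auth.misordered" <<'EOF'
auth    required                     pam_faillock.so preauth
auth    [default=die]                pam_faillock.so authfail
auth    [success=1 default=ignore]   pam_unix.so nullok
auth    requisite                    pam_deny.so
EOF
}

# Line number of the first auth line loading MODULE (optionally with ROLE).
auth_line() {
    grep -n "^auth[[:space:]].*$2\.so.*$3" "$1" | cut -d: -f1 | head -n1
}

# Succeed only if pam_faillock preauth precedes pam_unix and authfail follows it.
check_faillock_order() {
    pre=$(auth_line "$1" pam_faillock preauth)
    unix=$(auth_line "$1" pam_unix "")
    fail=$(auth_line "$1" pam_faillock authfail)
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] || return 1
    [ "$pre" -lt "$unix" ] && [ "$fail" -gt "$unix" ]
}

# Read one "key = value" setting back from faillock.conf.
faillock_setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$PAM_ROOT/etc/security/faillock.conf"
}

# Read KEY=VALUE from the line of FILE that loads MODULE (e.g. minlen of pam_pwquality).
pam_option() {
    grep "$2" "$1" | sed -n "s/.*[[:space:]]$3=\([^[:space:]]*\).*/\1/p" | head -n1
}

write_faillock_conf
write_pam_stack
write_misordered_stack

if check_faillock_order "$PAM_ROOT/etc/pam.d/common-auth"; then
    echo "ok: pam_faillock ordering in $PAM_ROOT/etc/pam.d/common-auth"
fi
if ! check_faillock_order "$PAM_ROOT/etc/pam.d/common-auth.misordered"; then
    echo "rejected: common-auth.misordered counts failures before pam_unix runs"
fi
echo "deny=$(faillock_setting deny) unlock_time=$(faillock_setting unlock_time)s" \
     "minlen=$(pam_option "$PAM_ROOT/etc/pam.d/common-password" pam_pwquality minlen)"
# On the real host (after PAM_ROOT=/): "faillock --user NAME" lists the recorded
# failures, and "faillock --user NAME --reset" clears them without waiting out
# unlock_time.
```

With PAM_ROOT=/ the script overwrites the live common-* files, so keep a second root shell open while applying it and re-run the ordering check after any pam-auth-update, which regenerates those files. The report's 4-failures/2-minute behaviour corresponds to deny = 4 and unlock_time = 120 here; faillock --user NAME shows the counter the report could not reset, and the --reset form clears it on demand.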

Conclusion:
- PAM Authentication Overview:
  o What was done: Configured and verified PAM authentication to manage
    secure login policies, password management, and account restrictions.
  o Key files edited:
    - common-auth: Controls authentication methods (e.g., password or
      multi-factor authentication); this is also where the failed-attempt
      counter (pam_faillock on current Linux-PAM, pam_tally2 on older
      releases) is invoked.
    - common-password: Defines password policies (e.g., length, expiration,
      complexity).
    - common-account: Configures account restrictions (e.g., refusing login
      to an account the counter has locked after failed attempts).
- Steps Taken to Verify PAM Security:
  1. Initial Check via Login/Exit:
     - Mistake: The initial check didn't work as expected because simple
       login/exit attempts weren't sufficient to verify the PAM security
       settings.
     - What should be done: Use more specific tests, such as multiple
       failed login attempts, to ensure the configurations work.
  2. Created a New User:
     - What was done: Created a new user to validate that PAM security
       settings were properly applied.
     - Mistake: This step was necessary only because the initial login/exit
       check didn't confirm PAM was working.
     - What should be done: Always test configurations with a fresh user
       when the existing ones may already be affected or misconfigured
       (a lock left over from earlier attempts, for example).
  3. Editing PAM Files:
     - What was done: Edited common-auth, common-password, and
       common-account with vi to apply the desired configurations (e.g.,
       setting the number of failed login attempts).
  4. Verifying Configuration Changes:
     - What was done: Verified the changes by testing the lockout feature
       after multiple failed login attempts.
  5. Testing Lockout After Multiple Failed Attempts:
     - What was done: Attempted to log in with incorrect credentials four
       times to trigger the account lockout.
     - Expected Outcome: The account should lock after four failed
       attempts.
     - Actual Outcome: The lockout mechanism worked as expected; the
       account was locked and the lock message was shown.

Mistakes and Suggested Fixes:

- Issue with Lock Timeout:
  o Mistake: When testing, I found that the system didn't allow me to log
    in again immediately after a successful attempt, due to the 2-minute
    timeout after the account lock.
  o What should be done: Understand the configuration in common-auth,
    especially the lock duration. On current Linux-PAM the counter is
    pam_faillock, configured with deny= (failures before locking) and
    unlock_time= (seconds until the lock expires) either on the module
    lines or in /etc/security/faillock.conf; pam_tally and pam_tally2 offer
    the same knobs on older systems but were removed in Linux-PAM 1.5.0.
    A lock does not have to be waited out: faillock --user NAME shows the
    recorded failures and faillock --user NAME --reset clears them
    (pam_tally2 --user NAME --reset for the older module). A correct
    password entered while the lock is active is still rejected, so the
    counter only resets once the lock expires or is cleared by hand, which
    is the behaviour observed above.
  o Solution: Increase the timeout duration or configure the lockout time
    to meet your specific requirements, and use the reset command when a
    test account must be unlocked on demand.
- Testing Methodology:
  o Mistake: I relied solely on the login/logout method at first, which
    didn't properly validate the configurations.
  o What should be done: Always perform multiple types of tests, such as:
    - Logging in with incorrect passwords and confirming the lock engages
      on exactly the configured attempt, no earlier and no later.
    - Checking the lockout message after failed attempts, and checking the
      counter directly with faillock --user NAME rather than trusting the
      prompt alone.
    - Verifying password policy enforcement (e.g., minimum length,
      complexity) by running passwd as the test user with a password that
      breaks each rule in turn.
    - Testing over SSH as well as on the console, since sshd only goes
      through this stack when UsePAM yes is set in sshd_config.
- Editing Files with sudo:
  o Mistake: I didn't always use sudo when editing files that required
    elevated permissions (e.g., common-account).
  o What should be done: Every file under /etc/pam.d is owned by root, so
    all of them, not only common-account, must be edited with sudo; without
    it vi opens the file read-only and the edits cannot be written back.
    Keep a second root shell open while editing, because a broken
    common-auth can lock every user, including the administrator, out of
    the machine:
    - sudo vi /etc/pam.d/common-auth
    - sudo vi /etc/pam.d/common-password
    - sudo vi /etc/pam.d/common-account

Final Thoughts:
- Importance of Testing: Properly test all configurations after editing
  PAM files to ensure they are functioning as expected. Always try multiple
  test cases, including failed login attempts and account lockout
  scenarios, using a throwaway user over the same channel (SSH) the policy
  is meant to protect.
- Error Handling: Be aware of timeout values and lock duration. Adjust
  these values according to your security policies and test thoroughly to
  ensure accurate results.

By following the suggestions above and testing thoroughly, you will ensure
your PAM configuration is both functional and secure.