-
Notifications
You must be signed in to change notification settings - Fork 9
pam_namespace(sshd:session): open_session - start
pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
pam_namespace(sshd:session): Expanded polydir: '/tmp'
pam_namespace(sshd:session): Expanded ruser polydir: '/tmp'
pam_namespace(sshd:session): Expanded instance prefix: '/tmp/tmp-inst/'
pam_namespace(sshd:session): Expanded polydir: '/var/tmp'
pam_namespace(sshd:session): Expanded ruser polydir: '/var/tmp'
pam_namespace(sshd:session): Expanded instance prefix: '/var/tmp/tmp-inst/'
pam_namespace(sshd:session): Configured poly dirs:
pam_namespace(sshd:session): dir='/tmp' iprefix='/tmp/tmp-inst/' meth=3
pam_namespace(sshd:session): override user 0
pam_namespace(sshd:session): dir='/var/tmp' iprefix='/var/tmp/tmp-inst/' meth=3
pam_namespace(sshd:session): override user 0
pam_namespace(sshd:session): Set up namespace for pid 2676
pam_namespace(sshd:session): Checking for ns override in dir /tmp for uid 1000
pam_namespace(sshd:session): Need poly ns for user 1000 for dir /tmp
pam_namespace(sshd:session): The / mount point was marked as slave
pam_namespace(sshd:session): Checking for ns override in dir /tmp for uid 0
pam_namespace(sshd:session): Checking for ns override in dir /tmp for uid 1000
pam_namespace(sshd:session): Setting poly ns for user 1000 for dir /tmp
pam_namespace(sshd:session): Set namespace for directory /tmp
pam_namespace(sshd:session): poly_name pi
pam_namespace(sshd:session): instance_dir /tmp/tmp-inst/pi
pam_namespace(sshd:session): Protect mount of /tmp/tmp-inst over itself
pam_namespace(sshd:session): Checking for ns override in dir /var/tmp for uid 0
pam_namespace(sshd:session): Checking for ns override in dir /var/tmp for uid 1000
pam_namespace(sshd:session): Setting poly ns for user 1000 for dir /var/tmp
pam_namespace(sshd:session): Set namespace for directory /var/tmp
pam_namespace(sshd:session): poly_name pi
pam_namespace(sshd:session): instance_dir /var/tmp/tmp-inst/pi
pam_namespace(sshd:session): Protect mount of /var/tmp/tmp-inst over itself
pam_namespace(sshd:session): namespace setup ok for pid 2676
From 6.22. pam_namespace: "as the last line for session group"
-
pam_namespacebreaks SSH X11 forwarding, because/tmp/.X11-unix/X*does not exist for regular users. See Red Hat Bugzilla – Bug 598671. - It might also break some Kerberos stuff, as user's tickets aren't in
/tmpanymore from whererpc.gssd(which is running asroot) tries to look for them.
pwhistory is a bit problematic in Debian when e.g. ldap is also used. As the man page says: "In general, it does not make much sense to use this module in conjunction with NIS or LDAP, since the old passwords are stored on the local machine and are not available on another machine for password history checking.".
pam-auth-update will write the following:
password requisite pam_passwdqc.so
password required pam_pwhistory.so use_authtok debug
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
So that means pwhistory is in use with the LDAP module. It would be better to use the remember option with pam_unix, as then it would apply only to local accounts.
https://www.eyrie.org/~eagle/software/pam-krb5/
If pam_krb5 comes after pam_unix (and others) you will want to use use_first_pass (instead of try_first_pass) or the pam_krb5 will prompt for the password again.
- For
auditd - "This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd."
Sudo needs to be compiled with --with-pam-login that "allows for a separate pam configuration for sudo's initial login mode" as stated in INSTALL.md.
This file is supported (or used) only by util-linux's su and not shadow's su.
/* name of the pam configuration files. separate configs for su and su - */
#define PAM_SRVNAME_SU "su"
#define PAM_SRVNAME_SU_L "su-l"TODO: DEPRECATED
The auth part needs to be at the top of the primary block, as if pam_unix fails, it calls requisite pam_deny and the execution of the stack stops and the failed attempt doesn't get counted. The priority is set to 257, so it would be just above pam_unix and others.
The account part doesn't seem to be needed, but is added just in case. Adding it to the additional block should be sufficient. As it's function is to deny access in case of failed logins, it is executed if some other module doesn't block the access before. End result is the same -> no access.
ACCOUNT OPTIONS
Account phase resets attempts counter if the user is not magic root. This phase can be used optionally for services which don't call
pam_setcred(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules.
By default, lastlog is only enabled in login. SSH (apparently) updates the log file by itself. This is added, so that logins from display managers will also be in the list and also that SSH would report failed logins:
Last login: Thu Jan 11 00:14:21 EET 2018 from 1.2.3.4 on pts/2
Last failed login: Thu Jan 11 00:14:32 EET 2018 from 1.2.3.4 on ssh:notty
There was 1 failed login attempt since the last successful login.
If lastlog is added to common-session-noninteractive, PAM sessions from cron also get logged.
root cron Sat Jan 13 12:17:01 +0200 2018
daemon cron Sat Jan 13 11:43:01 +0200 2018
bin cron Sat Jan 13 11:43:01 +0200 2018
Not having lastlog in common-session-noninteractive stops sudo lastlogging also.
When pam_lastlog displays failed logins it reads the btmp file. Unfortunately it's up to the authenticating software to log failed logins to btmp and not all programs do this. Here is incomplete table about which programs log these and which don't:
| Program | Logs to btmp |
|---|---|
| sudo | No |
| OpenSSH | Yes |
| login | Yes |
| su (shadow) | No? |
| su (util-linux) | Yes (log_btmp()) |
This configuration prohibits authentication (& account) of system users. In auth it is set as requisite so that system users don't even get to pam_unix. It could be also as required, but it doesn't seem to provide any additional benefit. It would be nice to continue to pam_unix and see the situation where system user password authentication would succeed (shouldn't happen, and would be an anomaly), but pam_unix doesn't log that until session (pam_unix(sshd:session): session opened for user ...).
In addition to auth this also needs to exist in account if the system user is authenticating through sshd with SSH keys, krb5 etc., as in that case PAM auth is not processed by sshd.
libpam-google-authenticator-
/etc/pam.d/sucould be justpam_rootok&pam_deny? Enablelastlogging from display managerslibpam-cap
- https://www.debian.org/doc/manuals/debian-reference/ch04.en.html
- http://linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html
- https://wiki.ubuntu.com/PAMConfigFrameworkSpec
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Reference_Guide/s1-pam-sample-simple.html