mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
83 lines
5.3 KiB
Markdown
83 lines
5.3 KiB
Markdown
# PAM - Pluggable Authentication Modules
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
|
|
### Basic Information
|
|
|
|
**PAM (Pluggable Authentication Modules)** acts as a security mechanism that **verifies the identity of users attempting to access computer services**, controlling their access based on various criteria. It's akin to a digital gatekeeper, ensuring that only authorized users can engage with specific services while potentially limiting their usage to prevent system overloads.
|
|
|
|
#### Configuration Files
|
|
|
|
* **Solaris and UNIX-based systems** typically utilize a central configuration file located at `/etc/pam.conf`.
|
|
* **Linux systems** prefer a directory approach, storing service-specific configurations within `/etc/pam.d`. For instance, the configuration file for the login service is found at `/etc/pam.d/login`.
|
|
|
|
An example of a PAM configuration for the login service might look like this:
|
|
|
|
```
|
|
auth required /lib/security/pam_securetty.so
|
|
auth required /lib/security/pam_nologin.so
|
|
auth sufficient /lib/security/pam_ldap.so
|
|
auth required /lib/security/pam_unix_auth.so try_first_pass
|
|
account sufficient /lib/security/pam_ldap.so
|
|
account required /lib/security/pam_unix_acct.so
|
|
password required /lib/security/pam_cracklib.so
|
|
password required /lib/security/pam_ldap.so
|
|
password required /lib/security/pam_pwdb.so use_first_pass
|
|
session required /lib/security/pam_unix_session.so
|
|
```
|
|
|
|
#### **PAM Management Realms**
|
|
|
|
These realms, or management groups, include **auth**, **account**, **password**, and **session**, each responsible for different aspects of the authentication and session management process:
|
|
|
|
* **Auth**: Validates user identity, often by prompting for a password.
|
|
* **Account**: Handles account verification, checking for conditions like group membership or time-of-day restrictions.
|
|
* **Password**: Manages password updates, including complexity checks or dictionary attacks prevention.
|
|
* **Session**: Manages actions during the start or end of a service session, such as mounting directories or setting resource limits.
|
|
|
|
#### **PAM Module Controls**
|
|
|
|
Controls dictate the module's response to success or failure, influencing the overall authentication process. These include:
|
|
|
|
* **Required**: Failure of a required module results in eventual failure, but only after all subsequent modules are checked.
|
|
* **Requisite**: Immediate termination of the process upon failure.
|
|
* **Sufficient**: Success bypasses the rest of the same realm's checks unless a subsequent module fails.
|
|
* **Optional**: Only causes failure if it's the sole module in the stack.
|
|
|
|
#### Example Scenario
|
|
|
|
In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods.
|
|
|
|
### References
|
|
|
|
* [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)
|
|
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|