Difficulties tweaking PAM

Support for security such as Firewalls and securing linux
Post Reply
sawozny
Posts: 22
Joined: 2019/07/13 22:19:14

Difficulties tweaking PAM

Post by sawozny » 2019/08/11 23:22:18

So it turns out PAM was WAY harder than I thought it would be once I started to dig into it. I’m trying to make some policy changes on a CentOS 7.6 min install server and I have a few questions I can’t seem to find answers for in the documentation or in the googlesphere.

1) I get that I can’t modify /etc/pam.d/system-auth and /etc/pam.d/password-auth directly or they will be overwritten by authconfig the next time it’s run, but I can’t find a similar warning for /etc/security/pwquality.conf. Does that mean I’m OK to directly modify that file without fear of it being over-written? I can’t find anything to the contrary, but I don’t want to risk implementing a password policy and thinking it’s working when it’s not. If I can’t modify it directly, what is the proper way to modify those parameters? The options I want are also in authconfig. Should I use authconfig instead?

2) Speaking of authconfig, I see in /etc/sysconfig/authconfig that there’s a FAILLOCKARGS=”deny=4 unlock_time=1200” parameter I would like to modify but I can’t see any reference to pam_faillock.so in any of the pam.d files, so I was wondering how that was being enforced. Now I’m questioning whether or not it is as I logged out and entered my username with a bad password 4 times in a row and then was able to log in the 5th time with the system telling me there had just been 4 bad logins. Does anyone have any insight into how that parameter and the system interact? If some of the parameters in /etc/sysconfig/authconfig are just not effective, is there a list of which are and which aren’t? None of the lines appear to be commented, so I don’t think it’s that. My fundamental desire here is to set a failed login policy, myself. I was wondering if it was just a sudo authconfig --faillockargs=”deny=x unlock_time=y” --update or can I modify /etc/sysconfig/authconfig directly since there’s no warning in that file not to do so and then reboot. However, I don’t want to mess with this until I have a better idea what’s going on because I worry I’ve found a bug and if I start messing with this, I’ll have to reinstall to demonstrate it as I’m presently working directly on hardware.

3) How can I enable password reuse restrictions? If I can’t add the remember argument to either pam_unix.so or pam_pwhistory.so module calls directly in system-auth or password-auth and there’s no option for it in authconfig, what does that leave me with?

If I can’t use the available tools to do what I need, I’m tempted to make the needed modifications in the files directly and hobble authconfig to keep it from overwriting my changes on reboot / package update / application installer call or whatever, but that seems like a SUPER inelegant solution. Has anyone run into this and / or figured out a solution that worked for them and was sustainable?

Thanks,

Scott

hunter86_bg
Posts: 1914
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Difficulties tweaking PAM

Post by hunter86_bg » 2019/08/15 19:17:11

sawozny wrote:
2019/08/11 23:22:18
So it turns out PAM was WAY harder than I thought it would be once I started to dig into it. I’m trying to make some policy changes on a CentOS 7.6 min install server and I have a few questions I can’t seem to find answers for in the documentation or in the googlesphere.

1) I get that I can’t modify /etc/pam.d/system-auth and /etc/pam.d/password-auth directly or they will be overwritten by authconfig the next time it’s run, but I can’t find a similar warning for /etc/security/pwquality.conf. Does that mean I’m OK to directly modify that file without fear of it being over-written? I can’t find anything to the contrary, but I don’t want to risk implementing a password policy and thinking it’s working when it’s not. If I can’t modify it directly, what is the proper way to modify those parameters? The options I want are also in authconfig. Should I use authconfig instead?
authconfig changes files ending '-ac'. If you want to prevent authconfig of changing your stuff - copy the file (that ends on -ac) and then remove the symbolic link and create a new one to your file.
So for example you can :

Code: Select all

cp -a  /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-custom
unlink /etc/pam.d/system-auth
ln -s /etc/pam.d/system-auth-custom /etc/pam.d/system-auth
Edit:
For point 2 you can make your 'system-auth-custom' and 'password-auth-custom ' (don't forget the link) as follows:

Code: Select all

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

..snip..
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

..snip..

Source: Red Hat Solution# 62949

I would recommend you taking a look at Linux-PAM System Administrator's Guide

sawozny
Posts: 22
Joined: 2019/07/13 22:19:14

Re: Difficulties tweaking PAM

Post by sawozny » 2019/08/17 21:52:24

Thanks very much for the reply hunter86_bg. You brought up some interesting points.

BTW, if anyone in the future reads this and wants to disconnect authconfig in this way, the commands in the above post work, but they MUST be done AS root. I tried it by sudo’ing and as soon as I unlinked system-auth that broke sudo as well as the ability for me to log in as root to fix the situation. The answer was to boot from a rescue CD, mount the filesystem I had just screwed up and create the link in the last step that way. Had I thought about it before I did the unlink it would have been obvious but I didn’t. I just mention it to help prevent future travelers from making my mistake. :)

Either way, it’s a great method to disconnect authconfig and works just as I’d expect. One thing I’d note is that once this change is made, any changes made to the custom file won’t be effective until you systemctl restart polkit (which authconfig does for you when you use it to update policy).

I wanted to see if I could make authconfig do what I wanted, so I reconnected it. To my earlier post, for item #2, it turns out that the FAILLOCKARGS in /etc/sysconfig/authconfig are just fine as they are, but to make them EFFECTIVE you need to authconfig --enablefaillock --updateall.

I thought that was great and so I also did an authconfig --passminclass=3 --updateall but while the command returned with no errors, there was also no change to system-auth, password-auth or the results of authconfig --test. Does anyone know if that parameter in authconfig works and there’s a second step needed (like the authconfig --enablefaillock --updateall above) to make it effective?

I tried disabling pwquality in authconfig hoping that would make the authconfig password quality parameters work instead, but I couldn’t find (or guess) a switch to do that. I even tried to change USEPWQUALITY=yes in /etc/sysconfig/authconfig to no but any time authconfig was updated, that parameter is switched back in the file and authconfig--test shows pwquality is enabled so I think the only way around that would be to detach authconfig from system-auth and password-auth as detailed above and make whatever changes I want, but that operates counter to my desire to use authconfig.

I suppose I’d just like to understand how the authconfig tool works, better. If it’s supposed to be the future of how one configures authentication (rather than manually manipulating PAM files) I think it either still needs to work as expected or have better documentation. I’m open to either possibility, but if anyone knows of a good authconfig resource I’d love to hear it.

I tried configuring password complexity using authconfig per https://access.redhat.com/documentation ... ig-pwd-cmd but even those commands show no evidence having done anything in journalctl -e, authconfig --test, or any of the files in /etc/pam.d.

If all else fails, I still have /etc/security/pwquality.conf and changes there DO appear to work (which isn’t entirely unexpected since pam_pwquality.so is the first entry in the password stack in both system-auth and password-auth) so unless there’s something really obvious I’m doing wrong with authconfig I guess it will remain a mystery. I would just prefer to use it correctly if it's the tool of the future, rather than finding workarounds, but maybe it's just not ready for prime time.

Thanks,

Scott

hunter86_bg
Posts: 1914
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Difficulties tweaking PAM

Post by hunter86_bg » 2019/08/21 19:13:58

Authconfig will be deprecated as per : this one.

Post Reply

Return to “CentOS 7 - Security Support”