Setting Up PAM Authentication With mon mini-HOWTO
Andrew Ryan, andrewr@nam-shub.com
$Id: mon-PAM-mini-HOWTO.txt,v 1.3 2000/09/06 20:03:29 andrewr Exp $

This document describes how to use PAM authentication with the network
monitoring software mon, gives some specific configuration
examples, and points out some gotchas with PAM authentication in mon. 
------------------------------------------------------------

Contents
	1.0  Introduction
	2.0  Caveats and Risks
	3.0  Setting Up PAM Support For mon in Your OS
	     3.1  Setting Up PAM Support For Solaris Using Solaris PAM
	     3.2  Setting Up PAM Support Using Linux-PAM (for Linux,
	     	  FreeBSD, Solaris, SunOS and HP-UX 9.0 too!)
	     3.3  Notes on Shadow Password Support with mon and PAM
	4.0  Setting up PAM Authentication in mon
	5.0  Examples
	     5.1  Setting Up LDAP+SSL PAM Authentication in mon
	     5.2  Stacking PAM Modules
	     5.3  Other Cool-Looking PAM Services (which haven't been
	     tested with mon)


------------------------------------------------------------
1.0  Introduction

PAM (Pluggable Authentication Module) is an architecture for providing
one or more of the following four services: authentication, account
management, session management, and password management. PAM allows
applications to share these functions, and for these functions to be
maintained separately from the applications themselves. Thus, not
every application developer has to write routines to perform
authentication within their applications.

You can use PAM as an authentication mechanism for mon, and in the
process gain support for cool login methods like shadow passwords,
LDAP, and NT domains into your mon server. In addition, PAM modules
can be "stacked," which allows you to require authentication against
more than one PAM module.



------------------------------------------------------------
2.0  Caveats and Risks

It is important to understand what you are getting yourself into when
you use PAM with mon. Using PAM with mon should increase your
security, not decrease it.

Perhaps the biggest risk involved is that your passwords are going to
stay around in the memory of the mon program. When a C program is done
using a password, it can release the memory and the password is more
or less gone.

Unfortunately, in perl, we can't do our own memory management
(fortunately, we don't have to!). Even an 'undef' does not guarantee
that memory is going to be released or that values will be
forgotten. If you're really really paranoid about certain passwords,
don't use PAM authentication for mon, at least for these passwords.

There is also some risk inherent in some of the third party free
PAM modules that are out there. Some of them might not work with mon,
or they might not work well at your site. This is something of a fact
of life with free software, but at least it doesn't cost you anything
to try. Of course that's an issue with non-free software as well :)



------------------------------------------------------------
3.0 Setting Up PAM Support For mon in Your OS

Before you set up mon to use PAM for authentication, you first need to
set up PAM for mon in your operating system. We discuss the two major
PAM implementations here, Solaris PAM and Linux-PAM. Linux-PAM has been
ported to FreeBSD, Solaris, SunOS and HP-UX 9.0, so it's not just for
Linux, and the instructions are the same on each of them. If you aren't
running Linux and you use Linux-PAM, however, expect to be on your own
as far as support goes, both with Linux-PAM and your vendor.



------------------------------------------------------------
3.1  Setting Up PAM Support For Solaris Using Solaris PAM

PAM on Solaris is configured in the file /etc/pam.conf. You should
reference the man page for pam.conf(4) for syntax details. What I
suggest is adding a new PAM service for mon, with the following 4
lines (you may choose to use a different PAM module):

# Solaris PAM configuration for mon and www.padl.com's pam_ldap
mon   auth      required        /usr/lib/security/pam_ldap.so.1 
mon   account   required        /usr/lib/security/pam_ldap.so.1 
mon   session   required        /usr/lib/security/pam_ldap.so.1 
mon   password  required        /usr/lib/security/pam_ldap.so.1 

Or, use shadow passwords with this configuration (see the section
on notes for shadow passwords later in this document):

# Solaris PAM configuration for shadow passwords
mon   auth      required        /usr/lib/security/pam_unix.so.1
mon   account   required        /usr/lib/security/pam_unix.so.1
mon   session   required        /usr/lib/security/pam_unix.so.1
mon   password  required        /usr/lib/security/pam_unix.so.1

Be really careful about the syntax in the pam.conf file, and I highly
recommend that you keep a root shell open while you're editing this
file, especially when you first begin experimenting with PAM.  If you
mangle the pam.conf file, NO PAM AUTHENTICATION WILL WORK AND YOU WILL
BE UNABLE TO LOG IN TO THE SYSTEM. 

Don't worry about defining PAM services (like account) that you won't
use. It doesn't hurt, and it makes a good placeholder.



------------------------------------------------------------
3.2  Setting Up PAM Support Using Linux PAM (for Linux,
     FreeBSD, Solaris, SunOS and HP-UX 9.0 too!)

Linux PAM has a different syntax but it's just as easy to set up. You
can reference the pam(8) man page or the Linux PAM page at
    http://www.kernel.org/pub/linux/libs/pam/
for more information.

Instead of one configuration file for all of PAM, like Solaris uses,
Linux uses a directory, /etc/pam.d/, which contains one file
per PAM service. The contents of each file look very much like the
Solaris pam.conf file, except that there's no service name. To
duplicate what we did above, and set up a "mon" PAM service which uses
pam_ldap for authentication, we would create a file called
/etc/pam.d/mon with the following lines (note that Linux-PAM modules
are installed as plain .so files, without the .1 suffix Solaris uses):

#%PAM-1.0
auth      required        /lib/security/pam_ldap.so
account   required        /lib/security/pam_ldap.so
session   required        /lib/security/pam_ldap.so
password  required        /lib/security/pam_ldap.so

Or for shadow passwords:

#%PAM-1.0
# 'nullok' lets accounts with an empty password authenticate; leave it
# out unless you really need that.
auth      required        /lib/security/pam_pwdb.so shadow nullok
account   required        /lib/security/pam_pwdb.so
session   required        /lib/security/pam_pwdb.so
password  required        /lib/security/pam_pwdb.so

Again, don't worry about defining PAM services (like account) that you
won't use. It doesn't hurt, and it makes a good placeholder.
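Because a mangled pam.conf locks everyone out (see 3.1), it is worth
checking a draft before you save it. The following is an added example,
not part of this HOWTO or of mon: a small Python lint that parses both
the Solaris pam.conf syntax and the Linux /etc/pam.d syntax shown above,
rejects unknown module types and control flags (it knows only the four
classic keywords, not Linux-PAM's bracketed forms), and reports which of
the four module types the "mon" service leaves undefined. The sample
configurations embedded in it are constructed from the examples above.

```python
MGMT_GROUPS = ("auth", "account", "session", "password")
CONTROLS = ("required", "requisite", "sufficient", "optional")  # classic keywords only

def parse_pam(text, service=None):
    """Parse Solaris /etc/pam.conf lines (service is the first field; service=None)
    or Linux /etc/pam.d/<name> lines (no service field; pass service=<name>)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#%PAM-1.0' is only a comment
        if not line:
            continue
        fields = [service] + line.split() if service else line.split()
        try:
            svc, group, control, module, *args = fields
        except ValueError:
            raise ValueError("line %d: too few fields" % lineno) from None
        if group not in MGMT_GROUPS:
            raise ValueError("line %d: unknown module type %r" % (lineno, group))
        if control not in CONTROLS:
            raise ValueError("line %d: unknown control flag %r" % (lineno, control))
        entries.append(dict(service=svc, group=group, control=control,
                            module=module, args=args))
    return entries

def lint(text, service=None, want="mon"):
    """Problems with a draft; an empty list means it looks sane to save."""
    try:
        entries = parse_pam(text, service)
    except ValueError as err:
        return [str(err)]
    defined = {e["group"] for e in entries if e["service"] == want}
    return ["%r has no %s line" % (want, g) for g in MGMT_GROUPS if g not in defined]

# Constructed samples modelled on the HOWTO's examples, not real site files.
SOLARIS_PAM_CONF = """\
login auth      required  /usr/lib/security/pam_unix.so.1
mon   auth      required  /usr/lib/security/pam_ldap.so.1
mon   account   required  /usr/lib/security/pam_ldap.so.1
mon   session   required  /usr/lib/security/pam_ldap.so.1
mon   password  required  /usr/lib/security/pam_ldap.so.1
"""
LINUX_PAM_D_MON = """\
#%PAM-1.0
auth      required  /lib/security/pam_pwdb.so shadow nullok
account   required  /lib/security/pam_pwdb.so
"""
```

Run lint() on the text of your draft and save the file only when it
returns an empty list; the Linux sample deliberately omits two module
types so you can see what a report looks like.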



------------------------------------------------------------
3.3  Notes on Shadow Password Support with mon and PAM

Shadow password authentication is far and away the most commonly used
and best-supported PAM service (Sun supports Solaris', and RedHat
supports the Linux version). You can use it with mon, although there
is an important fact to note. 

By default, in order to read the shadow password file, you must be
root, because /etc/shadow is 0400 and owned by root. That means that
either the mon server must run as root, or that your password file
must have less restrictive permissions. You could make it 0444, but
that's like having no shadow password support at all.

An intermediate approach is to create a new group, say "mon", and then
'chgrp mon /etc/shadow ; chmod 0440 /etc/shadow'. Now put the user that
mon runs as, preferably a dedicated user who does nothing else, into
the "mon" group. The shadow password file will then be readable only by
root and the mon user, which hopefully is a locked account used only to
run mon and nothing else.



------------------------------------------------------------
4.0  Setting up PAM Authentication in mon

Configuring PAM support in the OS is the hard part; the mon portion
is quite easy. You need to add or change 2 lines in your mon.cf file,
for example:

# Use userfile authentication, followed by PAM authentication
authtype = userfile pam
# Use the "mon" PAM service
pamservice = mon

Note that in the above example, we're still using userfile
authentication as the first check. If mon authenticates a user via
userfile authentication, PAM is not consulted. But if userfile
authentication fails, PAM is checked and the user is either
authenticated or rejected. I like to keep userfile authentication for
my default mon.cgi user, since it has a password and username that may
be sent in the clear and I don't really want to have users in my
password database with clear/known passwords.




------------------------------------------------------------
5.0  Examples

We will discuss some examples of other PAM services which mon users
might find interesting. Please contribute your own examples and
success stories to this section!


------------------------------------------------------------
5.1  Setting Up LDAP+SSL PAM Authentication in mon

The original reason I wanted PAM support in mon was to use LDAP
authentication for our organization. It is a really cool application
of LDAP and PAM which will allow you to implement secure, distributed
authentication for mon in conjunction with the mon.cgi GUI. It will
also spare you from having to maintain a separate mon password file.

Because there are a lot of different ways in which LDAP can be set up,
I won't cover all possibilities here. We got this working using
essentially the following method, connecting to a Netscape 4.1
Directory Server. OpenLDAP may also work but I've never tried it.

The basic outline:
  1. Download and install the Netscape LDAP SDK from
     http://www.iplanet.com/
  2. Download the latest pam_ldap from http://www.padl.com/
  3. Presumably you have an LDAP server, either Netscape or OpenLDAP,
     which is working and has the correct entries in it to allow
     authentication. I'm not sure if OpenLDAP works with SSL
     (it definitely works without SSL); you should check the
     latest release notes for pam_ldap.
  4. Compile and install pam_ldap.so into /lib/security. Make
     sure to configure and build with SSL support.
  5. Set your /etc/ldap.conf file to point to your LDAP server, and
     change the base name to match your organization.
  6. Put a copy of cert7.db (which ships with Netscape Communicator)
     in the path that you specified in the ldap.conf file under
     sslpath.
  7. Change the authtype config parameter to include "pam" in your
     mon.cf, and also change the pamservice variable to be the PAM
     service that you just set up (in the above example, we used "mon").
  8. Reset mon.
  9. Test mon authentication with a user that you know doesn't exist
     in a local password file (assuming you're using one of the files
     authentication types in conjunction with PAM).

A minimal ldap.conf file could look like this (with the names changed,
this is what we use):

host 1.2.3.4
base o=your_org.name
ldap_version 3
port 636
ssl yes
sslpath /etc/cert7.db



------------------------------------------------------------
5.2  Stacking PAM Modules

As mentioned previously, PAM modules can be stacked to require one or
more forms of authentication. Using different keywords, authentication
can be controlled to a very fine degree. Here are Solaris and Linux
examples of stacking modules to require that the mon password a user
submits is found both on an LDAP server and on the local machine's
shadow password file:

# Solaris /etc/pam.conf example of stacking modules to require
# both LDAP authentication and shadow password authentication for
# the 'mon' service
mon auth required   /usr/lib/security/pam_ldap.so.1
mon auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

# Linux /etc/pam.d/mon example of stacking modules to require
# both LDAP authentication and shadow password authentication for
# the 'mon' service (Linux-PAM modules have no .1 suffix)
auth      required        /lib/security/pam_ldap.so
auth      required        /lib/security/pam_pwdb.so shadow nullok try_first_pass


This example just scratches the surface of what you can do by stacking
PAM authentication modules. Please reference your PAM documentation
for more examples and syntax.
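To see what the control keywords actually do to the outcome of a stack
like the one above, here is an added example (not code from this HOWTO,
from mon, or from Linux-PAM): a Python model of how Linux-PAM combines
module results under the four classic flags. It goes beyond the page's
'required'-only stack and also shows 'requisite' and 'sufficient'; the
module names and outcomes are constructed inputs, not real PAM calls.

```python
def run_auth_stack(stack, outcomes):
    """Model of how Linux-PAM's classic control flags combine results.

    stack:    list of (control, module) in file order for one service+type.
    outcomes: dict module -> True (success) / False (failure), i.e. what
              each module would return for the submitted password.
    Returns (authenticated, modules_actually_called)."""
    called, required_failed = [], False
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if control == "required":
            # A failure is remembered but the rest of the stack still runs,
            # so the client cannot tell which module rejected it.
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, called              # stop immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called               # short-circuit success
        elif control == "optional":
            if len(stack) == 1:
                return ok, called                 # only counts when alone
        else:
            raise ValueError("unknown control flag %r" % control)
    return not required_failed, called

# The HOWTO's stack from 5.2: both modules are 'required', so both must
# accept the password and both are always consulted.
HOWTO_STACK = [("required", "pam_ldap"), ("required", "pam_unix")]

# A constructed alternative (not from the HOWTO): accept either the LDAP
# password or the local one. Order matters: a 'sufficient' success that
# comes after a 'required' failure does not rescue the login.
EITHER_STACK = [("sufficient", "pam_ldap"), ("required", "pam_unix")]
```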



------------------------------------------------------------
5.3  Other Cool-Looking PAM Services (which haven't been tested with
     mon)

See this page for more PAM modules:
    http://www.kernel.org/pub/linux/libs/pam/modules.html

Some cool modules that stand out:
* pam_ntdom - Authenticate against an NT PDC. From the Samba project.
* pam_securid (static passwords only) - Using static passwords, you can
  authenticate against an ACE server (2-factor would work as well but
  would be of very limited usefulness; better to implement 2-factor
  authentication at the web server layer, e.g. mod_securid for Apache).
* Netware - Authenticate against a Netware server
* kerberos, S/Key, Radius, TACACS+ - Self-explanatory.