
Some questions about PAM



Hi,

I'm discovering PAM :)
I'm currently reading lots of different resources about it but I have some questions to ask please:

1) How do we know which options can be set up in a /etc/security conf file and which ones can be specified as a module argument in the /etc/pam.d files?
For example, regarding pam_pwquality.so:
* ocredit can be specified in /etc/security/pwquality.conf or as a module argument
* authtok_type needs to be specified (if need be) as a module argument only
Of course, there is still the empirical solution but it would be easier if it was indicated somewhere (I didn't find where though).

2) Given a service, is the whole related pam.d file read (full stack) or just the appropriate stack (account, auth, password, session) or a mix of them?
Sub-question: I know the order of the instructions can be important (especially with "requisite" or "sufficient" controls) but is the order important between different stacks for the same service (for example "account" before "auth" before "password" before "session")?

3) I've installed pamtester but I'm really lost regarding how it works.
Resources are scarce; I've only found http://pamtester.sourceforge.net/ or man pamtester.

a) Would you have a good pointer for me please (ideally a kind of tutorial explaining in details the "operations" and "items" parts)?

b) I've created a /etc/pam.d/my_common_password (copy of /etc/pam.d/common-password).
Then I've invoked: pamtester -v my_common_password some_existing_account chauthtok
To no avail ("Authentication token manipulation error" after typing the correct some_existing_account current password)...
Since /etc/pam.d/common-password is correct (default file), I suppose my pamtester command is wrong, isn't it?
c) Even more basically, let's create another /etc/pam.d/my_common_password file with 1 instruction only:
password required pam_pwquality.so retry=3
Everything works when running:
pamtester -v my_common_password some_existing_account chauthtok
pamtester: invoking pam_start(my_common_password, some_existing_account, ...)
pamtester: performing operation - chauthtok
New password:
Retype new password:
pamtester: authentication token altered successfully.

However, if I append the following instruction:
password required pam_deny.so
Then the same pamtester command returns an error now:
pamtester: invoking pam_start(my_common_password, some_existing_account, ...)
pamtester: performing operation - chauthtok
pamtester: Authentication token manipulation error

Of course, there should be an error indeed, but why am I not asked for a password beforehand nonetheless?
It looks as if pam_deny was executed first...

Thank you in advance :)
Best regards,
l0f4r0
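The behaviour asked about in 3c follows from how Linux-PAM walks a password stack: pam_chauthtok() runs the whole stack once with PAM_PRELIM_CHECK and only then a second time with PAM_UPDATE_AUTHTOK, and pam_pwquality only prompts for the new password in the update pass, so a module that fails in the preliminary pass stops the prompt from ever appearing. The toy model below is an added example, not pamtester or Linux-PAM code; the module functions (pwquality, deny, unix_ok) are constructed stand-ins that mimic the real modules' pass/fail and prompting behaviour.

```python
"""Toy model of a Linux-PAM password stack with two-pass chauthtok.

Constructed example: models required/requisite/sufficient control flags
and the PAM_PRELIM_CHECK -> PAM_UPDATE_AUTHTOK ordering, nothing more.
"""
PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"


def run_pass(stack, phase, log):
    """One walk over the stack for one phase; True means PAM_SUCCESS."""
    failed = False
    for control, module in stack:
        ok = module(phase, log)
        if control == "requisite" and not ok:
            return False          # abort the pass right here
        if control == "required" and not ok:
            failed = True         # remember the failure, keep walking
        if control == "sufficient" and ok and not failed:
            return True           # an earlier required failure still wins
    return not failed


def chauthtok(stack):
    """pam_chauthtok(): the update pass runs only if the prelim pass passed."""
    log = []
    for phase in (PRELIM, UPDATE):
        if not run_pass(stack, phase, log):
            return False, log
    return True, log


# Stand-in modules: (phase, log) -> bool, like pam_sm_chauthtok's result.
def pwquality(phase, log):
    if phase == UPDATE:           # real pam_pwquality prompts only here
        log.append("New password:")
    return True


def deny(phase, log):
    return False                  # pam_deny fails in both passes


def unix_ok(phase, log):
    if phase == UPDATE:
        log.append("pam_unix: password updated")
    return True


if __name__ == "__main__":
    # The poster's one-line stack, then the same stack with pam_deny appended.
    print(chauthtok([("required", pwquality)]))
    print(chauthtok([("required", pwquality), ("required", deny)]))
```

The second stack fails during PAM_PRELIM_CHECK, so the update pass that would have produced the "New password:" prompt never runs, which matches the pamtester output in the question.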