
Re: Some questions about PAM



Hi,

I've investigated a little bit, so I'm answering myself & anyone interested + I ask other questions ;)

On 24 May 2020 at 01:25, l0f4r0@tuta.io wrote:

> 1) How do we know which options can be set up in a /etc/security conf file and which one can be specified as a module argument in the /etc/pam.d files?
> For example, regarding pam_pwquality.so:
> * ocredit can be specified in /etc/security/pwquality.conf or as a module argument
> * authtok_type needs to be specified (if need be) as a module argument only
> Of course, there is still the empirical solution but it would be easier if it was indicated somewhere (I didn't find where though).
>
I still don't know for this one except assuming that the options mentioned in the man pages but missing in the default conf files (even in comments) should be used as module arguments instead...

> 2) Given a service, is the whole related pam.d file read (full stack) or just the appropriate stack (account, auth, password, session) or a mix of them?
> Sub-question: I know the order of the instructions can be important (especially with "requisite" or "sufficient" controls) but is the order important between different stacks for the same service (for example "account" before "auth" before "password" before "session")?
>
I think it all depends on the binary requesting linux-pam.
It may implement one or more functions like pam_authenticate, pam_acct_mgmt, pam_setcred, pam_open_session, pam_close_session and so trigger different module types accordingly (auth, account, session and password).

> 3) I've installed pamtester but I'm really lost regarding how it works.
> Resources are scarce, I've only found http://pamtester.sourceforge.net/ or man pamtester.
>
> a) Would you have a good pointer for me please (ideally a kind of tutorial explaining in details the "operations" and "items" parts)?
>
I still haven't found a good resource regarding pamtester.
What is interesting though is that one can specify the module types to trigger within a pam config file with parameters authenticate, acct_mgmt, open_session, close_session and chauthtok.

> b) I've created a /etc/pam.d/my_common_password (copy of /etc/pam.d/common-password).
> Then I've invoked: pamtester -v my_common_password some_existing_account chauthtok
> With no avail ("Authentication token manipulation error" after typing the correct some_existing_account current password)...
> Since /etc/pam.d/common-password is correct (default file), I suppose my pamtester command is wrong, isn't it?
>
A priori, my command is OK.

The issue is rather related to unix_chkpwd (called by pam_unix.so because /etc/shadow is not readable by a simple user), that's why the user's current password is asked.

As a security measure, the PAM modules run as the same user as the calling program, so they cannot do anything you could not do yourself, and in particular cannot access /etc/shadow.

So I've used the following command instead:
sudo -iu some_existing_account pamtester -v my_common_password some_existing_account chauthtok
It works a little bit better but it still fails at final step when changing the password... Too bad, I don't know why.

What really confuses me is that I don't understand why a password change works with the command "passwd" after logging in as some_existing_user but doesn't work with "pamtester -v passwd some_existing_account chauthtok" after logging in as some_existing_user as well...

> c) Even more basically, let's create another /etc/pam.d/my_common_password file with  1 instruction only:
> password required pam_pwquality retry=3
> Everything works when running:
> pamtester -v my_common_password some_existing_account chauthtok
> pamtester: invoking pam_start(my_common_password, some_existing_account, ...)
> pamtester: performing operation - chauthtok
> New password:
> Retype new password:
> pamtester: authentication token altered successfully.
>
> However, if I append the following instruction:
> password required pam_deny.so
> Then the same pamtester command returns an error now:
> pamtester: invoking pam_start(my_common_password, some_existing_account, ...)
> pamtester: performing operation - chauthtok
> pamtester: Authentication token manipulation error
>
> Of course, there should be an error indeed but why am I not asked for a password beforehand nonetheless?
> It looks as if pam_deny was executed first...
>
Hypothesis: the config file is read once before execution and a PAM error is triggered immediately if it is technically impossible for a PAM success to be obtained (no need to waste time). If true, it would be bad for debugging.
What do you think please?

Finally, for some of you interested in PAM, here are the best resources I've read so far:
* http://linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html
* https://www.pearsonhighered.com/assets/samplechapter/0/1/3/0/0130158070.pdf
* https://wpollock.com/AUnix2/PAM-Help.htm
HTH

Best regards,
l0f4r0

