So we have just talked about ACLs and attributes. A totally different local security feature here is PAM, Pluggable Authentication Modules.

So PAM helps separate the specific authentication approach from the binary that needs it. And PAM also provides modules that may be used by different binaries. And it can be used to enhance security in different environments. pam_tally2, for instance, can be used to put restrictions on errors that may happen during the login procedure. PAM is a very rich environment. Let's explore it.

So to start with, I want to give you ldd on which login, which is showing all the different libraries that are used by the login binary, including libpam and libpam_misc. That's good, that means that login is a binary that is PAM compatible, using the PAM libraries. And that means that you can use the PAM framework to configure it.

Now in PAM we have /etc/pam.d, and in /etc/pam.d we see the different PAM configuration files. Typically the name of the configuration file corresponds to the name of the service or program that is using it.
So if you have a look at login, now what do we see? We see the PAM configuration. In this PAM configuration we have three columns. The first column is about the phase of the authentication procedure, and that consists of four phases: auth, account, password and session. Where auth is the first phase in the authentication. Account is checking account configuration to see if any files like pam_nologin apply, for instance. Password is password related. And session is to further specify what is going to happen in a specific session.

Now you can have required, which is a very common one, which means that you need to meet the conditions in this PAM, or include, which is including another configuration file. A very common include is system-auth, for instance, which is a generic PAM configuration that is used by multiple services.

In the last column, you can find the name of the different PAM libraries. And these libraries are what PAM is all about, because PAM is using these libraries, and that means that you can easily add a different method to your authentication procedure.

So let's check out these libraries.
pam_selinux.so, for instance. They are in /lib64/security. And there we can see all the PAMs that are available. Now I want to work out an example that helps us understand how PAM is working, and that is pam_securetty.so. What is that? Well, you may have heard of the file /etc/securetty, which is an old file, and this old file is used to define TTYs on which it is considered secure for the root user to log in.

Now at this point, if I'm using /etc/securetty, now we can see the file does not exist. And if I'm putting only tty4 in there as a secure TTY, then it's not working, and I can show you: if I use chvt 3 to open a TTY, a virtual terminal on tty3, then this is what I get, and I try to log in as the root user, and it works. Now let me use chvt 2 to get back to the graphical interface, because I want this /etc/securetty to be effective, and I wanna make sure that root can only log in on tty4. Not that it makes sense for you to only be able to log in on tty4, but hey, it's just an example. I want to show you how PAM is working.

Now how are we going to do that? Well, let's try man on pam_securetty.
These PAMs have a man page, and what I'm looking for is right here: PAM should be used as a required authentication method before any sufficient authentication methods. Well, that means that it belongs to the auth module, and I need to make sure that this pam_securetty is included in the auth module of the login procedure. So I am going to edit the /etc/pam.d/login file, and in there I'm going to use auth required pam_securetty.so. And now I'm going to try it again. So I am using chvt 3, where the root user is still logged in. No problem, let's log him out. So this is proof that PAM is working for tty4 and blocking access on tty3. Now let me get back to tty2, there we go.

And now I do have one little issue, and that's these users that are logged in on tty3 and tty4. Not really related to the topic, but there's loginctl. loginctl is a part of systemd, and it allows you to manage sessions. So in loginctl, I can use list-sessions, where we can see the different sessions.
And well, I want to terminate session six and session seven. So how do we do that? Well, that would be terminate-session, for session six and session seven as well. w again, and now these users are gone and my system is secure again. Good, it's up to you to decide if you want to clean this up or not. I think it's pretty cool, this /etc/securetty.

One final thing, and that is the generic PAM. So we need to get back to /etc/pam.d, where we have the different PAMs, and system-auth is the file that I would like to check. This system-auth is the generic PAM that is included by many different services, and in this generic PAM we have auth sufficient on pam_unix.so, which means that if you have a user account that could be verified through /etc/passwd, you're in. If not, then that's not a problem. Then you still have a chance to log in through sssd. sssd is a service that is trying to get you authenticated using LDAP. If that's also not working, pam_deny.so, no access.
pam_deny is a nice last rule that will deny all access if you haven't been able to authenticate based on any of the previous modules.