1
00:00:00,000 --> 00:00:09,560
In this video, you'll learn about PAM.

2
00:00:09,560 --> 00:00:13,220
So PAM is Pluggable Authentication Modules.

3
00:00:13,220 --> 00:00:17,040
It is what makes authentication pluggable, and that is useful.

4
00:00:17,040 --> 00:00:21,680
Let's imagine that you are a device vendor and you want to introduce your fingerprint

5
00:00:21,680 --> 00:00:22,680
reader.

6
00:00:22,680 --> 00:00:28,040
And in order to integrate this in the Linux authentication, it uses a specific library.

7
00:00:28,040 --> 00:00:30,360
Well, that is what PAM is doing.

8
00:00:30,360 --> 00:00:38,840
It integrates libraries into the authentication procedure to extend the possibilities of authentication.

9
00:00:38,840 --> 00:00:43,520
And the nice thing about it is that it helps separating the specific authentication approach

10
00:00:43,520 --> 00:00:46,240
from the binary that is actually going to need it.

11
00:00:46,240 --> 00:00:51,240
PAM also helps in providing modules that may be used by different binaries, and it can

12
00:00:51,240 --> 00:00:55,279
be used to enhance security in different environments.

13
00:00:55,279 --> 00:01:00,000
PAM Tally 2, for instance, can be used to put restrictions on errors that may happen

14
00:01:00,000 --> 00:01:03,000
during the boot procedure.

15
00:01:03,000 --> 00:01:08,040
Now let's have a quick look at PAM so that you understand what is going on.

16
00:01:08,040 --> 00:01:13,559
It's not my purpose to make you a specialist here, but the goal is to know how it can be

17
00:01:13,559 --> 00:01:17,279
used to influence the authentication procedure.

18
00:01:17,279 --> 00:01:22,900
To start with, I'm going to use LDD on which logging.

19
00:01:22,900 --> 00:01:27,980
And there we can see that it is using libpam and libpam-misc.

20
00:01:27,980 --> 00:01:28,980
Now what does that mean?

21
00:01:28,980 --> 00:01:35,139
Well, that means that in etcpam.d, there is a configuration, and here we can find this

22
00:01:35,139 --> 00:01:37,739
login configuration file.

23
00:01:37,739 --> 00:01:43,980
And in this login configuration file, it distinguishes four different phases in the authentication.

24
00:01:43,980 --> 00:01:48,059
Auth is where the user makes initial contact.

25
00:01:48,059 --> 00:01:50,820
Account is where account settings are checked.

26
00:01:50,820 --> 00:01:54,019
Password is where password requirements are verified.

27
00:01:54,019 --> 00:02:00,620
And then session is for opening a session and providing access to the specific resources.

28
00:02:00,620 --> 00:02:04,220
Now you can see that for some of them, a specific module is called.

29
00:02:04,220 --> 00:02:08,419
Like here, session require pam-se-linux.so.

30
00:02:08,419 --> 00:02:12,779
That's something that makes sense on a Red Hat system, but on an Ubuntu system that doesn't

31
00:02:12,779 --> 00:02:16,860
come with SE Linux by default, you won't find this.

32
00:02:16,860 --> 00:02:18,220
What do you think of this?

33
00:02:18,220 --> 00:02:21,139
Auth required pam-nologin.so.

34
00:02:21,139 --> 00:02:27,740
This is what makes it if you create a file with the name nologin in the root of your

35
00:02:27,740 --> 00:02:32,100
file system, then nobody except the root user can log in.

36
00:02:32,100 --> 00:02:35,699
We can also see an include of system auth.

37
00:02:35,699 --> 00:02:41,300
Now behind this system auth is the idea that the same thing needs to happen over and over

38
00:02:41,300 --> 00:02:44,639
again by many different services.

39
00:02:44,639 --> 00:02:49,559
So here we can see the common modules, where for auth, it reads the environment.

40
00:02:49,559 --> 00:02:53,960
We have a fill delay, which makes it you can only try it for so long.

41
00:02:53,960 --> 00:03:00,600
Then we have pam-unix.so, and pam-unix.so is making sure that you authenticate based

42
00:03:00,600 --> 00:03:03,839
on etc passwd.

43
00:03:03,839 --> 00:03:09,320
Here we have another one that is interesting as well, pam-pw-quality, which is integrated

44
00:03:09,320 --> 00:03:11,399
in the password phase.

45
00:03:11,600 --> 00:03:16,600
That makes sure that your password meets the appropriate quality.

46
00:03:16,600 --> 00:03:23,440
You can also see that most of the phases have a pam-deny at the end, meaning that if you

47
00:03:23,440 --> 00:03:29,679
don't pass the required option here and the sufficient option here, well, then you will

48
00:03:29,679 --> 00:03:33,199
hit the pam-deny and you won't get into the system.

49
00:03:33,199 --> 00:03:36,279
Now what about the pw-quality?

50
00:03:36,279 --> 00:03:39,839
Well the fun thing is that TAM has many man pages.

51
00:03:39,839 --> 00:03:47,800
So let's do a pw-quality in man-k, and now we can see pam-pw-quality.

52
00:03:47,800 --> 00:03:51,000
And I think you don't have to guess where this is configured.

53
00:03:51,000 --> 00:03:55,679
So let's check out etc security.

54
00:03:55,679 --> 00:03:58,679
That's where they typically are, pw-quality.com.

55
00:03:58,679 --> 00:04:05,919
Yes, pam modules normally are configured through files in etc security.

56
00:04:06,000 --> 00:04:11,839
And here we can see an example of pw-quality, including an explanation of all that you can

57
00:04:11,839 --> 00:04:16,000
do to make sure that your passwords are secure.

58
00:04:16,000 --> 00:04:20,679
You don't need to know all the details about pam, but you do need to know that it is used

59
00:04:20,679 --> 00:04:25,720
in the authentication procedure to make authentication really modular.