1
00:00:00,000 --> 00:00:11,440
In this video, I will show you an example of how you can use PAM to make certain parts

2
00:00:11,440 --> 00:00:12,760
happen.

3
00:00:12,760 --> 00:00:16,940
For this example, I need to make sure that the user root has a password.

4
00:00:16,940 --> 00:00:23,639
So I'm going to use passwd root and set the password.

5
00:00:23,639 --> 00:00:29,600
Now I'm going to use chvt 4, I'm going to virtual terminal number 4, and I'm logging in as the

6
00:00:29,600 --> 00:00:32,119
root user.

7
00:00:32,119 --> 00:00:33,279
There we go.

8
00:00:33,279 --> 00:00:35,360
And as you can see, it works.

9
00:00:35,360 --> 00:00:40,200
Right, chvt 2, I'm going back to virtual terminal number 2.

10
00:00:40,200 --> 00:00:45,880
And then I'm going to use the configuration file /etc/securetty.

11
00:00:45,880 --> 00:00:46,880
What is that?

12
00:00:46,880 --> 00:00:52,919
Well, this is listing TTYs on which it is secure for user root to log in.

13
00:00:53,040 --> 00:00:56,799
So I am going to post TTY 3.

14
00:00:56,799 --> 00:01:03,520
And the result should be that if I'm getting back to TTY 4, let's do that, and I'm using

15
00:01:03,520 --> 00:01:10,040
exit and I'm trying to log in as a root user, the result should be of /etc/securetty that

16
00:01:10,040 --> 00:01:11,279
I don't get access.

17
00:01:11,279 --> 00:01:14,199
Too bad, I do have access.

18
00:01:14,199 --> 00:01:15,199
And you know why?

19
00:01:15,199 --> 00:01:20,519
That is because of the PAM secure TTY module.

20
00:01:20,519 --> 00:01:24,239
So we need to figure out where these modules are.

21
00:01:24,239 --> 00:01:30,000
So /lib64/security, that is where you can find PAM modules.

22
00:01:30,000 --> 00:01:35,279
And the module that I'm looking for is right here, pam_securetty.so.

23
00:01:35,279 --> 00:01:38,720
Let's check out the man page for pam_securetty.

24
00:01:38,720 --> 00:01:44,040
And what I am looking for, I'm looking for this, module type provided, only the auth

25
00:01:44,040 --> 00:01:46,559
module type is provided, aha.

26
00:01:46,559 --> 00:01:50,120
So now I know enough, I need this in the auth module.

27
00:01:50,120 --> 00:01:58,760
So I'm going to use /etc/pam.d/login, because after all, we are talking about login.

28
00:01:58,760 --> 00:02:13,399
And in there, I'm going to include auth required pam_securetty.so.

29
00:02:13,399 --> 00:02:14,679
That's how simple it is.

30
00:02:14,679 --> 00:02:20,479
From now on, pam_securetty.so will be included in the authentication procedure.

31
00:02:20,479 --> 00:02:23,080
No need to read anything anymore.

32
00:02:23,080 --> 00:02:27,839
It's just a matter of addressing the right login binary, which finds the PAM configuration

33
00:02:27,839 --> 00:02:32,440
file and will dynamically load all of the required libraries.

34
00:02:32,440 --> 00:02:34,960
So I'm getting back to TTY4.

35
00:02:34,960 --> 00:02:38,639
And there, I'm going to try to log in as a root user again.

36
00:02:38,639 --> 00:02:41,639
And as you can see, it works no longer.

37
00:02:41,639 --> 00:02:47,080
Just to verify that I did not make a typo, no, I did not make a typo, user root can no

38
00:02:47,080 --> 00:02:48,600
longer log in.

39
00:02:48,600 --> 00:02:51,600
So I'm going in as user student.

40
00:02:51,600 --> 00:02:52,800
That's still allowed.

41
00:02:52,800 --> 00:02:56,199
And sudo -i, that's still allowed as well.

42
00:02:56,199 --> 00:02:57,199
Why is that?

43
00:02:57,199 --> 00:03:02,160
Well, my modification was in the PAM for login, not in the PAM for sudo.

44
00:03:02,160 --> 00:03:08,199
And now I can use chvt 2 to get back to my virtual terminal.

45
00:03:08,199 --> 00:03:11,720
It might be nice to use loginctl.

46
00:03:11,720 --> 00:03:14,800
Loginctl is your login session manager.

47
00:03:14,800 --> 00:03:22,279
And I want to see the different users, list-users.

48
00:03:22,279 --> 00:03:24,679
And there, I can see, oh, that's not very specific.

49
00:03:24,679 --> 00:03:27,960
Well, let's go for list-sessions.

50
00:03:27,960 --> 00:03:32,960
And list-sessions is showing my user on TTY4.

51
00:03:32,960 --> 00:03:33,960
And you know what?

52
00:03:33,960 --> 00:03:35,559
I don't want this user anymore.

53
00:03:35,559 --> 00:03:41,199
So I'm going to use loginctl kill-session 14.

54
00:03:41,199 --> 00:03:45,039
And now my user is logged out without having to go back to the console.

