1
00:00:00,000 --> 00:00:17,559
Hey everyone and welcome back. So in this skill right here we have two main concepts

2
00:00:17,559 --> 00:00:23,359
you want to be focusing on. The very first one is something called PAM and then the next

3
00:00:23,359 --> 00:00:28,440
one is something called LDAP, but the very first thing we'll do is we shall talk about

4
00:00:28,760 --> 00:00:35,039
PAM first. So what exactly is PAM and what does it do for us? Well the reality is PAM

5
00:00:35,039 --> 00:00:42,240
stands for the Pluggable Authentication Modules. Now the clue is in the name right here. Simply put

6
00:00:42,240 --> 00:00:48,680
if you have some type of application and you want to invoke some type of authentication i.e. how

7
00:00:48,680 --> 00:00:54,079
the users themselves may be authenticated for example. You don't have to worry about writing

8
00:00:54,079 --> 00:00:59,960
that into your application itself; instead, this functionality is pluggable directly into the

9
00:00:59,960 --> 00:01:07,200
system by using Pluggable Authentication Modules. So realistically all you have to do in order to

10
00:01:07,200 --> 00:01:13,560
be able to control authentication of particular users is that you modify and manipulate these

11
00:01:13,560 --> 00:01:20,439
PAM configuration files. So really this makes it much much easier for us to be able to authenticate

12
00:01:20,480 --> 00:01:29,159
users as well as to control policy for security. So if say for example you wanted to invoke some

13
00:01:29,159 --> 00:01:35,079
type of password history you know so that users cannot reuse passwords. Let's say your password

14
00:01:35,079 --> 00:01:42,120
was originally hello1 you change it to hello2 and then when you change it again you want to change

15
00:01:42,120 --> 00:01:48,280
it back to hello1 you can maybe permit or deny that type of behavior because password1 would

16
00:01:48,359 --> 00:01:56,040
already be a previous password or maybe you wanted to control via IP address where someone could

17
00:01:56,040 --> 00:02:02,680
log in from, i.e. if they happen to come from the United Kingdom, they had a UK-based IP address. You

18
00:02:02,680 --> 00:02:08,360
may decide that you don't want to accept users from the UK, people like me, maybe we are

19
00:02:08,360 --> 00:02:15,080
troublemakers, and if you want to do that with PAM that is no problem at all. You can also effectively

20
00:02:15,080 --> 00:02:21,480
put in some type of limits with respect to when users can actually access the system. Maybe you

21
00:02:21,480 --> 00:02:28,200
don't want a user to access the system on a Saturday or Sunday or at midnight whatever it may be. The

22
00:02:28,200 --> 00:02:33,800
policy itself doesn't actually matter the point I'm trying to make here is that you can set the

23
00:02:33,800 --> 00:02:41,960
policy by modifying these PAM configuration files. So really this is a very very useful tool for us

24
00:02:41,960 --> 00:02:47,879
because anything that can make our job simpler well that can't be a bad thing can it. So let's

25
00:02:47,879 --> 00:02:54,200
talk about the PAM configuration file because it seems to me at least that this is really where all

26
00:02:54,200 --> 00:03:01,159
the action is taking place. Now the reality is this configuration file is within the /etc directory

27
00:03:01,159 --> 00:03:08,200
and it's called pam.conf. Now with respect to pam.conf one thing I will say is that having all

28
00:03:08,199 --> 00:03:15,079
your configurations directly within this particular configuration file this is a little bit outdated.

29
00:03:15,079 --> 00:03:20,679
The reality is you're more likely to encounter, within the /etc directory, you're probably going to

30
00:03:20,679 --> 00:03:27,479
see a pam.d directory and within this directory we're going to have a whole bunch of configuration

31
00:03:27,479 --> 00:03:34,199
files so you know the way sometimes in Linux we can ultimately modularize and chunk up our

32
00:03:34,199 --> 00:03:39,959
configuration files into multiple configuration files within a particular directory. This really

33
00:03:39,959 --> 00:03:46,439
is what is happening in more modern implementations of PAM. We use the pam.d directory which has

34
00:03:46,439 --> 00:03:51,639
multiple configuration files relating to PAM, but like I say we do want to be aware of the

35
00:03:51,639 --> 00:03:57,799
pam.conf if only for historical purposes with respect to the LPIC-2 examination objectives.

36
00:03:57,799 --> 00:04:03,879
So how about we actually look at this configuration file, so if I go into my /etc directory and I do

37
00:04:03,879 --> 00:04:11,719
an ls and I happen to grep for pam we can see here we have the pam.d directory and here we have the

38
00:04:11,719 --> 00:04:19,319
pam.conf configuration file itself, so if I go into the configuration file and hit enter, check this out,

39
00:04:19,319 --> 00:04:26,600
now it even has the good manners to tell us that most programs will actually use a file under

40
00:04:26,600 --> 00:04:32,839
this particular directory, i.e. we will have multiple files relating to specific services

41
00:04:32,919 --> 00:04:39,000
in this directory as opposed to just using one global pam.conf like I said, but it's a good idea

42
00:04:39,000 --> 00:04:45,399
to actually notice the structure right here so here is the deal we can see here the formats if you

43
00:04:45,399 --> 00:04:51,799
look at this part right here and at the very left we see something called serve really this is the

44
00:04:51,799 --> 00:04:58,519
service column now this is really relating to the service to which the module is related so say for

45
00:04:58,519 --> 00:05:04,759
example you are running some type of SSH service and you wanted to have user authentication relating

46
00:05:04,759 --> 00:05:11,000
to this SSH service then this is exactly where you would specify this in the very first column

47
00:05:11,000 --> 00:05:18,279
now we also have the type column which you can see and this essentially has a bunch of different

48
00:05:18,279 --> 00:05:24,919
values so within the type column what we can specify here in fact let me just write this up here type

49
00:05:24,920 --> 00:05:31,319
we can specify information relating to the account now what the account value is going to specify

50
00:05:31,319 --> 00:05:37,960
is really is this user going to be allowed on the system now we also have another option called

51
00:05:37,960 --> 00:05:44,680
authentication this might sound like the exact same as account although it is slightly different

52
00:05:44,680 --> 00:05:50,439
in that this is about the authentication of a user, so we're thinking here about a password.

53
00:05:50,519 --> 00:05:55,879
so if you can imagine we tried to specify for the service SSH maybe we went into the type

54
00:05:55,879 --> 00:06:03,319
and using the account we could specify the account ipv0 that means ipv0 would be in this case here

55
00:06:03,319 --> 00:06:09,800
allowed to use the SSH service but of course just being allowed as a user is not enough

56
00:06:09,800 --> 00:06:15,159
whilst that user is allowed this access someone has to authenticate themselves to prove that they

57
00:06:15,160 --> 00:06:20,600
are that particular user and this is where we would specify ipv0's passwords which would

58
00:06:20,600 --> 00:06:27,240
authenticate that user as ipv0 and allow or disallow if you so wish access to that particular

59
00:06:27,240 --> 00:06:32,440
service that you are specifying now the next thing and this can be a little bit confusing

60
00:06:32,440 --> 00:06:37,800
is we have our password option. Now all the password option is, it's relating to the changing of a

61
00:06:37,800 --> 00:06:43,000
password, so we can actually use the PAM module to change a password. Be careful to remember that

62
00:06:43,000 --> 00:06:48,439
this password option right here this has nothing to do with password authentication that is handled

63
00:06:48,439 --> 00:06:55,879
by authentication and we also have lastly the session option and this is just going to relate to

64
00:06:55,879 --> 00:07:01,480
this particular accounts environment with respect to the service of things like you know should you

65
00:07:01,480 --> 00:07:06,839
mount the home directory of that user when they happen to use this particular service whatever

66
00:07:06,839 --> 00:07:12,680
it may be so that is everything relating to the type option here next we can see here something

67
00:07:12,759 --> 00:07:20,199
called control and this again has multiple different options so with respect to the control option we

68
00:07:20,199 --> 00:07:26,519
have a bunch of different values we want to check out the very first one is something called the

69
00:07:26,519 --> 00:07:33,560
requisite value so what we're seeing here with the requisite value is that the module must actually be

70
00:07:33,560 --> 00:07:39,480
successful in authentication to actually operate that said if the module happens to fail the

71
00:07:39,480 --> 00:07:44,200
authentication process what is going to happen is that the user is going to get some feedback

72
00:07:44,200 --> 00:07:50,920
immediately telling that user that the authentication failed without any kind of delay the next option

73
00:07:50,920 --> 00:07:57,960
we have would be the required value now this is very very similar to requisite the difference here

74
00:07:57,960 --> 00:08:04,680
is that just like before for the authentication module to actually operate the results of the

75
00:08:04,759 --> 00:08:10,280
authentication module must be successful the difference here though is that if the user fails

76
00:08:10,280 --> 00:08:16,199
to authenticate at any point in the test you are not going to be immediately informed simply put

77
00:08:16,199 --> 00:08:20,920
let's imagine you happen to have some type of server authentication this could be like say

78
00:08:20,920 --> 00:08:27,480
something called a RADIUS server, or you happen to have some type of local authentication on the

79
00:08:27,480 --> 00:08:33,639
system, i.e. the password stored locally. If you log in, if the system is configured to check

80
00:08:33,639 --> 00:08:39,000
your credentials with the RADIUS server and you happen to fail that authentication, i.e. you give

81
00:08:39,000 --> 00:08:45,639
the wrong password well required is going to fail anyway but the difference is it's also going to

82
00:08:45,639 --> 00:08:51,480
run through the other checks, i.e. it will then check the local password settings, but here is the deal:

83
00:08:51,480 --> 00:08:57,960
even if you happen to provide credentials which match on the local database by virtue of you

84
00:08:57,960 --> 00:09:03,319
failing the first check against the RADIUS server you still will not be authenticated, it will be

85
00:09:03,320 --> 00:09:08,840
deemed as a failure the difference being here though is that instead of being immediately

86
00:09:08,840 --> 00:09:14,040
told about your failure it's still going to run through the entire checks before reporting the

87
00:09:14,040 --> 00:09:18,680
failure so a little bit confusing there one is going to tell you about the failure right away

88
00:09:18,680 --> 00:09:23,720
the other one it might seem a little bit sadistic it's going to continue checking the other

89
00:09:23,720 --> 00:09:29,480
authentication methods even though ultimately by virtue of failing earlier on you're still not going

90
00:09:29,560 --> 00:09:36,200
to be authenticated so the next one we have is the sufficient control value in this case here if we

91
00:09:36,200 --> 00:09:41,240
happen to get a pass we don't have to continue checking for any more this is more kind of like

92
00:09:41,240 --> 00:09:47,240
OR logic, i.e. we don't have to have everything authenticate and everything hit, so whether we

93
00:09:47,240 --> 00:09:53,320
happen to be authenticating with some type of external server like a RADIUS server or LDAP or

94
00:09:53,320 --> 00:09:59,000
a local database once we get authentication we do not have to continue checking a valid

95
00:09:59,000 --> 00:10:05,000
authentication here anywhere it's going to give us the green light next we have the optional control

96
00:10:05,000 --> 00:10:11,879
value. Now this is not a mandatory value; instead this is only going to be needed in particular

97
00:10:11,879 --> 00:10:18,600
scenarios when say for example another module happens to rely upon it okay so we have the service

98
00:10:18,600 --> 00:10:25,559
name we have the module type we then have the control flag then we specify the path to the module

99
00:10:25,559 --> 00:10:32,279
and then we can actually provide arguments to that module path if the module path happens to take

100
00:10:32,279 --> 00:10:39,079
any arguments. That really is the basic setup of the original pam.conf configuration file, but like I say

101
00:10:39,079 --> 00:10:44,919
more modern distributions are going to be implementing this directory based implementation

102
00:10:44,919 --> 00:10:50,759
so let's actually check out the pam.d directory then. So what I will do here is I'll just escape out

103
00:10:50,759 --> 00:10:57,639
and I will go into pam.d, I'm doing ls now, we can see here, in fact let me just long list this.

104
00:10:57,639 --> 00:11:04,679
Now we can see, instead of actually having a line in the pam.conf file which tells you a

105
00:11:04,679 --> 00:11:10,919
particular service instead we have these individual files which denote the service or say for example

106
00:11:10,919 --> 00:11:17,080
within this file right here this will be related to cron which we can use for scheduling particular

107
00:11:17,080 --> 00:11:21,800
tasks, or say for example Samba, if you want to authenticate with Samba we could go directly

108
00:11:21,800 --> 00:11:28,680
into this file right here if we want to look at ssh authentication we could go into this one right

109
00:11:28,680 --> 00:11:34,920
here. So say for example we dive right into this one right here, sshd then, so I will say

110
00:11:34,920 --> 00:11:41,960
sudo nano sshd and go in here. So notice the slight difference here: no longer do we have

111
00:11:41,960 --> 00:11:48,600
this service column we go straight to the type column which we can see right here so in this

112
00:11:48,600 --> 00:11:54,600
case here this is the type account so this is going to be related to particular users who are allowed

113
00:11:54,600 --> 00:12:01,000
to log in notice that the control flag says this is required and then we actually have the path to

114
00:12:01,000 --> 00:12:07,960
the module itself here, so this actual module here is pam_nologin.so, and the little description

115
00:12:07,960 --> 00:12:15,160
here ultimately tells us that this is going to disallow non-root logins whenever we have this

116
00:12:15,160 --> 00:12:22,040
ssh nologin file created. Now one thing I should actually specify here or point out is that we also

117
00:12:22,040 --> 00:12:28,280
have this include option now all we are saying here is we want to include the rules that are

118
00:12:28,280 --> 00:12:35,480
specified within this particular file, so we have this file common-auth and we can see here the sshd

119
00:12:36,039 --> 00:12:42,680
configuration is relying on whatever is specified in here it is including it ultimately it is

120
00:12:42,680 --> 00:12:49,159
consuming these rules. So if we go into common-auth now, we can see this right here and hit enter, we

121
00:12:49,159 --> 00:12:55,480
can see the type is authentication we can see here that this is a requisite control value so we

122
00:12:55,480 --> 00:13:02,039
know if the user happens to fail the authentication at any point the user is going to be told about

123
00:13:02,039 --> 00:13:08,679
this failure immediately, and here we can see it referencing the pam_deny module which is ultimately

124
00:13:08,679 --> 00:13:14,519
a module used to deny access and we'll get to look at the different pam modules in the next

125
00:13:14,519 --> 00:13:19,240
nugget. Now we have a whole bunch of different files that we can configure right here. If I happen to

126
00:13:19,240 --> 00:13:25,799
go in, let's say for example, into the common-password file, if I scroll on down we can see here this

127
00:13:25,799 --> 00:13:30,919
is going to be related to the password type which is about changing of passwords and here are some

128
00:13:30,919 --> 00:13:35,879
of the checks we're going to run through. We can see we're going to run through the pam_unix.so

129
00:13:35,879 --> 00:13:41,719
module, we have additional features here, we can see we have the sha512 hashing algorithm. What I'm

130
00:13:41,719 --> 00:13:46,919
going to do is I'm first going to create a new user, okay so let me show you this. If I say sudo

131
00:13:46,919 --> 00:13:53,159
useradd and I just call this test account and then I will say sudo passwd for test account to

132
00:13:53,159 --> 00:14:00,599
specify a password, let's just say the password will be john, okay so j-o-h-n, okay so that was a fairly

133
00:14:00,600 --> 00:14:06,519
simple password. What I will do is I will substitute the user to change into test account, okay so I'll

134
00:14:06,519 --> 00:14:12,600
say the user, so I'll type in the password of john, okay so if I say whoami we can see we have the

135
00:14:12,600 --> 00:14:18,519
test account. Now what I want to do is I want to change my password but I want to add in some

136
00:14:18,519 --> 00:14:25,240
additional controls here. So what I will do is actually I'll go back to ipv0 and I will go into

137
00:14:25,240 --> 00:14:31,960
the common-password file and down here what I will do is I will specify the min length of a

138
00:14:31,960 --> 00:14:38,200
password, okay so I can use the keyword minlen and I'll make that password, let's maybe say it's got

139
00:14:38,200 --> 00:14:44,279
to be 11 characters long. So think about this, this is all about the password type which we know is

140
00:14:44,279 --> 00:14:50,440
about changing passwords; within my series of checks I'm going to make sure it checks that the min length

141
00:14:50,440 --> 00:14:57,480
is 11. So let's save this, and if I go back and I substitute user into test account and I will

142
00:14:57,480 --> 00:15:04,680
type in john as a password, if I happen to say passwd and I type in john as my current one,

143
00:15:04,680 --> 00:15:12,040
if I try to type in a password that is maybe just say 10 characters long, so I'll just say j-o-h-n

144
00:15:12,040 --> 00:15:18,760
j-o-h-n j-o, so that's john john jo, that's only 10 characters. If I hit enter and I do it again,

145
00:15:18,840 --> 00:15:27,639
j-o-h-n j-o-h-n j-o and hit enter, it's telling me I must choose a longer password because we now need

146
00:15:27,639 --> 00:15:33,879
to have 11 characters when we are changing a password now. So if I'm going to change it, what

147
00:15:33,879 --> 00:15:43,879
I can say is j-o-h-n j-o-h-n j-o-h, that will be 11 characters, I do it again j-o-h-n j-o-h-n j-o-h and

148
00:15:43,960 --> 00:15:50,120
hit enter, suddenly now the password has been successfully updated, but we're able to control

149
00:15:50,120 --> 00:15:56,120
our authentication in a very particular way just by manipulating these PAM configuration

150
00:15:56,120 --> 00:16:01,240
files, and the PAM configuration file that I happen to manipulate was all about changing passwords,

151
00:16:01,240 --> 00:16:07,320
that was relating to that type of password. But again like I say we can have control over the

152
00:16:07,320 --> 00:16:13,399
account, is the user allowed, the authentication, the changing of passwords or the session itself,

153
00:16:13,399 --> 00:16:18,439
what should actually happen for that user once they have become authenticated. And again if we do

154
00:16:18,439 --> 00:16:25,720
an ls -l we can see common-account settings, common-auth settings, common-password settings

155
00:16:25,720 --> 00:16:31,879
and common-session settings as well as common-session-noninteractive sessions, as well as, as we can

156
00:16:31,879 --> 00:16:38,439
see here, these service-specific authentication files which ultimately can, if they so choose,

157
00:16:38,440 --> 00:16:45,080
include and call in these more general settings right here. So I know that was a lot to get to

158
00:16:45,080 --> 00:16:50,680
within this opening nugget, it can be a very confusing concept when you first dig into it, but

159
00:16:50,680 --> 00:16:56,440
once you begin playing around with these configuration files and making the changes slowly but surely

160
00:16:56,440 --> 00:17:01,480
things will begin to make sense. But what we really have to understand are the different types of PAM

161
00:17:01,480 --> 00:17:07,960
modules available to us because these are crucial to the operation of pluggable authentication modules

162
00:17:07,960 --> 00:17:11,720
and well, that's what we're talking about in the very next nugget. I hope this has been

163
00:17:11,720 --> 00:17:17,960
informative for you and i'd like to thank you for viewing

