1
00:00:00,000 --> 00:00:17,760
Hey everyone, and welcome back. Now in the previous nugget we had introduced the concept

2
00:00:17,760 --> 00:00:23,280
of Pluggable Authentication Modules. Now we learned that within the configuration files

3
00:00:23,280 --> 00:00:29,199
that we were going to actually reference particular modules to handle particular tasks. In this

4
00:00:29,199 --> 00:00:34,719
nugget right here we're actually going to look at the available PAM modules in a little bit more

5
00:00:34,719 --> 00:00:40,799
detail. Now the very first thing that I should just clarify is that there are a lot of PAM modules

6
00:00:40,799 --> 00:00:46,560
and we ultimately don't have to know too much about many of them. There are four particular ones

7
00:00:46,560 --> 00:00:53,039
that we want to focus in on for the purposes of the LPIC-2 certification. So with that said,

8
00:00:53,039 --> 00:00:58,480
how about we actually dive in and look at these modules in a little bit more detail then, shall

9
00:00:58,879 --> 00:01:04,640
we? Okay so what I will do here is if I clear the screen. In fact let me just change back to IPv0.

10
00:01:04,640 --> 00:01:11,519
Okay, so the very first module that I want to show you is one called

11
00:01:11,519 --> 00:01:17,759
pam_unix. Now this is really related to the setting of passwords, so what I can do here is if I say

12
00:01:17,759 --> 00:01:25,679
man pam_unix and hit enter, we can see here it says this is a module for traditional

13
00:01:25,680 --> 00:01:31,840
password authentication. Now you can go through all of the information within this man page, but

14
00:01:31,840 --> 00:01:37,760
we can see here some of the options which are available to us. Say, for example, we can see the

15
00:01:37,760 --> 00:01:43,360
md5 option. That means that when the user is going to change their password, that password is going to

16
00:01:43,360 --> 00:01:51,600
be hashed using the MD5 algorithm, whereas, as we saw in the previous nugget, we saw sha512, I do believe,

17
00:01:51,599 --> 00:01:58,799
and this time when a user changes the password it's going to be encrypted with SHA512, or if that

18
00:01:58,799 --> 00:02:07,039
fails, fall back to using MD5. We can see the nullok value. Pretty much what this means, as we can

19
00:02:07,039 --> 00:02:14,000
see right here, is that if the root user wants to allow regular users on the system to use empty

20
00:02:14,000 --> 00:02:19,840
passwords, i.e. blank passwords, that is going to be allowed if we set this value within the

21
00:02:19,840 --> 00:02:25,520
pam_unix module as an argument. Remember we talked about password history? Well, we can see here this

22
00:02:25,520 --> 00:02:31,680
option, remember=N. N denotes the number of passwords we want to keep in our history, so you

23
00:02:31,680 --> 00:02:37,680
could say remember=3, so that means that the system is going to remember the last

24
00:02:37,680 --> 00:02:44,240
three passwords, and that means that they cannot be reused whilst they have been remembered. So again,

25
00:02:44,240 --> 00:02:50,960
to use the example, if the user happened to have the password john and then the password john1

26
00:02:50,960 --> 00:02:57,760
and then the password john2, and remember was set to the value three, well, the system would remember

27
00:02:57,760 --> 00:03:03,200
these three passwords, and if the user then went to change the password once again to one of these

28
00:03:03,200 --> 00:03:08,400
values, say for example john, well, that would be within the three stored passwords and we could

29
00:03:08,400 --> 00:03:13,680
ultimately deny the user the ability to use that password. They would say, hey, by the way, this is a

30
00:03:13,680 --> 00:03:18,159
recently used password, you cannot use it, choose something different. So maybe they would go and

31
00:03:18,159 --> 00:03:24,400
choose the password bob1, okay, whatever it may be. Again, neither of these passwords happens to be

32
00:03:24,400 --> 00:03:29,520
very secure or very good; choose more complex passwords, but you get the drift. So again I encourage

33
00:03:29,520 --> 00:03:35,760
you to check out the man pages in full detail to see all of the available options here. Now the next

34
00:03:35,760 --> 00:03:41,760
module we want to know about is one called pam_cracklib. Now this one here is going

35
00:03:41,759 --> 00:03:47,359
to be how users themselves can actually change their own passwords, so this could be, say for example,

36
00:03:47,919 --> 00:03:53,759
the minimum length of characters that a user can change their password to. We can also have

37
00:03:53,759 --> 00:03:59,840
particular checks whereby does the password actually contain the user's username? Maybe we

38
00:03:59,840 --> 00:04:05,840
don't want to allow such a thing. Maybe the password we deem is too simple; like I say, maybe one

39
00:04:05,840 --> 00:04:11,680
password was john, the next one it was changed to by the user was john1. We may say, hey, by the way,

40
00:04:11,680 --> 00:04:17,199
this is too simple, it's too close, this is a security risk, we don't want your password to be

41
00:04:17,199 --> 00:04:24,319
cracked so easily. We could check that maybe the user's old password was john and then they changed it to

42
00:04:24,879 --> 00:04:32,240
John, i.e. one was lowercase and all they did was change it to uppercase. We could deny such

43
00:04:32,240 --> 00:04:39,519
behavior, again all of this made possible by the cracklib module. The next one is the pam_limits

44
00:04:39,519 --> 00:04:44,800
module. If you go into the man page, this one here relates to the limiting of particular resources.

45
00:04:44,800 --> 00:04:51,040
We can see we can actually control system resources relating to a particular user session that has

46
00:04:51,040 --> 00:04:57,199
been authenticated. Notice crucially that there are default limits, and we really want to be remembering

47
00:04:57,199 --> 00:05:02,399
this part here: the default limits that are going to be drawn from are going to be within this

48
00:05:02,399 --> 00:05:08,959
particular configuration file, the /etc directory, the security directory and then limits.conf, and

49
00:05:08,959 --> 00:05:15,839
similarly we also have the /etc/security/limits.d directory, and any files within that directory

50
00:05:15,839 --> 00:05:23,199
which end in .conf can be read in and applied also. So let's imagine we wanted to limit the amount

51
00:05:23,199 --> 00:05:29,279
of concurrent logins, for example; this would be relating to the controlling of resources, i.e. this

52
00:05:29,279 --> 00:05:34,319
is something we could control via pam_limits. Now the last one that we want to talk about, if I just

53
00:05:34,319 --> 00:05:42,079
quit this, the last one is the pam_listfile module. If I go into the man page here, what we can do here

54
00:05:42,079 --> 00:05:49,360
is we can, as we see, allow or deny services based on an arbitrary file. So what this means is that if

55
00:05:49,360 --> 00:05:56,480
you wanted to, let's maybe say, deny users for a particular SSH session, you could create an arbitrary

56
00:05:56,480 --> 00:06:02,960
file, so that would be a file that you just make; you could just call the file myrandom.txt, and

57
00:06:02,960 --> 00:06:10,720
within this file you could specify the names john and then the name michelle, and depending on

58
00:06:10,720 --> 00:06:16,400
whether you specified in the arguments of that module to allow whatever you had in that arbitrary

59
00:06:16,399 --> 00:06:22,959
file, you could allow access to just john and michelle, or you could specify deny, meaning that we would

60
00:06:22,959 --> 00:06:29,199
read the same file containing the user names john and michelle but you could deny the access. And again,

61
00:06:29,199 --> 00:06:36,000
we can see here, if we scroll on down, what we would do here is specify the keyword sense equal to either

62
00:06:36,000 --> 00:06:43,599
allow, to allow the users, or deny. Then we would specify the file, which would give us the path to

63
00:06:43,600 --> 00:06:49,520
the arbitrary file that we just created which contained, say for example, those user names

64
00:06:49,520 --> 00:06:54,240
john and michelle. Now john and michelle, what is that going to be? Is that going to be a group name? Is

65
00:06:54,240 --> 00:07:01,840
that going to be a username? Well, we would specify the item. So let's just say that it was going to be

66
00:07:01,840 --> 00:07:08,879
user names; we could say item=user, which we see here, or we could say item=group,

67
00:07:08,959 --> 00:07:15,279
whatever it may be, and then we could say file is equal to, let's just say,

68
00:07:15,279 --> 00:07:24,159
/myrandom.txt, and the sense is we could allow, so that would mean that we could specify users within a

69
00:07:24,159 --> 00:07:30,399
particular text file located here, and whatever users are specified within this text file,

70
00:07:30,399 --> 00:07:37,040
we are going to allow them particular access, and this really is what the pam_listfile module

71
00:07:37,040 --> 00:07:43,280
is all about. Now like I say, when you happen to be using PAM there are a ton more modules than we

72
00:07:43,280 --> 00:07:48,560
just saw here, but again for the purposes of the examination these are the four that we really

73
00:07:48,560 --> 00:07:54,320
want to have drilled and well understood, so that if we happen to be getting any questions on these

74
00:07:54,320 --> 00:08:01,040
particular modules we know exactly what to do and how we can modify their values. So once again,

75
00:08:01,040 --> 00:08:06,080
as always, I recommend going to the man pages to get familiar with all the different options that we

76
00:08:06,079 --> 00:08:12,079
have available within these particular modules. But for now, that is us for PAM authentication. I hope

77
00:08:12,079 --> 00:08:22,000
this has been informative for you, and I'd like to thank you for viewing.

