Understanding and Configuring the PAM Config File on Raspberry Pi

Ben
@benjislab

Pluggable Authentication Modules (PAM) are a powerful system in Linux, including Raspberry Pi OS, that manage authentication for users and applications. By configuring PAM, you can enforce security policies, control access, and customize how authentication is handled on your Raspberry Pi. This guide will walk you through the basics of PAM, the structure of its configuration files, and how to modify them to meet your security needs.

What is PAM?

PAM stands for Pluggable Authentication Modules, a suite of shared libraries that enable the dynamic authentication of users on Linux systems. PAM provides a flexible and modular approach to authentication, allowing you to configure how users are authenticated, authorized, and logged in.

The PAM configuration files determine how different services (such as login, SSH, and sudo) authenticate users. These files are typically located in the /etc/pam.d/ directory.

Key PAM Configuration Files

The PAM configuration files on your Raspberry Pi are usually found in the /etc/pam.d/ directory. Each file corresponds to a specific service and controls how PAM handles authentication for that service.

Common Files in /etc/pam.d/:

  • /etc/pam.d/sshd: Manages SSH authentication.
  • /etc/pam.d/login: Controls console login authentication.
  • /etc/pam.d/sudo: Handles authentication for the sudo command.
  • /etc/pam.d/common-auth: Common authentication settings shared across multiple services.

PAM Configuration File Syntax

Each PAM configuration file consists of a series of directives, each with the following structure:

<module-type> <control-flag> <module-path> <module-arguments>
  • module-type: Specifies the type of PAM module (e.g., auth, account, password, session).
  • control-flag: Determines the behavior if the module succeeds or fails (e.g., required, requisite, optional, sufficient).
  • module-path: The path to the PAM module library.
  • module-arguments: Additional arguments passed to the module.
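To see how those four fields come apart in practice, here is a small POSIX shell parser and linter, added as an example for this guide rather than taken from the original article or from PAM itself. It handles the bracketed control-flag form ([success=ok ... default=bad]) that appears in the default sshd file later in this guide, which a plain whitespace split would get wrong, and pam_lint_file flags directives whose module-type or control-flag is not in PAM's vocabulary: a cheap check to run on a file before restarting the service that reads it. The function names are this example's own.

```shell
#!/bin/sh
# Added example: split one PAM directive into its four fields and validate
# the module-type and control-flag vocabulary. Not a real PAM tool.
#
# Usage: pam_field <type|control|module|args> "<directive line>"
# The body runs in a subshell so "set -f" (no glob expansion while
# splitting the line into words) does not leak into the caller.
pam_field() (
    want=$1
    line=${2%%#*}                      # drop a trailing "# comment"
    set -f
    set -- $line
    [ $# -ge 3 ] || return 1           # need type, control, module
    mtype=$1; shift
    control=$1; shift
    # A control flag starting with "[" spans words until the closing "]".
    if [ "${control#\[}" != "$control" ]; then
        while [ "${control%\]}" = "$control" ]; do
            [ $# -gt 0 ] || return 1   # unterminated [...]
            control="$control $1"; shift
        done
    fi
    [ $# -ge 1 ] || return 1           # module path must follow
    module=$1; shift
    args=$*
    case $want in
        type)    printf '%s\n' "$mtype" ;;
        control) printf '%s\n' "$control" ;;
        module)  printf '%s\n' "$module" ;;
        args)    printf '%s\n' "$args" ;;
        *)       return 2 ;;
    esac
)

# pam_valid_directive "<line>": 0 if module-type and control-flag are known.
# A leading "-" on the type means "skip silently if the module is missing".
pam_valid_directive() {
    t=$(pam_field type "$1") || return 1
    c=$(pam_field control "$1") || return 1
    case ${t#-} in
        auth|account|password|session) ;;
        *) return 1 ;;
    esac
    case $c in
        required|requisite|sufficient|optional|include|substack) ;;
        \[*\]) ;;                      # bracketed [value=action ...] form
        *) return 1 ;;
    esac
}

# pam_lint_file <file>: report every directive that fails validation,
# skipping blank lines, comments and @include lines. Returns 1 on any error.
pam_lint_file() {
    rc=0; n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case $l in
            ''|'#'*|@include*) continue ;;
        esac
        pam_valid_directive "$l" || { echo "$1:$n: bad directive: $l" >&2; rc=1; }
    done < "$1"
    return $rc
}
```

Run pam_lint_file /etc/pam.d/sshd after editing; a misspelled control flag such as "requierd" is rejected by PAM at authentication time, not at edit time, so catching it here is cheaper than finding out at the next login.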

Configuring PAM for Enhanced Security

Here are some common configurations you can apply to improve security on your Raspberry Pi using PAM.

1. Enforcing Strong Passwords

To ensure users create strong passwords, you can configure the pam_pwquality.so module in the /etc/pam.d/common-password file.

  1. Open the common-password file:
sudo nano /etc/pam.d/common-password
  2. Add or Modify the Password Quality Module:

Add the following line or modify the existing one:

password requisite pam_pwquality.so retry=3 minlen=8 difok=3
  • retry=3: Allows the user three attempts to choose a strong password.
  • minlen=8: Sets the minimum password length to 8 characters.
  • difok=3: Requires that at least 3 characters in the new password differ from the old one.
  3. Save and Exit: Save your changes and exit the text editor.

2. Limiting Login Attempts

You can limit the number of failed login attempts to prevent brute-force attacks using the pam_tally2.so module.

  1. Open the sshd file:
sudo nano /etc/pam.d/sshd
  2. Add the pam_tally2 Module:

Add the following lines to count failed login attempts and lock the account after 5 failed attempts:

auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=600
account required pam_tally2.so
  • deny=5: Locks the account after 5 failed attempts.
  • unlock_time=600: Automatically unlocks the account after 10 minutes (600 seconds).
  3. Save and Exit: Save your changes and exit the text editor.

3. Requiring Multi-Factor Authentication (MFA)

You can add an additional layer of security by requiring multi-factor authentication using PAM modules like pam_google_authenticator.so.

  1. Install Google Authenticator:

Install the Google Authenticator PAM module:

sudo apt-get install libpam-google-authenticator
  2. Configure PAM for MFA:

Open the /etc/pam.d/sshd file:

sudo nano /etc/pam.d/sshd

Add the following line before the @include common-auth line:

auth required pam_google_authenticator.so
  3. Configure SSH to Use MFA:

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Ensure the following lines are set:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Save your changes and restart the SSH service:

sudo systemctl restart ssh

4. Restricting Access to Sudo

To restrict who can use the sudo command, configure PAM to add a group-membership check to sudo's authentication.

  1. Open the sudo file:
sudo nano /etc/pam.d/sudo
  2. Add or Modify the pam_wheel Module:

Add the following line to restrict sudo usage to members of the wheel group:

auth required pam_wheel.so group=wheel

Ensure that only trusted users are added to the wheel group:

sudo usermod -aG wheel username
  3. Save and Exit: Save your changes and exit the text editor.

Backing Up and Restoring PAM Configuration Files

Before making changes to PAM configuration files, it’s a good practice to back them up.

  1. Backup a PAM Configuration File:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
  2. Restore a Backup:

If you need to revert to the original settings, restore the backup:

sudo mv /etc/pam.d/common-auth.bak /etc/pam.d/common-auth
  3. Restart Services:

After restoring, ensure the changes are applied by restarting the relevant service (e.g., SSH):

sudo systemctl restart ssh
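The four configurations above all come down to the same edit, adding or replacing one directive in a file under /etc/pam.d/, and the ways that edit goes wrong are the same each time. A required line that names a module which is not actually installed makes every authentication for that service fail: pam_tally2.so, for instance, was removed in Linux-PAM 1.5, so on Debian bookworm (the base of current Raspberry Pi OS) that line would lock everyone out of SSH, and pam_faillock.so is the module that ships instead. Editing by hand twice leaves duplicate lines, and the position of a line in the stack matters, which is why the MFA step says to put pam_google_authenticator.so before @include common-auth. The helper below is an added example, not part of this guide or of PAM: it backs the file up with a timestamp, refuses to enable a module whose .so it cannot find in the module directories (the default search list is an assumption about the Debian layout; override it with PAM_MODULE_DIRS), replaces any existing line for the same module, and can insert the new line before an anchor pattern. The same lookup discipline applies to groups: Raspberry Pi OS has no wheel group by default (its administrative group is sudo), so run getent group wheel before enabling the pam_wheel line, or every sudo attempt will be refused.

```shell
#!/bin/sh
# Added example (not part of the guide or of PAM): add or replace one
# directive in a PAM service file without locking yourself out.
#   - backs the file up first (<file>.bak.<timestamp>)
#   - refuses to enable a module whose .so is not installed, because a
#     "required" line for a missing module fails every authentication
#   - replaces an existing line for the same module instead of appending
#     a duplicate, so re-running with new arguments is safe
#   - optionally inserts before the first line matching an anchor regex
#     (e.g. "@include common-auth"), since order in the stack matters
#
# Usage: pam_apply_directive <pam-file> "<directive>" [<anchor-regex>]
# Example:
#   pam_apply_directive /etc/pam.d/sshd \
#       "auth required pam_google_authenticator.so" "@include common-auth"
#
# Assumed module search path (Debian/Raspberry Pi OS layout); override it
# with PAM_MODULE_DIRS="dir1 dir2" in the environment.
: "${PAM_MODULE_DIRS:=/lib/security /usr/lib/security /lib/aarch64-linux-gnu/security /lib/arm-linux-gnueabihf/security /usr/lib/x86_64-linux-gnu/security}"

# pam_module_exists <name.so>: 0 if the module file is in any search dir
pam_module_exists() {
    for d in $PAM_MODULE_DIRS; do
        [ -f "$d/$1" ] && return 0
    done
    return 1
}

# pam_file_has <pam-file> "<directive>": 0 if that exact line is present
pam_file_has() {
    grep -Fxq "$2" "$1"
}

pam_apply_directive() {
    file=$1 directive=$2 anchor=${3:-}

    # The module name is the first field ending in .so; this works for both
    # the plain and the bracketed "[...]" control-flag forms.
    module=$(printf '%s\n' "$directive" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; exit } }')
    if [ -z "$module" ]; then
        echo "pam_apply_directive: no module in: $directive" >&2
        return 2
    fi
    if ! pam_module_exists "$module"; then
        echo "pam_apply_directive: $module not installed; refusing to enable it in $file" >&2
        return 3
    fi

    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 4

    tmp="$file.tmp.$$"
    awk -v mod="$module" -v new="$directive" -v anchor="$anchor" '
        {
            # drop any existing non-comment line that names this module
            if ($1 !~ /^#/)
                for (i = 1; i <= NF; i++)
                    if ($i == mod) next
            # insert before the anchor line (first match only)
            if (!done && anchor != "" && $0 ~ anchor) { print new; done = 1 }
            print
        }
        END { if (!done) print new }   # no anchor or no match: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Keep a second SSH session open while applying a change to /etc/pam.d/sshd, and verify with pam_file_has before restarting the service; the backup written here is what the restore step above copies back if that verification fails.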

Default /etc/pam.d/sshd File Example

# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password

Conclusion

Configuring PAM on your Raspberry Pi allows you to enforce robust security policies, control access to your system, and customize authentication mechanisms. By understanding the structure and options available in PAM configuration files, you can enhance the security of your Raspberry Pi, whether you're securing SSH access, enforcing strong passwords, or implementing multi-factor authentication. Always remember to back up your configuration files before making changes to avoid accidental lockouts.