Red Hat 8.2 - PAM tuning using authselect
Some notes about tuning PAM on Red Hat 8.2
# Some tuning options went wrong, so I used the command below to restore the default configuration and start again:
[root@server1 pam.d]# authselect select sssd --force
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
# Now create a backup of the current configuration:
[root@server1 pam.d]# authselect apply-changes -b --backup=sssd.backup
Backup stored at /var/lib/authselect/backups/sssd.backup
Changes were successfully applied.
[root@server1 pam.d]#
# Here is the current profile that I forced with authselect on Red Hat 8.2:
[root@server2 etc]# authselect current
Profile ID: sssd
Enabled features: None
[root@server2 etc]#
[root@server1 pam.d]# authselect current
Profile ID: sssd
Enabled features: None
[root@server1 pam.d]#
# Create a new custom profile (named password-policy in the example; the name can be changed to reflect the customer policy). It is copied from the current sssd profile:
example:
authselect create-profile password-policy -b sssd --symlink-meta --symlink-pam
# command to run:
authselect create-profile customer_password_policy -b sssd --symlink-meta --symlink-pam
[root@server2 etc]# authselect create-profile customer_password_policy -b sssd --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/customer_password_policy
[root@server2 etc]#
[root@server1 pam.d]# authselect create-profile customer_password_policy -b sssd --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/customer_password_policy
[root@server1 pam.d]#
# Content of the profile directory that was created:
[root@server2 etc]# ls -ltra /etc/authselect/custom/customer_password_policy
total 20
lrwxrwxrwx 1 root root 46 Aug 11 13:47 system-auth -> /usr/share/authselect/default/sssd/system-auth
lrwxrwxrwx 1 root root 49 Aug 11 13:47 smartcard-auth -> /usr/share/authselect/default/sssd/smartcard-auth
lrwxrwxrwx 1 root root 47 Aug 11 13:47 REQUIREMENTS -> /usr/share/authselect/default/sssd/REQUIREMENTS
lrwxrwxrwx 1 root root 41 Aug 11 13:47 README -> /usr/share/authselect/default/sssd/README
lrwxrwxrwx 1 root root 44 Aug 11 13:47 postlogin -> /usr/share/authselect/default/sssd/postlogin
lrwxrwxrwx 1 root root 48 Aug 11 13:47 password-auth -> /usr/share/authselect/default/sssd/password-auth
-rw-r--r-- 1 root root 393 Aug 11 13:47 nsswitch.conf
lrwxrwxrwx 1 root root 51 Aug 11 13:47 fingerprint-auth -> /usr/share/authselect/default/sssd/fingerprint-auth
-rw-r--r-- 1 root root 279 Aug 11 13:47 dconf-locks
-rw-r--r-- 1 root root 540 Aug 11 13:47 dconf-db
drwxr-xr-x. 3 root root 4096 Aug 11 13:47 ..
drwxr-xr-x 2 root root 4096 Aug 11 13:47 .
[root@server2 etc]#
[root@server1 pam.d]# ls -ltra /etc/authselect/custom/customer_password_policy
total 20
lrwxrwxrwx 1 root root 47 Aug 11 13:47 REQUIREMENTS -> /usr/share/authselect/default/sssd/REQUIREMENTS
lrwxrwxrwx 1 root root 41 Aug 11 13:47 README -> /usr/share/authselect/default/sssd/README
drwxr-xr-x. 3 root root 4096 Aug 11 13:47 ..
lrwxrwxrwx 1 root root 46 Aug 11 13:47 system-auth -> /usr/share/authselect/default/sssd/system-auth
lrwxrwxrwx 1 root root 49 Aug 11 13:47 smartcard-auth -> /usr/share/authselect/default/sssd/smartcard-auth
lrwxrwxrwx 1 root root 44 Aug 11 13:47 postlogin -> /usr/share/authselect/default/sssd/postlogin
lrwxrwxrwx 1 root root 48 Aug 11 13:47 password-auth -> /usr/share/authselect/default/sssd/password-auth
-rw-r--r-- 1 root root 393 Aug 11 13:47 nsswitch.conf
lrwxrwxrwx 1 root root 51 Aug 11 13:47 fingerprint-auth -> /usr/share/authselect/default/sssd/fingerprint-auth
-rw-r--r-- 1 root root 279 Aug 11 13:47 dconf-locks
-rw-r--r-- 1 root root 540 Aug 11 13:47 dconf-db
drwxr-xr-x 2 root root 4096 Aug 11 13:47 .
[root@server1 pam.d]#
# Set the new custom profile customer_password_policy as the current profile:
authselect select custom/customer_password_policy
authselect current
[root@server2 etc]# authselect select custom/customer_password_policy
Profile "custom/customer_password_policy" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
[root@server2 etc]# authselect current
Profile ID: custom/customer_password_policy
Enabled features: None
[root@server2 etc]#
[root@server1 pam.d]# authselect select custom/customer_password_policy
Profile "custom/customer_password_policy" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
[root@server1 pam.d]# authselect current
Profile ID: custom/customer_password_policy
Enabled features: None
[root@server1 pam.d]#
# To enable features such as creating the user's home directory at login, and faillock to lock the account after too many failed attempts, use:
authselect enable-feature with-mkhomedir
authselect enable-feature with-faillock
# Faillock enabled with the command below:
authselect enable-feature with-faillock
# pam_faillock can also read its settings from /etc/security/faillock.conf, where limits such as the maximum number of authentication retries are set:
[root@server1 pam.d]# authselect enable-feature with-faillock
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
[root@server1 pam.d]#
# Now that faillock is enabled, check your custom profile files. Once enabled, the faillock feature is configured in the two files located at:
/etc/authselect/custom/customer_password_policy
# Edit the two files below:
system-auth
password-auth
# You will find something like this:
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
# Notice that this line is only active when with-faillock is enabled as a feature in authselect.
# Make the required changes to deny and unlock_time. If you want a user ID locked permanently, use unlock_time=never.
# Example of the lines edited to lock a user ID:
[root@server1 customer_password_policy]# grep lock system-auth
auth required pam_faillock.so preauth silent deny=5 unlock_time=never {include if "with-faillock"}
auth required pam_faillock.so authfail deny=5 unlock_time=never {include if "with-faillock"}
account required pam_faillock.so {include if "with-faillock"}
[root@server1 customer_password_policy]#
# Remember to edit the password-auth the same way.
# Apply changes:
authselect apply-changes
# You can check whether the values were applied by inspecting the files in /etc/pam.d/.
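The two edits above (system-auth and password-auth must carry the same deny/unlock_time values) and the check that follows are easy to get out of sync by hand. The script below is an added example, not from the original post: it rewrites the pam_faillock.so lines in a custom profile directory and verifies both files agree. PROFILE_DIR, set_faillock and check_faillock are names chosen here; the profile path defaults to the one used in the post.

```sh
#!/bin/sh
# Added example, not from the original post: rewrite deny=/unlock_time= on the
# pam_faillock.so lines of a custom authselect profile and verify that
# system-auth and password-auth agree. Run 'authselect apply-changes' afterwards.
PROFILE_DIR="${PROFILE_DIR:-/etc/authselect/custom/customer_password_policy}"

# set_faillock DIR DENY UNLOCK_TIME
# Edits the preauth and authfail pam_faillock.so lines in DIR/system-auth and
# DIR/password-auth. A profile created with --symlink-pam points these files at
# /usr/share/authselect/default/sssd/, so a symlink is replaced by a copy first;
# otherwise the edit would land in the packaged default profile.
set_faillock() {
    dir=$1; deny=$2; unlock=$3
    for f in "$dir/system-auth" "$dir/password-auth"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        if [ -L "$f" ]; then
            target=$(readlink -f "$f") && rm -f "$f" && cp -p "$target" "$f" || return 1
        fi
        sed -i -E "/pam_faillock\.so/{s/deny=[0-9]+/deny=$deny/; s/unlock_time=[^ ]+/unlock_time=$unlock/;}" "$f"
    done
}

# check_faillock DIR DENY UNLOCK_TIME
# Prints 'ok' and returns 0 only when both files carry the expected values on
# their preauth and authfail lines; returns 1 on the first mismatch.
check_faillock() {
    dir=$1; deny=$2; unlock=$3
    for f in "$dir/system-auth" "$dir/password-auth"; do
        for phase in preauth authfail; do
            grep -Eq "pam_faillock\.so[[:space:]]+$phase.*deny=$deny([[:space:]]|$).*unlock_time=$unlock([[:space:]]|$)" "$f" \
                || { echo "$f: $phase line does not have deny=$deny unlock_time=$unlock" >&2; return 1; }
        done
    done
    echo ok
}

# Usage: PROFILE_DIR=/etc/authselect/custom/<name> sh faillock-tune.sh 5 never
if [ $# -eq 2 ]; then
    set_faillock "$PROFILE_DIR" "$1" "$2" && check_faillock "$PROFILE_DIR" "$1" "$2"
fi
```

After authselect apply-changes, running check_faillock against /etc/pam.d with the same values confirms the generated files carry them (the {include if} markers are stripped there, and the check does not depend on them).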
# After enabling home directory creation, start and enable the required service as indicated by the output of the command below:
[root@server1 pam.d]# authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled
- systemctl enable oddjobd.service
- systemctl start oddjobd.service
[root@server1 pam.d]# systemctl enable oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
[root@server1 pam.d]# systemctl start oddjobd.service
[root@server1 pam.d]#
# To enable password history, edit system-auth and password-auth in your custom profile directory.
# After the pam_pwquality.so line, edit the pam_pwhistory.so line as shown; the configuration below keeps a history of the last 7 passwords used:
password requisite pam_pwhistory.so remember=7 use_authtok
# Apply the new configuration with authselect:
# Result:
grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/system-auth
grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/password-auth
[root@server1 pam.d]# grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/system-auth
password requisite pam_pwhistory.so remember=7 use_authtok
[root@server1 pam.d]# grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/password-auth
password requisite pam_pwhistory.so remember=7 use_authtok
[root@server1 pam.d]#
# To change the minimum required password length, edit the file /etc/security/pwquality.conf:
# change the option minlen as required (back up the file first):
cp -p /etc/security/pwquality.conf /etc/security/pwquality.conf.bkp.$(date +%m%d%Y)
vi /etc/security/pwquality.conf
minlen = 15
# There are several other values you can change there if required as well.
More info at the links below:
https://access.redhat.com/solutions/2808101
https://access.redhat.com/solutions/62949
https://access.redhat.com/solutions/4175751