Redhat 8.2 - pam tuning using authselect

Some notes about tuning pam on RedHat 8.2



# Some tuning options went wrong, so I used the command below to restore the default configuration and start again (note that --force overwrites the existing configuration even if it was not created by authselect):

[root@server1 pam.d]# authselect select sssd --force
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.



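# Now I create a backup of the current configuration (it is taken after the reset above, so it holds the default sssd profile, not the earlier broken settings):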

[root@server1 pam.d]# authselect apply-changes -b --backup=sssd.backup
Backup stored at /var/lib/authselect/backups/sssd.backup
Changes were successfully applied.
[root@server1 pam.d]#



# Here is the current profile that I forced with authselect on Red Hat 8.2:

[root@server2 etc]# authselect current
Profile ID: sssd
Enabled features: None
[root@server2 etc]#

[root@server1 pam.d]# authselect current
Profile ID: sssd
Enabled features: None
[root@server1 pam.d]#



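# Create a new custom profile named password-policy; the name can be changed to reflect the customer policy. It is created from the current sssd profile.
# Note: with --symlink-pam the PAM templates (system-auth, password-auth, ...) in the new profile are symlinks to /usr/share/authselect/default/sssd/, so editing them later changes the vendor templates shared with the stock sssd profile. Omit --symlink-pam if you want private copies to edit.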
example:
authselect create-profile password-policy -b sssd --symlink-meta --symlink-pam


# command to run:

authselect create-profile customer_password_policy -b sssd --symlink-meta --symlink-pam



[root@server2 etc]# authselect create-profile customer_password_policy -b sssd --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/customer_password_policy
[root@server2 etc]#

[root@server1 pam.d]# authselect create-profile customer_password_policy -b sssd --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/customer_password_policy
[root@server1 pam.d]#



# Content of the directory policy created:

[root@server2 etc]# ls -ltra /etc/authselect/custom/customer_password_policy
total 20
lrwxrwxrwx  1 root root   46 Aug 11 13:47 system-auth -> /usr/share/authselect/default/sssd/system-auth
lrwxrwxrwx  1 root root   49 Aug 11 13:47 smartcard-auth -> /usr/share/authselect/default/sssd/smartcard-auth
lrwxrwxrwx  1 root root   47 Aug 11 13:47 REQUIREMENTS -> /usr/share/authselect/default/sssd/REQUIREMENTS
lrwxrwxrwx  1 root root   41 Aug 11 13:47 README -> /usr/share/authselect/default/sssd/README
lrwxrwxrwx  1 root root   44 Aug 11 13:47 postlogin -> /usr/share/authselect/default/sssd/postlogin
lrwxrwxrwx  1 root root   48 Aug 11 13:47 password-auth -> /usr/share/authselect/default/sssd/password-auth
-rw-r--r--  1 root root  393 Aug 11 13:47 nsswitch.conf
lrwxrwxrwx  1 root root   51 Aug 11 13:47 fingerprint-auth -> /usr/share/authselect/default/sssd/fingerprint-auth
-rw-r--r--  1 root root  279 Aug 11 13:47 dconf-locks
-rw-r--r--  1 root root  540 Aug 11 13:47 dconf-db
drwxr-xr-x. 3 root root 4096 Aug 11 13:47 ..
drwxr-xr-x  2 root root 4096 Aug 11 13:47 .
[root@server2 etc]#



[root@server1 pam.d]# ls -ltra /etc/authselect/custom/customer_password_policy
total 20
lrwxrwxrwx  1 root root   47 Aug 11 13:47 REQUIREMENTS -> /usr/share/authselect/default/sssd/REQUIREMENTS
lrwxrwxrwx  1 root root   41 Aug 11 13:47 README -> /usr/share/authselect/default/sssd/README
drwxr-xr-x. 3 root root 4096 Aug 11 13:47 ..
lrwxrwxrwx  1 root root   46 Aug 11 13:47 system-auth -> /usr/share/authselect/default/sssd/system-auth
lrwxrwxrwx  1 root root   49 Aug 11 13:47 smartcard-auth -> /usr/share/authselect/default/sssd/smartcard-auth
lrwxrwxrwx  1 root root   44 Aug 11 13:47 postlogin -> /usr/share/authselect/default/sssd/postlogin
lrwxrwxrwx  1 root root   48 Aug 11 13:47 password-auth -> /usr/share/authselect/default/sssd/password-auth
-rw-r--r--  1 root root  393 Aug 11 13:47 nsswitch.conf
lrwxrwxrwx  1 root root   51 Aug 11 13:47 fingerprint-auth -> /usr/share/authselect/default/sssd/fingerprint-auth
-rw-r--r--  1 root root  279 Aug 11 13:47 dconf-locks
-rw-r--r--  1 root root  540 Aug 11 13:47 dconf-db
drwxr-xr-x  2 root root 4096 Aug 11 13:47 .
[root@server1 pam.d]#





# Set the new custom profile, customer_password_policy as the current profile
authselect select custom/customer_password_policy
authselect current




[root@server2 etc]# authselect select custom/customer_password_policy
Profile "custom/customer_password_policy" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.


[root@server2 etc]# authselect current
Profile ID: custom/customer_password_policy
Enabled features: None
[root@server2 etc]#

[root@server1 pam.d]# authselect select custom/customer_password_policy
Profile "custom/customer_password_policy" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[root@server1 pam.d]# authselect current
Profile ID: custom/customer_password_policy
Enabled features: None
[root@server1 pam.d]#




# To enable features such as creating the user's home directory at first login, and faillock to lock an account after too many failed attempts, you can use:


authselect enable-feature with-mkhomedir

authselect enable-feature with-faillock





# Faillock enabled with the command below:

authselect enable-feature with-faillock


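# pam_faillock can also read its settings from the file /etc/security/faillock.conf, which can be edited to set, for example, the maximum number of failed authentication attempts. Options given on the pam_faillock.so line itself override the values in that file.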



[root@server1 pam.d]# authselect enable-feature with-faillock
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[root@server1 pam.d]#


# Now that faillock is enabled, check your custom policy files. Once the feature is enabled, faillock can be configured in the two files located at:
/etc/authselect/custom/customer_password_policy


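# Edit the two files below (in this setup they are symlinks into /usr/share/authselect/default/sssd/, as the ls output above shows, so the edit lands in the vendor template unless the profile was created without --symlink-pam):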

system-auth
password-auth



# You should find a line like this:

auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}


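# Notice that this line is only included if faillock is enabled as a feature in authselect.
# Make the required changes for the desired deny and unlock_time. If you want a user id to stay locked forever, use unlock_time=never.
# With unlock_time=never a locked account stays locked until an administrator resets it (faillock --user <username> --reset), so anyone who can submit failed logins for a user can keep that user locked out; a finite unlock_time avoids this.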

# Example of lines edited for lock user id:

[root@server1 customer_password_policy]# grep lock system-auth
auth        required                                     pam_faillock.so preauth silent deny=5 unlock_time=never {include if "with-faillock"}
auth        required                                     pam_faillock.so authfail deny=5 unlock_time=never       {include if "with-faillock"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
[root@server1 customer_password_policy]#




# Remember to edit the password-auth the same way.


# Apply changes:

authselect apply-changes


# You can check that the values were applied by inspecting the generated files in /etc/pam.d/



# After enabling home directory creation, enable and start the required service as indicated by the output of the command below:

[root@server1 pam.d]# authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

[root@server1 pam.d]# systemctl enable oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
[root@server1 pam.d]# systemctl start oddjobd.service
[root@server1 pam.d]#




# To enable password history, edit system-auth and password-auth in your custom profile directory.
# After the pam_pwquality.so line, add or edit the pam_pwhistory.so line as shown below; this configuration keeps a history of the last 7 used passwords:

password    requisite     pam_pwhistory.so remember=7 use_authtok



# Apply the new configuration with authselect (authselect apply-changes):


# Result:



grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/system-auth
grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/password-auth



[root@server1 pam.d]# grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/system-auth
password    requisite                      pam_pwhistory.so remember=7 use_authtok
[root@server1 pam.d]# grep pam_pwhistory.so /etc/authselect/custom/customer_password_policy/password-auth
password    requisite                      pam_pwhistory.so remember=7 use_authtok
[root@server1 pam.d]#



# To edit the password minimum required size edit the file /etc/security/pwquality.conf:
# change the option minlen as required for you:

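# Keep a dated copy of the original before editing. $(...) replaces the backticks,
# and the stray trailing '%' in the date format (which ended up in the file name) is dropped.
cp -p /etc/security/pwquality.conf "/etc/security/pwquality.conf.bkp.$(date +%m%d%Y)"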
vi /etc/security/pwquality.conf

minlen = 15


# There are several other values that you can change if required as well



More info on the links below:

https://access.redhat.com/solutions/2808101
https://access.redhat.com/solutions/62949
https://access.redhat.com/solutions/4175751
