Difficulties tweaking PAM
Posted: 2019/08/11 23:22:18
So it turns out PAM was WAY harder than I thought it would be once I started to dig into it. I’m trying to make some policy changes on a CentOS 7.6 min install server and I have a few questions I can’t seem to find answers for in the documentation or in the googlesphere.
1) I get that I can’t modify /etc/pam.d/system-auth and /etc/pam.d/password-auth directly or they will be overwritten by authconfig the next time it’s run, but I can’t find a similar warning for /etc/security/pwquality.conf. Does that mean I’m OK to directly modify that file without fear of it being over-written? I can’t find anything to the contrary, but I don’t want to risk implementing a password policy and thinking it’s working when it’s not. If I can’t modify it directly, what is the proper way to modify those parameters? The options I want are also in authconfig. Should I use authconfig instead?
2) Speaking of authconfig, I see in /etc/sysconfig/authconfig that there’s a FAILLOCKARGS="deny=4 unlock_time=1200" parameter I would like to modify but I can’t see any reference to pam_faillock.so in any of the pam.d files, so I was wondering how that was being enforced. Now I’m questioning whether or not it is as I logged out and entered my username with a bad password 4 times in a row and then was able to log in the 5th time with the system telling me there had just been 4 bad logins. Does anyone have any insight into how that parameter and the system interact? If some of the parameters in /etc/sysconfig/authconfig are just not effective, is there a list of which are and which aren’t? None of the lines appear to be commented, so I don’t think it’s that. My fundamental desire here is to set a failed login policy, myself. I was wondering if it was just a sudo authconfig --faillockargs="deny=x unlock_time=y" --update or can I modify /etc/sysconfig/authconfig directly since there’s no warning in that file not to do so and then reboot. However, I don’t want to mess with this until I have a better idea what’s going on because I worry I’ve found a bug and if I start messing with this, I’ll have to reinstall to demonstrate it as I’m presently working directly on hardware.
3) How can I enable password reuse restrictions? If I can’t add the remember argument to either pam_unix.so or pam_pwhistory.so module calls directly in system-auth or password-auth and there’s no option for it in authconfig, what does that leave me with?
If I can’t use the available tools to do what I need, I’m tempted to make the needed modifications in the files directly and hobble authconfig to keep it from overwriting my changes on reboot / package update / application installer call or whatever, but that seems like a SUPER inelegant solution. Has anyone run into this and / or figured out a solution that worked for them and was sustainable?
Thanks,
Scott
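An audit script for the questions in the post (an added example, not code from the post, CentOS or authconfig; the pam.d content it reads is a constructed sample in the layout authconfig writes when faillock is enabled): it tokenises a system-auth style stack, reports a lockout policy only when pam_faillock.so is actually present as preauth, authfail and account entries, and reads the password-reuse depth from pam_pwhistory.so or pam_unix.so. Point `parse_pam` at the real file contents to check a live box.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample in the layout authconfig writes when faillock is enabled.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=4 unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=4 unlock_time=1200
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""
Entry = Tuple[str, str, str, Dict[str, str]]  # (type, control, module, args)

def parse_pam(text: str) -> List[Entry]:
    """Tokenise a pam.d stack; bracketed controls like [default=die] contain spaces."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:  # flag-only tokens such as "silent" map to an empty value
            args = dict(tok.partition("=")[::2] for tok in m.group(4).split())
            entries.append((m.group(1), m.group(2), m.group(3), args))
    return entries

def faillock_policy(entries: List[Entry]) -> Optional[Dict[str, int]]:
    """Lockout policy only if pam_faillock is wired in (preauth + authfail + account);
    FAILLOCKARGS in /etc/sysconfig/authconfig enforces nothing unless these lines exist."""
    modes = {k: a for t, _, mod, a in entries if t == "auth" and mod == "pam_faillock.so"
             for k in ("preauth", "authfail") if k in a}
    account = any(t == "account" and mod == "pam_faillock.so" for t, _, mod, _ in entries)
    if not ({"preauth", "authfail"} <= set(modes) and account):
        return None
    a = modes["authfail"]  # man pam_faillock: defaults are deny=3, unlock_time=600
    return {"deny": int(a.get("deny", 3)), "unlock_time": int(a.get("unlock_time", 600))}

def pwhistory_remember(entries: List[Entry]) -> Optional[int]:
    """Reuse depth: remember= on pam_pwhistory.so, falling back to pam_unix.so."""
    for want in ("pam_pwhistory.so", "pam_unix.so"):
        for t, _, mod, a in entries:
            if t == "password" and mod == want and "remember" in a:
                return int(a["remember"])
    return None
```

Stripping the faillock lines from the sample (the state the poster describes, where only FAILLOCKARGS is set) makes `faillock_policy` return `None`, which is the condition to look for before trusting a lockout setting.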