PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).
Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:
what backend is used for authentication.
what backend is used for sessions.
how password checks behave.
PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if he authenticates correctly in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure if one module fails.
If we recall, Debian supports DES passwords, which are smaller than MD5 (see UNIX02/User Accounts And Groups). The first thing I like to do, is to add MD5 support to PAM applications, since this helps protect against dictionary cracks (passwords can be longer if using MD5). The following two lines should be added to all files in /etc/pam.d/ that grant access to the machine, like login and ssh.
# Be sure to install libpam-cracklib first or you will not be able to log in
password required pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_unix.so use_authtok nullok md5
So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum length of 12 characters and a difference of at least 3 characters from the old password, and allows 3 retries. The second line introduces the standard authentication module with MD5 passwords and allows a zero length password. The use_authtok directive is necessary to hand over the password from the previous module. The libpam-cracklib package depends on a wordlist (such as wenglish, wspanish, wbritish...); make sure that you install the one appropriate to your language (otherwise it might not be useful at all).
To make sure that the user root can only log into the system from local terminals, the following line should be enabled in /etc/pam.d/login:
auth requisite pam_securetty.so
Then you should add the terminals from which the user root can log into the system, in /etc/security/access.conf. Last but not least, the following line should be enabled if you want to set up user limits.
session required pam_limits.so
This restricts the system resources that users are allowed to use. For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide), the number of processes, the memory size...
Now edit /etc/pam.d/passwd and change the first line. You should add the option "md5" to use MD5 passwords, change the minimum password length from 4 to 6 (or more) and set a maximum length, if you desire. The resulting line will look something like:
If you want to protect su, so that only some people can use it to become root on your system, you need to add a new group "wheel" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to su to the root user to this group. Then add the following line to /etc/pam.d/su:
auth requisite pam_wheel.so group=wheel debug
This makes sure that only people in the group "wheel" can use su to become root. Other users will not be able to become root; in fact, they will get a denied message if they try.
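To check that a /etc/pam.d/ stack actually carries the lines discussed above (pam_securetty in login, pam_wheel with group=wheel in su, and a pam_cracklib check followed by pam_unix with use_authtok and md5 in the password stack), here is a small audit script. It is an added example, not part of the Debian manual; the sample stacks embedded in it are constructed, and the function and variable names are my own.

```python
import re

# PAM line: type, control (plain word or [bracketed list]), module, arguments.
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return [(type, control, module, {arg: value})] for one service file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("@include"):  # @include lines are not followed here
            continue
        if m := _LINE.match(line):
            typ, control, module, rest = m.groups()
            args = dict(a.partition("=")[::2] for a in rest.split())  # "md5" -> ("md5", "")
            entries.append((typ, control, module, args))
    return entries

def audit(service, text):
    """Compare one service stack with the hardening lines above; return findings."""
    entries = parse_pam(text)
    def rows(typ, mod):
        return [(c, a) for t, c, m, a in entries if t == typ and m == mod]
    findings = []
    if service == "login" and not rows("auth", "pam_securetty.so"):
        findings.append("login: no pam_securetty.so, root may log in from any terminal")
    if service == "su" and not any(c == "requisite" and a.get("group") == "wheel"
                                   for c, a in rows("auth", "pam_wheel.so")):
        findings.append("su: no 'auth requisite pam_wheel.so group=wheel' line")
    unix, crack = rows("password", "pam_unix.so"), rows("password", "pam_cracklib.so")
    if unix and not crack:
        findings.append(f"{service}: no pam_cracklib.so strength check in password stack")
    if crack and int(crack[0][1].get("minlen") or 0) < 12:  # no minlen counts as too short
        findings.append(f"{service}: pam_cracklib.so minlen below 12")
    for _, a in unix:
        if "md5" not in a:
            findings.append(f"{service}: pam_unix.so password line lacks md5 (DES hashes)")
        if crack and "use_authtok" not in a:
            findings.append(f"{service}: pam_unix.so lacks use_authtok, checked password not handed over")
    return findings

# Constructed sample stacks (not real files): a default-style pair and the hardened pair.
WEAK_LOGIN = "auth required pam_unix.so nullok\npassword required pam_unix.so nullok\n"
HARDENED_LOGIN = """auth requisite pam_securetty.so
# Be sure to install libpam-cracklib first or you will not be able to log in
password required pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_unix.so use_authtok nullok md5
"""
WEAK_SU, HARDENED_SU = "auth required pam_unix.so\n", "auth requisite pam_wheel.so group=wheel debug\n"
```

Run audit("login", open("/etc/pam.d/login").read()) and the same for "su" to check a live system; an empty list means the stack matches the policy described above.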
If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to login (or not) are stored. Imagine you only want to allow user 'ref' to log in via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh: