Security Handbook/PAM
PAM (Pluggable Authentication Modules) is a suite of shared libraries that lets programs authenticate users through configurable, stackable modules instead of their own hard-coded logic. The pam USE flag is enabled by default in Gentoo.
Although the default PAM settings in Gentoo are reasonable, there is always room for improvement.
First install sys-libs/cracklib to allow password policies to be set:
root # emerge --ask sys-libs/cracklib
/etc/pam.d/passwd
auth     required pam_unix.so shadow nullok
account  required pam_unix.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2
password required pam_unix.so md5 use_authtok
session  required pam_unix.so
This adds pam_cracklib, which ensures that user passwords are at least 8 characters long, contain at least 2 digits and 2 other (non-alphanumeric) characters, and differ from the previous password in at least 3 characters. The PAM cracklib documentation can be reviewed for more available options.
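To make the parameters concrete, here is an added example (not part of the handbook and not pam_cracklib's own code) that models the rules the stack above sets: minlen=8, dcredit=-2, ocredit=-2 and difok=3. A negative credit value means "require at least this many of that class", and difok is modelled here as the edit distance between the old and new password; the dictionary check, the lcredit/ucredit credit arithmetic and the retry handling of the real module are left out, so treat it as an illustration of what the options mean, not as a replacement for the module. The sample passwords are constructed.

```python
import string


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # delete
                           cur[j - 1] + 1,               # insert
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def parse_cracklib_args(args: str) -> dict:
    """Turn 'difok=3 retry=3 minlen=8 dcredit=-2 ...' into a dict.

    Bare words such as use_authtok become True; key=value pairs become ints.
    """
    opts = {}
    for tok in args.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            opts[key] = int(value)
        else:
            opts[tok] = True
    return opts


def check_password(new: str, old: str, opts: dict) -> list:
    """Return the list of policy violations for `new`; empty means accepted.

    Simplified model (assumption): only minlen, dcredit, ocredit and difok
    are evaluated, and 'other' characters are anything that is not a letter
    or a digit, which is how pam_cracklib classes them.
    """
    problems = []
    digits = sum(c.isdigit() for c in new)
    others = sum(not c.isalnum() for c in new)

    minlen = opts.get("minlen", 9)          # pam_cracklib's documented default
    if len(new) < minlen:
        problems.append(f"minlen: {len(new)} < {minlen}")

    # dcredit/ocredit < 0 means "at least -N of this class are mandatory"
    min_digits = -opts.get("dcredit", 1)
    if min_digits > 0 and digits < min_digits:
        problems.append(f"dcredit: {digits} digits < {min_digits}")

    min_others = -opts.get("ocredit", 1)
    if min_others > 0 and others < min_others:
        problems.append(f"ocredit: {others} other characters < {min_others}")

    difok = opts.get("difok", 5)
    if old and levenshtein(old, new) < difok:
        problems.append(f"difok: fewer than {difok} characters changed")
    return problems


if __name__ == "__main__":
    policy = parse_cracklib_args("difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2")
    # Constructed sample passwords, old -> new
    for old, new in [("OldPass!!99", "Tr0ub4d0r&3!"),
                     ("", "Password1"),
                     ("Abcd1!2$", "Abcd1!2#")]:
        print(f"{new!r}: {check_password(new, old, policy) or 'accepted'}")
```

Running the block prints one line per sample: the first password is accepted, the second fails the digit and other-character minimums, and the third is rejected only because it is one character away from the old one.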
/etc/pam.d/sshd
auth     required pam_unix.so nullok
auth     required pam_shells.so
auth     required pam_nologin.so
auth     required pam_env.so
account  required pam_unix.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 use_authtok
password required pam_unix.so shadow md5
session  required pam_unix.so
session  required pam_limits.so
Every service without its own file in /etc/pam.d falls back to the rules in /etc/pam.d/other. The defaults are set to deny, as they should be.
pam_warn.so can also be added to log more detail about each attempt. Because the control flag is required rather than requisite, pam_warn.so still runs after pam_deny.so has already fixed the result, so the attempt is both refused and logged. pam_limits.so, which is controlled by /etc/security/limits.conf, can be used to enforce resource limits. See the /etc/security/limits.conf section for more on these settings.
/etc/pam.d/other
auth     required pam_deny.so
auth     required pam_warn.so
account  required pam_deny.so
account  required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session  required pam_deny.so
session  required pam_warn.so
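The following added example (not from the handbook, and not libpam's own code) parses the "type control module args" lines used in /etc/pam.d files and simulates the classic control keywords required, requisite, sufficient and optional. It is used to audit a copy of the /etc/pam.d/other above for two properties: every management group ends in denial, and pam_warn.so is still executed after pam_deny.so, which only holds because required keeps walking the stack after a failure. Module outcomes are assumed for the simulation (pam_deny.so fails, pam_warn.so and pam_unix.so succeed); the real modules consult the system. The configuration text is a constructed copy of the file shown above.

```python
from collections import defaultdict

# Constructed copy of the handbook's /etc/pam.d/other (sample input)
OTHER_CONF = """\
auth     required pam_deny.so
auth     required pam_warn.so
account  required pam_deny.so
account  required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session  required pam_deny.so
session  required pam_warn.so
"""

TYPES = ("auth", "account", "password", "session")

# Assumed outcomes for the simulation; real modules decide at run time.
MODULE_RESULTS = {"pam_deny.so": False, "pam_warn.so": True, "pam_unix.so": True}


def parse_pam(text):
    """Return {type: [(control, module, [args...]), ...]}, ignoring comments.

    A leading '-' on the type (the "silently skip if missing" marker) is
    stripped so the entry still lands in the right group.
    """
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = parts
        mtype = mtype.lstrip("-")
        if mtype not in TYPES:
            raise ValueError(f"unknown management group in: {raw!r}")
        stacks[mtype].append((control, module, args))
    return dict(stacks)


def run_stack(entries, results):
    """Simulate one management group with the classic control keywords.

    Returns (overall_success, [modules that were actually executed]).
    required  : failure is remembered, but the stack keeps running
    requisite : failure stops the stack immediately
    sufficient: success with no earlier required failure ends the stack with success
    optional  : result ignored here (it only matters when it is the sole module)
    """
    executed, failed = [], False
    for control, module, _args in entries:
        executed.append(module)
        ok = results[module]
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False, executed
        elif control == "sufficient":
            if ok and not failed:
                return True, executed
        elif control != "optional":
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed, executed


def audit_other(text):
    """For each group: does it deny, and does pam_warn.so get to log?

    A group that is missing from the file is reported as not denying, which is
    exactly what an audit of a deny-by-default file should flag.
    """
    stacks = parse_pam(text)
    report = {}
    for mtype in TYPES:
        ok, executed = run_stack(stacks.get(mtype, []), MODULE_RESULTS)
        report[mtype] = {"denies": not ok, "logs": "pam_warn.so" in executed}
    return report


if __name__ == "__main__":
    for mtype, r in audit_other(OTHER_CONF).items():
        print(f"{mtype:9} denies={r['denies']} logs={r['logs']}")
    # Same file with requisite on pam_deny.so: still denies, but the log line is skipped
    requisite = OTHER_CONF.replace("required pam_deny.so", "requisite pam_deny.so")
    print("with requisite:", audit_other(requisite)["auth"])
```

Running it shows denies=True and logs=True for all four groups with the handbook's file, while the requisite variant reports logs=False, which is why the file uses required for pam_deny.so.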
See also
- PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.