
Configuring PAM

Hands-On Lab

 


Stosh Oldham

Course Development Director in Content

Length: 00:30:00

Difficulty: Intermediate

PAM has become an important part of the standard Linux login and account management subsystem. Systems administrators and security engineers alike should know how to configure and enable various PAM modules. In this hands-on lab, we will work with the pam_cracklib and pam_tally2 modules and learn how they can be used to enhance system security.



Connecting to the Lab

  1. Open your terminal application, and run the following command (remember to replace <PUBLIC_IP> with the public IP you were provided on the lab instructions page):
    ssh cloud_user@<PUBLIC_IP>
  2. Type yes at the prompt.
  3. Enter your password at the prompt.

Install pam_cracklib

  1. Escalate permissions to root.
    sudo su -
  2. Install the necessary libraries for pam_cracklib.
    apt-get install libpam-cracklib
  3. Type y at the prompt.

Configure pam_cracklib

  1. Install the vim text editor.
    apt-get install vim
  2. Edit /etc/pam.d/common-password.
    vim /etc/pam.d/common-password
  3. Locate the password settings within the file.
  4. Change the existing pam_cracklib password configuration to the following:
    password   requisite    pam_cracklib.so   retry=3 minlen=10
  5. Press Esc, then type :wq to save our changes and exit the vim text editor.

Enable and Configure pam_tally2

  1. Edit /etc/pam.d/common-auth.
    vim /etc/pam.d/common-auth
  2. Create a new line above the default block.
  3. Add the following text to create a pam_tally2 configuration:
    auth     required       pam_tally2.so deny=2 unlock_time=600
  4. Press Esc, then type :wq to save our changes and exit the vim text editor.
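
To confirm the edits from the two configuration sections above, the script below parses a PAM file and checks that pam_cracklib.so enforces a minlen of at least 10 and that the pam_tally2.so line sets deny and unlock_time and sits above pam_unix.so. It is an added example, not part of the original lab; the function names, the sample stacks and the assumption that pam_unix.so opens the default block are assumptions of this example.

```sh
# Added example, not part of the lab: audit PAM files for this lab's settings.
# pam_line FILE TYPE MODULE: line number of the first active TYPE entry loading MODULE (0 if none).
pam_line() {
  awk -v t="$2" -v m="$3" '
    /^[ \t]*#/ { next }
    $1 == t && index($0, m) { print NR; found = 1; exit }
    END { if (!found) print 0 }' "$1"
}

# pam_opt FILE TYPE MODULE OPTION: value of OPTION=... on that entry (empty if unset).
pam_opt() {
  awk -v t="$2" -v m="$3" -v o="$4" '
    /^[ \t]*#/ { next }
    $1 == t && index($0, m) {
      for (i = 1; i <= NF; i++)
        if (split($i, kv, "=") == 2 && kv[1] == o) { print kv[2]; exit }
      exit
    }' "$1"
}

# check_cracklib FILE [MIN]: succeeds when pam_cracklib.so enforces minlen >= MIN (default 10).
check_cracklib() {
  v=$(pam_opt "$1" password pam_cracklib.so minlen)
  case "$v" in ''|*[!0-9]*) return 1 ;; esac
  [ "$v" -ge "${2:-10}" ]
}

# check_tally2 FILE: succeeds when pam_tally2.so is active, sets deny and unlock_time,
# and sits above pam_unix.so (assumption: pam_unix.so opens the default block).
check_tally2() {
  t=$(pam_line "$1" auth pam_tally2.so)
  u=$(pam_line "$1" auth pam_unix.so)
  [ "$t" -gt 0 ] || return 1
  [ "$u" -eq 0 ] || [ "$t" -lt "$u" ] || return 1
  [ -n "$(pam_opt "$1" auth pam_tally2.so deny)" ] &&
    [ -n "$(pam_opt "$1" auth pam_tally2.so unlock_time)" ]
}

# Constructed sample stacks (not copied from a real system).
sample_dir=$(mktemp -d)
printf '%s\n' '# constructed' 'auth required pam_tally2.so deny=2 unlock_time=600' \
  'auth [success=1 default=ignore] pam_unix.so' > "$sample_dir/auth.good"
printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so' \
  'auth required pam_tally2.so deny=2 unlock_time=600' > "$sample_dir/auth.misordered"
printf '%s\n' 'password requisite pam_cracklib.so retry=3 minlen=10' > "$sample_dir/pw.good"
printf '%s\n' 'password requisite pam_cracklib.so retry=3 minlen=6' > "$sample_dir/pw.short"

check_tally2 "$sample_dir/auth.good" && echo "auth.good: lockout configured"
check_tally2 "$sample_dir/auth.misordered" || echo "auth.misordered: pam_tally2 missing or misplaced"
check_cracklib "$sample_dir/pw.short" || echo "pw.short: minlen below 10"
```

On the lab host, source the functions and run `check_cracklib /etc/pam.d/common-password` and `check_tally2 /etc/pam.d/common-auth`; a non-zero exit status means the corresponding edit is missing or misplaced.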

Conclusion

Congratulations, you've successfully completed this hands-on lab!