
LCFG Ubuntu Project

Progress reports on the LCFG Ubuntu Project

PAM configuration

This week I have been mainly focussed on preparing the PAM configuration required for DICE Ubuntu machines. Comprehending all the PAM config is always a bit of a brain-melting process: the syntax is horrid, the options are myriad and the potential for introducing a security hole is high. I’ve taken the chance to modernise parts of the config and rework some of it so that we do things in the “Debian way”. Generally I like the Debian approach to common shared configuration. On Red Hat we’ve always had a single system-auth file which contains the config for all four sections (auth, account, password and session). That doesn’t help with readability; Debian’s approach of a separate file for each section (common-auth, common-account, common-password and common-session) is a little easier to handle.

The way we manage the authorization of access to machines has also been improved so that we have the option of a more flexible approach in the future. This was previously done in the common configuration, which meant that all services were using the same approach. Mostly that has suited our needs, but being able to limit different services (e.g. sshd and local login) to different groups of people could be very useful.

As part of the process I also finally took the chance to actually document how our PAM configuration is meant to work. It’s important to share this information amongst our team so that it’s not just one person who understands it all, and if nothing else it won’t be so hard to remember next time.

Although most of the changes were in our DICE configuration a few bits have been tweaked at the LCFG level:

  • cinnamonscreensaver was dropped from the default list of services; it will be re-added in a separate header.
  • The pam_gnomekeyring module was removed from the commonpass configuration. The relevant package isn’t installed in our base set, which meant this was causing annoying warning messages in syslog.
  • The pam_group module was dropped from the default login configuration. It’s unlikely anyone will need it and there are some security implications with having it enabled.
  • All references to the pam_selinux module were removed from the default configuration. If you want them back you need to define the USE_SELINUX macro to a true value in your profile or site-wide header.
  • The pam_mail module was removed from various configurations. It’s unlikely to be useful in a world where most people get their email via IMAP.
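As an added example (not part of this post or of the LCFG configuration), here is a small Python check that flattens a service's PAM stack through Debian-style @include directives and reports whether any of the modules dropped above still reach a service via some shared file; the /etc/pam.d fragments in SAMPLE_PAMD are constructed for illustration, not the real DICE config.

```python
import re

# Constructed sample of a Debian-style /etc/pam.d tree (not the real LCFG/DICE config).
SAMPLE_PAMD = {
    "common-auth": """
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
""",
    "common-account": """
account required    pam_unix.so
account required    pam_group.so   # dropped from the defaults in the post above
""",
    "sshd": """
@include common-auth
account required    pam_nologin.so
@include common-account
-session optional   pam_mail.so standard noenv
""",
}

# optional '-' (silence missing-module errors), type, control (a word or a
# [bracketed value=action list]), module, then any arguments.
LINE_RE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Modules the post removed from the default configuration.
DROPPED = {"pam_group.so", "pam_selinux.so", "pam_mail.so"}


def effective_stack(files, service, depth=0):
    """Flatten one service's PAM stack (following @include) into (type, control, module, args) tuples."""
    if depth > 8:
        raise ValueError(f"{service}: @include nesting too deep (loop?)")
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            stack.extend(effective_stack(files, line.split()[1], depth + 1))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{service}: unparseable line: {raw!r}")
        _silent, ptype, control, module, args = m.groups()
        stack.append((ptype, control, module, args.split()))
    return stack


def find_dropped_modules(files, service):
    """Modules from DROPPED that still reach the given service through any include."""
    return sorted({mod for _, _, mod, _ in effective_stack(files, service) if mod in DROPPED})
```

Pointing the same functions at a directory of real files (one dict entry per file name) gives a quick way to confirm that a per-service change really is what each service ends up running.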
