Exploring Pluggable Authentication Modules
The exercise to perform
Login as root on virtual terminal 1. Change directory to /etc/pam.d. We're going
to change some files, so make copies of them first to ensure you will be able to
restore things back to their original state.
cd /etc/pam.d
cp system-auth system-auth.org
cp login login.org
cp su su.org
cp /etc/securetty /etc/securetty.org
cp /etc/security/time.conf /etc/security/time.conf.org
cd -
In /etc/pam.d/system-auth change retries from 3 to 4. That is, change
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
to
password requisite pam_pwquality.so try_first_pass retry=4 authtok_type=
then become tom
su tom
Have tom try to change his password
passwd
but try very short passwords, repeatedly. The system won't let you choose
passwords that are too short. How many times is tom allowed to continue
proposing too-short passwords? Change "retry=4" back to
"retry=3" and repeat the test.
---
Switch to virtual terminal 2. Try to log in as tom, note success. Then exit.
As root, create file /etc/nologin:
touch /etc/nologin
Try to log in as tom on virtual terminal 2, note failure.
Edit /etc/pam.d/login. Comment out the line "account required pam_nologin.so".
Try to log in as tom on virtual terminal 2, note success despite the presence of /etc/nologin.
Cleanup: uncomment, remove file.
---
As root, su tom; note no password required. Then exit back out.
Edit /etc/pam.d/su. Comment out the line "auth sufficient pam_rootok.so".
Again as root, su tom; note a password is required this time. Give tom's
password and become tom. Then exit back out, to root once again.
Cleanup: uncomment
---
As root, edit /etc/securetty. Comment out the line that reads "tty2".
Switch to virtual terminal 2. Try to log in as root there, note failure.
Edit /etc/pam.d/login. Comment out the line that reads "auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so".
Switch to virtual terminal 2. Try to log in as root there, note success despite
the absence of tty2 from /etc/securetty. Exit out.
Cleanup: uncomment both lines
---
As root, edit /etc/pam.d/login. Add the line:
account required pam_time.so
Edit /etc/security/time.conf. Add:
login ; tty2 | tty4 ; tom | harry ; !Al1800-2200
Switch to virtual terminals tty2 and tty4. At those terminals, try to log in as tom
and as harry. Note failure. Try the same thing on any of the other tty's. Note
success. Try it on tty2 and tty4 as a user other than tom or harry, such as dick.
Note success.
Cleanup: remove the lines you added to both files
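To see exactly what the time.conf line does, here is an added example, not part of this exercise and not pam_time's own code: a small Python evaluator for the rule format. It assumes, as a simplification, that `&`/`|` lists are evaluated left to right with no operator precedence, and it supports the `!` negation, `*` globs and the day codes (Mo..Su, Wk, Wd, Al) from time.conf(5); the fourth field lists when access is permitted, so `!Al1800-2200` permits tom and harry on tty2/tty4 at any time except 18:00 to 22:00.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase
# Day codes from time.conf(5); datetime.weekday() numbers Monday 0 ... Sunday 6.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}
def _name_term(tok, value):
    """Service/tty/user token: optional '!' negation, '*' glob, else exact match."""
    neg = tok.startswith("!")
    return fnmatchcase(value, tok.lstrip("!")) != neg
def _time_term(tok, when):
    """Time token such as '!Al1800-2200'. Listing a day code twice toggles the day
    off again (MoWk = Tuesday to Friday), as time.conf(5) describes."""
    neg = tok.startswith("!")
    tok = tok.lstrip("!")
    days = set()
    while tok[:2] in DAYS:
        days ^= DAYS[tok[:2]]
        tok = tok[2:]
    start, end = (int(x) for x in tok.split("-"))
    hhmm = when.hour * 100 + when.minute
    # A range whose end is before its start (2200-0600) wraps past midnight.
    inside = (start <= hhmm < end) if start <= end else (hhmm >= start or hhmm < end)
    return (when.weekday() in days and inside) != neg
def _logic_list(field, value, term):
    """Evaluate a '&'/'|' list left to right (assumed: no operator precedence)."""
    result, op = None, None
    for tok in re.findall(r"[&|]|[^&|\s]+", field):
        if tok in ("&", "|"):
            op = tok
            continue
        v = term(tok, value)
        result = v if result is None else ((result and v) if op == "&" else (result or v))
    return bool(result)
def pam_time_allows(conf, service, tty, user, when):
    """True unless a rule whose service, tty and user lists match excludes `when`.
    `when` is a datetime or an ISO string such as '2024-01-01T19:00'."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        svc, ttys, users, times = (f.strip() for f in line.split(";"))
        if (_logic_list(svc, service, _name_term) and _logic_list(ttys, tty, _name_term)
                and _logic_list(users, user, _name_term)
                and not _logic_list(times, when, _time_term)):
            return False
    return True
# Constructed input: the rule added to /etc/security/time.conf in the exercise.
RULE = "login ; tty2 | tty4 ; tom | harry ; !Al1800-2200"
```

Evaluating the exercise's rule this way also shows why the same users are unaffected on other ttys and why dick is unaffected everywhere: the service, tty and user lists must all match before the time list is consulted at all.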
---