Yocto Project - User contributions [en]

PAM Integration

2011-07-28T02:27:01Z

Wfan: /* at */

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Common configure files ==
For convenience, list common configure files here:

common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

== Recipes with PAM support ==
The following recipes are identified to have PAM support:

=== at ===
* Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test # Verify if the message has been there

* /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

* test pam plugins
** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

=== cronie ===
* /etc/pam.d/crond:
account required pam_access.so
account include common-password
session required pam_loginuid.so
session include common-session-noninteractive
auth include common-auth

* test commands:
crontab -e # establish a crontab jobs and check if it works
crontab -l # list crontab jobs for current user

* test pam plugins
Verified, test ways and the logs/results please refer to other packages:
** pam_env.so
** pam_access.so
** pam_unix.so
** pam_permit.so
** pam_deny.so

** pam_loginuid.so
TBD

=== cups ===
* /etc/pam.d/cups
auth required pam_unix.so shadow nodelay
account required pam_unix.so

* Modify /etc/cups/cupsd.conf:
...
- Listen localhost:631
+ Port 631
...
# Restrict access to the server...
<Location />
Order allow,deny
+ allow all
</Location>
...
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
+ allow all
</Location>
...

* Test pam plugins
** pam_unix.so
Add debug option to '/etc/pam/cups':
auth required pam_unix.so shadow nodelay debug
account required pam_unix.so debug

Access the cups configure page via web browser:
http://<qemu.ip>:631
Click 'Administration' -> 'Add Printer', start the pop-window for user authentication, input correct user and password:
user: root
pwd: <correct password>

Entry the 'Add Printer' configure page successed.

Input error password:
user: root
pwd: <error password>

Check log in '/var/log/cups/error_log':
E [14/Jul/2011:02:41:26 +0800] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

Modify '/etc/shadow':
-root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7:::
+root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7::1:

Repeat the user authentication steps, check log in '/var/log/cups/error_log':
E [14/Jul/2011:03:05:00 +0800] cupsdAuthorize: pam_acct_mgmt() returned 13 (User account has expired)!

=== dropbear ===
* For supporting pam in dropbear, we need two steps:
* Add configuration "--enable-pam"
* Add patches to open macro definition for supporting in option.h
--- a/ptions.h 2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new 2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
/* Wether to ake public key options in authorized_keys file into account */

* Test result(dropbear only support simple authentication, account and auth)
** '''Server(account)'''
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
#%PAM-1.0
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

** '''Client'''
$ssh username@server-ip
(Disallow access)

** '''log information'''
Jul 14 07:01:48 qemux86 dropbear[407]: pam_access(sshd:account): access denied for user `root' from `ssh'
Jul 14 07:01:48 qemux86 dropbear[407]: pam_acct_mgmt() failed, rc=6, Permission denied
Jul 14 07:01:48 qemux86 dropbear[407]: bad PAM password attempt for 'root' from 192.168.7.1:33633

** '''Server(auth)'''
$vi /etc/pam.d/sshd
auth include common-auth
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so debug
$ passwd -d username <blank password>

** '''Client'''
$ssh username@server-ip
(Disallow access)

** '''log information'''
Jul 14 07:06:42 qemux86 dropbear[421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=yxf
Jul 14 07:06:44 qemux86 dropbear[421]: pam_authenticate() failed, rc=7, Authentication failure
Jul 14 07:06:44 qemux86 dropbear[421]: bad PAM password attempt for 'yxf' from 192.168.7.1:379

=== openssh ===
* Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
* Test Result
** '''Configuration of sshd'''
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
** '''auth include common-auth --Server'''
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
PermitEmptyPasswords yes

Other is as same as sudo
** '''log information'''
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)

** '''account required pam_nologin.so --Server'''
$touch /etc/nologin

** '''Client'''
$ssh username@server-ip
(Disallow accession)
** '''log information --Server'''
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia

** '''account include common-account --Server'''
$vi /etc/ssh/sshd_config
PermitEmptyPasswords no
$vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so
** '''Client'''
$ssh username@server-ip
(Disallow accession)
** '''log information'''
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2

** '''password include common-password'''
$vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512

It's no use for sshd, So no test result for this item

** '''session optional pam_keyinit.so force revoke --Server'''
No action
** '''Client'''
$ssh username@server-ip
** '''log information'''
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
** '''Client'''( the same session as the above "client" )
$exit
** '''log information'''
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]

** '''session include common-session --Server'''
$vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so
** '''Client'''
$ssh username@server-ip
(Disallow accession)
** '''log information'''
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
** ''' session required pam_loginuid.so --Server'''(Record user´s login uid to the process attribute)
No action
** '''Client'''
$ssh username@server-ip
** '''log information'''
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local]
Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)

=== polkit ===
Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test.
Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

* '''Pam configuration file of polkit '''
%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
* '''Test Reult'''
** '''Normally pkexec can call pam modules from the above configuration file'''
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: <---Input root password and press key "Enter"

Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec cat /var/log/auth.log],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
** '''auth include common-auth'''
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so nullok_secure

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

log information in /var/log/auth.log
Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
** '''account include common-account'''
$ vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

log information in /var/log/auth.log
Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]

** '''password include common-password'''
It is no use for polkit. So I don't test it
** '''session include common-session'''
$ vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied

log information in /var/log/auth.log
Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

=== screen ===
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

=== shadow ===
==== chage ====
/etc/pam.d/chage: need patch to replace system-auth to common-auth
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-auth
* test pam_rootok.so
add the only option for pam_rootok.so
auth sufficient pam_rootok.so debug

run command chage as root:
root@qemux86:/etc/pam.d# chage -m 10 test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test

* test pam_unix.so
the content of common-auth are shown at section "Common configure files"

comment the pam_rootok.so line, because it will make pam return success:
#auth sufficient pam_rootok.so

and modify the pam_unix.so line in common-auth:
auth [success=1 default=ignore] pam_unix.so debug

run commands:
root@qemux86:/etc/pam.d# passwd -d root
root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
Password:
chfn: PAM authentication failed

log in /var/log/message:
Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

==== chfn ====
/etc/pam.d/chfn
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
add option debug to pam_rootok.so
auth sufficient pam_rootok.so debug

* pam_rootok.so
run command chfn as root:
root@qemux86:/etc/pam.d# chfn -f testyayay test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information

* pam_unix.so
please refer to chage test steps.

==== chgpasswd ====
/etc/pam.d/chgpasswd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

test pam_rootok.so and pam_unix.so(common-auth) refer to test steps in chage

==== chpasswd ====
/etc/pam.d/chpasswd
password include common-password
common-password are listed before, we change the pam_unix.so option:
password [success=1 default=ignore] pam_unix.so audit

commands to test:
root@qemux86:/etc/pam.d# chpasswd
test:
Press Ctrl+d, the follow are terminal output:
No password supplied
No password supplied
No password supplied
chpasswd: (user test) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

syslog info:
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable

==== chsh ====
/etc/pam.d/chsh
auth required pam_shells.so
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
* pam_shells.so
pam_shells only allows access to the system if the users shell is listed in /etc/shells.It also checks if /etc/shells is a plain file and not world writable.

check /etc/shells first:
qemux86:~$ ls -l /etc/shells
-rw-r--r-- 1 root root 109 Jul 12 06:05 /etc/shells
qemux86:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/ash
/bin/bash
/bin/dash
/bin/ksh
/usr/bin/ksh
/usr/bin/screen
qemux86:~$

login as a unprivileged user, the correct process is:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
qemux86:~$

syslog info:
Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'

now remove /bin/ash from /etc/shells, then run the same command:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
chsh: /bin/ash is an invalid shell.
qemux86:~$

if you make /etc/shells is writable to all people, chsh will fail with syslog info:
Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file

* pam_rootok.so
modify pam_rootok.so item:
auth required pam_rootok.so debug

then unprivileged users can't change their shell.
qemux86:~$ chsh -s /bin/ash
Password:
chsh: PAM authentication failed
qemux86:~$

syslog info:
Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed

* pam_unix.so
**pam_unix in common-auth: please refer to sudo tests
**pam_unix in common-account and common-password don't have test point.

==== groupadd ====
/etc/pam.d/groupadd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

*pam_unix.so in common-password doesn't has test point

==== groupdel ====
/etc/pam.d/groupdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

==== groupmems ====
/etc/pam.d/groupmems
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

*pam_rootok:
refer to chage tests

*pam_unix in common-password doesn't has test point

==== groupmod ====
/etc/pam.d/groupmod
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-password

* pam_rootok
refer to chage tests

* pam_unix in common-password
no test point

==== login ====
/etc/pam.d/login
auth optional pam_faildelay.so delay=3000000
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

account include common-account
password include common-password
session include common-session

* pam_faildelay
this plugin an be used to set the delay on failure per-application. We increase "delay" to make it more obviously
auth optional pam_faildelay.so delay=10000000

run login as root:
root@qemux86:~# login
qemux86 login: ''root''
Password: ''<-- enter a wrong password here, then will wait for 10 seconds to show next "login:"''

Login incorrect
qemux86 login:

syslog info:
Jul 17 07:22:17 qemux86 authpriv.notice login[2223]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/2 ruser= rhost= user=root
Jul 17 07:22:26 qemux86 authpriv.notice login[2223]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'root', Authentication failure

* pam_securetty
pam_securetty allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty.

test steps:
# ssh to yocto linux
$ ssh root@192.168.7.2
root@qemux86:~# tty
/dev/pts/1
root@qemux86:~# login
qemux86 login: root
<-- don't ask for password, failed directly
Login incorrect
qemux86 login:

syslog info
Jul 17 07:52:32 qemux86 authpriv.warn login[2341]: pam_securetty(login:auth): access denied: tty 'pts/1' is not secure !
Jul 17 07:52:35 qemux86 authpriv.notice login[2341]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'root', Authentication failure

Then add "pts/1" to file /etc/securetty, run commonds:
root@qemux86:~# login
qemux86 login: ''root''
Password:
Last login: Sun Jul 17 07:52:21 UTC 2011 from k-desktop.local on pts/1
root@qemux86:~#

syslog info
Jul 17 07:56:00 qemux86 authpriv.notice login[2348]: ROOT LOGIN on '/dev/pts/1'

* pam_nologin
pam_nologin prevents non-root users from logging into the system when /etc/nologin exists.

test steps
root@qemux86:~# ls /etc/nologin
ls: /etc/nologin: No such file or directory
root@qemux86:~# login
qemux86 login: test
Last login: Sun Jul 17 07:19:24 UTC 2011 on pts/2
qemux86:~$ logout
root@qemux86:~# touch /etc/nologin
root@qemux86:~# login
qemux86 login: test

Login incorrect
qemux86 login:

syslog info
Jul 17 08:08:07 qemux86 authpriv.info login[2366]: pam_unix(login:session): session opened for user test by root(uid=0)
Jul 17 08:08:08 qemux86 authpriv.info login[2366]: pam_unix(login:session): session closed for user test
Jul 17 08:08:51 qemux86 authpriv.notice login[2371]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'test', Authentication failure

* pam_env
refer to su tests

* pam_unix in common-auth
refer to chage tests

* pam_group
pam_group grants group memberships to the user. Its configure file is /etc/security/group.conf.

First get your current tty by run
root@qemux86:/etc/pam.d# tty
/dev/pts/2
root@qemux86:/etc/pam.d#

then add a item to /etc/security/group.conf
login; pts/* ;%root;Al0000-2400;'''plugdev,test
'''
after that run commands
root@qemux86:/etc/pam.d# id
uid=0(root) gid=0(root) groups=0(root)
root@qemux86:/etc/pam.d# login
qemux86 login: root

Password:
Last login: Mon Jul 18 00:20:47 UTC 2011 on pts/2
root@qemux86:~# id
uid=0(root) gid=0(root) groups=0(root),'''46(plugdev),1001(test)'''
root@qemux86:~#

* pam_limits
pam_limits sets limits on the system resources that can be obtained in a user-session.

Its default configure file is /etc/security/limits.conf, modify it with
test - maxlogins 1

Login unprivileged user "test"
root@qemux86:/etc/pam.d# login
qemux86 login: '''test'''
Last login: Sun Jul 17 08:08:07 UTC 2011 on pts/1
qemux86:~$
And login in another terminal
root@qemux86:~# login
qemux86 login: test
Too many logins for 'test'.
Last login: Mon Jul 18 01:21:54 UTC 2011 on pts/2

Permission denied

syslog info:
Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): reading settings from '/etc/security/limits.conf'
Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): process_limit: processing - maxlogins 1 for USER
Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): checking logins for 'test' (maximum of 1)
Jul 18 01:39:55 qemux86 authpriv.warn login[2668]: pam_limits(login:session): Too many logins (max 1) for test
Jul 18 01:39:55 qemux86 authpriv.info login[2668]: pam_unix(login:session): session opened for user test by root(uid=0)
Jul 18 01:39:55 qemux86 authpriv.err login[2668]: Permission denied

* pam_lastlog
pam_lastlog is to display date of last login.
add options to pam_lastlog
session optional pam_lastlog.so debug nodate

run commands and you can check that no last login date information shows
root@qemux86:~# login
qemux86 login: test
Last login: on pts/2
qemux86:~$

* pam_motd
pam_motd can be used to display arbitrary motd (message of the day) files after a successful login. By default the /etc/motd file is shown.

test steps:
root@qemux86:~# cat /etc/motd
root@qemux86:~# echo "Welcome to Yocto" > /etc/motd
root@qemux86:~# login
qemux86 login: root
Password:
Last login: on pts/1
'''Welcome to Yocto'''
root@qemux86:~#

* pam_mail
refer to su tests

==== newusers ====
/etc/pam.d/newusers
password include common-password

*pam_unix
modify the pam_unix item in common-password
password [success=1 default=ignore] pam_unix.so debug

run command:
root@qemux86:~# newusers
a::::::
No password supplied
No password supplied
No password supplied
newusers: (user a) pam_chauthtok() failed, error:
Authentication token manipulation error
newusers: (line 1, user a) password not changed

syslog info:
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable

==== passwd ====
/etc/pam.d/passwd
password include common-password

* pam_unix in common-password
modify the item to make password length not less than 4 characters:
password [success=1 default=ignore] pam_unix.so minlen=4 debug

run test commands:
qemux86:~$ passwd
Changing password for test.
(current) UNIX password: <-- input 123 here
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password
Enter new UNIX password: <-- input 1234 here
Retype new UNIX password:
passwd: password updated successfully
qemux86:~$

syslog doesn't has detail informatiaon
Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test

==== su ====
/etc/pam.d/su
auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
auth include common-auth
account include common-account
session include common-session

* pam_rootok
refer to chage tests

* pam_env
option readenv=1 means read configure file pointed by variable envfile, default is /etc/environment

We will add a variable named YOCTO to /etc/environment.
First we will check there is no var YOCTO after su
root@qemux86:~# su test
test@qemux86:/home/root$ echo $YOCTO

test@qemux86:/home/root$

after add YOCTO=yoctolinux to /etc/environment, then test again
root@qemux86:~# su test
test@qemux86:/home/root$ echo $YOCTO
yoctolinux
test@qemux86:/home/root$

* pam_mail
The mailx in Yocto can NOT run correctly, so didn't test it.
Test steps should be as follows.
First remove option nopen which prevents show user mails
#session optional pam_mail.so nopen
session optional pam_mail.so

Then mail a user, such as root(run test on Fedora 14)
[packager@F14 ~]$ mail root
Subject: ''test''
''test''
EOT
[packager@F14 ~]$ export LANG=C
[packager@F14 ~]$ su -
Password:
'''You have old mail in folder /var/mail/root.'''
[root@F14 ~]#

* pam_unix in common-auth
refer to chage tests

* pam_unix in common-account/common-session has no test point

==== useradd ====
/etc/pam.d/useradd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password:
no test point

==== userdel ====
/etc/pam.d/userdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password:
no test point

==== usermod ====
/etc/pam.d/usermod(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password
no test point

=== sudo ===
*/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth has been show above.

*test pam plugins
**pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

**pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code. Right now we spit it as a sub-package libpam-xtests.

All test cases are:
tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
tst-pam_dispatch4 tst-pam_dispatch5 \
tst-pam_cracklib1 tst-pam_cracklib2 \
tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 \
tst-pam_access1 tst-pam_access2 tst-pam_access3 \
tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
tst-pam_pwhistory1 tst-pam_time1

On build machine after install package libpam-xtests, go to the xtexts directory and run tests
cd /usr/share/Linux-PAM/xtests
./run-xtests.sh `pwd` ALL_TESTS # replace All_TESTS with the tests listed above

If you want to run sigle test case, just run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Two unit tests may NOT passed, they need some prerequisite:
* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib first, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
cp /usr/share/cracklib/cracklib-small /tmp
gzip /tmp/cracklib-small
create-cracklib-dict /tmp/cracklib-small.gz

== Notes ==
=== image to run tests ===
We test the packages both on core-image-sato and core-image-lsb
* on sato, edit the /etc/syslog.conf, set
DESTINATION="file"
then you can check the log via /var/log/message
* on lsb, the log information are send to /var/log/auth.log

=== Packages dropped ===
At the beginning we got a list of packages that use pam. After more work, some of them are dropped.
* consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam. Drop it.
* gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm. So drop it.
* util-linux: 3 programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them. Drop it.
* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.
* xserver: based on following 2 reason drop it.
** the code use pam is old. Add xserver to original list to be pam-enabled by "bzgrep" tar balls. But in xserver the code to use pam only in os/utils.c function CheckUserAuthorization. No configure mechanism is provided to define macro USE_PAM to make the pam codes enabled. According to the comments, pam authentication only done for setuid servers (uid != euid). Our Xorg is not a setuid server, so we don't need it .
** Xorg in Fedora doesn't support pam. Once I check the xorg-x11-server.spec, and it installs a pam related configure file, so I thought it is pam enabled. But I check the executable file /usr/bin/Xorg , that /usr/bin/Xorg even doesn't link to libpam or libpam_misc. The config file "xserver" is also from Fedora 15, because it is not supported by Fedora itself we don't have any reason to support the configure file in oe.

=== Common configure files ===
When import pam related configure file for each package from Fedora, it may contains "include system-auth". System-auth is the Fedora common configure file and it is autogenerated by command authconfig. It contain all 4 types(auth, account, session, password) rules. But in Yocto these common rules are seperated according pam type, and they are common-auth, common-account, common-session and common-password.

So if configure files from Fedora contains system-auth, we use the seperated common configure files instead.

PAM Integration

2011-07-14T07:26:47Z

Wfan: /* cronie */

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Common configure files ==
For convenience, list common configure files here:

common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

== Recipes with PAM support ==
The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

=== at ===
* Open issue:
** It can't be ran by a non-root user, error message is:
Can't signal atd (permission denied)

* Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test # Verify if the message has been there

* /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

* test pam plugins
** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

=== consolekit ===
Consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam.
Drop it.

=== cronie ===
* /etc/pam.d/crond:
account required pam_access.so
account include common-password
session required pam_loginuid.so
session include common-session-noninteractive
auth include common-auth

* test commands:
crontab -e # establish a crontab jobs and check if it works
crontab -l # list crontab jobs for current user

* test pam plugins
Verified, test ways and the logs/results please refer to other packages:
** pam_env.so
** pam_access.so
** pam_unix.so
** pam_permit.so
** pam_deny.so

** pam_loginuid.so
TBD

=== cups ===
* /etc/pam.d/cups
auth required pam_unix.so shadow nodelay
account required pam_unix.so

* Modify /etc/cups/cupsd.conf:
...
- Listen localhost:631
+ Port 631
...
# Restrict access to the server...
<Location />
Order allow,deny
+ allow all
</Location>
...
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
+ allow all
</Location>
...

* Test pam plugins
** pam_unix.so
Add debug option to '/etc/pam/cups':
auth required pam_unix.so shadow nodelay debug
account required pam_unix.so debug

Access the cups configure page via web browser:
http://<qemu.ip>:631
Click 'Administration' -> 'Add Printer', start the pop-window for user authentication, input correct user and password:
user: root
pwd: <correct password>

Entry the 'Add Printer' configure page successed.

Input error password:
user: root
pwd: <error password>

Check log in '/var/log/cups/error_log':
E [14/Jul/2011:02:41:26 +0800] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

Modify '/etc/shadow':
-root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7:::
+root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7::1:

Repeat the user authentication steps, check log in '/var/log/cups/error_log':
E [14/Jul/2011:03:05:00 +0800] cupsdAuthorize: pam_acct_mgmt() returned 13 (User account has expired)!

=== dropbear ===
** For supporting pam in dropbear, we need two steps:
** Add configuration "--enable-pam"
** Add patches to open macro definition for supporting in option.h
--- a/ptions.h 2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new 2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
/* Wether to ake public key options in authorized_keys file into account */

** Test result(dropbeat only support simple authentication, account and auth)
*** '''Server(account)'''
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
#%PAM-1.0
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''log information'''
Jul 14 07:01:48 qemux86 dropbear[407]: pam_access(sshd:account): access denied for user `root' from `ssh'
Jul 14 07:01:48 qemux86 dropbear[407]: pam_acct_mgmt() failed, rc=6, Permission denied
Jul 14 07:01:48 qemux86 dropbear[407]: bad PAM password attempt for 'root' from 192.168.7.1:33633

*** '''Server(auth)'''
$vi /etc/pam.d/sshd
auth include common-auth
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so debug
$ passwd -d username <blank password>

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''log information'''
Jul 14 07:06:42 qemux86 dropbear[421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=yxf
Jul 14 07:06:44 qemux86 dropbear[421]: pam_authenticate() failed, rc=7, Authentication failure
Jul 14 07:06:44 qemux86 dropbear[421]: bad PAM password attempt for 'yxf' from 192.168.7.1:379

=== gnome-keyring ===
* gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm.

=== openssh ===
** Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
** Test Result
*** '''Configuration of sshd'''
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
*** '''auth include common-auth --Server'''
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
PermitEmptyPasswords yes

Other is as same as sudo
*** '''log information'''
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)

*** '''account required pam_nologin.so --Server'''
$touch /etc/nologin

*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information --Server'''
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia

*** '''account include common-account --Server'''
$vi /etc/ssh/sshd_config
PermitEmptyPasswords no
$vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2

*** '''password include common-password'''
$vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512

It's no use for sshd, So no test result for this item

*** '''session optional pam_keyinit.so force revoke --Server'''
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
*** '''Client'''( the same session as the above "client" )
$exit
*** '''log information'''
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]

*** '''session include common-session --Server'''
$vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
*** ''' session required pam_loginuid.so --Server'''(Record user´s login uid to the process attribute)
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local]
Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)

=== polkit ===
Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test.
Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

* '''Pam configuration file of polkit '''
%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
* '''Test Reult'''
*** '''Normally pkexec can call pam modules from the above configuration file'''
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: <---Input root password and press key "Enter"

Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec cat /var/log/auth.log],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
*** '''auth include common-auth'''
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so nullok_secure

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

log information in /var/log/auth.log
Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
*** '''account include common-account'''
$ vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

log information in /var/log/auth.log
Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]

*** '''password include common-password'''
It is no use for polkit. So I don't test it
*** '''session include common-session'''
$ vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied

log information in /var/log/auth.log
Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

=== screen ===
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

=== shadow ===
==== chage ====
/etc/pam.d/chage: need patch to replace system-auth to common-auth
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-auth
* test pam_rootok.so
add the only option for pam_rootok.so
auth sufficient pam_rootok.so debug

run command chage as root:
root@qemux86:/etc/pam.d# chage -m 10 test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test

* test pam_unix.so
the content of common-auth are shown at section "Common configure files"

comment the pam_rootok.so line, because it will make pam return success:
#auth sufficient pam_rootok.so

and modify the pam_unix.so line in common-auth:
auth [success=1 default=ignore] pam_unix.so debug

run commands:
root@qemux86:/etc/pam.d# passwd -d root
root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
Password:
chfn: PAM authentication failed

log in /var/log/message:
Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

==== chfn ====
/etc/pam.d/chfn
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
add option debug to pam_rootok.so
auth sufficient pam_rootok.so debug

* pam_rootok.so
run command chfn as root:
root@qemux86:/etc/pam.d# chfn -f testyayay test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information

* pam_unix.so
please refer to chage test steps.

==== chgpasswd ====
/etc/pam.d/chgpasswd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

test pam_rootok.so and pam_unix.so(common-auth) refer to test steps in chage

==== chpasswd ====
/etc/pam.d/chpasswd
password include common-password
common-password are listed before, we change the pam_unix.so option:
password [success=1 default=ignore] pam_unix.so audit

commands to test:
root@qemux86:/etc/pam.d# chpasswd
test:
Press Ctrl+d, the follow are terminal output:
No password supplied
No password supplied
No password supplied
chpasswd: (user test) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

syslog info:
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable

==== chsh ====
/etc/pam.d/chsh
auth required pam_shells.so
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
* pam_shells.so
pam_shells only allows access to the system if the users shell is listed in /etc/shells.It also checks if /etc/shells is a plain file and not world writable.

check /etc/shells first:
qemux86:~$ ls -l /etc/shells
-rw-r--r-- 1 root root 109 Jul 12 06:05 /etc/shells
qemux86:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/ash
/bin/bash
/bin/dash
/bin/ksh
/usr/bin/ksh
/usr/bin/screen
qemux86:~$

login as a unprivileged user, the correct process is:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
qemux86:~$

syslog info:
Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'

now remove /bin/ash from /etc/shells, then run the same command:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
chsh: /bin/ash is an invalid shell.
qemux86:~$

if you make /etc/shells is writable to all people, chsh will fail with syslog info:
Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file

* pam_rootok.so
modify pam_rootok.so item:
auth required pam_rootok.so debug

then unprivileged users can't change their shell.
qemux86:~$ chsh -s /bin/ash
Password:
chsh: PAM authentication failed
qemux86:~$

syslog info:
Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed

* pam_unix.so
**pam_unix in common-auth: please refer to sudo tests
**pam_unix in common-account and common-password don't have test point.

==== groupadd ====
/etc/pam.d/groupadd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

*pam_unix.so in common-password doesn't has test point

==== groupdel ====
/etc/pam.d/groupdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

==== groupmems ====
/etc/pam.d/groupmems
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

*pam_rootok:
refer to chage tests

*pam_unix in common-password doesn't has test point

==== groupmod ====
/etc/pam.d/groupmod
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-password

* pam_rootok
refer to chage tests

* pam_unix: FIXME

==== login ====
/etc/pam.d/login
auth optional pam_faildelay.so delay=3000000
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

account include common-account
password include common-password
session include common-session

==== newusers ====
/etc/pam.d/newusers
password include common-password

*pam_unix
modify the pam_unix item in common-password
password [success=1 default=ignore] pam_unix.so debug

run command:
root@qemux86:~# newusers
a::::::
No password supplied
No password supplied
No password supplied
newusers: (user a) pam_chauthtok() failed, error:
Authentication token manipulation error
newusers: (line 1, user a) password not changed

syslog info:
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable

==== passwd ====
/etc/pam.d/passwd
password include common-password

* pam_unix in common-password
modify the item to make password length not less than 4 characters:
password [success=1 default=ignore] pam_unix.so minlen=4 debug

run test commands:
qemux86:~$ passwd
Changing password for test.
(current) UNIX password: <-- input 123 here
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password
Enter new UNIX password: <-- input 1234 here
Retype new UNIX password:
passwd: password updated successfully
qemux86:~$

syslog doesn't has detail informatiaon
Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test

==== su ====
/etc/pam.d/su
==== useradd ====
/etc/pam.d/useradd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

==== userdel ====
/etc/pam.d/userdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password:
no test point

==== usermod ====
/etc/pam.d/usermod(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

=== sudo ===
*/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth has been show above.

*test pam plugins
**pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

**pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

=== util-linux ===
Three programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them.

Drop it.

=== xserver-xf86-lite ===

=== Notes ===

* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run
./configure
make xtests
will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:
* tst-pam_access1
* tst-pam_access2
* tst-pam_access3
* tst-pam_access4
**the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
* tst-pam_authsucceed
**need pam_debug.so, install pam-plugin-debug to make it pass

* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
create-cracklib-dict /usr/share/cracklib/cracklib-small

* tst-pam_dispatch1
* tst-pam_dispatch2
* tst-pam_dispatch3
* tst-pam_dispatch4
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_pwhistory1
**need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass

* tst-pam_substack2
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_succeed_if1
**install pam-plugin-succeed-if to make it pass

* tst-pam_time1
**install pam-plugin-time to make it pass

PAM Integration

2011-07-14T07:19:41Z

Wfan: /* cups */

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Common configure files ==
For convenience, list common configure files here:

common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

== Recipes with PAM support ==
The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

=== at ===
* Open issue:
** It can't be ran by a non-root user, error message is:
Can't signal atd (permission denied)

* Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test # Verify if the message has been there

* /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

* test pam plugins
** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

=== consolekit ===
Consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam.
Drop it.

=== cronie ===
* /etc/pam.d/crond:
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth

* /etc/pam.d/password-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

* test commands:
crontab -e # establish a crontab jobs and check if it works
crontab -l # list crontab jobs for current user

* test pam plugins
Verified, test ways and the logs/results please refer to other packages:
** pam_env.so
** pam_access.so
** pam_unix.so
** pam_permit.so
** pam_keyinit.so

** pam_localuser.so
copy '/etc/passwd' to '/tmp/passwd' and delete the entry for 'root';
modify /etc/pam.d/password-auth:
account requisite pam_localuser.so file=/tmp/passwd debug

log in /var/log/auth.log:
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): set filename to "/tmp/passwd"
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): checking "daemon:x:1:1:daemon:/usr/sbin:/bin/sh "
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): checking "bin:x:2:2:bin:/bin:/bin/sh "
...

** pam_succeed_if.so
account requisite pam_succeed_if.so uid > 500 debug

log in /var/log/auth.log:
Jul 12 03:14:14 qemux86 crontab: pam_succeed_if(crond:account): 'uid' resolves to '0'
Jul 12 03:14:14 qemux86 crontab: pam_succeed_if(crond:account): requirement "uid > 500" not met by user "root"

** pam_loginuid.so
TBD

** pam_systemd.so
no this module

=== cups ===
* /etc/pam.d/cups
auth required pam_unix.so shadow nodelay
account required pam_unix.so

* Modify /etc/cups/cupsd.conf:
...
- Listen localhost:631
+ Port 631
...
# Restrict access to the server...
<Location />
Order allow,deny
+ allow all
</Location>
...
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
+ allow all
</Location>
...

* Test pam plugins
** pam_unix.so
Add debug option to '/etc/pam/cups':
auth required pam_unix.so shadow nodelay debug
account required pam_unix.so debug

Access the cups configure page via web browser:
http://<qemu.ip>:631
Click 'Administration' -> 'Add Printer', start the pop-window for user authentication, input correct user and password:
user: root
pwd: <correct password>

Entry the 'Add Printer' configure page successed.

Input error password:
user: root
pwd: <error password>

Check log in '/var/log/cups/error_log':
E [14/Jul/2011:02:41:26 +0800] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

Modify '/etc/shadow':
-root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7:::
+root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7::1:

Repeat the user authentication steps, check log in '/var/log/cups/error_log':
E [14/Jul/2011:03:05:00 +0800] cupsdAuthorize: pam_acct_mgmt() returned 13 (User account has expired)!

=== dropbear ===
** For supporting pam in dropbear, we need two steps:
** Add configuration "--enable-pam"
** Add patches to open macro definition for supporting in option.h
--- a/ptions.h 2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new 2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
/* Wether to ake public key options in authorized_keys file into account */

** Test result(dropbeat only support simple authentication, account and auth)
*** '''Server(account)'''
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
#%PAM-1.0
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''log information'''
Jul 14 07:01:48 qemux86 dropbear[407]: pam_access(sshd:account): access denied for user `root' from `ssh'
Jul 14 07:01:48 qemux86 dropbear[407]: pam_acct_mgmt() failed, rc=6, Permission denied
Jul 14 07:01:48 qemux86 dropbear[407]: bad PAM password attempt for 'root' from 192.168.7.1:33633

*** '''Server(auth)'''
$vi /etc/pam.d/sshd
auth include common-auth
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so debug
$ passwd -d username <blank password>

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''log information'''
Jul 14 07:06:42 qemux86 dropbear[421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=yxf
Jul 14 07:06:44 qemux86 dropbear[421]: pam_authenticate() failed, rc=7, Authentication failure
Jul 14 07:06:44 qemux86 dropbear[421]: bad PAM password attempt for 'yxf' from 192.168.7.1:379

=== gnome-keyring ===
* gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm.

=== openssh ===
** Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
** Test Result
*** '''Configuration of sshd'''
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
*** '''auth include common-auth --Server'''
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
PermitEmptyPasswords yes

Other is as same as sudo
*** '''log information'''
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)

*** '''account required pam_nologin.so --Server'''
$touch /etc/nologin

*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information --Server'''
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia

*** '''account include common-account --Server'''
$vi /etc/ssh/sshd_config
PermitEmptyPasswords no
$vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2

*** '''password include common-password'''
$vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512

It's no use for sshd, So no test result for this item

*** '''session optional pam_keyinit.so force revoke --Server'''
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
*** '''Client'''( the same session as the above "client" )
$exit
*** '''log information'''
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]

*** '''session include common-session --Server'''
$vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
*** ''' session required pam_loginuid.so --Server'''(Record user´s login uid to the process attribute)
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local]
Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)

=== polkit ===
Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test.
Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

* '''Pam configuration file of polkit '''
%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
* '''Test Reult'''
*** '''Normally pkexec can call pam modules from the above configuration file'''
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: <---Input root password and press key "Enter"

Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec cat /var/log/auth.log],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
*** '''auth include common-auth'''
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so nullok_secure

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

log information in /var/log/auth.log
Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
*** '''account include common-account'''
$ vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

log information in /var/log/auth.log
Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]

*** '''password include common-password'''
It is no use for polkit. So I don't test it
*** '''session include common-session'''
$ vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied

log information in /var/log/auth.log
Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

=== screen ===
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

=== shadow ===
==== chage ====
/etc/pam.d/chage: need patch to replace system-auth to common-auth
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-auth
* test pam_rootok.so
add the only option for pam_rootok.so
auth sufficient pam_rootok.so debug

run command chage as root:
root@qemux86:/etc/pam.d# chage -m 10 test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test

* test pam_unix.so
the content of common-auth are shown at section "Common configure files"

comment the pam_rootok.so line, because it will make pam return success:
#auth sufficient pam_rootok.so

and modify the pam_unix.so line in common-auth:
auth [success=1 default=ignore] pam_unix.so debug

run commands:
root@qemux86:/etc/pam.d# passwd -d root
root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
Password:
chfn: PAM authentication failed

log in /var/log/message:
Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

==== chfn ====
/etc/pam.d/chfn
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
add option debug to pam_rootok.so
auth sufficient pam_rootok.so debug

* pam_rootok.so
run command chfn as root:
root@qemux86:/etc/pam.d# chfn -f testyayay test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information

* pam_unix.so
please refer to chage test steps.

==== chgpasswd ====
/etc/pam.d/chgpasswd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

test pam_rootok.so and pam_unix.so(common-auth) refer to test steps in chage

==== chpasswd ====
/etc/pam.d/chpasswd
password include common-password
common-password are listed before, we change the pam_unix.so option:
password [success=1 default=ignore] pam_unix.so audit

commands to test:
root@qemux86:/etc/pam.d# chpasswd
test:
Press Ctrl+d, the follow are terminal output:
No password supplied
No password supplied
No password supplied
chpasswd: (user test) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

syslog info:
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable

==== chsh ====
/etc/pam.d/chsh
auth required pam_shells.so
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
* pam_shells.so
pam_shells only allows access to the system if the users shell is listed in /etc/shells.It also checks if /etc/shells is a plain file and not world writable.

check /etc/shells first:
qemux86:~$ ls -l /etc/shells
-rw-r--r-- 1 root root 109 Jul 12 06:05 /etc/shells
qemux86:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/ash
/bin/bash
/bin/dash
/bin/ksh
/usr/bin/ksh
/usr/bin/screen
qemux86:~$

login as a unprivileged user, the correct process is:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
qemux86:~$

syslog info:
Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'

now remove /bin/ash from /etc/shells, then run the same command:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
chsh: /bin/ash is an invalid shell.
qemux86:~$

if you make /etc/shells is writable to all people, chsh will fail with syslog info:
Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file

* pam_rootok.so
modify pam_rootok.so item:
auth required pam_rootok.so debug

then unprivileged users can't change their shell.
qemux86:~$ chsh -s /bin/ash
Password:
chsh: PAM authentication failed
qemux86:~$

syslog info:
Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed

* pam_unix.so
**pam_unix in common-auth: please refer to sudo tests
**pam_unix in common-account and common-password don't have test point.

==== groupadd ====
/etc/pam.d/groupadd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

*pam_unix.so in common-password doesn't has test point

==== groupdel ====
/etc/pam.d/groupdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

==== groupmems ====
/etc/pam.d/groupmems
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

*pam_rootok:
refer to chage tests

*pam_unix in common-password doesn't has test point

==== groupmod ====
/etc/pam.d/groupmod
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-password

* pam_rootok
refer to chage tests

* pam_unix: FIXME

==== login ====
/etc/pam.d/login
auth optional pam_faildelay.so delay=3000000
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

account include common-account
password include common-password
session include common-session

==== newusers ====
/etc/pam.d/newusers
password include common-password

*pam_unix
modify the pam_unix item in common-password
password [success=1 default=ignore] pam_unix.so debug

run command:
root@qemux86:~# newusers
a::::::
No password supplied
No password supplied
No password supplied
newusers: (user a) pam_chauthtok() failed, error:
Authentication token manipulation error
newusers: (line 1, user a) password not changed

syslog info:
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable

==== passwd ====
/etc/pam.d/passwd
password include common-password

* pam_unix in common-password
modify the item to make password length not less than 4 characters:
password [success=1 default=ignore] pam_unix.so minlen=4 debug

run test commands:
qemux86:~$ passwd
Changing password for test.
(current) UNIX password: <-- input 123 here
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password
Enter new UNIX password: <-- input 1234 here
Retype new UNIX password:
passwd: password updated successfully
qemux86:~$

syslog doesn't has detail informatiaon
Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test

==== su ====
/etc/pam.d/su
==== useradd ====
/etc/pam.d/useradd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

==== userdel ====
/etc/pam.d/userdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password:
no test point

==== usermod ====
/etc/pam.d/usermod(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

=== sudo ===
*/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth has been show above.

*test pam plugins
**pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

**pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

=== util-linux ===
Three programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them.

Drop it.

=== xserver-xf86-lite ===

=== Notes ===

* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run
./configure
make xtests
will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:
* tst-pam_access1
* tst-pam_access2
* tst-pam_access3
* tst-pam_access4
**the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
* tst-pam_authsucceed
**need pam_debug.so, install pam-plugin-debug to make it pass

* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
create-cracklib-dict /usr/share/cracklib/cracklib-small

* tst-pam_dispatch1
* tst-pam_dispatch2
* tst-pam_dispatch3
* tst-pam_dispatch4
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_pwhistory1
**need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass

* tst-pam_substack2
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_succeed_if1
**install pam-plugin-succeed-if to make it pass

* tst-pam_time1
**install pam-plugin-time to make it pass

PAM Integration

2011-07-14T07:18:06Z

Wfan: /* cups */ Add test results for cups

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Common configure files ==
For convenience, list common configure files here:

common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

== Recipes with PAM support ==
The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

=== at ===
* Open issue:
** It can't be ran by a non-root user, error message is:
Can't signal atd (permission denied)

* Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test # Verify if the message has been there

* /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

* test pam plugins
** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

=== consolekit ===
Consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam.
Drop it.

=== cronie ===
* /etc/pam.d/crond:
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth

* /etc/pam.d/password-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

* test commands:
crontab -e # establish a crontab jobs and check if it works
crontab -l # list crontab jobs for current user

* test pam plugins
Verified, test ways and the logs/results please refer to other packages:
** pam_env.so
** pam_access.so
** pam_unix.so
** pam_permit.so
** pam_keyinit.so

** pam_localuser.so
copy '/etc/passwd' to '/tmp/passwd' and delete the entry for 'root';
modify /etc/pam.d/password-auth:
account requisite pam_localuser.so file=/tmp/passwd debug

log in /var/log/auth.log:
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): set filename to "/tmp/passwd"
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): checking "daemon:x:1:1:daemon:/usr/sbin:/bin/sh "
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): checking "bin:x:2:2:bin:/bin:/bin/sh "
...

** pam_succeed_if.so
account requisite pam_succeed_if.so uid > 500 debug

log in /var/log/auth.log:
Jul 12 03:14:14 qemux86 crontab: pam_succeed_if(crond:account): 'uid' resolves to '0'
Jul 12 03:14:14 qemux86 crontab: pam_succeed_if(crond:account): requirement "uid > 500" not met by user "root"

** pam_loginuid.so
TBD

** pam_systemd.so
no this module

=== cups ===
* /etc/pam.d/cups
auth required pam_unix.so shadow nodelay
account required pam_unix.so

* Modify /etc/cups/cupsd.conf:
...
- Listen localhost:631
+ Port 631
...
# Restrict access to the server...
<Location />
Order allow,deny
+ allow all
</Location>
...
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
+ allow all
</Location>
...

* Test pam plugins
** pam_unix.so
Add debug option to '/etc/pam/cups':
auth required pam_unix.so shadow nodelay debug
account required pam_unix.so debug

Access the cups configure page via web browser:
http://<qemu.ip>:631
Click 'Administration' -> 'Add Printer', start the pop-window for user authentication, input correct user and password:
user: root
pwd: <correct password>

Entry the 'Add Printer' configure page successed.

Input error password:
user: root
pwd: <error password>

Check log in '/var/log/cups/error_log':
E [14/Jul/2011:02:41:26 +0800] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

Modify '/etc/shadow':
-root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7:::
+root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7::1:

Repeat the user authentication steps, check log in '/var/log/cups/error_log':
E [14/Jul/2011:03:05:00 +0800] cupsdAuthorize: pam_acct_mgmt() returned 13 (User account has expired)!

=== dropbear ===
** For supporting pam in dropbear, we need two steps:
** Add configuration "--enable-pam"
** Add patches to open macro definition for supporting in option.h
--- a/ptions.h 2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new 2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
/* Wether to ake public key options in authorized_keys file into account */

** Test result(dropbeat only support simple authentication, account and auth)
*** '''Server(account)'''
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
#%PAM-1.0
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''log information'''
Jul 14 07:01:48 qemux86 dropbear[407]: pam_access(sshd:account): access denied for user `root' from `ssh'
Jul 14 07:01:48 qemux86 dropbear[407]: pam_acct_mgmt() failed, rc=6, Permission denied
Jul 14 07:01:48 qemux86 dropbear[407]: bad PAM password attempt for 'root' from 192.168.7.1:33633

*** '''Server(auth)'''
$vi /etc/pam.d/sshd
auth include common-auth
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so debug
$ passwd -d username <blank password>

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''log information'''
Jul 14 07:06:42 qemux86 dropbear[421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=yxf
Jul 14 07:06:44 qemux86 dropbear[421]: pam_authenticate() failed, rc=7, Authentication failure
Jul 14 07:06:44 qemux86 dropbear[421]: bad PAM password attempt for 'yxf' from 192.168.7.1:379

=== gnome-keyring ===
* gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm.

=== openssh ===
** Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
** Test Result
*** '''Configuration of sshd'''
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
*** '''auth include common-auth --Server'''
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
PermitEmptyPasswords yes

Other is as same as sudo
*** '''log information'''
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)

*** '''account required pam_nologin.so --Server'''
$touch /etc/nologin

*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information --Server'''
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia

*** '''account include common-account --Server'''
$vi /etc/ssh/sshd_config
PermitEmptyPasswords no
$vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2

*** '''password include common-password'''
$vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512

It's no use for sshd, So no test result for this item

*** '''session optional pam_keyinit.so force revoke --Server'''
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
*** '''Client'''( the same session as the above "client" )
$exit
*** '''log information'''
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]

*** '''session include common-session --Server'''
$vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
*** ''' session required pam_loginuid.so --Server'''(Record user´s login uid to the process attribute)
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local]
Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)

=== polkit ===
Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test.
Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

* '''Pam configuration file of polkit '''
%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
* '''Test Reult'''
*** '''Normally pkexec can call pam modules from the above configuration file'''
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: <---Input root password and press key "Enter"

Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec cat /var/log/auth.log],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
*** '''auth include common-auth'''
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so nullok_secure

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

log information in /var/log/auth.log
Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
*** '''account include common-account'''
$ vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

log information in /var/log/auth.log
Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]

*** '''password include common-password'''
It is no use for polkit. So I don't test it
*** '''session include common-session'''
$ vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied

log information in /var/log/auth.log
Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

=== screen ===
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

=== shadow ===
==== chage ====
/etc/pam.d/chage: need patch to replace system-auth to common-auth
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-auth
* test pam_rootok.so
add the only option for pam_rootok.so
auth sufficient pam_rootok.so debug

run command chage as root:
root@qemux86:/etc/pam.d# chage -m 10 test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test

* test pam_unix.so
the content of common-auth are shown at section "Common configure files"

comment the pam_rootok.so line, because it will make pam return success:
#auth sufficient pam_rootok.so

and modify the pam_unix.so line in common-auth:
auth [success=1 default=ignore] pam_unix.so debug

run commands:
root@qemux86:/etc/pam.d# passwd -d root
root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
Password:
chfn: PAM authentication failed

log in /var/log/message:
Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

==== chfn ====
/etc/pam.d/chfn
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
add option debug to pam_rootok.so
auth sufficient pam_rootok.so debug

* pam_rootok.so
run command chfn as root:
root@qemux86:/etc/pam.d# chfn -f testyayay test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information

* pam_unix.so
please refer to chage test steps.

==== chgpasswd ====
/etc/pam.d/chgpasswd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

test pam_rootok.so and pam_unix.so(common-auth) refer to test steps in chage

==== chpasswd ====
/etc/pam.d/chpasswd
password include common-password
common-password are listed before, we change the pam_unix.so option:
password [success=1 default=ignore] pam_unix.so audit

commands to test:
root@qemux86:/etc/pam.d# chpasswd
test:
Press Ctrl+d, the follow are terminal output:
No password supplied
No password supplied
No password supplied
chpasswd: (user test) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

syslog info:
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable

==== chsh ====
/etc/pam.d/chsh
auth required pam_shells.so
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
* pam_shells.so
pam_shells only allows access to the system if the users shell is listed in /etc/shells.It also checks if /etc/shells is a plain file and not world writable.

check /etc/shells first:
qemux86:~$ ls -l /etc/shells
-rw-r--r-- 1 root root 109 Jul 12 06:05 /etc/shells
qemux86:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/ash
/bin/bash
/bin/dash
/bin/ksh
/usr/bin/ksh
/usr/bin/screen
qemux86:~$

login as a unprivileged user, the correct process is:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
qemux86:~$

syslog info:
Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'

now remove /bin/ash from /etc/shells, then run the same command:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
chsh: /bin/ash is an invalid shell.
qemux86:~$

if you make /etc/shells is writable to all people, chsh will fail with syslog info:
Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file

* pam_rootok.so
modify pam_rootok.so item:
auth required pam_rootok.so debug

then unprivileged users can't change their shell.
qemux86:~$ chsh -s /bin/ash
Password:
chsh: PAM authentication failed
qemux86:~$

syslog info:
Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed

* pam_unix.so
**pam_unix in common-auth: please refer to sudo tests
**pam_unix in common-account and common-password don't have test point.

==== groupadd ====
/etc/pam.d/groupadd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

*pam_unix.so in common-password doesn't has test point

==== groupdel ====
/etc/pam.d/groupdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

==== groupmems ====
/etc/pam.d/groupmems
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

*pam_rootok:
refer to chage tests

*pam_unix in common-password doesn't has test point

==== groupmod ====
/etc/pam.d/groupmod
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-password

* pam_rootok
refer to chage tests

* pam_unix: FIXME

==== login ====
/etc/pam.d/login
auth optional pam_faildelay.so delay=3000000
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

account include common-account
password include common-password
session include common-session

==== newusers ====
/etc/pam.d/newusers
password include common-password

*pam_unix
modify the pam_unix item in common-password
password [success=1 default=ignore] pam_unix.so debug

run command:
root@qemux86:~# newusers
a::::::
No password supplied
No password supplied
No password supplied
newusers: (user a) pam_chauthtok() failed, error:
Authentication token manipulation error
newusers: (line 1, user a) password not changed

syslog info:
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable

==== passwd ====
/etc/pam.d/passwd
password include common-password

* pam_unix in common-password
modify the item to make password length not less than 4 characters:
password [success=1 default=ignore] pam_unix.so minlen=4 debug

run test commands:
qemux86:~$ passwd
Changing password for test.
(current) UNIX password: <-- input 123 here
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password
Enter new UNIX password: <-- input 1234 here
Retype new UNIX password:
passwd: password updated successfully
qemux86:~$

syslog doesn't has detail informatiaon
Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test

==== su ====
/etc/pam.d/su
==== useradd ====
/etc/pam.d/useradd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

==== userdel ====
/etc/pam.d/userdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password:
no test point

==== usermod ====
/etc/pam.d/usermod(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

=== sudo ===
*/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth has been show above.

*test pam plugins
**pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

**pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

=== util-linux ===
Three programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them.

Drop it.

=== xserver-xf86-lite ===

=== Notes ===

* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run
./configure
make xtests
will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:
* tst-pam_access1
* tst-pam_access2
* tst-pam_access3
* tst-pam_access4
**the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
* tst-pam_authsucceed
**need pam_debug.so, install pam-plugin-debug to make it pass

* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
create-cracklib-dict /usr/share/cracklib/cracklib-small

* tst-pam_dispatch1
* tst-pam_dispatch2
* tst-pam_dispatch3
* tst-pam_dispatch4
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_pwhistory1
**need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass

* tst-pam_substack2
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_succeed_if1
**install pam-plugin-succeed-if to make it pass

* tst-pam_time1
**install pam-plugin-time to make it pass

PAM Integration

2011-07-14T06:49:03Z

Wfan: /* cronie */

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Common configure files ==
For convenience, list common configure files here:

common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

== Recipes with PAM support ==
The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

=== at ===
* Open issue:
** It can't be ran by a non-root user, error message is:
Can't signal atd (permission denied)

* Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test # Verify if the message has been there

* /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

* test pam plugins
** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

=== consolekit ===
Consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam.
Drop it.

=== cronie ===
* /etc/pam.d/crond:
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth

* /etc/pam.d/password-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

* test commands:
crontab -e # establish a crontab jobs and check if it works
crontab -l # list crontab jobs for current user

* test pam plugins
Verified, test ways and the logs/results please refer to other packages:
** pam_env.so
** pam_access.so
** pam_unix.so
** pam_permit.so
** pam_keyinit.so

** pam_localuser.so
copy '/etc/passwd' to '/tmp/passwd' and delete the entry for 'root';
modify /etc/pam.d/password-auth:
account requisite pam_localuser.so file=/tmp/passwd debug

log in /var/log/auth.log:
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): set filename to "/tmp/passwd"
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): checking "daemon:x:1:1:daemon:/usr/sbin:/bin/sh "
Jul 12 02:58:51 qemux86 crontab: pam_localuser(crond:account): checking "bin:x:2:2:bin:/bin:/bin/sh "
...

** pam_succeed_if.so
account requisite pam_succeed_if.so uid > 500 debug

log in /var/log/auth.log:
Jul 12 03:14:14 qemux86 crontab: pam_succeed_if(crond:account): 'uid' resolves to '0'
Jul 12 03:14:14 qemux86 crontab: pam_succeed_if(crond:account): requirement "uid > 500" not met by user "root"

** pam_loginuid.so
TBD

** pam_systemd.so
no this module

=== cups ===

=== dropbear ===
** For supporting pam in dropbear, we need two steps:
** Add configuration "--enable-pam"
** Add patches to open macro definition for supporting in option.h
--- a/ptions.h 2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new 2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
/* Wether to ake public key options in authorized_keys file into account */

** Test result(dropbeat only support simple authentication, account and auth)
*** '''Server(account)'''
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

*** '''Client'''
$ssh username@server-ip
(Disallow access)

*** '''Server(auth)'''
$vi /etc/pam.d/sshd
auth include common-auth
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so debug

*** '''Client'''
$ssh username@server-ip
(Disallow access)

=== gnome-keyring ===
* gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm.

=== openssh ===
** Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
** Test Result
*** '''Configuration of sshd'''
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
*** '''auth include common-auth --Server'''
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
PermitEmptyPasswords yes

Other is as same as sudo
*** '''log information'''
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)

*** '''account required pam_nologin.so --Server'''
$touch /etc/nologin

*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information --Server'''
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia

*** '''account include common-account --Server'''
$vi /etc/ssh/sshd_config
PermitEmptyPasswords no
$vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2

*** '''password include common-password'''
$vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512

It's no use for sshd, So no test result for this item

*** '''session optional pam_keyinit.so force revoke --Server'''
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
*** '''Client'''( the same session as the above "client" )
$exit
*** '''log information'''
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0] GID:1000 [0]

*** '''session include common-session --Server'''
$vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so
*** '''Client'''
$ssh username@server-ip
(Disallow accession)
*** '''log information'''
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
*** ''' session required pam_loginuid.so --Server'''(Record user´s login uid to the process attribute)
No action
*** '''Client'''
$ssh username@server-ip
*** '''log information'''
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local]
Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)

=== polkit ===
Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test.
Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

* '''Pam configuration file of polkit '''
%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
* '''Test Reult'''
*** '''Normally pkexec can call pam modules from the above configuration file'''
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: <---Input root password and press key "Enter"

Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec cat /var/log/auth.log],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
*** '''auth include common-auth'''
$vi /etc/pam.d/common-auth
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=0 default=ignore] pam_unix.so nullok_secure

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

log information in /var/log/auth.log
Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
*** '''account include common-account'''
$ vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore] pam_unix.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

log information in /var/log/auth.log
Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]

*** '''password include common-password'''
It is no use for polkit. So I don't test it
*** '''session include common-session'''
$ vi /etc/pam.d/common-session
#session [default=1] pam_permit.so
session [default=0] pam_permit.so

$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied

log information in /var/log/auth.log
Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

=== screen ===
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

=== shadow ===
==== chage ====
/etc/pam.d/chage: need patch to replace system-auth to common-auth
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-auth
* test pam_rootok.so
add the only option for pam_rootok.so
auth sufficient pam_rootok.so debug

run command chage as root:
root@qemux86:/etc/pam.d# chage -m 10 test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test

* test pam_unix.so
the content of common-auth are shown at section "Common configure files"

comment the pam_rootok.so line, because it will make pam return success:
#auth sufficient pam_rootok.so

and modify the pam_unix.so line in common-auth:
auth [success=1 default=ignore] pam_unix.so debug

run commands:
root@qemux86:/etc/pam.d# passwd -d root
root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
Password:
chfn: PAM authentication failed

log in /var/log/message:
Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

==== chfn ====
/etc/pam.d/chfn
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
add option debug to pam_rootok.so
auth sufficient pam_rootok.so debug

* pam_rootok.so
run command chfn as root:
root@qemux86:/etc/pam.d# chfn -f testyayay test

log info in /var/log/message shows pam_rootok.so return success:
Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information

* pam_unix.so
please refer to chage test steps.

==== chgpasswd ====
/etc/pam.d/chgpasswd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

test pam_rootok.so and pam_unix.so(common-auth) refer to test steps in chage

==== chpasswd ====
/etc/pam.d/chpasswd
password include common-password
common-password are listed before, we change the pam_unix.so option:
password [success=1 default=ignore] pam_unix.so audit

commands to test:
root@qemux86:/etc/pam.d# chpasswd
test:
Press Ctrl+d, the follow are terminal output:
No password supplied
No password supplied
No password supplied
chpasswd: (user test) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user test) password not changed

syslog info:
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable

==== chsh ====
/etc/pam.d/chsh
auth required pam_shells.so
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
session include common-session
* pam_shells.so
pam_shells only allows access to the system if the users shell is listed in /etc/shells.It also checks if /etc/shells is a plain file and not world writable.

check /etc/shells first:
qemux86:~$ ls -l /etc/shells
-rw-r--r-- 1 root root 109 Jul 12 06:05 /etc/shells
qemux86:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/ash
/bin/bash
/bin/dash
/bin/ksh
/usr/bin/ksh
/usr/bin/screen
qemux86:~$

login as a unprivileged user, the correct process is:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
qemux86:~$

syslog info:
Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'

now remove /bin/ash from /etc/shells, then run the same command:
qemux86:~$ chsh -s /bin/ash
Password: <-- Enter password here
chsh: /bin/ash is an invalid shell.
qemux86:~$

if you make /etc/shells is writable to all people, chsh will fail with syslog info:
Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file

* pam_rootok.so
modify pam_rootok.so item:
auth required pam_rootok.so debug

then unprivileged users can't change their shell.
qemux86:~$ chsh -s /bin/ash
Password:
chsh: PAM authentication failed
qemux86:~$

syslog info:
Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed

* pam_unix.so
**pam_unix in common-auth: please refer to sudo tests
**pam_unix in common-account and common-password don't have test point.

==== groupadd ====
/etc/pam.d/groupadd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

*pam_unix.so in common-password doesn't has test point

==== groupdel ====
/etc/pam.d/groupdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)
* pam_rootok
please refer to chage tests

==== groupmems ====
/etc/pam.d/groupmems
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

*pam_rootok:
refer to chage tests

*pam_unix in common-password doesn't has test point

==== groupmod ====
/etc/pam.d/groupmod
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include common-password

* pam_rootok
refer to chage tests

* pam_unix: FIXME

==== login ====
/etc/pam.d/login
auth optional pam_faildelay.so delay=3000000
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

account include common-account
password include common-password
session include common-session

==== newusers ====
/etc/pam.d/newusers
password include common-password

*pam_unix
modify the pam_unix item in common-password
password [success=1 default=ignore] pam_unix.so debug

run command:
root@qemux86:~# newusers
a::::::
No password supplied
No password supplied
No password supplied
newusers: (user a) pam_chauthtok() failed, error:
Authentication token manipulation error
newusers: (line 1, user a) password not changed

syslog info:
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable

==== passwd ====
/etc/pam.d/passwd
password include common-password

* pam_unix in common-password
modify the item to make password length not less than 4 characters:
password [success=1 default=ignore] pam_unix.so minlen=4 debug

run test commands:
qemux86:~$ passwd
Changing password for test.
(current) UNIX password: <-- input 123 here
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password
Enter new UNIX password: <-- input 1234 here
Retype new UNIX password:
passwd: password updated successfully
qemux86:~$

syslog doesn't has detail informatiaon
Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test

==== su ====
/etc/pam.d/su
==== useradd ====
/etc/pam.d/useradd(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

==== userdel ====
/etc/pam.d/userdel(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password:
no test point

==== usermod ====
/etc/pam.d/usermod(need patch)
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth(common-password)

* pam_rootok
refer to chage tests

* pam_unix in common-password： FIXME

=== sudo ===
*/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth has been show above.

*test pam plugins
**pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

**pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

**pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

=== util-linux ===
Three programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them.

Drop it.

=== xserver-xf86-lite ===

=== Notes ===

* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run
./configure
make xtests
will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:
* tst-pam_access1
* tst-pam_access2
* tst-pam_access3
* tst-pam_access4
**the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
* tst-pam_authsucceed
**need pam_debug.so, install pam-plugin-debug to make it pass

* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
create-cracklib-dict /usr/share/cracklib/cracklib-small

* tst-pam_dispatch1
* tst-pam_dispatch2
* tst-pam_dispatch3
* tst-pam_dispatch4
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_pwhistory1
**need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass

* tst-pam_substack2
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_succeed_if1
**install pam-plugin-succeed-if to make it pass

* tst-pam_time1
**install pam-plugin-time to make it pass

PAM Integration

2011-07-12T09:24:13Z

Wfan: /* cronie */

PAM Integration

2011-07-12T09:23:38Z

Wfan: /* at */

PAM Integration

2011-07-12T09:19:51Z

Wfan: /* cronie */ Add test results for crond

PAM Integration

2011-07-11T09:12:30Z

Wfan: /* at */

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Recipes with PAM support ==
The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

=== at ===
** Open issue:
** It can't be ran by a non-root user, error message is:
Can't signal atd (permission denied)

** Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test # Verify if the message has been there

** /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

** test pam plugins
*** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

*** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

* consolekit

* cronie

* cups

* dropbear
** For supporting pam in dropbear, we need two steps:
** Add configuration "--enable-pam"
** Add patches to open macro definition for supporting in option.h
** Test result
*** Server
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

*** Client
$ssh root@192.168.7.2
root@192.168.7.2's password:
Permission denied, please try again.
root@192.168.7.2's password:
Permission denied, please try again.
root@192.168.7.2's password:
Permission denied (publickey,password).

* gnome-keyring

* openssh
** Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
** Test Result
*** Server
$touch /etc/nologin

*** Client
$ssh username@server-ip
(can't log in)
* polkit

* screen
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

* shadow

* sudo
**/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-auth
password include common-auth
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
**test pam plugins
***pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

***pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

***pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

***pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

*** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

* util-linux

* xserver-xf86-lite

Notes:

* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run
./configure
make xtests
will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:
* tst-pam_access1
* tst-pam_access2
* tst-pam_access3
* tst-pam_access4
**the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
* tst-pam_authsucceed
**need pam_debug.so, install pam-plugin-debug to make it pass

* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
create-cracklib-dict /usr/share/cracklib/cracklib-small

* tst-pam_dispatch1
* tst-pam_dispatch2
* tst-pam_dispatch3
* tst-pam_dispatch4
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_pwhistory1
**need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass

* tst-pam_substack2
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_succeed_if1
**install pam-plugin-succeed-if to make it pass

* tst-pam_time1
**install pam-plugin-time to make it pass

=== position ===

PAM Integration

2011-07-11T09:04:23Z

Wfan: /* Recipes with PAM support */ Add test results for at

== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

== Recipes with PAM support ==
The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

=== at ===
** Open issue:
** It can't be ran by a non-root user, error message is:
Can't signal atd (permission denied)

** /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':

auth required pam_env.so
auth include common-auth
account include common-account
session include common-session-noninteractive
session required pam_limits.so

** test pam plugins
*** pam_env.so
modify /etc/pam.d/atd
auth required pam_env.so debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME DEFAULT="test-at"

log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")

*** pam_limits.so
add line to /etc/security/limits.conf
root - nofile 3
at task failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:
root - nofile 4
at task success, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

* consolekit

* cronie

* cups

* dropbear
** For supporting pam in dropbear, we need two steps:
** Add configuration "--enable-pam"
** Add patches to open macro definition for supporting in option.h
** Test result
*** Server
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
account required pam_access.so
$vi /etc/security/access.conf
- : root : ALL

*** Client
$ssh root@192.168.7.2
root@192.168.7.2's password:
Permission denied, please try again.
root@192.168.7.2's password:
Permission denied, please try again.
root@192.168.7.2's password:
Permission denied (publickey,password).

* gnome-keyring

* openssh
** Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
** Test Result
*** Server
$touch /etc/nologin

*** Client
$ssh username@server-ip
(can't log in)
* polkit

* screen
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth

First start screen:
root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:

Screen used by root <root>.
Password:

In another root terminal, clear the root's password:
password -d root

modify one line in common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
with
auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
Screen used by root <root>.
Password:
Screen used by root <root>.
Password:

then modify the line in common-auth with
auth [success=1 default=ignore] pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:
Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=root

* shadow

* sudo
**/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
#%PAM-1.0
auth include common-auth
account include common-auth
password include common-auth
session required pam_keyinit.so revoke
session required pam_limits.so
and content of common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
**test pam plugins
***pam_unix.so
modify common-auth:
auth [success=1 default=ignore] pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
qemux86:~$ sudo rm /test
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost= user=test-pam
Jul 8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

***pam_deny.so
mv line
auth requisite pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test

***pam_permit.so
comment this line
auth required pam_permit.so

sudo will fail without ask user to enter password:
qemux86:~$ sudo rm /test
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
qemux86:~$

log in /var/log/auth.log:
Jul 7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test

***pam_limits.so
add line to /etc/security/limits.conf
* - nofile 3
then sudo will fail:
qemux86:~$ sudo rm /test
Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:
* - nofile 4
qemux86:~$ sudo rm /test
qemux86:~$

log in /var/log/auth.log:
Jul 8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
Jul 8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
Jul 8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT

*** pam_keyinit
add option debug
session optional pam_keyinit.so revoke debug

log shows pam_keyinit was called:
Jul 7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
Jul 7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0] GID:0 [1000]
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
Jul 7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

* util-linux

* xserver-xf86-lite

Notes:

* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

* screen: check Fedora screen.pam

* util-linux: check Fedora source file util-linux-remote.pamd

* at: check Fedora util-linux-remote.pamd

* cups: check Fedora cups-1.1.16-system-auth.patch

* openssh: check Fedora sshd.pam

== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run
./configure
make xtests
will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)
./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:
* tst-pam_access1
* tst-pam_access2
* tst-pam_access3
* tst-pam_access4
**the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
* tst-pam_authsucceed
**need pam_debug.so, install pam-plugin-debug to make it pass

* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
create-cracklib-dict /usr/share/cracklib/cracklib-small

* tst-pam_dispatch1
* tst-pam_dispatch2
* tst-pam_dispatch3
* tst-pam_dispatch4
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_pwhistory1
**need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass

* tst-pam_substack2
**need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass

* tst-pam_succeed_if1
**install pam-plugin-succeed-if to make it pass

* tst-pam_time1
**install pam-plugin-time to make it pass

=== position ===