Linux PAM Resources

Pluggable authentication modules (PAM) are a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source, Linux-PAM, development in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD,[1] FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris.

Below is a list of good resources related to PAM that you can use to improve your Linux security model.

Linux PAM Admin Guide

NetBSD PAM Guide

Nice PAM Tutorial

Redhat Reference for PAM Modules

PAM Manual

How to Install Firewall Builder 5 In Ubuntu


Firewall Builder is a GUI application that allows you to create sophisticated firewall rules. Currently only version 4 is available in the Ubuntu repositories, so here is how to install version 5 in Ubuntu:

1. From a Terminal window type: wget http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc -O- | sudo apt-key add -

2. Add the line deb http://packages.fwbuilder.org/deb/stable/ VersionName contrib to /etc/apt/sources.list,
   where VersionName is the code name of your Ubuntu version, such as natty.

3. From a Terminal window type: sudo apt-get update

4. From a Terminal window type: sudo apt-get install fwbuilder

Linux Foundation Breach

I was actually browsing through the Freedombox site to look at the project and when I clicked on one of the links to the Linux Foundation I received the breach notification that now reads (Condensed Version):

“Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.”

They make the statement of “...security best practices”. If they were using security best practices, should they have been breached to begin with? My hope is that, if and when they discover what happened, they would, in the interest of Open Source, offer full disclosure on the details of the incident so the Linux community can learn from the mistakes that appear to have affected kernel.org and now the Linux Foundation.

What I find interesting is that as a result of the kernel.org breach, Linus Torvalds has moved the Linux Kernel project to GitHub. So I’m wondering what assurance Linus feels that GitHub will give him that kernel.org could not? What it really comes down to is that they have not been breached yet.

Top 5 Books for the UNIX Security Geek

Here are Justin’s top 5 UNIX security books.

Title                                        Author                  ISBN
Practical UNIX and Internet Security         Garfinkel and Spafford  1-56592-148-8
UNIX System Security                         David Curry             0-201-60640-2
The UNIX Programming Environment             Kernighan and Pike      0-13-937681-X
UNIX & Linux System Administration Handbook  Nemeth et al            0-13-151051-7
Building Internet Firewalls                  O’Reilly and Assoc      1-56592-124-0

How to move window buttons back to right in Ubuntu 10.X

As Ubuntu’s new tag line says, “It’s time for a change.” Indeed, a lot of changes have been made to the operating system, applications and the interface. There are a few which you will find interesting and useful, while a few others might annoy you because of the sudden change.

I never liked Ubuntu much, and it seems many people are complaining about it, saying that the move to have the buttons at the left hand side (close, maximize, minimize) like we have in Apple OS was a bad one. People find the sudden shift hard to come to terms with.

Tell you what, it’s extremely easy to move the buttons back to the right hand side. All you need is a bit of configuration tweaking from Gnome Configuration Editor and you are done. To begin, open gconf-editor. Either type it in terminal and hit enter or press Alt+F2 and run it from there.

Once you open gconf-editor, navigate to

/apps/metacity/general

You can see the top-level class 'apps' in the left hand pane. Now navigate to the path mentioned above. Then, in the right hand pane, change the value of the key button_layout from

close,minimize,maximize:menu

to

menu:minimize,maximize,close

You can either right click the key value and edit it, or just double click it and start typing. Once you have changed the value, hit the enter key and that’s it. All the windows will now have buttons on the right.

There is still one problem however, as you can see, the graphics used for the buttons are not the same for all 3 buttons, so they look a bit weird. You can either change the theme, or change the graphics for the buttons to get a smoother blending.

Installing Emacs on Ubuntu 10.04 from Source

Here is how you can compile the mother of all editors on Ubuntu 10.04 from source:

1. Obtain the source archive for Emacs from ftp://ftp.gnu.org/gnu/emacs/

2. Open a Terminal in Ubuntu and type: sudo apt-get install build-essential libxpm-dev libgif-dev libtiff4-dev

   This will install the necessary packages to compile Emacs.

3. Extract the Emacs archive downloaded in step 1 by typing: tar xvzf emacs-major_version-minor_version.tar.gz

4. Change to the Emacs source directory by typing: cd emacs-major_version-minor_version

5. Type: ./configure

6. Type: make

7. Type: sudo make install

Enjoy.

SSH Hardening

Here is some code that will add some security to the SSH configuration files in /etc/ssh (ssh_config and sshd_config):

  • Enable X11Forwarding
  • Force Version 2 of the protocol
  • Disable all the usual RHosts garbage
  • Disable root logons
  • Disable the use of empty passwords

Copy the code below to a text file and make it executable then run it using the sudo command. Remember to restart your SSH service after the changes have been made.


#!/bin/sh
# Harden the OpenSSH client and server configuration files in place.
SSH_DIR=/etc/ssh
# unalias cp rm mv
cd "$SSH_DIR" || exit 1

# Client config: drop any existing Protocol line, then append "Protocol 2".
cp ssh_config ssh_config.tmp
{ grep -v Protocol ssh_config.tmp; echo "Protocol 2"; } > ssh_config
rm ssh_config.tmp

# Server config: rewrite each listed directive, whether commented out or not.
# Directives that do not appear in the file at all are left untouched.
cp sshd_config sshd_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
/^#? *X11Forwarding/ \
{ print "X11Forwarding yes"; next };
/^#? *IgnoreRhosts/ \
{ print "IgnoreRhosts yes"; next };
/^#? *RhostsAuthentication/ \
{ print "RhostsAuthentication no"; next };
/^#? *RhostsRSAAuthentication/ \
{ print "RhostsRSAAuthentication no"; next };
/^#? *HostbasedAuthentication/ \
{ print "HostbasedAuthentication no"; next };
/^#? *PermitRootLogin/ \
{ print "PermitRootLogin no"; next };
/^#? *PermitEmptyPasswords/ \
{ print "PermitEmptyPasswords no"; next };
/^#? *Banner/ \
{ print "Banner /etc/issue.net"; next };
{print}' sshd_config.tmp > sshd_config
rm sshd_config.tmp
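
The awk script above only rewrites directives that already appear in sshd_config (commented out or not); a directive that is absent from the file is not added. The following shell audit is an added example, not part of the original post: it reports whether four of the directives are set explicitly in the global section of a file. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD: print the first uncommented value of KEYWORD
# found before any Match block. Keywords are matched case-insensitively.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
                                { sub(/[ \t]*=[ \t]*/, " ") }  # "Key=value"
        tolower($1) == "match"  { exit }   # later lines are conditional
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if every directive is set as expected.
audit_sshd_config() {
    file=$1; rc=0
    while read -r key want; do
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK      $key $got"
        elif [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        else
            echo "FAIL    $key $got (want $want)"; rc=1
        fi
    done <<EOF
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
EOF
    return $rc
}

# Constructed sample: no global PermitRootLogin line, only one under Match.
sample_config() {
    cat <<'EOF'
Port 22
permitemptypasswords no
IgnoreRhosts yes
HostbasedAuthentication=no
Match User backup
    PermitRootLogin no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "sample is not fully hardened"
rm -f "$tmp"
```

Before restarting the service, sshd -t checks the edited sshd_config for syntax errors.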