pam

Enabling md5 shadow password with authconfig

Sat, 10/02/2010 - 14:44 — sandip

If you notice that /etc/shadow file password is using DES encryption, MD5 encryption can be enabled via:

authconfig --enablemd5 --enableshadow --update

If authconfig is not present edit, "/etc/pam.d/system-auth" and add "md5 shadow" to line starting with "password sufficient pam_unix.so" so it looks like below:

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

sandip's blog
Login or register to post comments
Read more

Setup secure ProFTPd

Fri, 06/12/2009 - 14:42 — sandip

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:

 
<IfModule mod_tls.c>
TLSEngine   &nbsp;    &nbsp;    &nbsp;    &nbsp;    on
TLSRequired   ;     ;     ;     ;   off
TLSRSACertificateFile &nbsp;    &nbsp;    /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile&nbsp;    &nbsp;  /etc/pki/tls/proftpd/server.key.pem 
TLSVerifyClient  &nbsp;    &nbsp;    &nbsp;    off
TLSRenegotiate  &nbsp;    &nbsp;    &nbsp;     required off
TLSLog   &nbsp;    &nbsp;    &nbsp;    &nbsp;    &nbsp;  /var/log/proftpd/tls.log
</IfModule>

chroot and bindsocket to listen to single IP:

 
SocketBindTight  &nbsp;    &nbsp;    &nbsp;    on
DefaultRoot   ;     ;     ;     ;   ~

Setup passive ftp ports:

</Global>
...
...
PassivePorts 50000 51000
</Global>

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

#%PAM-1.0
auth    required   &nbsp;    pam_unix.so   &nbsp; nullok
account required   &nbsp;    pam_unix.so
session required   &nbsp;    pam_unix.so

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

sandip's blog
Login or register to post comments

set_loginuid failed opening loginuid

Tue, 02/03/2009 - 10:51 — sandip

If this file doesn't exist:

/proc/<pid of crond>/loginuid

It's because the kernel doesn't have AUDIT enabled. So you get a bunch of errors in "/var/log/secure" with "set_loginuid failed opening loginuid".

Recompile kernel with audit support:

CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y

If recompiling of kernel is not an option then:

Comment the below lines from all pam.d files.

session required   pam_loginuid.so

Find files via:

# grep -l pam_loginuid.so /etc/pam.d/* 
/etc/pam.d/atd
/etc/pam.d/crond
/etc/pam.d/login
/etc/pam.d/remote
/etc/pam.d/sshd

Navigation

Home | Forum | Recent Posts | News | Archives | Contact
This site houses a collection of Tips, Tricks, Resources and Guides of Individuals, put together and edited for personal reference into a daily web journal...
Content may not be reproduced without permission from the Individuals.
Copyright © post 2003 L I N U X w e B l o g . C O M