

Vsftpd supports virtual users through PAM (Pluggable Authentication Modules). A virtual user is a login that does not exist as a real account on the system in the /etc/passwd and /etc/shadow files. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server and cannot log in to the system to use other services such as ssh or smtp.

Every IT shop has a mix of Windows and Linux systems. Sometimes you need to authenticate your Linux desktop systems against the Microsoft Active Directory service. You can save time, effort and IT infrastructure by sharing an authentication server. This article explains how to set up Linux desktop computers with Active Directory using Samba and winbind.

From the article:
Starting with Windows 2000, Microsoft moved from NTLM to Active Directory and its integrated Kerberos authentication services. Kerberos was considerably more secure than NTLM, and it scaled better, too. And Kerberos was an industry standard already used by Linux and UNIX systems, which opened the door to integrating those platforms with Windows.

Most Linux distributions come with several PAM authentication modules, including modules that support authentication to an LDAP directory and authentication using Kerberos. You can use these modules to authenticate to Active Directory, but there are some significant limitations, as I will discuss later in this article.

=> Authenticate Linux Clients with Active Directory

Under CentOS Linux it is possible to lock out a user login after failed login attempts. This is a security feature. You can also automatically unlock the account after some time.

pam_tally - login counter (tallying) module

This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail.


Use the /etc/pam.d/system-auth configuration file to configure attempted login accesses and other related activities. Append the following auth configuration to the /etc/pam.d/system-auth file:
auth required pam_tally.so onerr=fail deny=5 unlock_time=21600
(a) deny=5 - Deny access if tally for this user exceeds 5 times.

(b) unlock_time=21600 - Allow access after 21600 seconds (6 hours) after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.

(c) onerr=fail - If something weird happens (like unable to open the file), return with PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM error code.

By default, the file /var/log/faillog is used to keep login counts.

The above PAM module is part of all Linux distributions, and the configuration should work with any Linux distribution.
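
As an added example (not part of the original article), the following shell function reads a PAM file and reports what the pam_tally options described above enforce, including the case where deny is set without unlock_time. The function name and the sample files are constructed for illustration, and a one-word control field such as required is assumed.

```shell
#!/bin/sh
# Added example: audit the pam_tally options on active auth lines of a PAM file.
# Assumes a one-word control field (required, requisite, ...), as in the line above.
tally_audit() {   # usage: tally_audit FILE ; returns 1 if no active line exists
    awk '
        /^[[:space:]]*#/ { next }                    # commented-out lines do nothing
        $1 == "auth" && $3 ~ /(^|\/)pam_tally\.so$/ {
            deny = ""; unlock = ""; onerr = ""
            for (i = 4; i <= NF; i++) {              # module options are key=value
                n = index($i, "=")
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "deny") deny = val
                if (key == "unlock_time") unlock = val
                if (key == "onerr") onerr = val
            }
            seen = 1
            if (deny == "") print "WARN: deny= not set on this line"
            if (deny != "" && unlock == "")
                print "WARN: deny=" deny " without unlock_time, lock stays until an admin clears it"
            if (onerr == "succeed")
                print "WARN: onerr=succeed returns PAM_SUCCESS when the module hits an error"
            if (deny != "" && unlock != "" && onerr != "succeed")
                printf "OK: deny=%s unlock_time=%ss (%d min)\n", deny, unlock, unlock / 60
        }
        END { if (!seen) { print "WARN: no active auth pam_tally.so line"; exit 1 } }
    ' "$1"
}

# Constructed sample files, not taken from a real system.
demo_dir=$(mktemp -d)
printf '%s\n' 'auth required pam_tally.so onerr=fail deny=5 unlock_time=21600' \
    > "$demo_dir/good"
printf '%s\n' '#auth required pam_tally.so deny=5' \
    'auth required /lib/security/pam_tally.so onerr=succeed deny=3' > "$demo_dir/weak"
tally_audit "$demo_dir/good"
tally_audit "$demo_dir/weak"
rm -rf "$demo_dir"
```

On a live system, pass /etc/pam.d/system-auth as the argument.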

See also:

  1. man pages faillog, pam.conf, pam.d, pam, and pam_tally
  2. pam_tally - login counter (tallying) module documentation.
  3. CentOS Linux project

Restrict the use of su command

su is used to become another user during a login session. Invoked without a username, su defaults to becoming the super user. The user will be prompted for a password, if appropriate. Invalid passwords will produce an error message. All attempts, both valid and invalid, are logged to detect abuses of the system.

By default, almost all distros allow any user to run the su command. However, you can restrict the use of the su command for security reasons.

Both UNIX and Linux have a group called wheel. If a user is a member of this group, she can use the su command. We can add a user to this group.

For example, add the existing user rocky to the wheel group (-a appends the group, so rocky keeps her other supplementary groups):
# usermod -a -G wheel rocky

Now open the /etc/pam.d/su PAM config file:
# vi /etc/pam.d/su
Append one of the following lines (the first names the module by its full path, the second by file name only):
auth required /lib/security/pam_wheel.so use_uid
auth required pam_wheel.so use_uid

Save and close the file.

Because of the above setting, only members of the administrative group wheel can use the su command. However, I still recommend sudo over su for better control, security and ease of use. This is also the default behavior on FreeBSD.
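
To verify the result, this added example (not from the original article) checks that an uncommented pam_wheel line is present and lists every account the restriction admits. It assumes, beyond what the article states, that an account whose primary group is wheel counts as a member; function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: check that su is restricted and list who the restriction admits.

# Succeeds only if FILE has an uncommented "auth required ... pam_wheel.so" line.
su_is_restricted() {   # usage: su_is_restricted PAM_SU_FILE
    awk '!/^[[:space:]]*#/ && $1 == "auth" && $2 == "required" &&
         $3 ~ /(^|\/)pam_wheel\.so$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Print every account in group wheel: supplementary members from GROUP_FILE plus
# accounts in PASSWD_FILE whose primary GID is the wheel GID (assumed to count).
wheel_members() {      # usage: wheel_members GROUP_FILE PASSWD_FILE
    awk -F: '
        FNR == NR {                                  # first file: group(5)
            if ($1 == "wheel") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }          # second file: passwd(5)
    ' "$1" "$2" | sort -u
}

# Constructed sample files, not taken from a real system.
d=$(mktemp -d)
printf '%s\n' '#auth required pam_wheel.so use_uid' > "$d/su.stock"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid' > "$d/su.locked"
printf '%s\n' 'root:x:0:' 'wheel:x:10:rocky' 'users:x:100:' > "$d/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'rocky:x:500:100::/home/rocky:/bin/bash' \
    'ops:x:501:10::/home/ops:/bin/bash' > "$d/passwd"
su_is_restricted "$d/su.stock"  || echo "su.stock: any user may attempt su"
su_is_restricted "$d/su.locked" && echo "su.locked: wheel only"
wheel_members "$d/group" "$d/passwd"
rm -rf "$d"
```

On a live system the arguments are /etc/pam.d/su, /etc/group and /etc/passwd.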

Under Linux, the password-related utilities and config files come from the shadow password suite. The /etc/login.defs file defines the site-specific configuration for this suite. This file is a readable text file, with each line describing one configuration parameter. Each line consists of a configuration name and value, separated by whitespace.

You need to set the default password expiry using the /etc/login.defs file (password aging control parameters):

  1. PASS_MAX_DAYS : Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
  2. PASS_MIN_DAYS : Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected
  3. PASS_WARN_AGE : Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

Open the file /etc/login.defs using a text editor:
# vi /etc/login.defs
Setup (sample) values as follows:

Close and save the file.
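
The values in /etc/login.defs are applied when an account is created, so accounts that already exist keep their old aging settings. This added example (not from the original article) goes one step beyond the text and lists such accounts by comparing PASS_MAX_DAYS with the maximum-age field of a shadow file; function names, sample values and hashes are constructed.

```shell
#!/bin/sh
# Added example: compare existing accounts against the PASS_MAX_DAYS default.
# Assumes the shadow(5) layout, where field 5 is the account's maximum password age.

# Print the value of NAME from a login.defs-style file; fail if it is not set.
defs_get() {      # usage: defs_get DEFS_FILE NAME
    awk -v k="$2" '!/^[[:space:]]*#/ && $1 == k { v = $2 }
                   END { if (v == "") exit 1; print v }' "$1"
}

# List accounts with a usable password whose maximum age is unset or above
# the PASS_MAX_DAYS default.
aging_drift() {   # usage: aging_drift DEFS_FILE SHADOW_FILE
    max=$(defs_get "$1" PASS_MAX_DAYS) || {
        echo "PASS_MAX_DAYS is not set in $1" >&2; return 2; }
    awk -F: -v max="$max" '
        $2 ~ /^[!*]/ { next }                       # locked or no password login
        $5 == "" || $5 + 0 > max + 0 {
            print $1 " max_days=" ($5 == "" ? "unset" : $5) " default=" max
        }' "$2"
}

# Constructed sample files; the values and hashes are placeholders.
d=$(mktemp -d)
printf '%s\n' '# password aging controls' 'PASS_MAX_DAYS   60' \
    'PASS_MIN_DAYS   1' 'PASS_WARN_AGE   7' > "$d/login.defs"
printf '%s\n' 'root:$6$placeholder:15000:0:99999:7:::' \
    'rocky:$6$placeholder:15000:1:60:7:::' \
    'daemon:*:15000:0:99999:7:::' > "$d/shadow"
aging_drift "$d/login.defs" "$d/shadow"     # only root is reported
rm -rf "$d"
```

Run it as root against /etc/login.defs and /etc/shadow, since the shadow file is not world-readable.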


Please note that much of the functionality that used to be provided by the shadow password suite is now handled by the PAM suite. Next time I will write about PAM configuration.