Security on Linux🔗

Encryption🔗

Opening and mounting an encrypted device

sudo cryptsetup luksOpen /dev/sdxx cr_dev
udisksctl mount -b /dev/mapper/cr_dev

luksOpen unlocks the LUKS container and exposes the decrypted block device as /dev/mapper/cr_dev; udisksctl then mounts that device as the calling user (no sudo needed) and prints the mount point it picked, typically below /media/$USER or /run/media/$USER.

Unmounting and closing

udisksctl unmount -b /dev/mapper/cr_dev
sudo cryptsetup luksClose cr_dev

Always do both steps, in this order: luksClose refuses to run while the filesystem is still mounted ("device still in use"), and unmounting alone leaves the decrypted mapping in /dev/mapper with the volume key held in the kernel until the device is closed.
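The same four commands wrapped so the close step cannot be forgotten, as an added example that is not code from the page. It assumes a `runner(argv) -> (exit_code, stdout)` hook (so the sequence can be exercised without root or a real disk; the default runs the commands with subprocess) and that udisksctl reports the mount point as "Mounted ... at /path"; both assumptions are mine, not the page's.

```python
"""Open, mount and always close a LUKS volume with the commands the page lists.

Assumptions not stated on the page:
- `runner(argv) -> (exit_code, stdout)` is injectable; the default executes
  the commands with subprocess, a fake runner lets the flow be tested offline
- udisksctl mount prints "Mounted /dev/mapper/NAME at /path" (udisks2 wording)
"""
import re
import subprocess
from contextlib import contextmanager

MAPPER_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")   # becomes /dev/mapper/<name>


def run_cmd(argv):
    """Default runner: execute argv and return (exit code, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


@contextmanager
def luks_volume(device, name, runner=run_cmd):
    """Yield the mount point; unmount and luksClose run on exit, even on errors."""
    if not MAPPER_NAME.match(name):
        raise ValueError(f"refusing mapper name {name!r}")
    # isLuks exits non-zero when the device has no LUKS header: fail here
    # rather than letting luksOpen prompt for a passphrase on the wrong disk.
    rc, _ = runner(["sudo", "cryptsetup", "isLuks", device])
    if rc != 0:
        raise RuntimeError(f"{device} is not a LUKS device")
    rc, _ = runner(["sudo", "cryptsetup", "luksOpen", device, name])
    if rc != 0:
        raise RuntimeError(f"luksOpen {device} failed")
    mapper = f"/dev/mapper/{name}"
    mounted = False
    try:
        rc, out = runner(["udisksctl", "mount", "-b", mapper])
        if rc != 0:
            raise RuntimeError(f"mount of {mapper} failed")
        mounted = True
        match = re.search(r" at (\S+)", out)
        yield match.group(1).rstrip(".") if match else None
    finally:
        # Teardown in reverse order: unmount before luksClose (it reports the
        # device as busy otherwise), and luksClose even if the mount failed so
        # the decrypted mapping does not linger in /dev/mapper.
        if mounted:
            runner(["udisksctl", "unmount", "-b", mapper])
        runner(["sudo", "cryptsetup", "luksClose", name])


if __name__ == "__main__":
    import sys
    # usage: python3 luks_volume.py /dev/sdxx cr_dev
    with luks_volume(sys.argv[1], sys.argv[2]) as mount_point:
        print(f"mounted at {mount_point}; press Enter to unmount and close")
        input()
```

The mapper-name check matters because the name is spliced into a /dev/mapper path; a value taken from a config file or a caller should not be able to carry a path component.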

Sandboxing🔗

Authentication🔗

PAM (Pluggable Authentication Modules)🔗

PAM (Pluggable Authentication Modules): the centralised authentication mechanism on Linux
Tags: #linux/PAM

General & config🔗

  • a wrong configuration can break the system (nobody can log in) or break security (any password, or no password at all, is accepted); both failure modes are silent until tested
  • a library that programs such as sshd, sudo and login call to authenticate users, so they do not implement password checking themselves
  • configuration lives in /etc/pam.d, one file per service (the file name is the service name the program asks PAM for)
  • in our Puppet modules the configuration is not written directly but through the Debian tool pam-auth-update (part of the libpam-runtime package), which assembles the common-* files from the profiles in /usr/share/pam-configs

A handy tool for testing a stack on Linux without touching a real service is pbrezina's pam-test:

git clone https://github.com/pbrezina/pam-test

You use it by defining a service file /etc/pam.d/pam_test, for example:

auth  [success=3 default=ignore]  pam_unix.so nullok try_first_pass
auth  required                    pam_sss.so use_first_pass
auth  [success=1]                 /home/user/test/lib/security/pam_2fa.so config=/home/user/.config/netiq.json
## here's the fallback if no module succeeds
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  required                    pam_group.so use_first_pass

and then running

./pam_test auth foobar

from the pam_test directory.

How to read the stack: `success=3` means that when pam_unix succeeds the next three modules (pam_sss, pam_2fa and pam_deny; comment lines do not count) are skipped and evaluation lands on pam_permit. `default=ignore` means any other pam_unix result contributes nothing, so the stack falls through to pam_sss. Because pam_sss is `required`, a failure there is remembered and the stack fails even if pam_2fa succeeds afterwards. `requisite` pam_deny stops the stack immediately when it is reached. Note that `nullok` lets pam_unix accept accounts with an empty password field; acceptable on a test box, not in a production stack.
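To see what a stack will do before installing it, the control-flag rules from pam.conf(5) can be simulated offline. The following is an added example and is not code from the page, from pam-test or from Linux-PAM: it walks a pam.d auth stack with module return codes supplied by the caller and reports the final result, which makes the "any password is accepted" misconfiguration visible as a test case. Two details are my reading of pam.conf(5) and are assumptions here: a return value not listed in a `[...]` control and without `default=` is treated as `bad`, and `success=N` counts as `ok` plus skipping the next N modules. pam_permit.so and pam_deny.so get their fixed return values; every other module needs an entry in `returns`. The Debian-style `COMMON_AUTH` and its broken twin are constructed for the demonstration.

```python
"""Simulate how Linux-PAM walks an auth stack (control-flag rules of pam.conf(5)).

Assumptions (mine, not the page's): unlisted return values without `default=`
act as `bad`; `success=N` acts as `ok` and then skips N modules. Module
arguments such as nullok are not modelled; the caller supplies return codes.
"""

# Keyword controls and their [...] equivalents, as listed in pam.conf(5)
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
BUILTIN_RETURNS = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}

# The page's pam_test stack, then a Debian common-auth style stack with and
# without its pam_deny line (the last two are constructed for this example)
PAGE_STACK = """\
auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
auth required pam_sss.so use_first_pass
auth [success=1] /home/user/test/lib/security/pam_2fa.so config=/home/user/.config/netiq.json
## here's the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_permit.so
auth required pam_group.so use_first_pass
"""
COMMON_AUTH = """\
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
"""
BROKEN_AUTH = """\
auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_permit.so
"""


def parse_control(field):
    """'[success=3 default=ignore]' -> {'success': 3, 'default': 'ignore'}"""
    actions = {}
    for item in field.strip("[]").split():
        key, action = item.split("=", 1)
        actions[key] = int(action) if action.isdigit() else action
    return actions


def parse_stack(text):
    """Return [(actions, module), ...] for the non-comment lines of a pam.d file."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[1].startswith("["):          # bracketed control may contain spaces
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            entries.append((parse_control(" ".join(tokens[1:end + 1])), tokens[end + 1]))
        else:
            entries.append((dict(SHORTHAND[tokens[1]]), tokens[2]))
    return entries


def evaluate(text, returns):
    """Final result of the stack: 'success', 'auth_err', 'perm_denied', ..."""
    impression, status, skip = "undef", "perm_denied", 0   # Linux-PAM's start state
    for actions, module in parse_stack(text):
        if skip:                      # jumped over: the module is not consulted at all
            skip -= 1
            continue
        retval = BUILTIN_RETURNS.get(module) or returns[module]
        action = actions.get(retval, actions.get("default", "bad"))
        if isinstance(action, int):   # success=N: like ok, then skip the next N modules
            skip, action = action, "ok"
        if action in ("ok", "done"):
            # ok/done never override a failure that is already recorded
            if retval != "ignore" and (impression == "undef" or status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                 # sufficient: stop early only if nothing failed before
        elif action in ("bad", "die"):
            if impression != "negative":   # the first failure's code becomes the stack's
                impression, status = "negative", retval
            if action == "die":
                break                 # requisite: stop immediately
        elif action == "reset":
            impression, status = "undef", "perm_denied"
        # "ignore": the return code contributes nothing
    if status == "success" and impression != "positive":
        status = "perm_denied"        # nothing positive was recorded: cannot succeed
    return status


def wrong_password_result(text):
    """Outcome when every real module rejects the credential (wrong password)."""
    returns = {module: "auth_err" for _, module in parse_stack(text)}
    return evaluate(text, returns)
```

`wrong_password_result(BROKEN_AUTH)` returns `success`: with pam_deny gone, a failed pam_unix is ignored and `required pam_permit.so` supplies the positive result, which is exactly the "allow any password" failure from the list above. The same call on `COMMON_AUTH` returns `auth_err`.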

Modules🔗

# pam_exec: runs an external program as a module. With expose_authtok the
# password is passed to the program on stdin; quiet suppresses the exit-status message.
auth [success=1 default=ignore]  pam_exec.so quiet expose_authtok /path/to/file
# pam_succeed_if: pass or fail on account attributes (uid, gid, user, shell, ingroup/notingroup, ...)
# pam_regex
# https://www.gnu.org.ua/software/pam-modules/manual/html_chapter/regex.html
# Part of GNU pam-modules, not of the default Ubuntu PAM installation, so it has to be compiled manually. :facepalm:
# - can be used to transform the user name, for example to all lower case
auth [...] pam_regex.so extended regex=... transform=s/.*/\L&/g
# pam_ssh_agent_auth
# Package: `libpam-ssh-agent-auth`. Authenticates (typically sudo) against a key held in the
# forwarded SSH agent, so SSH_AUTH_SOCK must be preserved via env_keep in sudoers.

References🔗