Welcome back to Securing Linux Systems. This is the third course in the Linux Foundation specialization. In this module we want to think about how we can increase our Linux security by looking at how you administer access and authentication. By the time you're done with this module, I want you to be able to do several things. One is to utilize PAM to enforce strong passwords, and we'll drill into what that means. I want you to be able to describe PKI. You should be able to use Secure Shell, and lastly, you should be able to set up a virtual private network.

In lesson 1 we're going to drill into what are called pluggable authentication modules, PAM. Pluggable authentication modules provide centralized authentication services for Linux and for applications. The configuration files are located in the /etc/pam.d/ directory, one file per service, named after the program that uses it. Each record in a PAM configuration file has the following fields: the type, the control flag, the PAM module, and then any module options.

There are different types in PAM. Account types implement account validation services, for example enforcing time-of-day restrictions and determining whether the account has expired. Authentication (auth) types provide account authentication services, for example prompting for a password and verifying it; limiting incorrect password attempts is also handled in the auth stack. Password types manage changes to account passwords, for example enforcing a minimum password length or rejecting a password the user has used before. Lastly, session types provide session management at session start and session end, for example logging when the session began and ended, or mounting the account's home directory, those sorts of things.

We said there's a control flag in PAM, and there are several different ones. Include: this pulls in the records of the designated PAM configuration file, and their status codes are counted toward the final status.
Optional: the module's status code is added to the final status only conditionally. If this is the only record for that PAM service type, it counts; if not, its status code is ignored. Requisite: if the module returns a fail status code, a final fail status is immediately returned to the application without running the rest of the modules in the configuration file. Required: if the module returns a fail status code, a fail status will be returned to the application, but only after the rest of the modules in the configuration file have run. Substack forces the included configuration file's records of a particular type to act together as a single unit, returning a single status code to the main module stack. Lastly, sufficient: if the module returns a success status code and no preceding required module has failed, a final success status is immediately returned to the application without running the rest of the modules in the configuration file. If a sufficient module returns a fail status code, that is ignored.

PAM modules, there are several of them here. pam_unix.so; remember, .so is a shared library. This performs authentication using the account and password data stored in the /etc/passwd and /etc/shadow files. pam_pwhistory.so checks a user's newly entered password against a history database to prevent the user from reusing an old password. pam_pwquality.so can enforce rules for new passwords, for example a minimum password length. pam_tally2.so and pam_faillock.so implement account lockout; pam_tally2.so is the older of the two and has been removed from recent Linux-PAM releases, so on current systems you'll use pam_faillock.so. Lastly, pam_securetty.so restricts root logins to the terminals listed in /etc/securetty.

A little review here. PAM provides centralized authentication services for Linux and applications. PAM modules can enforce password rules. PAM modules can lock out accounts. PAM modules can do lots of additional things around authentication. I'll see you in the next lesson.
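To make the record format and the control-flag rules above concrete, here is an added example in Python. It is not part of the course and not code from Linux-PAM: it parses a small constructed /etc/pam.d-style file into type, control flag, module and options, then simulates how the auth and password stacks combine each module's result under the required, requisite, sufficient and optional rules. The sample configuration, the per-module outcomes, and the names parse_pam_config, evaluate_stack and module_options are all assumptions made for this illustration; the real decision is made inside libpam, not by this script.

```python
"""Added example (not from the course or Linux-PAM): parse /etc/pam.d-style
records and simulate how the control flags combine module results.
The sample config and outcomes below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Record:
    type: str             # account | auth | password | session
    control: str          # required | requisite | sufficient | optional
    module: str           # shared object, e.g. pam_unix.so
    args: list = field(default_factory=list)  # module options


def parse_pam_config(text):
    """Turn the lines of a /etc/pam.d/<service> file into Record objects.
    Comments, blank lines and a leading '-' on the type (suppress logging
    when the module is missing) are handled.  Bracketed [value=action ...]
    controls containing spaces are not supported by this simple parser."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM record: {raw!r}")
        records.append(Record(fields[0].lstrip("-"), fields[1], fields[2], fields[3:]))
    return records


# (success action, failure action) per simple control flag, mirroring the
# bracketed equivalents documented in pam.conf(5):
#   required   = [success=ok   new_authtok_reqd=ok ignore=ignore default=bad]
#   requisite  = [success=ok   new_authtok_reqd=ok ignore=ignore default=die]
#   sufficient = [success=done new_authtok_reqd=done default=ignore]
#   optional   = [success=ok   new_authtok_reqd=ok default=ignore]
ACTIONS = {
    "required":   ("ok", "bad"),
    "requisite":  ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok", "ignore"),
}


def evaluate_stack(records, mtype, results):
    """Simulate one stack (all records of `mtype`) given each module's outcome
    in `results` (module name -> True for success, False for failure).
    Returns (final_success, modules_actually_run).
    impression: None = nothing decided yet, True = positive, False = negative."""
    impression = None
    ran = []
    for rec in (r for r in records if r.type == mtype):
        if rec.control not in ACTIONS:
            raise NotImplementedError(f"control {rec.control!r} is not modelled")
        ran.append(rec.module)
        action = ACTIONS[rec.control][0 if results[rec.module] else 1]
        if action == "ok":          # success counts unless a required module already failed
            if impression is None:
                impression = True
        elif action == "bad":       # remember the failure but keep running the stack
            impression = False
        elif action == "die":       # remember the failure and stop immediately
            impression = False
            break
        elif action == "done":      # sufficient succeeded: stop unless a required module failed
            if impression is None:
                impression = True
            if impression:
                break
        # "ignore": this result does not influence the outcome
    # A stack that never formed an impression is treated as a denial.
    return impression is True, ran


def module_options(records, mtype, module):
    """Options of the first `mtype` record for `module` as a dict:
    'key=value' becomes key -> value, a bare flag becomes flag -> True."""
    for rec in records:
        if rec.type == mtype and rec.module == module:
            opts = {}
            for arg in rec.args:
                key, sep, value = arg.partition("=")
                opts[key] = value if sep else True
            return opts
    return None


SAMPLE_CONFIG = """\
# constructed sample, loosely modelled on a distribution system-auth file
auth      required    pam_env.so
auth      requisite   pam_faillock.so preauth silent deny=5 unlock_time=900
auth      sufficient  pam_unix.so try_first_pass
auth      required    pam_deny.so
password  requisite   pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1
password  required    pam_pwhistory.so remember=5 use_authtok
password  sufficient  pam_unix.so sha512 shadow use_authtok
password  required    pam_deny.so
"""

RECORDS = parse_pam_config(SAMPLE_CONFIG)

# Constructed outcomes for three login attempts (pam_deny.so always fails).
GOOD_LOGIN = {"pam_env.so": True, "pam_faillock.so": True, "pam_unix.so": True, "pam_deny.so": False}
LOCKED_OUT = {**GOOD_LOGIN, "pam_faillock.so": False}     # lockout threshold already reached
BAD_PASSWORD = {**GOOD_LOGIN, "pam_unix.so": False}
# A password change that passes pwquality but reuses a remembered password.
REUSED_PASSWORD = {"pam_pwquality.so": True, "pam_pwhistory.so": False,
                   "pam_unix.so": True, "pam_deny.so": False}

if __name__ == "__main__":
    for name, outcome in (("good login", GOOD_LOGIN), ("locked out", LOCKED_OUT),
                          ("bad password", BAD_PASSWORD)):
        print(name, evaluate_stack(RECORDS, "auth", outcome))
    print("reused password", evaluate_stack(RECORDS, "password", REUSED_PASSWORD))
    print("pwquality options", module_options(RECORDS, "password", "pam_pwquality.so"))
```

Run it and compare the three auth scenarios: a locked-out account stops at the requisite pam_faillock.so record and pam_unix.so never runs, so no password is even checked; a wrong password makes the sufficient pam_unix.so failure get ignored and the stack falls through to pam_deny.so. In the password stack the required pam_pwhistory.so failure does not stop evaluation, so pam_unix.so and pam_deny.so still run and the change is still rejected. Include, substack and bracketed controls are deliberately left out of the simulation.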