Questions tagged [pam]

16 questions
4 votes, 1 answer

How were attackers able to login to the Apache Foundation's infrastructure over ssh with passwords? (2010)

SSH passwords should not have been enabled for login over the Internet. Although the Infrastructure Team had attempted to configure the sshd daemon to disable password-based logins, having UsePAM yes set meant that password-based logins were still…
Luc
2 votes, 0 answers

Is it possible to use Argon2id hashes with PAM?

I was wondering if it's possible to implement more secure KDFs like bcrypt, scrypt, pbkdf2 and argon2id in PAM authentication. Ideally I would like to have their hashes instead of SHA-512 ones directly in /etc/shadow, but we all know what Ulrich…
Polizi8
2 votes, 1 answer

Is Privileged Access Management secure without regular patch updates?

It is well known that Privileged Access Management (PAM) is a solution that helps organizations restrict privileged access within an existing Active Directory environment. Many big companies use it to address their privileged access. The issue is PAM…
Shahrul
2 votes, 0 answers

Combining passwords and PAM

I'm researching the ways to implement an authentication server capable of 2FA - I want to be able to validate a short password along with a TOTP (probably Google Authenticator). But I want to support some legacy applications which only have the…
symcbean
1 vote, 0 answers

Is "pam_ssh_agent_auth" more secure than passwords for sudo on a remote server?

I read about "pam_ssh_agent_auth" in combination with sudo, which can use an ssh agent to authenticate instead of using the user's password: https://manpages.ubuntu.com/manpages/jammy/en/man8/pam_ssh_agent_auth.8.html Is using a forwarded agent with…
student_at_work
1 vote, 1 answer

At-rest encryption. Use SFTP log-in credentials to unlock/decrypt encrypted drive or folder on an Ubuntu Linux server

I have a simple file server running on a small Ubuntu machine that facilitates file sharing and 2 way folder syncing between my and my girlfriend's 4 computers through SFTP over a private network. The setup works great for this purpose. I like how…
1 vote, 0 answers

linuxpam-pam unix-security-bypass

https://exchange.xforce.ibmcloud.com/vulnerabilities/31739 linuxpam-pamunix-security-bypass (31739) reported Jan 23, 2007 Linux-PAM could allow a remote attacker to bypass security restrictions, caused by a vulnerability in pam_unix.so when…
David
1 vote, 1 answer

Is it good or bad to use groups in the sudoers file instead of using aliases?

I have used user groups heavily while designing access control policies. I find user groups very convenient as it's very easy to implement with PAM. Another reason I have organized the users with various groups is to implement (minimal) RBAC. But…
arif
1 vote, 0 answers

Preventing Linux brute force concurrent su/sudo attempts

It's well known that popular Linux distros use the PAM default to slightly delay incorrect login attempts, thus mitigating brute-force attacks against a user account (for example, running su repeatedly with different password input). The PAM delay is…
tasket
1 vote, 0 answers

OpenVPN Invalid Logins lock with PAM

We are getting dinged on a federal audit because OpenVPN does not appear to support invalid login restrictions (i.e., only 3 before the account is locked). Has anyone else experienced this? We are leveraging local Linux accounts via PAM for the VPN…
thak
0 votes, 1 answer

Creating a password from 2 different parts

I'm looking for a term or some platform for managing password authentication in this way: the password is constructed from 2 parts; the first one is static and you can make it, and the second part is generated from a TOTP system. As an example: at 13:00 Jinx's password for…
0 votes, 1 answer

Does a solution exist to permit account sharing without revealing the account password?

I'm looking for a process to replace the status quo of notepad and Excel. We've tested a market-leading password manager. An issue that comes up with this is that the secure sharing password facility has some significant vulnerabilities. We want to…
Jay
0 votes, 3 answers

How good/bad are these transparent Linux consumer FDE setup options? (e.g. for auto-unlocking LUKS)

UPDATED Summary: I'm looking at Linux FDE options that are transparent to the user (my parents) in that the user doesn't need to enter 2 passwords. I found/thought of several options and tried to think through the security implications of each...…
zpangwin
0 votes, 1 answer

Server access for application owners

I am looking for the right practice to provide access to application owners. As of now they are part of the system admins group. Whoever is part of the group can log in to the servers at any time and do anything. Should a PAM solution with a shared ID with…
moorthyrv
0 votes, 3 answers

Service Account Best Practices

I am getting a presentation together for a topic I am not SUPER knowledgeable in. I am an admin within a nameless system, and of the opinion that a service account should be created for each individual integration (rather than sharing an…