Linux PAM Administration | Imran Afzal | Skillshare


Lessons in This Class

14 Lessons (1h 52m)
    • 1. 1 Linux PAM Administration Intro
    • 2. 2 Linux PAM Administration Course overview
    • 3. 1 Download and Install VirtualBox
    • 4. 2 Creating First Virtual Machine
    • 5. 3 Linux Installation
    • 6. 4 Linux CentOS8 Installation
    • 7. 1 What is PAM
    • 8. 2 The Importance of PAM
    • 9. 3 The PAM File Configuration Format
    • 10. 4 The PAM File Configuration Module Interface
    • 11. 5 Account Access Through PAM
    • 12. 6 The PAM Configuration File – Control Flags
    • 13. 7 The PAM Configuration File – Modules (SO)
    • 14. 8 PAM Aware Services and Stacks


About This Class

You will rarely find any course out there that will cover PAM security configuration in Linux. This course will introduce PAM (Pluggable Authentication Modules) in Linux. We will go over the background and inner workings of PAM and then also show examples on a live system of how to configure PAM. Students will be able to understand why PAM is important and how to configure it.


What will I learn? 

  • Account access through PAM 
  • PAM aware services 
  • Control flags 
  • Modules 
  • Module’s interface 
  • PAM file configuration etc. 


Who is the target audience? 

  • Linux administrators and beginners 
  • Anyone interested in learning about security in Linux servers 

Meet Your Teacher


Imran Afzal

Systems Manager / Instructor




Hello, I'm Imran Afzal and here is my education and experience:



About Me:

Imran Afzal



Bachelors in Computer Information Systems (Baruch College, City University of New York)

Master of Business Administration (New York Institute of Technology)



- Over 20 Years of IT Infrastructure experience

- 7 years of training experience in Linux, VMWare, Windows and many other IT technologies

- 5 years of IT Infrastructure management experience



- Linux Systems Management (New York University, NY)

- UNIX Operating Systems

- Linux System Administration and System Internals...


1. 1 Linux PAM Administration Intro: Hello everyone. It's so good to see you here. Welcome to my course, Linux PAM Administration. PAM stands for Pluggable Authentication Module. And this is one of the security features in Linux that allows you to control access of users and many other security features. Also, if you wanted to set the password policy for a user, this is the right place to go to. And I'm telling you once you complete this course, you're going to learn so many things about PAM. And it's going to be so easier for you to actually learn and understand that you have actually never, ever learned before. My name is Imran Afzal, and I've been in IT since 2000. I have been teaching thousands and thousands of students worldwide. I have helped so many of my students getting a job of their dream. When I teach, I make sure you understand every single concept of that topic. I actually graduated from Baruch College, City University of New York, and my concentration was Computer Information Systems. I did my master's in business administration from New York Institute of Technology. I have worked for Fortune 500 companies in New York City. So all I'm telling you, once you're going to take my course, at the end of the course, you're going to learn everything you need to know about that specific topic. So what are you waiting for? Let's go ahead and enroll.

2. 2 Linux PAM Administration Course overview: Hello everyone and welcome to the course overview. This is the course overview for Linux PAM Administration. PAM stands for Pluggable Authentication Module. Just give me a couple of minutes and I want you to come with me and spend these two minutes to understand what exactly we are going to cover in this entire course. Section one is about the introduction and course overview. And excuse me, as you know, we have already covered introduction about myself, my background.
Quick introduction of this course, then the course overview which we are going through right now. And you will have the option to download this syllabus at the end. Section two is all about lab setup. So if you already have a Linux virtual machine running in your environment, then it's good. You could go ahead and skip this section. If not, you could go ahead and follow it. First, we'll start with download and install Oracle VirtualBox. Oracle VirtualBox is a software that allows you to have multiple operating systems on a single hardware or a host. Then we'll go ahead and create our first virtual machine, and then we'll do the installation of Linux. In this installation, I am going with the installation of CentOS. You could pick a different flavor as well, but I would recommend that you stick with CentOS. Moving on to section 3, which is the main section of this entire course, the PAM administration. And let's see what we're covering one by one. The first thing is we'll talk about what exactly PAM is. Then the importance of PAM, PAM file configuration format. We'll talk about PAM module interfaces. We'll see how you could access the accounts through PAM. And then we'll get into PAM control flags, PAM modules (SO) and PAM-aware services and stacks. These are the things we have to go through. And as I said before, PAM is a very complicated subject and I have tried my best to go through it and make you understand. I'm sure it will help you a lot. Last thing I want you to do is of course, do your homework, go through with me on each lecture, and then also review the handouts that I have attached with the course. Good luck. I'll see you in the next lecture.

3. 1 Download and Install VirtualBox: In this lecture, we are going to cover the Oracle VirtualBox. We will go through the download and installation of VirtualBox.
Now, as I said previously, the Oracle VirtualBox is, it is a virtual environment which allows you to run multiple operating systems on the same hardware. There are other virtual platforms available out there that you could use. You don't have to go with VirtualBox if you don't like it, you could use VMware Player, VMware Workstation as well as other open source virtual environments. But anyway, I would prefer if you stick with Oracle VirtualBox. So this way we could go through the course together. Alright, so we'll go open up my Firefox browser, so I could download the VirtualBox software. Use any browser you like. Then I'm going to the Google page. And in the Google page I'm searching for Oracle VirtualBox. When you click on it, you're going to see the first link as Oracle VM VirtualBox. So you can click on it and then go to download. Or you could go straight to the download page. On the download page you're going to see the section where it says VirtualBox version platform packages. Now depending on when you are downloading this VirtualBox, the version will be higher, maybe 12 or whichever the version at that time you're downloading. It doesn't matter. Don't be confused that the one I am showing you is 6.0 and the one you're seeing is a different version. Basically what we want in the end is a virtual platform that we could run our guest instances or guest operating system on. Anyway, if you are using Windows as your main host where you will run the Linux CentOS as a VM, then pick Windows host. If you are using OS X host, meaning if you are using Apple, then you could use this one. For Linux, for Solaris, for other operating systems, you could pick depending on the requirement of your actual operating system. Go ahead and click on Windows host. Because I am running Windows host and that's where I'm going to run my VirtualBox.
Now here it is, asking me to save the file and you can click, but I'm not going to click Save File because I have already saved it to save some time. So if you have not saved it previously, go ahead and click on this. And it will ask you the location to save it. So I'm going to cancel it since, as I said, I have already saved it. I have my VirtualBox executable saved on my desktop. And here is the executable. All I have to do is go ahead and double-click so it could start the installation. Once you double-click on it, it will ask you, do you want to run this file? Click on Run. Now the wizard has started. It says Welcome to the Oracle VM VirtualBox 6.0.14 Setup Wizard. This Setup Wizard will install Oracle VM VirtualBox on your computer. Click Next to continue or Cancel to exit the Setup Wizard. Go ahead and click Next. Select the way you want features to be installed. So by default, VirtualBox application has been selected and the other features that come with it, I'm going to leave everything default. And it also tells you the version installing the feature requires 227 megabyte that you should have on your disk. So go ahead and click Next. Please choose from the options below. Create Start menu entries. Create a shortcut on the desktop. Create a shortcut in the Quick Launch Bar. Register file associations. I like them all, leave them default, except I don't like create a shortcut in Quick Launch Bar. So I'm going to uncheck it. Again, that's my preference. You can leave all of them selected. Click Next. Now, Warning: Network Interfaces. Installing the Oracle VM VirtualBox networking feature will reset your network connection and temporarily disconnect you from the network. Proceed with the installation. So that's fine. So make sure you are not connected to the Internet or if you are, make sure you're not doing any type of work that you will lose. So go ahead and click Yes. And click Install to begin the installation. Installed.
I am going to fast forward at this part because I don't want you to wait, I don't want to waste your time. So I'm going to just simplify it, fast forward. Okay, so the Oracle VM VirtualBox installation is complete. You can leave the checkmarks will start a backup. Backup, and you can click on Finish. Congratulations, you have completed the download and installation of Oracle VirtualBox. Now the next step is to create a test virtual machine. And then of course, we will go ahead and do the actual operating system install on that virtual machine.

4. 2 Creating First Virtual Machine: Hello everyone. In this lecture we are going to create a virtual machine on our VirtualBox, the VirtualBox application that we have downloaded in the previous lecture. And now I'm going to show you how you could create a virtual machine. So I'm going to start up the VirtualBox. This is what I have open already. And the version that I'm using for the VirtualBox is, when you go to Help and click on About VirtualBox, VirtualBox 6.0. If you're using a little later version or updated version, that is perfectly fine, every version would just work fine. Now, as an example, as a test, we are going to create a new virtual machine. So I want you to go ahead and click on New. And here I want you to type for example, my Linux VM. So now as you type this, it's going to tell you where it's going to save the information of the Linux machine. So it picked up this location by default. Next one it says the type. The type is Linux, of course, because I have typed the name, it automatically picked it up that it's, it's assuming this is a Linux machine and the version is Linux 2.6 / 3.x / 4.x or whichever version, and it says 64 bit. Now, if your computer right now or your virtual machine settings are showing 32 bit, which is this, and you do have a 64 bit operating system, then what you need to do is you need to enable virtualization technology in your BIOS settings.
So again, if it is showing 32 bit, then the first thing you need to confirm is that your computer where you are running this VirtualBox actually is 64. So I could confirm by going into my computer. I could go into my computer right here, right-click on it. Go to Properties. And in my computer properties you're going to see that I have a system type as 64 bit operating system. So if this is your system type showing right now 64 bit operating system and you are still seeing this version showing up as 32-bit, then it means that you have to go into your computer BIOS settings to enable virtualization, and how to do that, I have included an article in this lecture and the description that will make you go through how you can enable that anyway. So once you have it enabled, go ahead and reboot your machine and it will show up as 64 bit. Now the next thing is you need to define the memory. Memory is the memory of your virtual machine. It's just like if you are going to a store, let's say if you're going to Best Buy or any computer store, and you pick up the laptop or computers and you ask how much memory it has. This is the exact same way that you are doing it, but the difference is that now you are the manufacturer. You are the one who is putting the memory inside of your computer. By default, I'm going to leave it as 1024 megabyte, which is one gig. The next part is hard disk. Create a virtual hard disk. Now, leave that as default and click on Create. Then it says the file size here is eight gig. By default it's picking it up. I want you to pick 10 gig just to make sure we have enough space when we are going through all the exercises of our training. All right, so then hard disk file type is VDI, VirtualBox Disk Image, which is by default, is the right file type. So leave that as is. Storage on physical hard disk: dynamically allocated. Leave that as default as well. If you need to know more about it, what's the difference between each one of them?
I'm sure you could go and click on Guided Mode or you could also look it up online on the difference of each of these hard disk types. Go ahead and click Create. And now you're gonna see right here, it's going to show you my Linux VM and its configuration or specification of that VM. The job information showing up here, the system information is up here, the display, storage or your network or USB, shared folders, all that. It is just like as if you have an actual machine. So anyway, you have created your virtual machine. This is the lecture I wanted to go through, how you could create a virtual machine. When I am going to go through the next lecture where we will do the actual CentOS or Linux installation, then I will ask you to create the virtual machine again. So for this lab purposes, just go ahead, click on the machine, then right-click and click on Remove. And then click on Delete all files. Beautiful. All right, so that was just an exercise. Let's move on.

5. 3 Linux Installation: Hello everyone. Let's get into the fun part where you will do the Linux download and installation. And for the installation, what I have picked is the CentOS operating system. CentOS operating system is just like the Red Hat operating system and it's free. And I will definitely recommend you using CentOS for this course because a lot of companies out there, they use Red Hat for the corporate environment. Now for the version part I am using CentOS 7. There's also a version 8 that is out there already. If you want to use version 8, you can. That is perfectly fine because my course follows both 7 and 8. But my recommendation is that you stick with seven because a lot of companies, I would say 95 to 99 percent of them, are still using older versions like 5, 6, 7. So it will take them at least 3, 4 years to get onto eight. So if you're in the job market or you want to get into the market, I would recommend that you stick to seven.
Now for those who want to go with Red Hat 8 or CentOS 8, perfectly fine. You could skip this lecture and go to the very next lecture which has CentOS 8 instructions for download and installation. All right, without further ado, let me get into the download part. For the download, what you have to do, you have to go into your browser, whichever browser you like, go to Google or any search engine and type CentOS download ISO. Now by default it will give you the first page which will have the link to CentOS 8. We don't want eight, again, we want 7. So let's go back and I want you to type specifically CentOS 7 download ISO, and go to the second link which says index of CentOS 7. Click on that. Now click on x86_64. Now again, every image, if you click on it, you're probably going to get different links, the mirrors. You could pick any one that gives you CentOS 7. It doesn't really matter. I'll go to the second one and I click on the 64-bit. Your architecture has to be 64-bit. If you're 32, search for 32-bit, then click on any mirror that you like and it will start the download. So you go into this ISO, CentOS 7 x86 1908, doesn't matter which version or which build it has. Maybe you have a later one, maybe you have an older one. It doesn't really matter. What matters is it's CentOS 7. So go ahead and click on ISO and Save. I will not save it because I have already saved it earlier. To save time, save your time and save my time. So I'm gonna go ahead and cancel. So anyway, in your case, once you click on Okay, it will start downloading and it will show up here, if you're using Firefox. Once the download is completed, then you need to go to your Oracle VM VirtualBox. Now if you do not have VirtualBox that is the latest version, this one, the one I have is 6.0. If you do not have 6.0, I recommend that you upgrade it to the new version. So now I will go ahead and create a new virtual machine. I'll click on New.
And the name that I will pick is my first Linux VM. That's just the name of this virtual machine on the VirtualBox. You could pick any name, but if you wanted to go along with me, pick that name. By default you see it is picking up Linux type because I typed in the name as Linux. And the version it's giving is Linux 2.6 / 3.x / 4.x (64-bit). If you do not see 64 here, you see 32-bit, then you need to change your BIOS configuration. When you start up your own laptop or PC, you have to go to your BIOS settings and enable virtualization. If you need instructions, I have included instructions. I have given the link to an article which will walk you through one-by-one how you could enable that virtualization in your BIOS. So anyway, if it is showing 64-bit, perfect. Go ahead and click Next. The memory size is one gig, 1024 megabyte, which equates to one gigabyte. That's good to leave as default. Next, create a virtual hard disk. By default, it's telling me the recommended size is eight gig. You could leave eight gig or you could change it. We will change it in the next one, in the next slide. So create a virtual disk, click Create. VDI, which is the default one. Leave the default, click Next. Dynamically allocated, yes, leave the default, click Next. And now the size by default is set. It's clear that gave you eight. But for this lab, I want you to type 10 and click on Create. Now, our virtual machine is created, as you can see, it's right here saying my first Linux VM. So let me go back in here, and this way I have a clear background. All right, so now what you need to do is once your VM is created, go ahead and click on Start. All right, so once you start it, by default it will ask you, I do not have any operating system, of course, this is just the empty shell or empty virtual machine. Now I need to attach an ISO image to it, and that ISO image is the same ISO image that we downloaded earlier. That is the CentOS 7 ISO image.
So go ahead and click on this little folder. And now it will ask you where is your ISO image located? My ISO image is located in my personal folder and in my ISO, and what I have right here is CentOS 7. So go ahead and select that and now click on Start. Okay, and on this page by default, it will come on this option which says Test this media and install CentOS. I do not want to test. Sometimes this option is good if you are installing with the actual CD-ROM, the physical one, the CD, because sometimes it has scratches and it could impact your installation. So that's why you should always test that media before you do the installation. But since we did the ISO image download, and I am very hopeful and I'm sure that the installation, or sorry, the download was not corrupted. So I'm going to use my up and down arrow key and I'm going to select the first one which says Install CentOS 7, and I'm going to hit Enter. Now what it's going to do is it's going to read the content of the ISO. It will copy the content of the ISO, the ones that it needs to start the installation, it will bring it into the memory. And then it will start an installation wizard that's called Anaconda. That's just a name of the wizard that CentOS uses. And it will start and it will help us going through the install process from one step to another. All right, so right here you're going to see it says the virtual machine reports that the guest OS supports mouse pointer integration. This means that you do not need to capture the mouse pointer. That is fine. You could go ahead and cancel that. By the way, if your mouse is stuck inside of this window, you could use the right Ctrl. You see right here, this little thing says the Right Control key. This is a control key on your keypad, and that is on your right-hand side. So once you press that key, then it will release your mouse. But if your mouse is really going outside, perfect. Anyway, let's get into it. Now.
What language would you like to use during the installation process? I am in United States and of course an English speaker. So I'm gonna go ahead and pick English and the English for the United States. If you are in a different country, depending on your preferred language, you could go ahead and select the desired language. Now go ahead and click on Continue. In the next page it says Installation Summary. And this US is basically the keyboard that has been selected. You don't need to click on that. The first thing you need to click is Date and Time. So date and time is by default, for me, it is already selected. My US time. I am in New York, it's already, it actually recognized that, so I'm going to leave that as default. And I'm going to click on Done. Then it's going to say Language Support. And as I said previously, I selected English and for the English United States, go ahead and click Done. If you wanted to change it, you could change it here as well. By default, it picks up my keyboard as United States English keyboard. If you are again in a different country, you could pick according to your requirement. Now comes the next part. Let's scroll down on the right-hand side by grabbing the scroll bar. And then it says the next one is Software, Installation Source, which is local media, which is our ISO image that is attached to this VirtualBox. So you can leave that as is. Software Selection is set as Minimal Install. When you pick Minimal Install, it will not install the GUI. It will only install the text way or command line on your operating system. But for this lab, I want you to go ahead and click on it. And I want you to select Server with GUI. This way you have the server with the graphical user interface. And you will see certain things that you could add or remove using the GUI. But again, I would say about 80% of the corporate environment do not use GUIs. They always use a command line interface because GUI takes a lot of resources.
It also makes your system a little vulnerable to security threats. So if you are in a production or corporate environment, check with your company policy and then you should select the software selection. Also, if you are building a server for different purposes, you're going to see that the server has a lot of add-ons that you could do. So when you go to Minimal Install, you're gonna see it has security tools, smart card support, system administration tools, and when you go to Compute Node, it has all the other add-ons, selected tools and software that are available to you. Again, it depends on what kind of application you will run on this operating system. Based on that, you could select any tools or any add-ons, tools or applications that you want. Similarly, when you go to Infrastructure Server, you probably heard of many of the servers like FTP server, NFS server, DNS server, all that stuff. If you wanted to have them installed, you could actually select them here. So it will install that package. But anyway, if you do not select any package right now at this point, and you remember later on that you need to install, not to worry about, you could just simply the yum install command, which we will cover later in other lectures where I will show you how you could install the selected add-on packages. Again, File and Print Server will give you different options, Basic Web Server. I do want you to go through them one by one. I don't want you to select any of them. But again, if you want to select, that's perfectly fine. But I just want you to get familiar with what are the options that are available on this menu. But for this lab purposes, for this training, I just want you to select this Server with GUI. And now I want you to go ahead and click Done. Now it's actually checking the software from the ISO. It is basically, the software selection is going to the ISO and asking, hey ISO, I've been asked to select Server with GUI.
Do you have the required package? So that's what it's kind of like, going back and forth and checking. So anyway, while it's checking we'll go into the next one where it says System and it says Installation Destination. By the way, it's finished and it worked. It came back and says, yes, I do. The next one is Installation Destination, meaning where do you want to install this operating system? Which disk? You remember we picked ten gig of disk. So we'll go ahead and select this one. And by default, it has already selected ten gig. Then it has a checkmark on it and Other Storage Options. It says Partitioning. It says Automatically configure partitioning. So we are not going to partition it ourselves, we will let Linux pick the partitions on its own, which is a default partition for the 10 gig disk. And now we go ahead and click on Done. Now Installation Destination is done. Kdump is when something goes wrong with your system and it crashes, it has to log something about why it crashes. And that kind of kernel dump is when, if you have it enabled, then it will actually spit out all the information to a log file. So it will spit out logs only when you have it enabled. Okay? So Network and Host Name. So that's where we need to define the network and the host name of the operating system. So you go ahead and click on it. And the host name, right here you see the host name localhost.localdomain. I want you to highlight the entire entry and type in my first Linux VM, and click on Apply. As soon as you click on Apply, you see right here it says current host name, which is localhost, which it had before. So once you click on Apply, it will change it right here, my first Linux VM. So you probably notice that I put in uppercase the first letters, and it changed it to lowercase.
Because remember, Linux is a case sensitive operating system, meaning it matters if you put it in uppercase and lowercase, but it prefers that you always use lowercase letters. All right, so now let's go into the network. It is Ethernet, enp0s3. Right now this is the network port that is assigned on your VirtualBox. So right now you see it has a hardware address, which is a MAC address. It has a speed of one gig and a subnet mask, by default, it is picking up its local IP. So what we need to do is we need to click on Configure because you see right now it's turned off. Let's go ahead and click on Configure. And the only thing I want you to pick and configure is, go to General and click on Automatically connect to this network when it is available. Now what this does is it actually starts your network or picks up an IP whenever your computer or your operating system restarts. So go ahead and click on Save. And you're gonna see right away it picked up. And by the way, this is going to be a Wi-Fi network adapter that is given to you by your VirtualBox. So now go ahead and click on Done. All right, the last part is Security Policy. So we do not have any security profile, but if you are doing this installation for your company, check with your company and check with your security folks, see if they have any security that they use or any template, then you can attach it here, which will apply all the security settings. But anyway, this is a lab and this is something we're going to be learning later on. So now I want you to go ahead and click on Begin Installation. All right, in this next page, you're going to get two options while it's going to run the reconfiguration or pre-installation checks and stuff. It's asking us to create a root password. So go ahead and click on Root Password. By default root is a system administrative password in Linux. So I want you to pick a root password.
I picked a weak password, so it's saying this yellow thing at the bottom, it says the password that you have provided is weak. The password fails the dictionary check. It is based on a dictionary word. You will have to press Done twice to confirm. So if your password is weak right now as what I have, my password is weak, so you have to select Done, and another time, you have to click Done twice. Second option is your User Creation. I want you to go ahead and click on User Creation. And this is a regular user, not a root or not administrative user. So I am going to create my account. I'm going to pick my name, Imran Afzal, and the username by default, it'll pick my first initial followed by the last name, and the password. Leave the other settings as default. Again, my password is weak, so now I have to select Done twice, one, two. All right, so now you notice right here it's saying installing gnome-user-docs and installing this and that. These are all the packages that it needs to install to complete my installation. And the total packages it needs to install is 1353. And so far it has installed 58. Now, this whole process could take anywhere from 10 minutes to half an hour or 45 minutes, depending on the speed of your computer where you are running this VirtualBox. What I will do is from this point on, I'm going to fast-forward this entire installation. So if you are sitting now, I will ask you to go ahead and take a break, take a coffee break, or get something to eat. And once it's done, we'll start right from there. So I'm going to fast forward right away and see you on the other side. All right. Congratulations. The installation has been completed. As you can see at the bottom right here, CentOS is now successfully installed and ready for you to use, go ahead and reboot to start using it. And also a little message at the bottom, it says use of this product is subject to the license agreement found at this location.
But anyway, you will get the license confirmation that you can read through and accept next, once it reboots. So go ahead and click on Reboot. Okay, if this message appears, you can go ahead and close this. Since your operating system is starting the first time, it could take a little while for it to start back again, but that's fine, perfectly fine. Now, the licensing part. I want you to go ahead and click on Licensing Information. It says license not accepted. Go ahead and click on it. And right here, read through it and click "I accept the license agreement" and click Done. Network and host name: we already configured that earlier so you don't need to configure it again. Now click on Finish Configuration. Now it is going to start the GUI, the CentOS operating system GUI. Alright, perfect. So now you see it has, on the top, it shows you the time, some network information, speaker. You can power it off from here, just like you see in a Windows environment. Now go ahead and click on your name because this is the account that you created. I hope you did not pick Imran Afzal. Because I hope you picked your own name while you were going through the installation. So anyway, go ahead and click on it and I'll provide the password. And once you provide the password, click Sign In, and it will log you in. But going back again, if you wanted to log in as root, then you could click on simply "Not listed" and put in the username as root and put in the password. But anyway, I wanted to log in as myself. I'll put my password in and I'll hit Enter. Okay, now we have this desktop-looking type of environment that has two icons on it. One is my home folder, one is the trash can. They're pretty big. I usually keep them smaller, so you could go ahead and right-click on it. And you could do Resize Icon. And then you could drag and make it smaller, just like that: right-click, Resize Icon, and drag and make it smaller.
You can also move them around up and down, left and right. So this is your desktop environment now if you wanted to start your terminal. Now by the way, if you are doing this for the first time, this is the first welcome screen after the installation; you could just leave it as Welcome. And it's going to say English is for the United States. I have that selected. I'm going to click Next. Typing: it's already selected for me, English. If you want to change that now, you could change it as well. I'll click Next. Location services: I like to keep it disabled. So click on Off and Next. Connect to your online accounts: I don't like that. I want to keep my Linux machine private and secure, so I'll click Skip. And I wanted to click next, is Start Using CentOS Linux. Once I click on that, it will bring me back to my desktop. On the desktop, as I was explaining earlier, you could right-click and click on Open Terminal. By the way, this help, the Getting Started GNOME Help, opened up again. I don't need that. So what I'm gonna do is I'm going to close that. Again, these windows are popping up because I am using this operating system for the very first time. So I could go ahead and close that and we'll start the terminal back again. So anyway, that's how you can close that window. Anything that shows up like "software updates available", you don't have to get it now; you can click on Not Now. And this is the terminal that you wanted to see, and this is your command line terminal where you could run all the commands. And that's where this is our platform, where we will learn everything about Linux. So you're ready? Let's go.

6. 4 Linux CentOS8 Installation:

Hello folks, this is where we're going to do the CentOS installation, version 8. Now as I said earlier, if you do not want to go through with CentOS 7 and you wanted to go with CentOS 8, perfectly fine; this entire training or this entire course covers both 7 and 8, new feature, old feature, everything.
And if you, again, if you want, if you prefer, you want to go with 8, let's go ahead and do it now. The first thing first, we need to have the CentOS 8 ISO downloaded on our computer. We could attach it to our virtual machine and then we could do the installation. So I will go ahead and open up my Firefox, and I already have my Google open, and I will type "CentOS download ISO". The very first link, again, it will take me to the latest version of CentOS. So the first one I'll pick is CentOS Linux DVD ISO. And it will take me to all the mirrors that actually have the CentOS version. And I could pick the first one or second one, it doesn't really matter. I would prefer you go with the first one. If it doesn't work, then you go to the second one. Anyway, I pick the first, and now it is asking me to save that file. Now, I have already saved the file previously to save some time. So that is why I'm going to cancel. But if you have not saved it, I would like you to go ahead and click on OK, and it will actually save it to your default location of your downloads. I'll go ahead and cancel at this point. And now once it's downloaded, I want you to go to your Oracle VirtualBox. And one important thing is if you are downloading and installing CentOS 8, please make sure you have Oracle VirtualBox 6 and above. This is the one that is mostly compatible with CentOS 8. If you do not have 6.0, you could go into File and click on Check for Updates. And it will take you to the right link where you could actually upgrade your Oracle VirtualBox. Anyway. Now we are doing CentOS 8. I want you to go ahead and click on Add New and type in CentOS or Linux, CentOS 8, or any name you decide; the name is not important. Anything that you could remember or you could relate to. And by default, it will pick type Linux and the version Red Hat 64. You could pick 64 Red Hat, or you could actually pick the one that you picked. Or if it shows up as Other 64, it doesn't really matter.
So I will leave it as default, that it picked Red Hat 64, and click on Next. The memory, one gig, leave that default. The storage: create a virtual disk, click on Create, leave the default VDI, default dynamically allocated, and now the size of the disk, I will recommend that you pick 20 gig. Go ahead and click Create. And now it has created your Linux CentOS 8. Go ahead and click on power on. Once the window opens up, it will ask you to check where your ISO image file is located. My ISO image file is in a location. When you click on this little folder, click on that. And if you have your ISO image file downloaded on your desktop, then you go to your desktop or wherever the location is. My location is my personal folder, in the ISO folder. And here is the ISO image for me, CentOS 8. Click on Open, and now go ahead and click on Start. Okay, so this is the page where it gives you two options. The first option it gives you is Install CentOS Linux 8.0. Second option is Test this media and install CentOS Linux 8. Now, if you have the physical disk attached to your virtual machine or your physical machine, then it's always a good idea to test the media because many times that physical media has scratches on it. So it will create problems during the installation. But since we have downloaded the ISO, then it's best, and it's perfectly fine, if you pick the first option. So you go ahead and hit the up arrow key. And we'll highlight Install CentOS Linux, the very first option. Go ahead and hit Enter. If you see this message on top: you have the Auto capture keyboard option turned on and this will cause the virtual machine to automatically capture the keyboard. That is perfectly fine. You could close it. Basically, what it's saying is if your mouse is stuck inside of this window, it is because we have certain features enabled; you could get out of this window by clicking the Control key, the right Control key on your keyboard.
So I will just simply go ahead and ignore these messages by clicking close. Now basically what this is doing right now is, it is actually copying some of the information from the ISO image that we have attached. It is taking that and copying it into its memory. And the memory will actually see, hey, give me the installer that will allow me to go through the installation wizard to do my CentOS 8 installation successfully. So I'm just going to have to wait for it to start that GUI, that installer. And once we have that, then we go through the installation. By the way, you could also do the command line installation. So on the very first page, you could have done that modification as well. But if you're doing it for the first time, I will definitely recommend you go through the GUI installation. So as you see, it's showing "starting installer". So give it a minute or less than a minute. I'm very hopeful. All right, on this screen you will get the Welcome to CentOS Linux 8.0, or the build could be 1905 or whatever. What matters is version 8. What language would you like to use? We'll pick English, and I'm in the United States, so I'm going to pick English, United States, and click on Continue. On the second screen, you're going to see Installation Summary, CentOS Linux 8. The keyboard is US. You can leave that as is. You don't need to click or change that, the localization and the keyboard. It is automatically testing and it notices that we are in the United States. So it's going to pick the keyboard as English (US). Next one is language support. It's United States and English. The time, again, it's America, New York. If you are in a different region, then it should pick up that region. If not, you will click on it and you could select the desired region. Next one is under the software selection. You're gonna see installation source, which is our ISO image. So that shows up as local media.
Second one is software selection, Server with GUI. By default, it's going to give you Server with GUI. You could go ahead and select this option. And you're gonna see the base environment on the left-hand side; these are the base environments. On the right-hand side are the add-ons for the selected environment. Every base environment has all these add-ons. So if you go to, for example, Server, you're gonna see these different servers that you can run, or these different applications that you can run on your server. You probably heard of FTP, NFS, DNS, all the services that actually run on Linux or on a server. You could pick based on your requirement. Or if you're doing it in production, you could pick depending on your application team's requirement. Again, Minimal Install, meaning when you pick this one, it will not install the GUI. But with that minimal install, you can also pick some of the tools that you think are appropriate to do your troubleshooting or system tools configuration. Workstation: this workstation is a user-friendly desktop system for laptops or PCs. Custom Operating System, Virtualization Host. I actually want you to go through each one of them, go through each and every add-on package, and just make sure you understand and make yourself aware what packages or add-ons we have available. But for this training, I want you to simply select Server with GUI, which was previously selected as the default. And go ahead and click Done. Okay, once that is done, you're going to notice that it's checking with this ISO image. Hey, I need Server with GUI. Do you have all the required packages? And the local media, which is the ISO image, says, okay, let me check. And it goes back and looks through the packages and says yes, I do. That's why you see both of them now in the black font. The next one we have right here is Installation Destination, meaning where do you want to install your operating system? Which disk do you want to install it on?
And you remember when we were configuring the virtual machine, we carved out 20 gig, and by default it has that 20 gig selected, as you can see right here. In the storage configuration, I'm going to leave it as Automatic, which means I am going to let Linux decide how it wants to partition this 20 gig. If I click on Custom, then I would have to specify, meaning: I want you to give five gig to /home. I want you to give like five gig to /var. I want you to give the remaining to root. That comes into Custom. So this is the very beginning. I don't want you to get into this because it requires some extra skills. If you are doing the installation for the first time, then my suggestion is leave it as Automatic and go ahead and click on Done. Okay, the next option under System is KDUMP. Kdump stands for kernel dump. If something goes wrong with your system, something crashes, and if you have that kdump enabled, then it will log all the errors and those messages. So you could go back and review what caused the server to crash. So I'm going to leave that as enabled, which is selected by default. Next one is Network and Host Name. You click on it and let's change the host name. Right now it shows up as localhost.localdomain, which shows on the right-hand side as current host name: localhost. Let's go ahead and change it to Linux CentOS 8, and click on Apply. Again, you could pick any host name that you like, and then you could apply it and it will show up on the right-hand side. This one shows our networking; right now it's disconnected because it's turned off. Here's the hardware address, which is the MAC address. Here is the speed, which is one gig. Go ahead and click on Configure.
And on this screen I want you to go to the General tab and checkmark "Automatically connect to this network when it is available". It means every time your computer, your operating system, reboots, it's actually going to connect to the network automatically so you don't have to enable it or start the network again. Click Save. And now you're gonna see it has some more information like IP address, default route, DNS. So go ahead and now I want you to click on Done. So host name and network is done. Security policy: if your company has some security policy, or if you are installing CentOS 7 or 8 in your production environment, consult with your security folks, find out if there is any security policy that you need to apply. But I would say nine out of 10 times, this option is not usually selected, so leave that out and click on Begin Installation. All right, while it's starting the configuration or doing the pre-check of the installation, it's going to ask you for user settings; it's going to ask you for a password. You need to set the root password and you need to define at least a user. Let's go ahead and click on Root Password first. I'm going to specify a root password based on my choice. It is weak. I understand. I do not recommend you guys pick a weak password; pick a strong password. But since for me this is a lab, I'm going to just leave it as is. And by default, Linux sees it as a weak password. Then it asks you to press Done twice to confirm. So if your password is weak, then you have to press this Done button twice: one, two. And now User Creation, and let's pick a user. I'm going to pick myself, Imran Afzal. Of course you have to pick your own name. And by default, Linux picks the first name initial and complete last name. Leave these settings default and pick the password. Password, again, my password is weak and that's fine. I'm going to press the Done button twice. All right.
So now the prerequisites for the installation are done. Now it is downloading packages. Packages, meaning it is going to that ISO image. And it is asking, hey, ISO image, give me all my required packages. And now it is preparing transactions from the installation source. And what is that installation source? Again, it's our ISO image. Now once that is completed, then you're going to see the actual number of packages that will show up that actually are needed for this installation to complete. And once you pull it, it will show you. So most likely it's probably going to be somewhere around twelve hundred, thirteen hundred packages. Because we are going through the GUI installation. When you have GUI selected, GUI takes a lot of add-on packages as opposed to the command line or without-the-GUI installation. So anyway, if it comes up like 1300 packages, you need to leave it running. I would say the installation would take anywhere from 10 minutes to 30 to 40 or 45 minutes depending on your computer resources, depending on the speed of your computer. So I would say at this time, you could go ahead and take a coffee break or a lunch break, and then you could come back after half an hour. And what I will do is I will go ahead and fast-forward from this point on. So this way, I'm not going to waste your time and my time. And then once it's done, I will meet you on the other side. All right. Congratulations guys. We have successfully completed the CentOS installation. As it says right here: Complete, CentOS Linux is now successfully installed and ready for you to use. Go ahead and reboot to start using it. So of course, go ahead and follow the instructions and click on Reboot. All right, when you get to this screen, you can notice that it's starting back again on the CentOS Linux installation screen. The reason it is doing that is because by default, your ISO image is still attached to this virtual VM VirtualBox.
So what you need to do is you need to remove that ISO. So when your system reboots, it doesn't think that it has to boot off of that ISO image. So to get out of this window and release your mouse, click the Control key on the right-hand side of your keyboard. Okay, and click on Devices, Optical Drives, and simply click on Remove disk from virtual drive. Then it will prompt you to force unmount, meaning remove it forcefully; that's fine. Go ahead and click Force Unmount. Now it is unmounted. You could verify again by clicking on Devices, Optical Drives, and there isn't anything that's attached. Beautiful. Now you need to reset this machine; click on Machine and click on Reset. It will prompt you: do you really want to reset the following virtual machines? Yes, that's fine. Click Reset. Now it is starting your CentOS version 8 operating system. Okay, when you get to the initial setup page, you need to select the license information. By the way, if you got to this page after two minutes or three minutes, that is perfectly fine because this is the initial configuration, the first time your operating system started. It could take some time. It could take longer than what it will take you later on. Now click on License Information and click on "I accept the license agreement". Of course I recommend that you read through it and click on Done, and then click on Finish Configuration. All right, when you get to this screen, it means that it's waiting for you to log in now. So I have created my account, or yours, during installation. So I will click on it and it asks me to put in my password. So if you go back again, click Cancel, and you wanted to log in as root, you have to click on "Not listed" and provide the username as root. And then you need to provide the password for root. And that is the password that we picked during the installation. Anyway, I want to cancel it. I want to log in as myself.
Once again, if you're logging in for the first time, then it will take some time for the operating system to come online. So don't worry, be patient. If your mouse is captured inside of this window and it's not going outside of it, then please remember you could click the Control key, the right Control key on your keyboard, to get out of it. So this is the desktop; the only important thing that I see on the desktop is your terminal. So right here you could go ahead and click on the terminal. And it will give you the platform to actually run all those commands that we can learn through this training. So that terminal is, you could use either the console and use that terminal, or what we could do is we could find out the IP address of this Linux machine, and then we could log in through PuTTY. Anyway, logging in through PuTTY is something that I will show you later. But anyway, this time, again, as I said, since this is starting for the first time, it's gonna make you go through some initial stuff; like at this point it's giving you a welcome screen. If you need to change your language right now, you can; just leave it default. Click Next. Typing, again, selected for me; click Next. Location Services: I would like to keep it turned off. So I'm going to move this to the left and click Next. Connect your online accounts: I would not like to use those right now. So I'm gonna go and click on Skip. And the last option, the last screen, is giving me "You are ready to go", Start Using CentOS Linux. So click on Start Using CentOS Linux. And it should go back to your desktop right after that, where we have our terminal that we opened up earlier. All right. So again, as I was saying, this is the terminal; that's the one that you need to use to run all the commands. And you could get yourself familiarized with the desktop as well, the GUI desktop. But I would say 80 percent of the environments, the production corporate environments, do not use GUI. So be ready to use the command line.
Don't get too comfortable with the GUI. Anyway. Congratulations, once again, you have completed the CentOS 8 installation successfully. Now you could go ahead and close this Help window that will also give you some information about GNOME, that will tell you about the GUI. Anyway, good luck. And let's get moving on to the next lectures. We will learn a lot about the command line and the commands that you need to learn.

7. 1 What is PAM:

Hello, and welcome to the lecture about PAM. What is PAM? PAM stands for pluggable, or plug-in, authentication module, which provides dynamic authentication support that sits between Linux applications or programs and the Linux native authentication system. So I mean, set your expectations here. PAM is not very easy to understand. The more you work with PAM, the more you will understand. What I will try to do here is to provide you as much information, as much foundational information or conceptual information about PAM. So this way you will understand how PAM works and why we actually need PAM in our Linux environment. And of course, PAM is one of the main security tools that deals with authentication. So let's take an example. Let's say we have a server. Let's call it server A, and it has an application running. And let's say its application is Apache web server. Or even let's say NFS, or anything; the user that's running that application wants to log in to another server, and that server, let's call it server B. Now, in the regular old days or the regular way, when that service comes in, that authentication will go to its local authentication. And as you know, local authentications are usually in the /etc/passwd and /etc/shadow files. Now what happened was PAM was introduced because every application behaves differently. And if you want to have that application or that program or that service (anyway, all three of them are the same, terms used interchangeably).
If you want to have that application talk to the local authentication, you would have to modify that application every time it needs to talk to its local authentication. So what was done was they introduced this tool called PAM. PAM has different modules inside that actually have a built-in mechanism to talk to, or to allow users or programs to log in to, the server. The main purpose of PAM is to allow system administrators to integrate services or programs with different authentication mechanisms without changing the code for the service. Again, what is that service? Service could be anything like NFS, vsftp or FTP or telnet or Apache. Or even if you have third-party directory services like Active Directory or winbind or LDAP. When you want to use those mechanisms or the authentication to log in to a Linux server, then you do not have to make any changes to those applications. What you have to do is connect your service to PAM on the remote Linux machine or the local Linux machine and tell that authentication service to go to the PAM module. And the PAM module already has a built-in algorithm behind the scenes as to how to log in that service or that user. And then again, just for you not to have to deal with changing any code on that program itself. There are many programs on your local machine system that use PAM modules too. So not necessarily a remote machine application would have to log in to use PAM. You have programs on your local machine that actually use PAM modules. And those are like su, passwd, SSH, logging in to its own FTP server, logging in as telnet to its own system. So if you are a regular user and you become su, it actually talks to the PAM module. And the PAM module has the instruction as to when someone or a regular user wants to switch user to another user or to the root user, for example. Then what are the operations, what are the set of rules that we have to follow before we authorize that user to become root.
Moving on, the configuration of Linux PAM can be done in two ways. You can either put everything in one single file that is in /etc, or split the configuration by service in the directory /etc/pam.d. So it is better to use the /etc/pam.d directory. Because if you have a service or a program (again, I'm using these terms interchangeably, as you know: program, tool, or service, they all mean the same thing). So if you are running the program or the application, it is highly recommended that you create the module or the configuration file in the /etc/pam.d directory. Keep in mind that Linux PAM will ignore the /etc/pam.conf file if the /etc/pam.d directory exists. So there are two ways you could do it. You could put all the sets of instructions in one file, or you could create separate files in the /etc/pam.d directory, which is highly recommended. If a service or a program does not have a config file in the /etc/pam.d directory, then it will use /etc/pam.d/other; that config file is already there and it always comes preconfigured on your system. Important thing, and that is something you have to remember: if PAM is wrongly configured, then you will not be able to log in to your system. Therefore, I will definitely recommend everyone to please take a snapshot of your machine or take a backup. Or if you're making a change to your system, always log in on another terminal or on the console as root. So if you are trying to make changes to your PAM configuration file, and while you are trying, it does not work and you log off, then with the wrong configuration in those files you will not be able to log into your Linux machine. Linux machines, or the Linux operating system, are very secure. So it will not let you log in regardless of how you are logging in. So keep the session open, or take a snapshot or take a backup of your system, before you make any changes to your /etc/pam.d/ configuration files. PAM sends all its activity information to two logs.
One log is in /var/log/messages, and the second one is in /var/log/secure. The reason it does not output any error messages or any successful message on the screen: if a hacker logs in, if a hacker sees that message on the screen, that hacker would know what happened, why it couldn't log in. Therefore, it will go into /var/log/messages or /var/log/secure. In the next lectures, we'll cover how pam.d configuration files are configured. Again, to reiterate, PAM is used to log in system users or system services to your system for authentication. Also, it is used for third-party authentication. Again, if you are using LDAP, winbind, or any other Active Directory related type of services, you don't have to make changes to that application. All you have to do is to go in and modify the PAM module libraries. And what are those? We'll cover that in the next lecture.

8. 2 The Importance of PAM:

Let's talk about the importance of PAM. Once you know why PAM is so important in the environment, then you will actually understand why PAM is needed. Or if you have any doubt in your mind still about PAM, then this lecture should take care of that doubt. So let's take a quick look. You have a user and your machine. That user tried to authenticate or tried to log into a machine, or server, and of course that server is a Linux server. Now this is the regular old days, it has always been there like that. And what happened? The server, when someone tried to log in, that server will go into its /etc/passwd file and check whether the user who is trying to log in exists in that /etc/passwd file. If it does, then the next step is it goes to the /etc/shadow file. And the shadow file has the encrypted password, and if the password entered by the user who is coming in matches that encrypted password, then the server will allow the user to log in. Perfect, works beautifully. Now, this method is simple, again, but yet a bit clumsy.
How each application requiring user authentication has to know how to get the proper information when dealing with a number of different authentication schemes. What it means is if you have an application, for example, again, let's talk about it in this example, login itself is an application. If this application is coming in through a different authentication scheme, instead of putting in login, username and password, let's say if it is coming in through an RSA token, or if it's coming in through a smart card, or if it's coming in through biometric means or anything; all the time new methods are emerging. What will happen? Then of course, the server would have to know how to handle those requests. So for that purpose, PAM came in. So again, as new authentication schemes are built, the old ones become obsolete. In other words, if a system administrator, or you, if you're a system administrator or engineer, want to change the authentication scheme, the entire application must be recompiled. And the entire applications are what? Like login, FTP, su, SSH; all of those are applications, and that program has to be recompiled to be compatible with the authentication. Examples, as I have written right here: RSA, smart card, biometrics. As they change. As we know, every day we are trying to secure our environment. We are trying to make our environment more secure, and people and developers are coming up with more secure authentication schemes. So what will happen is, as they update and send a new release, add a new authentication scheme, then you have to rewrite that, or recompile that entire application. Again, those applications, like login, FTP, SSH, had to be recompiled. So in that whole scenario, to avoid this recompilation of your applications, PAM was born. So PAM solved that problem. Again, I'm sorry if I'm repeating myself in this lecture, but my whole intention is that you understand what the purpose of PAM is.

9. 3 The PAM File Configuration Format:

Let's look at the PAM file configuration, or what the format looks like for every /etc/pam.d configuration file. If you open any service file (again, service, application, or program file), which is located in /etc/pam.d, you will see that the file is divided into three columns. Sometimes there are more, but we'll take a look at that later. The first column is management group. The second column is for control flags, and the third column is the module (.so) files that are used. That's a specific format. So if you, let's say, go into the /etc/pam.d directory and you open up any file in that directory, you will see that format, something like this. I picked up the login file in the /etc/pam.d directory. And you'll see, if you're opening up yours at the same time, there are pretty much three columns, the three primary columns. The first column is referred to as module interface. Also management group, also the type, depending on who is using that term. It could be referred to as any of these three. This first column is the one that always starts with auth, followed by account, followed by password, followed by session. What are those? We will cover them again in the later lectures. I don't want to overwhelm you with all that information, so I wanted to take time to explain to you how PAM works. So please bear with me. The second column is about the control flag: how the behavior of that specific module interface should be handled. What are the instructions? And the last column, the third column, is called module (.so files). All those modules are located in the /lib/security or /lib64/security directory. Those are the actual modules, meaning those are the actual authentication mechanisms that are built by the developers that deal with each module interface that you have in the first column. And the last column that you're probably going to see, or additional columns, are the module parameters or arguments.
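The column layout described above (type, control flag, module, optional arguments), as an added example that is not part of the lecture: a Python parser and syntax check for `/etc/pam.d`-style files, which can be run on an edited copy before it replaces the live file. The sample file content is constructed; the function names, the list of accepted control keywords, and `/lib64/security` as the default module directory are assumptions of this example.

```python
"""Parse /etc/pam.d-style service files (no service column, unlike pam.conf)."""
import re
from typing import NamedTuple

TYPES = ("auth", "account", "password", "session")  # first column
CONTROLS = ("required", "requisite", "sufficient", "optional",
            "include", "substack")                  # simple second-column keywords
RULE_RE = re.compile(r"(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


class Rule(NamedTuple):
    lineno: int    # line where the rule starts
    type: str      # auth / account / password / session
    silent: bool   # leading '-' on the type: do not log a missing module
    control: str   # keyword, or the bracketed [value=action ...] form
    module: str    # .so file name, or a service file for include/substack
    args: list     # module parameters (fourth and later columns)


def logical_lines(text):
    """Yield (lineno, line): comments stripped, backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        if line:
            yield start, line
        buf, start = "", None


def parse(text):
    """Return (rules, errors); errors are messages for lines PAM could not use."""
    rules, errors = [], []
    for lineno, line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: expected 'type control module [args]'")
            continue
        dash, typ, control, module, rest = m.groups()
        if typ.lower() not in TYPES:
            errors.append(f"line {lineno}: unknown type {typ!r}")
            continue
        if control.startswith("["):
            pairs = control[1:-1].split()
            if not pairs or not all(re.fullmatch(r"\w+=\w+", p) for p in pairs):
                errors.append(f"line {lineno}: malformed control {control!r}")
                continue
        elif control.lower() in CONTROLS:
            control = control.lower()
        else:
            errors.append(f"line {lineno}: unknown control flag {control!r}")
            continue
        args = re.findall(r"\[[^\]]*\]|\S+", rest)
        rules.append(Rule(lineno, typ.lower(), dash == "-", control, module, args))
    return rules, errors


def stack(rules, typ):
    """Rules of one management group, in the order PAM walks them."""
    return [r for r in rules if r.type == typ]


def module_path(rule, libdir="/lib64/security"):
    """Where the third column points: a service file or a shared object."""
    if rule.control in ("include", "substack"):
        return "/etc/pam.d/" + rule.module
    return rule.module if rule.module.startswith("/") else f"{libdir}/{rule.module}"


# Constructed sample in the style of /etc/pam.d/login (not copied from a system).
SAMPLE = r"""#%PAM-1.0
# constructed sample
auth       substack     system-auth
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
-session   optional     pam_keyinit.so \
           force revoke
"""

if __name__ == "__main__":
    parsed, problems = parse(SAMPLE)
    for t in TYPES:
        print(t, [(r.control, module_path(r), r.args) for r in stack(parsed, t)])
    print("errors:", problems)
```

An empty error list only means the columns are well formed; it does not show that the stack lets anyone log in, so the open root session and snapshot the lecture recommends still apply.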
So that's what the format looks like. And if I go into my Linux machine, I will show you really quickly how they look. So I am logged into my machine, my first Linux machine, my directory is /root, and I am logged in as root. So if I go to /etc/pam.d, you will see all these different files. So remember when I said that each authentication or each program has its own configuration file. So if you have an atd, cron, sorry, at job, it has its own mechanism to authenticate. Same goes for cron, auto login, fingerprint, password, smart card. All of these are the actual authentication mechanisms that could be used against an application. So if you have an application, let's say XYZ, you could tell that application, hey, when you log into this machine, use the authentication configuration for, let's say, setup or remote, or when you log in, use the authentication of fingerprint. So these are the configuration files that can be assigned to a program. And the program can come into PAM and consult these configuration files. When you do, let's say, one of them, let's say cat login. When PAM consults this configuration file, it goes through the sequence of what it needs to do. Each column has its own meaning, which we'll cover in the later lecture.

10. 4 The PAM File Configuration Module Interface:

Let's get into the first column of a configuration file, which is called or known as module interface or type. What is that? The first column, the module interface or type: Linux PAM separates the task of authentication into four independent management groups, or management types, or whatever term you want to choose. Now remember, we are talking about the first column. Now, that column has four different categories. Now, what are those categories? The first one is authentication, which is referred to in the config file as auth.
You don't have to put in the entire "authentication", you just have to put in auth, and they always come in sequence. Remember that: authentication followed by the account, followed by the session, sorry, followed by the password and session. So what is authentication, or what is the authentication module interface? It verifies the user's identity, for example, by requesting and checking a password or other secret. In this example, you see the user and password. This module interface is interfacing with the program or the user. It is taking the username and password that is provided by that program. It makes sure that they are valid or okay. That is the only function of this module interface.

The next module interface is account. It checks that the specified account is valid. This may include conditions like account expiration, time of the day, and that the user has access to the requested service. In simple words, the user account that is given in the earlier module interface, the earlier module interface of authentication: the user provided the username and password. Okay, good. Both are good, valid, confirmed. Now the next step is that PAM has to confirm whether this user is enabled, meaning it's not disabled, it is not locked, it is not expired, and it is allowed to log in at that time, meaning sometimes the user or service is only allowed to log in from nine to five AM, the office business hours, or it's not allowed to log in during weekends. Then it has to make sure that it has the right permission for that app to access that service. So if that user ABC is trying to become su, or if that user is trying to SSH, this account module interface is the one that verifies if this user can actually come in at that time or not, enabled or not, disabled, and all these examples that we discussed.

Third one, password. This is the third module interface. These are responsible for updating passwords and work together with the authentication step.
They may also be used to enforce strong passwords. So as an example, password update: when a user updates its password, or an application that is attached to an account does an update, then this module interface comes into play. When you or the system administrators have implemented strong password policies, this module interface is the one that enforces that policy. So like Congress makes the law and the cops are the ones who actually enforce those laws. So in this case, the cop is that module interface that actually enforces those laws. And those are like, for example, only when the password is changed, and enforce password policy like password length, how many retries and all that.

And the last one is session: manage actions performed at the beginning of the session and at the end of the session. For example, this module interface establishes the session, making sure the home directory is created if needed, setting up the user environment, if there are environment variables to set up, setting up any aliases, anything that has to do with that particular session. This module interface is responsible for doing that. Now all of these module interfaces can be modified depending on your security setting or your corporate security. So remember, they all have to be in the first column and they all have to be in sequence, meaning auth always comes first. Then the second is account, then password, and the last one is session. In the next lecture we will cover the second column, which is the control flag.

11. 5 Account Access Through PAM:

As an example, let's look at the account access through PAM, what we have just learned in the previous lecture. You learned about the module interfaces, the first four of them. So let's take an example and see how they act as interfaces when an account or a user tries to log in. A login request comes in, or SSH or login or password, whatever needs to be done. And it has to go through PAM.
Now PAM knows that it is either asking for login, password, sudo, SSH, FTP, Telnet, Samba, smart cards, whatever the service that is being requested. What it is going to do is put up the front cops out there, or the people that are actually at the gate, to verify that this person or this user or the service that is coming in goes through this entire process. And that entire process is auth, account, password, session. So it has to go through all those checks before any of the services to the right are initiated or started or allowed to be accessed. So now this slide is pretty much related to the earlier slide we talked about. But this is more of an example in a figurative way. So it will be easier for you to picture how these module interfaces work.

12. 6 The PAM Configuration File – Control Flags:

All right, let's talk about the control flags. This is the second column in the configuration file. And if you see in the picture on the right-hand side, you'll see the ones that are highlighted in blue are the control flags. It is the second column. And we have four control flags in service configuration files. And as you know, the service configuration files are in, where? /etc/pam.d. What are those control flags? The first one is requisite. It is the strongest flag. And what it means is if a module interface is flagged as requisite, meaning if the first column, which is the module interface, is flagged as requisite and it fails the check, PAM will return to the calling application and report the failure. The second one is required. In the case of failure, execution is not stopped, but continues to the next module. If, after all the modules have been executed, one or more has failed, PAM will return failure to the calling application. Third one, we have sufficient: if a sufficient module returns OK, the processing of the module will be stopped. And the last one is optional.
In the case of failure, the stack of modules continues execution and the return code is ignored. There is another addition. In addition to the above modules, sorry, above control flags, there are a couple of other control flags as well, which are sometimes used. One is include, and the second one is substack, which both mean the same, which means include all lines of a given type from the configuration file specified as an argument to this control. So if there is a file that is specified in the third column, then you will use the include control flag. Again, it is a control flag. A control flag is the one that tells you, okay, this has to be passed before you do that. Or if that does not work, then you go through this. Just like, again, in my example, if you are going through a gate and that has like four different security checks. The first check is requisite. When you pass that, then you go to the second one, and from the second one, you go to the third one. But they are all interchangeably linked together. And they all have to be written in the configuration file in the proper order. And that order is always starting with requisite, required, sufficient, optional. Similarly, the first column also works the same way. It has to follow an order. And the order is that first is auth, second is account, third is password, and the fourth one is session.

13. 7 The PAM Configuration File – Modules (SO):

We are on to the third column, which most of the time is the last column. And the last column is the modules. The modules, in this example, I have highlighted in green. And those modules are located in /lib/security, /lib64/security. They are dynamically loaded modules, PAM loadable object files. The modules are usually located in the following directories, which I have already talked about. Of course, it depends on the architecture as well.
If you are using a different architecture of Linux that might not have the exact same location, then you have to look it up online to find out where exactly your module libraries are located. A module can provide a mechanism to authenticate users from any back-end, like a file, /etc/passwd, a database such as winbind, AD, OpenLDAP, etc. So that module or library has a kind of a mechanism built in by the developers. That library or that module knows how to talk to the system or operating system to get access. And if you wanted to see the list of every module that is available, you could go into /lib64/security or /lib/security and you will see all those different modules. Most of these modules are pre-built and come pre-installed with Linux OS distributions. The programmers or developers or administrators sometimes can also write new modules based on their application requirements. So if they have come up with a new application XYZ, and that module has to go through certain checks, then that module can be built new. So this way, every time there is an authentication, the same scheme of authentication is used. That module can be used with that program.

Then the main module in any distribution is pam_unix.so, which is the one that allows you to log in, which is responsible to verify your authentication. That's the main one. Each module's details can be pulled from man pages. For example, you could do man pam_unix. You don't have to specify .so. It will give you all the detailed information of that particular module, what exactly it does. The fourth column in the file format of the configuration file is about additional comments to choose, like close, open, or anything that you wanted to add, extra access security parameters, to that configuration file. Let me open up my Linux machine and we could try a few things to see where those modules are located.
So as I said, the PAM loadable object file modules are usually located in the following directories, and those directories are /lib/security. So in this example, I think we don't have security. So we will go to /lib64/security. Yep. Here when you do ls, you will see all those modules ending with .so. These are the actual modules that are used for each program. Same way, you have a configuration file. Please don't confuse the module with the configuration file. You have a configuration file for an application, let's say SSH. That configuration file has a set of rules that tells that application, whenever you need access to the application, it has to go through that set of rules. And that set of rules is like: the auth, the session, the account has to match, and the control flag is, it has to be requisite, required, or not, or sufficient. And the last part is about the module itself, which has the mechanism built in that actually tells the kernel or the operating system how to go through those certain procedures. That's like a mechanism or an authentication mechanism behind the scenes.

You cannot view these modules. So if you do pam, let's see, pam_shell. So you'll see it's coming up all garbage. So you cannot view these modules. These modules are encrypted. These modules are written by the developers depending on the programs that are being used. So let's say in this example, pam_mkhomedir. So if a user is trying to log into the system and as one of the session or authorized, sorry, when the authentication comes to the point of account, remember the first one is auth, the second one is account. So when it comes to the account, we could actually put that module right in front of it to say required when they log in. We could put pam_mkhomedir, meaning if the directory does not exist, create a home directory for that person or for that account. Same way, there are different modules.
Again, if I go through every module, it's going to take a really long time. If you wanted to learn about every module, you have to type man pam_mkhomedir. Don't type .so. So you hit Enter. You're going to find the information about the module. It says PAM module to create users' home directory. And it has all the information. So please do spend some time going through some of these modules, I'm sorry, some of this manual documentation.

Let's try another one, man pam_deny. This module says the locking-out PAM module. Meaning if a user, let's say, tries to log into the system and the user has tried four times or five times, upon the fifth try, lock that user or lock that account. So that module could be added to the configuration file. And the configuration file is right there. And you could put the module right here, meaning the session, the authorization is coming good. The account is not disabled. And sometimes the session is the one: when you have a session and you try to get a session the fifth time, it will lock it out.

We could try one more. Let's say pam, sorry, man pam_rootok. This is the one to gain only root access. So if you are trying to become root or trying to get access to the root user, then it has to go to the certain module. And the module has a way to put the user in the right direction. Also, as it says right here, the main module in any distribution is pam_unix, which is responsible for logins. So if you do man pam_unix, you'll see module for traditional password authentication. Meaning when you log in, this module will go into the /etc/passwd file. Right here it says usually this is obtained from the /etc/passwd and the /etc/shadow file as well, if shadow is enabled. And it has a lot of information; you could go through it, how each one of them is written, and how they could work.
Also, I think if you do man, just pam, it will tell you what exactly PAM is. If my way of explaining how PAM works was not comprehensible, then I will say that you could go through this man page and read through what PAM is. And this will tell you some of the more detailed information about PAM that probably I have not covered, but please do spend time going through it.

So, to go through it again, to rephrase what I just said, or I would say to just summarize it, about all those columns: the first column is module, the second column is control flags. The third module is the rules, or modules, the mechanism behind it. So this is, in a regular example, the first column is like the people or the cops that are standing there. What they need to check, the second one. Sorry, the first column is the actual cops. This cop is a session cop, this cop is an auth cop. The second column is the one about what they need to check. So if they have to check your tickets, they have to check your ID. And if you don't have an ID, but you have a passport, okay, that is sufficient. So these are the type of rules that apply to that. And the third one: if all of these are met, then what needs to be done, and that mechanism is behind the scenes to authenticate and allow access to the service.

14. 8 PAM Aware Services and Stacks:

Let's go over the PAM-aware services and stacks. How can we verify if a service or program is PAM aware or linked with PAM? And we could also check the stacks, meaning the order of those module interfaces. Those module interfaces are the main cops standing in front of the gate. So which cop comes first? It is actually the stack that matters. You cannot have an optional cop before the required cop. That can mess up your configuration anyway. So let's go over that: how to check a program, if it is PAM aware, meaning if it is linked to PAM or not.
All you have to do is run the command ldd, then the name of the program. And then you could simply grep for pam. If you wanted to check ldd on the su program, then grep for pam; this will tell you if that program is PAM aware. So let me quickly log into our Linux machine. I'll make that a little smaller. So if I run the command ldd, by the way, ldd is print shared library dependencies. This one tells you which are the libraries associated with it. So we could do ldd /usr/sbin/sshd. Now of course /usr/sbin is the directory, or bin directory, where these programs or commands are located, and you hit Enter, and you're going to see a whole bunch of information. But what we are concerned about is PAM. So you hit the up arrow key, grep it for just pam. And you'll see there's a PAM library associated with it. So that's how you know that this SSH program is PAM aware. Meaning every time an SSH is executed, it will go to PAM. And PAM will handle that authentication session. Let's do the same thing. Let's verify for su. So if anyone wants to become root, is it PAM aware? Yes, it is. So you see the PAM library is associated with it. The PAM module is there, that is associated, is active. That's how you know a service or an application or a program is PAM aware.

Then the modules order; remember which one was the module order? The Linux PAM modules are in a stack, or tiered one by one. Again, the example I gave you about the cops: the order matters because the effect of one module is required for the next module to work correctly. So a configuration file like the following for login will work properly. You have auth required, and pam_unix is the module. The first one is the module interface. Of course, the first one is a cop. The second one is what needs to be done, what is the responsibility of that cop.
And once that responsibility, or once those documents have been verified, what needs to be done, which line they have to go to, which procedure they have to follow. And that procedure will be the third column, which is pam_unix. Anyway, we talked about the module order. So first you have auth required, and the second one is optional pam_deny. So if you have the module, or the configuration file, sorry, set up this way, it will work perfectly. But if you reverse it, so if you make auth optional pam_deny first, followed by auth required pam_unix, then it will actually deny all the requests coming in before it actually gets to pam_unix. So then no one can log in. So the order matters; make sure the order matters. And as I said in my beginning slides of this session, make sure you take a snapshot of your Linux machine before you make any changes.

PAM is a powerful high-level API that allows programs that rely on authentication to authenticate users to applications in a Linux system. It's powerful but very challenging to understand and use. So I really hope that this section served this purpose, and I have tried my best to explain PAM. I would tell you one thing: until you actually work on PAM and change and modify the modules, you might have a hard time understanding it, but I really wanted to make you aware of how PAM plays a critical role in security, since this entire training is about security. So you have to know how each PAM configuration file works and how each program works hand in hand with PAM. So really quickly I want to go back into my Linux machine and I will go to /etc/pam.d, and I will check all those configuration files. Remember, these are configuration files. These are not the modules. When you do cat on any of them, let's say su, inside of the configuration file the first column is module interfaces. These are the different types of cops.
Second is the requirement, the documentation that you need, whether you have that document or the other document. If you don't have one, you have the other, and that will suffice or not: required and sufficient. The third one is, once these are met, then what needs to be done? What is the mechanism behind it? So that's about the configuration file. And then the last one is about the module itself. Each module, you cannot view the module, but you could read about the module if you type man, let's say, postlogin. And then you'll see common configuration file for PAMified services. All right, so this is enough, I think, about PAM, or Pluggable Authentication Modules. You could try it a different way. You could run it with a different auth or session. And if you have a question, let me know. We'll move on to the next session now.
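
The column layout of an /etc/pam.d service file described in this transcript, as an added example that is not part of the original lecture: a small parser that splits each rule into module interface, control flag, module and arguments, and flags misspelled first or second columns. The sample file is constructed for illustration (two typos are deliberate), and the function names `parse_pam`, `stacks` and `lint` are hypothetical.

```python
import re

# First-column values (module interface / type) and second-column keywords.
TYPES = ("auth", "account", "password", "session")
CONTROLS = ("required", "requisite", "sufficient", "optional",
            "include", "substack")

# type  control  module  [arguments]; control may be a bracketed list.
LINE = re.compile(
    r"^(?P<silent>-?)(?P<type>\S+)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

# Constructed sample in the style of /etc/pam.d/login.
SAMPLE = """\
#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close   # fourth column: module argument
session    [success=ok default=bad] \\
           pam_loginuid.so
-session   optional     pam_systemd.so
session    requird      pam_limits.so
sesion     optional     pam_keyinit.so force revoke
"""


def parse_pam(text):
    """Return one dict per rule, in file order."""
    text = text.replace("\\\n", " ")            # join escaped line ends
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            entries.append({"error": "fewer than three columns", "raw": line})
            continue
        control = m["control"]
        if control.startswith("["):             # [value=action ...] form
            control = dict(kv.split("=", 1)
                           for kv in control[1:-1].split() if "=" in kv)
        entries.append({
            "silent": m["silent"] == "-",       # leading "-": module may be absent
            "type": m["type"],
            "control": control,
            "module": m["module"],
            "args": (m["args"] or "").split(),
        })
    return entries


def stacks(entries):
    """Group rules by first column, keeping the order PAM evaluates them in."""
    out = {}
    for e in entries:
        if "error" not in e:
            out.setdefault(e["type"], []).append((e["control"], e["module"]))
    return out


def lint(entries):
    """Flag lines whose first or second column is not a known keyword."""
    findings = []
    for e in entries:
        if "error" in e:
            findings.append(f"malformed line: {e['raw']}")
            continue
        if e["type"] not in TYPES:
            findings.append(f"unknown module interface {e['type']!r}")
        c = e["control"]
        if isinstance(c, str) and c not in CONTROLS:
            findings.append(f"unknown control flag {c!r} for {e['module']}")
        # Heuristic: outside include/substack the third column is normally a .so
        if c not in ("include", "substack") and not e["module"].endswith(".so"):
            findings.append(f"module {e['module']!r} does not end in .so")
    return findings


if __name__ == "__main__":
    rules = parse_pam(SAMPLE)
    for kind, stack in stacks(rules).items():
        print(kind, stack)
    for finding in lint(rules):
        print("FINDING:", finding)
```

Running a check like this against a copy of a service file before installing it catches typos in the first two columns while the snapshot the lecture recommends is still a fallback rather than the only safety net.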