Difference between revisions of "Pam"

From Bashlinux

Revision as of 17:24, 9 June 2015

== How to launch an application from the Desktop with password protection ==

Assuming the application in question is Firefox, this works with a bin and sbin pair assisted by consolehelper, which enforces the PAM restrictions: the launcher runs /usr/bin/firefox, which becomes a symlink to consolehelper; consolehelper looks up /etc/security/console.apps/firefox, runs the PAM stack in /etc/pam.d/firefox, and only on success executes the real binary from /usr/sbin. Note that every file created must match the name of the binary to be protected.

* Move the binary and replace it with a symlink to consolehelper:
<pre>
mv /usr/bin/firefox /usr/sbin/firefox
ln -s /usr/bin/consolehelper /usr/bin/firefox
</pre>
* Create the security file /etc/security/console.apps/firefox with the following lines:
<pre>
USER=<user>
PROGRAM=/usr/sbin/firefox
SESSION=True
</pre>

User
The USER line should literally read <user>; with that value consolehelper asks for the current user's password. If you need to run the application as a specific user, for example foo, replace the literal string <user> with foo; to restrict it to root only, use root instead of <user>.

* Create the PAM file /etc/pam.d/firefox:
<pre>
#%PAM-1.0
# root is let through without a password
auth       sufficient   pam_rootok.so
# reuse a recent successful authentication instead of prompting again
auth       sufficient   pam_timestamp.so
# otherwise fall back to the system password stack
auth       include      system-auth
account    required     pam_permit.so
session    required     pam_permit.so
# forward the X authority cookie so the GUI can open on the user's display
session    optional     pam_xauth.so
# record this successful authentication for pam_timestamp on the next launch
session    optional     pam_timestamp.so
</pre>
Because pam_timestamp.so is marked sufficient, a second launch within its timeout (five minutes by default) is not prompted for a password again; drop the two pam_timestamp lines if every launch must prompt.
* Create the Desktop launcher ~/Desktop/firefox.desktop:
<pre>
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=false
Name[en_US]=Firefox
Exec=/usr/bin/firefox
Comment[en_US]=Launch Firefox
Icon[en_US]=/usr/share/pixmaps/firefox.xpm
Name=Firefox
Comment=Launch Firefox
Icon=/usr/share/pixmaps/firefox.xpm
</pre>

The png icon under /usr/share/pixmaps is too big, so you might want to link the smaller one from the Firefox installation into the icon folder (set ${FIREFOX} to the name of the Firefox directory under /usr/lib):
<pre>
ln -s /usr/lib/${FIREFOX}/icons/default.xpm /usr/share/pixmaps/firefox.xpm
</pre>
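As an added example that is not part of the wiki page, the following POSIX shell function generalizes the three system-side steps above (move the binary, symlink consolehelper over it, write the matching console.apps and pam.d files) to any program name, and refuses to run twice so the real binary is never moved over its own wrapper. The function name wrap_app and the ROOT prefix variable (which lets the steps be rehearsed in a scratch directory instead of the live filesystem) are assumptions of this example.

```shell
#!/bin/sh
# wrap_app NAME [USER]  -- put /usr/bin/NAME behind consolehelper.
# ROOT (assumed, default empty) prefixes every path so the steps can be
# rehearsed in a scratch directory; leave it unset to change the real system.
set -eu

wrap_app() {
    name=$1
    user=${2:-'<user>'}          # default: authenticate as the launching user
    root=${ROOT:-}
    bin="$root/usr/bin/$name"
    sbin="$root/usr/sbin/$name"

    # Refuse to wrap twice: if /usr/bin/NAME is already a symlink it is the
    # consolehelper wrapper, and moving it would clobber the real binary.
    if [ -L "$bin" ]; then
        echo "$bin is already a symlink; refusing to wrap it again" >&2
        return 1
    fi
    [ -f "$bin" ] || { echo "$bin: no such binary" >&2; return 1; }

    mkdir -p "$root/usr/sbin" "$root/etc/security/console.apps" "$root/etc/pam.d"
    mv "$bin" "$sbin"
    # The link target is the real consolehelper path, not the ROOT-prefixed one.
    ln -s /usr/bin/consolehelper "$bin"

    # Every file takes the binary's own name, as the page requires.
    cat > "$root/etc/security/console.apps/$name" <<EOF
USER=$user
PROGRAM=/usr/sbin/$name
SESSION=True
EOF

    cat > "$root/etc/pam.d/$name" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so
EOF
}
```

On the real system the function has to run as root; the Desktop launcher is per-user and is left to the step above.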

== How to set up SSH authentication and an LDAP client ==

On CentOS run the following command:
<pre>
authconfig --enableldap --enableldapauth --disablenis --enablecache \
    --ldapserver=ldap.bashlinux.com --ldapbasedn=dc=bashlinux,dc=com \
    --updateall
</pre>