Most Linux systems use PAM. If you want to use NetAuth to provide accounts to your Linux fleet, there are some additional packages that are highly recommended.
While NetAuth strives to be as reliable as possible, your NetAuth servers may still be down when you’re trying to log in. To handle this case it is highly recommended that you have a password cache on your machines. This allows the system to keep working if you’ve logged in recently.
libpam-policycache can be obtained in source form from its repository. Binary packages are available for a number of popular Linux distributions.
If your distribution provides a packaged binary form of pam_netauth, you are strongly encouraged to use this, though if your distribution happens to be Debian derived, make sure you’re getting a version that’s somewhat recent.
If your distribution does not provide pam_netauth, you’ll need to build it from source. It is assumed that you have a Go installation of version 1.10 or later and the dep Go dependency manager. You must also obtain the PAM headers which will usually be in a package with a name similar to
Now you can build pam_netauth:
    $ git clone -b <version> https://github.com/NetAuth/pam_netauth
    $ cd pam_netauth
    $ dep ensure
    $ go build -buildmode=c-shared -o pam_netauth.so
pam_netauth locate where your system stores security
    $ sudo cp pam_netauth.so /usr/lib/security/
    $ sudo chown root:root /usr/lib/security/pam_netauth.so
    $ sudo chmod 0755 /usr/lib/security/pam_netauth.so
Configuring a service to use pam_netauth takes the same form as configuring any other PAM service. An example system-auth file is shown below that includes the recommended approach with
pam_netauth implements the auth service only.
Note that for pam_netauth to work, you will need an existing NetAuth configuration file installed at
    #%PAM-1.0
    auth [success=4 default=ignore] pam_unix.so try_first_pass nullok
    auth [success=3 default=ignore] pam_policycache.so try_first_pass action=check
    auth [success=ok default=die] pam_netauth.so try_first_pass
    auth [success=1 default=ignore] pam_policycache.so try_first_pass action=update
    auth required pam_deny.so
    auth required pam_env.so
    auth required pam_permit.so
    account required pam_unix.so
    account optional pam_permit.so
    account required pam_time.so
    password required pam_unix.so try_first_pass nullok sha512 shadow
    password optional pam_permit.so
    session required pam_mkhomedir.so
    session optional pam_umask.so usergroups
    session required pam_limits.so
    session required pam_unix.so
    session optional pam_permit.so
Note that in the above file pam_mkhomedir.so is used to provide home directories instead of networked storage. If your environment has networked storage substitute an appropriate module such as
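The auth lines in the system-auth file above depend on `success=N` jump counts landing on the right module, so it is worth tracing them before deploying. The following is an added example, not code from NetAuth or pam_netauth: a simplified model of Linux-PAM control handling that covers only the controls used in that auth stack and treats a jump as recording no verdict. The names `parse`, `trace`, `FIXED` and the `module:action` labels are hypothetical, and the module outcomes passed in are constructed inputs.

```python
import re

# Auth stack copied from the example system-auth file on this page.
AUTH_STACK = """\
auth [success=4 default=ignore] pam_unix.so try_first_pass nullok
auth [success=3 default=ignore] pam_policycache.so try_first_pass action=check
auth [success=ok default=die] pam_netauth.so try_first_pass
auth [success=1 default=ignore] pam_policycache.so try_first_pass action=update
auth required pam_deny.so
auth required pam_env.so
auth required pam_permit.so
"""

# Assumption: these modules have a fixed outcome whatever credentials are given.
FIXED = {"pam_deny.so": False, "pam_env.so": True, "pam_permit.so": True}

def parse(stack):
    """Return [(label, actions)] per auth line; actions has 'success' and 'default'."""
    entries = []
    for line in stack.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)", line)
        if not m:
            continue
        control, module, args = m.groups()
        if control == "required":
            actions = {"success": "ok", "default": "bad"}
        else:  # bracketed form: [success=... default=...]
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
        act = re.search(r"action=(\w+)", args)
        entries.append((module + (":" + act.group(1) if act else ""), actions))
    return entries

def trace(outcomes, stack=AUTH_STACK):
    """Walk the stack; outcomes maps label -> True if the module returns success."""
    entries, i, ok, bad, visited = parse(stack), 0, False, False, []
    while i < len(entries):
        label, actions = entries[i]
        visited.append(label)
        passed = FIXED.get(label, outcomes.get(label, False))
        action = actions["success"] if passed else actions["default"]
        i += 1
        if action.isdigit():
            i += int(action)        # jump over the next N modules, no verdict
        elif action == "ok":
            ok = True
        elif action == "bad":
            bad = True              # stack will fail, later modules still run
        elif action == "die":
            return False, visited   # fail immediately, nothing below runs
    return ok and not bad, visited  # "ignore" falls through and records nothing
```

Calling `trace({"pam_policycache.so:check": True})` shows the offline path: access is granted and `pam_netauth.so` is never visited. Calling `trace({"pam_netauth.so": True})` shows that, with the stack as written, a non-success result from the `action=update` line falls through to `pam_deny.so`.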