Hello everyone. Some people may not have used PAM, and its configuration does not come up often. These are my study notes, which I would like to share; in some places the logic is quite involved, so I have added comments.
PAM: Pluggable Authentication Modules
[root@xu /]# ldd /usr/sbin/sshd            -------- view the library files a program calls when it runs
[root@xu /]# ldd `which sshd` | grep pam
        libpam.so.0 => /lib/libpam.so.0 (0x008ae000)
[root@xu /]# ls /lib/security/             ------ all PAM function plug-ins (the modules)
[root@xu /]# ls /etc/pam.d/                ------- which PAM modules a program uses is configured here
[root@xu /]# firefox /usr/share/doc/pam-0.99.6.2/html/Linux-PAM_SAG.html   ----- PAM configuration manual
Section 6.11: the module in use
Section 6.25: description of limits
Section 6.6: setting environment variables
-----------------------------
How PAM is used, taking login as the example
The relationship between the first two columns of a PAM rule
Whether a user can log in is mainly decided by the first two types (auth and account).
Log information:
tail -f /var/log/secure
Column 1 (type)
auth ---- manages the username and password (verifies identity)
account ---- conditions other than the username and password that decide whether login is allowed, for example denying a network segment during a certain time period
password ---- used when the user changes the password
session ------- used for the session; opening a program is equivalent to establishing a connection session
Column 2 (control flag)
required ------ a necessary condition: the module must succeed. If it fails, the remaining modules still run, but the final result will be failure
requisite ----- a necessary condition: the module must succeed. If it fails, checking stops immediately; if it succeeds, continue
sufficient ----- a sufficient condition (the fast path): if the module succeeds, success is returned immediately; if it fails, the failure is ignored and does not affect the final result
optional ---- optional: whether the module succeeds or fails does not affect the final result
include ------- includes rules from another file, so that different services call the same conditions from one shared file; after jumping there, only the rules of the same type are read
-------------------------------------------
[root@xu ~]# cat /etc/shadow | grep user1
user1:!$1$hSYfRFbq$ST2mHoyu38nnvPx/kDMv90:15781:0:99999:7:::
auth manages the first two fields (username and password hash)
account manages the fields that follow (password aging)
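To make the split between the two stacks concrete, here is a small parser for a shadow line, added as an example (not code from the original notes). It takes the user1 line shown above (copied in as a constructed sample), and reports separately what the auth stage looks at (the hash field: note that the leading "!" means the password is locked, so a password login for this user would fail at pam_unix) and what the account stage looks at (the aging fields). The names ShadowEntry, auth_view and account_view are my own, not part of pam_unix.

```python
"""Which /etc/shadow fields the auth and account stacks consult (added example, not the page's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the line the page shows for user1
SHADOW_LINE = "user1:!$1$hSYfRFbq$ST2mHoyu38nnvPx/kDMv90:15781:0:99999:7:::"

# crypt(3) hash prefixes and the algorithm each one denotes
HASH_PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str                    # field 2: hash, possibly prefixed with '!' (locked)
    last_change: int                # field 3: days since 1970-01-01 of the last change
    min_days: int                   # field 4
    max_days: int                   # field 5
    warn_days: int                  # field 6
    inactive_days: Optional[int]    # field 7, empty = unset
    expire_day: Optional[int]       # field 8, empty = never


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line into its nine colon-separated fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    opt = lambda s: int(s) if s else None
    return ShadowEntry(f[0], f[1], int(f[2]), int(f[3] or 0), int(f[4] or 99999),
                       int(f[5] or 7), opt(f[6]), opt(f[7]))


def auth_view(e: ShadowEntry) -> dict:
    """What the auth stage (pam_unix) cares about: is there a usable hash, and which algorithm."""
    locked = e.pw_hash.startswith("!") or e.pw_hash.startswith("*")
    body = e.pw_hash.lstrip("!")
    algo = next((name for p, name in HASH_PREFIXES.items() if body.startswith(p)), "other")
    return {"locked": locked, "empty": e.pw_hash == "", "algorithm": algo}


def account_view(e: ShadowEntry, today: int) -> dict:
    """What the account stage cares about: the aging fields. 'today' is a day number like field 3."""
    age = today - e.last_change
    return {
        "password_expired": age > e.max_days,
        "change_warning": e.max_days - age <= e.warn_days,
        "account_expired": e.expire_day is not None and today >= e.expire_day,
        "inactive": e.inactive_days is not None and age > e.max_days + e.inactive_days,
    }


if __name__ == "__main__":
    entry = parse_shadow_line(SHADOW_LINE)
    print("auth sees:   ", auth_view(entry))
    print("account sees:", account_view(entry, today=entry.last_change + 30))
```

Run it as a script to see the two views side by side; the user1 line parses as a locked md5 ("$1$") hash with no password expiry in sight (max_days 99999).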
-----------------------------------------
The third column is the module. If the rule does not jump (no include), look up what the module does in the manual; if it jumps (include), look up the function of the corresponding module in the shared file it redirects to.
Modules in the login configuration file
pam_securetty.so secure tty module ------- corresponding configuration file /etc/securetty; only the terminals listed there are secure terminals
pam_nologin.so blocks non-administrator logins --- if the file /etc/nologin exists (touch /etc/nologin), all ordinary accounts cannot log in
pam_access.so access control module
pam_time.so time control module
pam_echo.so prints text
Modules in the file that auth jumps to
pam_env.so: sets environment variables ------- corresponding configuration file /etc/security/pam_env.conf; set the environment variables there
pam_unix.so: verifies the username and password; the PAM core module, which looks up the username and password in shadow. Here (in auth) it verifies the first two fields
pam_succeed_if.so uid >= 500 quiet (quiet mode: do not write logs) ------- tests a condition; here, whether the uid is greater than or equal to 500
pam_deny.so always denies
Modules in the file that account jumps to
pam_unix.so username and password module ------ here it verifies the fields that follow
pam_permit.so always permits
-------------------------------------------
PAM configuration file of login
[root@xu /]# vim /etc/pam.d/login
1 #%PAM-1.0
2 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so   -- user_unknown=ignore: ignore unknown users; the bracketed form is the full syntax behind the control flags above
  This line applies only to the administrator (root); it does not check normal users. See /etc/securetty: only the terminals listed there are secure terminals.
3 auth include system-auth                      -- shared file: jump to the auth rules in /etc/pam.d/system-auth
4 account required pam_nologin.so               -- this module checks for the file /etc/nologin (touch /etc/nologin)
5 account include system-auth                   -- continue to jump to the account rules in /etc/pam.d/system-auth
6 password include system-auth
7 # pam_selinux.so close should be the first session rule
8 session required pam_selinux.so close
9 session optional pam_keyinit.so force revoke
10 session required pam_loginuid.so
11 session include system-auth
12 session optional pam_console.so
13 # pam_selinux.so open should only be followed by sessions to be executed in the user context
14 session required pam_selinux.so open
----------------------------
[root@xu ~]# vim /etc/pam.d/system-auth
1 #%PAM-1.0
2 # This file is auto-generated.
3 # User changes will be destroyed the next time authconfig is run.
4 auth        required      pam_env.so                        -------- environment variables
5 auth        sufficient    pam_unix.so nullok try_first_pass -------- try_first_pass: the password entered the first time is kept, and the following module first tries that same password instead of prompting again
6 auth        requisite     pam_succeed_if.so uid >= 500 quiet
7 auth        required      pam_deny.so                       -------- deny module
8
9 account     required      pam_unix.so                       -------- looks at the shadow fields
10 account    sufficient    pam_succeed_if.so uid < 500 quiet
11 account    required      pam_permit.so
12
13 password   requisite     pam_cracklib.so try_first_pass retry=3
14 password   sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
15 password   required      pam_deny.so
16
17 session    optional      pam_keyinit.so revoke
18 session    required      pam_limits.so
19 session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
20 session    required      pam_unix.so
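The control flags explained earlier (required, requisite, sufficient, optional) and the auth and account stacks of system-auth above can be walked through with a toy evaluator. This is an added example, not code from the original notes or from Linux-PAM itself: each module is reduced to the behaviour the notes describe (pam_env always succeeds, pam_unix compares against a constructed user table, pam_succeed_if tests the uid, pam_deny/pam_permit are constants), the securetty and nologin lines of /etc/pam.d/login are not modelled, and the user table, the function names and the "passwordless" switch are my own constructions. One detail the evaluator includes that the notes gloss over: a sufficient module's success ends the stack only if no earlier required module has already failed.

```python
"""Toy model of how Linux-PAM walks a stack of rules (added example, not the page's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed user database; uid 500 is the first ordinary user, matching the
# 'uid >= 500' / 'uid < 500' tests in the system-auth file above.
USERS: Dict[str, dict] = {
    "root":  {"uid": 0,   "password": "r00t-pw",  "expired": False},
    "user1": {"uid": 500, "password": "user1-pw", "expired": False},
}


@dataclass
class Rule:
    control: str                     # required | requisite | sufficient | optional
    module: str                      # module name, used for tracing only
    check: Callable[[dict], bool]    # True means the module returned PAM_SUCCESS


def run_stack(rules: List[Rule], ctx: dict, trace: Optional[list] = None) -> bool:
    """Evaluate one type's stack (auth, account, ...) and return the final verdict.
    'include' is not modelled: it only splices another file's rules of the same type in."""
    failed = False
    for r in rules:
        ok = r.check(ctx)
        if trace is not None:
            trace.append(f"{r.control:<10} {r.module:<18} -> {'ok' if ok else 'fail'}")
        if r.control == "required":
            if not ok:
                failed = True          # remembered; the rest of the stack still runs
        elif r.control == "requisite":
            if not ok:
                return False           # stop at once
        elif r.control == "sufficient":
            if ok and not failed:
                return True            # done, unless a required module already failed
        elif r.control != "optional":  # optional: result ignored either way
            raise ValueError(f"unknown control flag {r.control}")
    return not failed


# Module behaviours, reduced to what the notes describe for each one.
def pam_env(ctx):          return True                                    # sets variables, never fails
def pam_unix_auth(ctx):    return USERS[ctx["user"]]["password"] == ctx["password"]
def pam_unix_account(ctx): return not USERS[ctx["user"]]["expired"]
def pam_deny(ctx):         return False
def pam_permit(ctx):       return True
def succeed_if(cond):      return lambda ctx: cond(USERS[ctx["user"]]["uid"])


def auth_stack() -> List[Rule]:
    """system-auth lines 4-7."""
    return [
        Rule("required",   "pam_env.so",        pam_env),
        Rule("sufficient", "pam_unix.so",       pam_unix_auth),
        Rule("requisite",  "pam_succeed_if.so", succeed_if(lambda uid: uid >= 500)),
        Rule("required",   "pam_deny.so",       pam_deny),
    ]


def account_stack() -> List[Rule]:
    """system-auth lines 9-11."""
    return [
        Rule("required",   "pam_unix.so",       pam_unix_account),
        Rule("sufficient", "pam_succeed_if.so", succeed_if(lambda uid: uid < 500)),
        Rule("required",   "pam_permit.so",     pam_permit),
    ]


def login(user: str, password: str, passwordless: bool = False, trace=None) -> bool:
    """auth then account, as /etc/pam.d/login does through 'include system-auth'.
    passwordless=True prepends the 'auth sufficient pam_permit.so' rule from the notes."""
    ctx = {"user": user, "password": password}
    auth = auth_stack()
    if passwordless:
        auth.insert(0, Rule("sufficient", "pam_permit.so", pam_permit))
    return run_stack(auth, ctx, trace) and run_stack(account_stack(), ctx, trace)


if __name__ == "__main__":
    for u, p in [("user1", "user1-pw"), ("user1", "wrong"), ("root", "wrong")]:
        t = []
        print(f"{u} / {p}: {'login ok' if login(u, p, trace=t) else 'denied'}")
        print("   " + "\n   ".join(t))
```

The trace output shows why a wrong password fails differently for the two users: for user1 the sufficient pam_unix failure is ignored, pam_succeed_if passes, and the required pam_deny at the bottom produces the failure; for root pam_succeed_if (uid >= 500) fails as requisite and the stack stops right there.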
--------------------------
Letting a user log in without a password
[root@xu /]# vim /etc/pam.d/login
pam_permit.so passes the username and password check directly; add it as a sufficient rule:
2 auth sufficient pam_permit.so
7 account sufficient pam_permit.so
---------------------------------
pam_access.so access control module
This heading appears in the manual entry of every module:
6.1.4. MODULE SERVICES PROVIDED
All services are supported. --------- this tells you which types (auth, account, password, session) the module supports.
vim /etc/pam.d/login
4 auth requisite pam_access.so
+ means access permitted, - means access denied
vim /etc/security/access.conf
-:user1:tty3
-:ALL:192.168.1.0
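The two access.conf lines above can be checked with a small evaluator of the permission:users:origins format, added here as an example (not code from the original notes or from pam_access). It models the origin forms the pam_access manual documents (ALL, an exact name or address, a network number ending in a dot, a CIDR prefix, a domain starting with a dot) and pam_access's first-match rule; group names, LOCAL and EXCEPT are not modelled. The sample file is a constructed copy of the page's two rules, and the function names are mine. It also shows a caveat worth knowing: an origin written as "192.168.1.0" matches only that one address, so denying the whole segment needs "192.168.1." or "192.168.1.0/24".

```python
"""Minimal evaluator for /etc/security/access.conf (pam_access) rules; added example."""
import ipaddress
from typing import List, Tuple

# Constructed copy of the two rules from the notes
ACCESS_CONF = """\
# permission : users : origins
-:user1:tty3
-:ALL:192.168.1.0
"""

Rule = Tuple[str, List[str], List[str]]   # (permission, user patterns, origin patterns)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse non-comment lines into (permission, users, origins); fields are whitespace lists."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (x.strip() for x in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"permission must be + or -: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules


def _user_matches(pattern: str, user: str) -> bool:
    # pam_access also accepts group names and EXCEPT lists; not modelled here
    return pattern == "ALL" or pattern == user


def _origin_matches(pattern: str, origin: str) -> bool:
    """Origin forms from the pam_access manual: ALL, exact, 'net.' prefix, CIDR, '.domain' suffix."""
    if pattern == "ALL" or pattern == origin:
        return True
    if pattern.endswith("."):                 # network number, e.g. 192.168.1.
        return origin.startswith(pattern)
    if "/" in pattern:                        # CIDR, e.g. 192.168.1.0/24
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                    # origin is a tty name or hostname, not an address
            return False
    if pattern.startswith("."):               # domain suffix, e.g. .example.com
        return origin.endswith(pattern)
    return False


def access_decision(rules: List[Rule], user: str, origin: str) -> bool:
    """First matching rule decides, as pam_access does; with no match, access is permitted."""
    for perm, users, origins in rules:
        if any(_user_matches(u, user) for u in users) and any(_origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, origin in [("user1", "tty3"), ("user2", "tty3"), ("user2", "192.168.1.0"), ("user2", "192.168.1.25")]:
        print(f"{user:6} from {origin:13} -> {'allow' if access_decision(rules, user, origin) else 'DENY'}")
```

Running it shows user1 denied on tty3, other users allowed there, and only the literal host 192.168.1.0 denied by the second rule; swap that rule for "-:ALL:192.168.1.0/24" (or "192.168.1.") to deny the segment.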
----------------
pam_time.so time control module
vim /etc/pam.d/login
9 account required pam_time.so
Format:
services;ttys;users;times
[root@xu /]# vim /etc/security/time.conf
login;tty3;user1;Al0100-0200        ------- user1 may log in from 01:00 to 02:00 (Al = all days)
login;tty3;user1;all
sshd;*;Al0100-0200
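The services;ttys;users;times format can be exercised with a small evaluator, added here as an example (not code from the original notes or from pam_time). It handles the day codes the pam_time manual defines (Mo..Su, Wk, Wd, Al), HHMM-HHMM ranges including ones that cross midnight, "!" negation of the time field, and "*" and "|" in the other fields; the "&" and "|" operators inside the times field are not modelled. The sample file is a constructed copy of the first time.conf line above, and the function names are mine. It also reproduces a documented quirk: repeating a day code toggles it, so "MoWk" means weekdays except Monday.

```python
"""Minimal evaluator for /etc/security/time.conf (pam_time) entries; added example."""
import re
from datetime import datetime
from fnmatch import fnmatchcase
from typing import List, Set, Tuple

# Constructed copy of the first rule from the notes: user1 on tty3 via login, 01:00-02:00 only
TIME_CONF = """\
# services;ttys;users;times
login;tty3;user1;Al0100-0200
"""

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6}}   # datetime.weekday() numbers

TIMES_RE = re.compile(r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def parse_times(field: str) -> Tuple[bool, Set[int], int, int]:
    """'Al0100-0200' -> (negated, weekdays, start HHMM, end HHMM)."""
    m = TIMES_RE.match(field)
    if not m:
        raise ValueError(f"unsupported times field: {field!r}")
    neg, daycodes, start, end = m.groups()
    days: Set[int] = set()
    for code in re.findall(r"..", daycodes):
        days ^= DAYS[code]            # pam_time toggles: 'MoMo' is no day, 'MoWk' is Tu-Fr
    return neg == "!", days, int(start), int(end)


def times_match(field: str, when: datetime) -> bool:
    neg, days, start, end = parse_times(field)
    hhmm = when.hour * 100 + when.minute
    if start <= end:
        in_range = start <= hhmm < end
    else:                             # range crosses midnight, e.g. 2300-0100
        in_range = hhmm >= start or hhmm < end
    ok = when.weekday() in days and in_range
    return (not ok) if neg else ok


def parse_time_conf(text: str) -> List[Tuple[str, str, str, str]]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        svc, ttys, users, times = (x.strip() for x in line.split(";"))
        rules.append((svc, ttys, users, times))
    return rules


def _field_matches(pattern: str, value: str) -> bool:
    # '*' wildcard and '|' alternatives; pam_time's '!' and '&' in these fields are not modelled
    return any(fnmatchcase(value, p) for p in pattern.split("|"))


def login_permitted(rules, service: str, tty: str, user: str, when: datetime) -> bool:
    """pam_time denies if any matching entry's time expression is false; otherwise it permits."""
    for svc, ttys, users, times in rules:
        if _field_matches(svc, service) and _field_matches(ttys, tty) and _field_matches(users, user):
            if not times_match(times, when):
                return False
    return True


def permitted(rules, service: str, tty: str, user: str, when: str) -> bool:
    """Convenience wrapper taking an ISO timestamp string such as '2013-08-20 01:30'."""
    return login_permitted(rules, service, tty, user, datetime.fromisoformat(when))


if __name__ == "__main__":
    rules = parse_time_conf(TIME_CONF)
    for when in ("2013-08-20 01:30", "2013-08-20 03:00"):
        print(when, "user1 on tty3 via login ->",
              "allowed" if permitted(rules, "login", "tty3", "user1", when) else "DENIED")
```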
------------
pam_echo.so prints text
[root@xu ~]# cat > hello.txt <<EOF
> eeeeeeeeeeeee
> EOF
vim /etc/pam.d/login
4 auth optional pam_echo.so file=/root/hello.txt
-------------------------
Pay attention to the order of the rules: the first rule that matches takes effect.
Which types does the module support?
The relationship between the first two columns
This article is from the "history_xcy" blog; please keep this link: http://historys.blog.51cto.com/7903899/1295252