Advanced Linux security: PAM usage

Source: Internet
Author: User

Hello everyone. Some people may not know how to use PAM, and its configuration does not come up often. These are my study notes and I would like to share them with you; in some places the logic is quite involved, so I have added comments.


PAM: Pluggable Authentication Modules

[root@xu /]# ldd /usr/sbin/sshd          -------- list the shared libraries a program loads when it runs

[root@xu /]# ldd `which sshd` | grep pam
libpam.so.0 => /lib/libpam.so.0 (0x008ae000)


[root@xu /]# ls /lib/security/           ------ all the PAM modules (the plug-ins that implement each function)

[root@xu /]# ls /etc/pam.d/              ------- which PAM modules a given program uses is configured here, one file per service


[root@xu /]# firefox /usr/share/doc/pam-0.99.6.2/html/Linux-PAM_SAG.html    ----- the PAM System Administrators' Guide (configuration manual)

Section 6.11: the usage method

Section 6.25: the limits description

Section 6.6: setting environment variables

-----------------------------

How PAM is used, with login as the example

The hard part of PAM is the relationship between the first two columns of a rule (the module type and the control flag).

Whether a user can log in or not is decided by the first two module types (auth and account).


Log information

tail -f /var/log/secure




First column (module type)

auth ---- manages the user name and password: identifies the user.

account ---- everything other than the user name and password that decides whether the login is allowed, for example a time window or a network segment.

password ---- used when the user changes a password; decides which passwords may be set.

session ------- session handling. Opening a program (logging in) is equivalent to establishing a session; this type runs at session start and end.



Column 2 (control flag)

required ------ a necessary condition: the module must succeed. If it fails, the remaining modules in the stack still run, but the final result is failure.

requisite ----- a necessary condition that also stops the stack: the module must succeed. If it fails, evaluation stops immediately and failure is returned; if it succeeds, continue.

sufficient ----- a sufficient condition, the fast path: if the module succeeds, success is returned immediately and the rest of the stack is skipped, unless an earlier required module has already failed. If it fails, the failure is ignored and does not affect the final result.

optional ---- optional: whether the module succeeds or fails does not affect the final result (unless it is the only module in the stack).

include ------- include: lets different service files call the same rules from one common file (system-auth). Only the lines of the same type (auth, account, ...) are read from the included file.


-------------------------------------------

[root@xu ~]# grep user1 /etc/shadow
user1:!$1$hSYfRFbq$ST2mHoyu38nnvPx/kDMv90:15781:0:99999:7:::

auth (pam_unix) checks the first two fields: user name and password hash. The leading ! on the hash here means the account is locked, so no password can match.

account (pam_unix) checks the fields that follow: last change date, minimum and maximum age, warning period, inactivity period and expiry date.
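The split between the two stacks is easy to see by evaluating a shadow entry by hand. The following is an added example, not code from the original notes: it reads one shadow line and reports what pam_unix would conclude in the auth stack (can the hash match at all?) and in the account stack (the aging and expiry checks of shadow(5), in the order pam_unix applies them). The day count TODAY is passed in so the result is reproducible; the entries other than user1 are constructed.

```shell
#!/bin/sh
# Added example: what pam_unix concludes from one /etc/shadow entry.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag (days since 1970-01-01).

# shadow_check ENTRY TODAY
#   ENTRY: one line of /etc/shadow
#   TODAY: the current day as days since 1970-01-01, the unit the shadow file
#          uses (on a live system: $(( $(date +%s) / 86400 )))
# Prints "<name>: <auth view> <account view>".
shadow_check() {
    today=$2
    IFS=: read -r name hash lastchg minage maxage warn inactive expire flag <<EOF
$1
EOF
    # empty fields mean "not set", which the shadow library reports as -1
    lastchg=${lastchg:--1}; maxage=${maxage:--1}
    warn=${warn:--1}; inactive=${inactive:--1}; expire=${expire:--1}

    # auth stack: pam_unix hashes the typed password and compares it with field 2.
    # A leading '!' (usermod -L, passwd -l) or '*' can never match: the account is locked.
    case "$hash" in
        '!'*|'*'*) auth=locked ;;
        '')        auth=empty-password ;;   # accepted only with the nullok option
        *)         auth=hash-compared ;;
    esac

    # account stack: pam_unix looks only at fields 3-8, never at the hash
    if [ "$expire" -ne -1 ] && [ "$today" -ge "$expire" ]; then
        acct=account-expired                 # PAM_ACCT_EXPIRED
    elif [ "$lastchg" -eq 0 ]; then
        acct=password-change-required        # PAM_NEW_AUTHTOK_REQD: forced change
    elif [ "$today" -lt "$lastchg" ]; then
        acct=ok                              # change date in the future: accepted, logged
    elif [ "$maxage" -ne -1 ] && [ $((today - lastchg)) -gt "$maxage" ]; then
        if [ "$inactive" -ne -1 ] && [ $((today - lastchg)) -gt $((maxage + inactive)) ]; then
            acct=password-expired-inactive   # PAM_AUTHTOK_EXPIRED: too late to change it
        else
            acct=password-change-required    # PAM_NEW_AUTHTOK_REQD: must change at login
        fi
    elif [ "$maxage" -ne -1 ] && [ "$warn" -ne -1 ] && [ $((today - lastchg)) -gt $((maxage - warn)) ]; then
        acct=ok-expiry-warning               # PAM_SUCCESS plus a "password will expire" warning
    else
        acct=ok
    fi
    echo "$name: $auth $acct"
}

# The entry from the page: user1 is locked (leading '!'), so auth can never pass,
# while the account stack is satisfied (99999-day maximum age, no expiry date).
shadow_check 'user1:!$1$hSYfRFbq$ST2mHoyu38nnvPx/kDMv90:15781:0:99999:7:::' 15800
# Constructed entry: password 100 days old with a 90-day maximum and 30 inactive days.
shadow_check 'alice:$1$abc$xyz:15000:0:90:7:30:' 15100
```

A locked user therefore fails in the auth stack even though the account stack says "ok", which is exactly why login needs both types to pass.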

-----------------------------------------


The third column is the module. If the rule does not jump to another file, look up what the module does in the manual; if it jumps (include), look up the function of the corresponding modules in the common file it is redirected to.


Modules in the login configuration file

pam_securetty.so secure tty module ------- configuration file: vim /etc/securetty. Only the terminals listed there count as secure terminals, and root may log in only from them.

pam_nologin.so blocks logins by non-administrators --- once the file /etc/nologin exists (touch /etc/nologin), all ordinary accounts are refused; only root can log in.

pam_access.so access control module

pam_time.so time control module

pam_echo.so prints text




Modules in the file the auth lines jump to (system-auth)

pam_env.so: sets environment variables ------- configuration file: vim /etc/security/pam_env.conf. Environment variables are set there.

pam_unix.so: verifies the user name and password. This is the PAM core module; it looks the user up in /etc/shadow. In the auth stack it checks the first two fields.

pam_succeed_if.so uid >= 500 quiet (quiet: do not log) tests a condition; here, whether the UID is greater than or equal to 500.

pam_deny.so always refuses.


Modules in the file the account lines jump to

pam_unix.so: here it checks the remaining shadow fields (password aging and account expiry).

pam_permit.so always allows.



-------------------------------------------


PAM configuration file of login

[root@xu /]# vim /etc/pam.d/login

1 #%PAM-1.0
2 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
  -- the bracket form is the full control syntax; required, requisite, sufficient and optional are shorthands for it. user_unknown=ignore: an unknown user name is ignored here (pam_unix deals with it later); any other error counts as failure (default=bad), like required.
  -- this rule applies only to root and does not check ordinary users. vim /etc/securetty: only the terminals listed there are secure terminals from which root may log in.
3 auth include system-auth             -- common file: jump to the auth rules in vim /etc/pam.d/system-auth
4 account required pam_nologin.so      -- this module looks for the file /etc/nologin (touch /etc/nologin); if it exists, non-root users are refused
5 account include system-auth          -- continue with the account rules in vim /etc/pam.d/system-auth
6 password include system-auth
7 # pam_selinux.so close should be the first session rule
8 session required pam_selinux.so close
9 session optional pam_keyinit.so force revoke
10 session required pam_loginuid.so
11 session include system-auth
12 session optional pam_console.so
13 # pam_selinux.so open should only be followed by sessions to be executed in the user context
14 session required pam_selinux.so open



----------------------------



[root@xu ~]# vim /etc/pam.d/system-auth

1 #%PAM-1.0
2 # This file is auto-generated.
3 # User changes will be destroyed the next time authconfig is run.
4 auth required pam_env.so                           -------- environment variables
5 auth sufficient pam_unix.so nullok try_first_pass  -- nullok: accept an empty password; try_first_pass: first try the password the user already typed for an earlier module, and prompt again only if that fails
6 auth requisite pam_succeed_if.so uid >= 500 quiet
7 auth required pam_deny.so                          -- reject module: reached only if pam_unix did not succeed
8
9 account required pam_unix.so                       -------- the aging and expiry fields of shadow, not the password
10 account sufficient pam_succeed_if.so uid < 500 quiet
11 account required pam_permit.so
12
13 password requisite pam_cracklib.so try_first_pass retry=3
14 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
15 password required pam_deny.so
16
17 session optional pam_keyinit.so revoke
18 session required pam_limits.so
19 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
20 session required pam_unix.so




--------------------------

Letting a user log in without a password

[root@xu /]# vim /etc/pam.d/login

Add pam_permit.so as a sufficient rule in front of the existing auth and account rules. It always succeeds, so each stack returns success before the password is ever checked (line numbers are after insertion):

2 auth sufficient pam_permit.so

7 account sufficient pam_permit.so

Note that this lets anyone on the console log in as any existing user, root included, with no password; it only serves to demonstrate the control-flag logic.


---------------------------------

pam_access.so access control module

At the end of each module's section in the manual there is this heading:

6.1.4. MODULE SERVICES PROVIDED

All services are supported.   --------- this tells you which of the four types (auth, account, password, session) the module may be used with; pam_access supports all of them.

vim /etc/pam.d/login

4 auth requisite pam_access.so

In /etc/security/access.conf, + means permit and - means deny. Each rule is permission:users:origins, rules are read top to bottom and the first matching rule wins; if no rule matches, access is permitted.

vim /etc/security/access.conf

-:user1:tty3             user1 may not log in on tty3

-:ALL:192.168.1.0        nobody may log in from the host 192.168.1.0. A bare address matches only that exact address; to cover the whole network write the prefix with a trailing dot, 192.168.1. (newer versions also accept 192.168.1.0/24).
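Because access.conf is first-match, the order of rules and the exact form of the origin decide the outcome. The following added example (not code from the original notes) models how pam_access walks the file for one login attempt. It implements only the subset of access.conf(5) needed here: + or -, ALL or a list of user names, and origins that are ALL, an exact tty or address, or a network prefix ending in a dot. EXCEPT, netgroups, LOCAL and netmask forms are left out. The rule file is constructed; it contains the page's two rules plus two more.

```shell
#!/bin/sh
# Added example: first-match evaluation of /etc/security/access.conf rules.

# access_check CONF USER ORIGIN
#   CONF:   access.conf text (permission:users:origins per line, # comments allowed)
#   USER:   the login name
#   ORIGIN: the tty name or source address PAM was given (PAM_TTY or PAM_RHOST)
# Prints "permit" or "deny"; the first matching rule decides, no match permits.
access_check() {
    user=$2; origin=$3
    while IFS=: read -r perm users origins; do
        case "$perm" in ''|'#'*) continue ;; esac   # blank line or comment

        match=0                                    # does the users field cover $user?
        for u in $users; do
            if [ "$u" = ALL ] || [ "$u" = "$user" ]; then match=1; break; fi
        done
        [ "$match" -eq 1 ] || continue

        match=0                                    # does the origins field cover $origin?
        for o in $origins; do
            case "$o" in
                ALL)        match=1 ;;
                "$origin")  match=1 ;;             # exact tty or exact address
                *.)         case "$origin" in "$o"*) match=1 ;; esac ;;   # network prefix
            esac
            if [ "$match" -eq 1 ]; then break; fi
        done
        [ "$match" -eq 1 ] || continue

        case "$perm" in
            +) echo permit; return 0 ;;
            -) echo deny; return 1 ;;
        esac
    done <<EOF
$1
EOF
    echo permit                                    # nothing matched: pam_access's default
    return 0
}

# Constructed access.conf: the two rules from the page, then a root exception
# for the 192.168.1.0/24 network and a deny for everyone else on that network.
ACCESS_CONF='# constructed access.conf
-:user1:tty3
-:ALL:192.168.1.0
+:root:192.168.1.
-:ALL:192.168.1.'

printf 'user1 on tty3:            %s\n' "$(access_check "$ACCESS_CONF" user1 tty3)"
printf 'user1 on tty1:            %s\n' "$(access_check "$ACCESS_CONF" user1 tty1)"
printf 'user2 from 192.168.1.0:   %s\n' "$(access_check "$ACCESS_CONF" user2 192.168.1.0)"
printf 'user2 from 192.168.1.25:  %s\n' "$(access_check "$ACCESS_CONF" user2 192.168.1.25)"
printf 'root from 192.168.1.25:   %s\n' "$(access_check "$ACCESS_CONF" root 192.168.1.25)"
printf 'user2 from 10.0.0.5:      %s\n' "$(access_check "$ACCESS_CONF" user2 10.0.0.5)"
```

The run shows the point of the trailing dot: the page's rule -:ALL:192.168.1.0 only catches the one address 192.168.1.0, and user2 coming from 192.168.1.25 is refused solely by the added prefix rule. Swapping the last two rules would also deny root, since the first matching rule wins.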


----------------

pam_time.so time control module

vim /etc/pam.d/login

9 account required pam_time.so

Format

services;ttys;users;times

[root@xu /]# vim /etc/security/time.conf

login;tty3;user1;Al0100-0200      user1 may log in on tty3 only between 01:00 and 02:00 (Al = all days)

login;tty3;user1;all

sshd;*;*;Al0100-0200              ssh logins, for everyone on any tty, only between 01:00 and 02:00

------------

pam_echo.so prints text

[root@xu ~]# cat > hello.txt <<EOF
> eeeeeeeeeeeee
> EOF

vim /etc/pam.d/login

4 auth optional pam_echo.so file=/root/hello.txt


-------------------------

Points to watch: the order of rules matters, since a stack is evaluated top to bottom and an earlier sufficient or requisite rule decides before later rules run. Check which module types a module supports (MODULE SERVICES PROVIDED). Understand the relationship between the first two columns, the module type and the control flag.


This article is from the "history_xcy" blog; please keep this link: http://historys.blog.51cto.com/7903899/1295252
