Enhance Linux server security with PAM Authentication (1)

Source: Internet
Author: User

PAM (Pluggable Authentication Modules) Plug-in Authentication module, which is an efficient and flexible and convenient user-level Authentication method. It is also a common Authentication method for Linux servers. Of course, deploying PAM Authentication in Linux systems of different versions is different. This article will take RHEL4 version as an example for parsing.

1. Necessity of deploying PAM Authentication

We know that a Linux server will provide many different services. Many of these services do not have the authentication function, but only give the authentication to the user name and password. In this case, all services are authenticated using the Linux user name and password, which is very dangerous for the server. For example, if a server is running FTP, SMTP, SSH, and other services, you will be entitled to Operation permissions for the above services by default when you create a new user, if a user's account or password is disclosed, multiple services are involved. Therefore, it is necessary to deploy PAM Authentication on a PC or server in a Linux-like system. Using the new authentication module PAM can solve Authentication deficiencies and enhance Linux system security.

2. PAM Authentication Method

PAM Authentication generally follows the following sequence: Service (Service) → PAM (configuration file) → PAM _ *. so. PAM Authentication first needs to determine the service, and then load the corresponding PAM Configuration File (located in/etc/PAM. d), and finally call the authentication file (located under/lib/security) for security authentication. Generally, some default configuration files are provided in the/etc/PAM. d path after the Linux system is installed. In addition, the/lib/security directory is the default storage location for authentication files. The default configuration file in the/etc/PAM. d path is our PAM Configuration template. Generally, we can modify or add corresponding items according to security requirements. (Figure 1)

3. Composition of PAM Authentication

Objectively speaking, PAM Authentication is complicated. Simply put, it includes four common authentication types ): that is, auth authentication management, account user management, password authentication management, and session management. Take/etc/PAM. d/login as an example. We can see its configuration file. auth, account, password, and session in area 1 are all authentication types. In area 2, required, requisite, sufficient, and optional are authentication process control. The last area 3 is the authenticated PAM file. (Figure 2)

3. Composition of PAM Authentication

Objectively speaking, PAM Authentication is complicated. Simply put, it includes four common authentication types ): that is, auth authentication management, account user management, password authentication management, and session management. Take/etc/PAM. d/login as an example. We can see its configuration file. auth, account, password, and session in area 1 are all authentication types. In area 2, required, requisite, sufficient, and optional are authentication process control. The last area 3 is the authenticated PAM file. (Figure 2)

4. PAM Authentication process

To help you gain an in-depth understanding of the PAM Authentication process, we will take the PAM-login verification user logon as an example. The PAM Authentication process is from the first line to the end of the line, one by one authentication. For example, if a user logs on to the server and there are 10 auth types in total, if the first authentication fails, the next nine authentication entries must also be authenticated. Why is it normal? In fact, there are some unusual situations. The success or failure of this user action depends on how Region 2 is processed after auth authentication. As shown in figure 2, the processing fields are required and optional. required indicates that the authentication must pass. That is to say, no matter how many statements are successful, the authentication fails if one fails. As shown in figure 2, Area 3 is the authentication module, and "PAM_securetty.so" in the second line is the file. In RHEL, relative paths are mostly used for authentication.


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.