Introduction to common PAM authentication modules (1)

Overview: This article describes common PAM authentication modules, giving the type, function description and recognized parameters of each module. Where a module has a configuration file we give a brief description of that file, and for some modules we also provide configuration examples. We hope that this introduction gives readers a working knowledge of the commonly used PAM authentication modules. The article is based on Red Hat 7.x. The author's expertise is limited; readers are welcome to criticize and correct any shortcomings.
  
1. pam_access Authentication Module
  
Type: account
  
Function description: This module provides access control based on the login user name, client IP address or host name, network number, and login terminal. By default the module reads its rules from /etc/security/access.conf; the accessfile parameter specifies a custom configuration file.
  
Optional parameters: accessfile=/path/to/file.conf
  
Configuration File description:
Each line of the file consists of three fields separated by colons:
permission:user:source
The permission field is "+" (access allowed) or "-" (access denied).
The user field holds user names, group names or entries of the form user@host; ALL means anyone. Multiple values are separated by spaces.
The source field holds tty names (for local logins), host names, domain names (starting with "."), host IP addresses or network numbers (ending with "."). ALL means any host and LOCAL means a local login.
The EXCEPT operator expresses "all except ..." within a field.
  
Configuration instance:
Only bye2000 may log on to the host from the local machine.
Edit /etc/pam.d/login as follows:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_access.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
That is, add the line
account    required     /lib/security/pam_access.so
Then add the following line to /etc/security/access.conf:
-:ALL EXCEPT bye2000:LOCAL
To prohibit everyone except root from logging on from anywhere, add the following to /etc/security/access.conf instead:
-:ALL EXCEPT root:ALL
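As an added illustration of the access.conf rules above (not code from the article or from Linux-PAM), the following Python evaluates a constructed access.conf against a user and origin the way the page describes: the first matching line wins, and a file with no matching line permits the login. The sample rules, the group membership and the machine's own host name are assumptions supplied inline.

```python
# Constructed evaluator for /etc/security/access.conf rules (not pam_access's own
# code): first matching line wins, "+" permits, "-" denies, no match permits.
SAMPLE_ACCESS_CONF = """\
# constructed sample: local logins only for bye2000, LAN logins only for root/wheel
-:ALL EXCEPT bye2000:LOCAL
-:ALL EXCEPT root wheel:192.168.1.
"""

def _split_except(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); without EXCEPT -> (items, [])."""
    items = field.split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return items[:i], items[i + 1:]
    return items, []

def _user_hit(item, user, groups, local_host):
    if item == "ALL":
        return True
    if "@" in item:  # user@host: the user plus the name of the machine logged into
        name, host = item.split("@", 1)
        return name == user and host == local_host
    return item == user or item in groups  # bare name: tried as user, then as group

def _source_hit(item, source):
    if item == "ALL":
        return True
    if item == "LOCAL":  # as in pam_access: any origin without a dot (a tty, a bare host name)
        return "." not in source
    if item.startswith("."):  # domain suffix, e.g. .example.com
        return source.endswith(item)
    if item.endswith("."):  # network number prefix, e.g. 192.168.1.
        return source.startswith(item)
    return item == source  # exact tty name, host name or IP address

def _field_match(field, hit):
    listed, excepted = _split_except(field)
    return any(map(hit, listed)) and not any(map(hit, excepted))

def access_allowed(conf_text, user, source, groups=(), local_host="myhost"):
    """True if the first matching rule permits the login, or if no rule matches."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, sources = (f.strip() for f in line.split(":", 2))
        if _field_match(users, lambda i: _user_hit(i, user, groups, local_host)) and \
                _field_match(sources, lambda i: _source_hit(i, source)):
            return perm == "+"
    return True
```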
  
2. pam_chroot Authentication Module
  
Type: account, session, auth
  
Function description: This module provides a virtual root (chroot) environment for ordinary users. The module's configuration file is /etc/security/chroot.conf.
  
Possible parameters:
debug: write debugging information to the log
onerr: defines the action taken when the configuration file cannot be opened, the chroot() call fails, or the configuration file contains no entry for the user; the default is "succeed".
  
Additional notes: This module is not fully documented and provides no configuration guidance for chroot.conf.
  
3. pam_cracklib Authentication Module
  
Type: password
  
Function description: This module checks the strength of user passwords. In other words, it lets you constrain every aspect of a password, such as its length and complexity.
  
Possible parameters:
debug: write debugging information to the log
type=xxx: when a password is added or changed, the default prompts are "New UNIX password:" and "Retype UNIX password:"; this parameter replaces the word UNIX in those prompts, for example type=your.
retry=N: the number of attempts allowed when adding or changing a password fails.
difok=N: the new password must contain at least N characters that are not in the old one. However, if more than half of the new password's characters differ from the old one, the new password is accepted anyway.
minlen=N: the minimum password length.
dcredit=N: the maximum number of digits a password may contain.
ucredit=N: the maximum number of uppercase letters a password may contain.
lcredit=N: the maximum number of lowercase letters a password may contain.
ocredit=N: the maximum number of other characters (neither digits nor letters) a password may contain.
  
Configuration instance:
See the /etc/pam.d/system-auth file.
  
4. pam_deny Authentication Module
  
Type: account, session, auth, password
  
Function description: This module only ever returns a failure and is used to deny access; it usually serves as the default (catch-all) rule.
  
Optional parameters: None
  
Configuration instance:
See the /etc/pam.d/system-auth file.
  
5. pam_env Authentication Module
  
Type: auth
  
Function description: This module sets arbitrary environment variables. By default it reads /etc/security/pam_env.conf; the conffile parameter specifies a custom configuration file.
  
Configuration file description: each line (one entry) of the configuration file has the following syntax:
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
DEFAULT gives the variable's default value and OVERRIDE gives a value that replaces the default. Within this file, ${variable_name} references another variable. The module can also read "variable_name=value" lines from the /etc/environment file; that file can be changed with the readenv parameter. Note that values read from this file overwrite the defaults from the conffile file.
  
Possible parameters:
debug: write debugging information to the log
conffile=filename: specifies the custom configuration file;
readenv=filename: specifies the custom environment file containing "variable_name=value" lines;
readenv=1/0: sets whether environment variables are read from the readenv file; the default is 1, that is, read it.
  
Configuration instance:
See the /etc/pam.d/system-auth file.
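Added example, not from the article or from Linux-PAM: a Python model of how the pam_env.conf entries described above resolve, using a constructed pam_env.conf and a constructed readenv file. The starting environment passed in stands in for the PAM environment that ${...} references are expanded from, and is an assumption of this example.

```python
import re
import shlex

# Constructed sample pam_env.conf in VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] form.
SAMPLE_PAM_ENV_CONF = """\
PATH     DEFAULT=/usr/local/bin:/usr/bin:/bin
EDITOR   DEFAULT=vi                 OVERRIDE=${VISUAL}
GOPATH   DEFAULT="${HOME}/go"
"""

# Constructed sample readenv file in VARIABLE=value form (like /etc/environment).
SAMPLE_ENV_FILE = """\
LANG=en_US.UTF-8
PATH=/opt/bin
"""

def _expand(value, env):
    """Replace ${NAME} with the value already in the environment ("" if unset)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), value)

def apply_pam_env(conf_text, env_file_text="", pam_env=None):
    """Return the resulting environment. pam_env stands in for the variables the
    PAM stack already holds when the module runs (assumption for this example)."""
    env = dict(pam_env or {})
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *options = shlex.split(line)  # shlex removes the optional "quotes"
        default = override = ""
        for opt in options:
            key, _, val = opt.partition("=")
            if key == "DEFAULT":
                default = val
            elif key == "OVERRIDE":
                override = val
        # OVERRIDE wins when it expands to something non-empty, otherwise DEFAULT
        # applies; an empty result removes the variable, as pam_env does.
        value = _expand(override, env) or _expand(default, env)
        if value:
            env[name] = value
        else:
            env.pop(name, None)
    # The readenv file is applied last, so its values overwrite the conffile ones.
    for raw in env_file_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            env[key.strip()] = val.strip().strip('"')
    return env
```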
  
6. pam_filter Authentication Module
  
Type: account, session, auth, password
  
Function description: This module filters the content exchanged between the user and the application. Currently it supports only conversion between upper and lower case. The module remains to be improved.
  
7. pam_ftp Authentication Module
  
Type: auth
  
Function description: This module provides anonymous FTP user authentication.
  
Possible parameters:
debug: write debugging information to the log
users=xxx,yyy: the user names authenticated by this module, separated by commas; the default is ftp and anonymous;
ignore: do not check the password (e-mail address) entered by the user.
  
  