When executing some programs in Linux, these programs must first authenticate the user who initiated it before executing, such as login, su , etc.
The authentication procedure for identity or status in Linux is performed by Pam ,Pam(pluggable Authentication Modules) can dynamically load validation modules, because the validation can be changed dynamically as needed, so the flexibility of verification can be greatly improved.
in Linux distributions, The validation modules used by PAM are typically stored in the /lib/security/ directory and can be used with the ls command to see what authentication control this computer supports, generic PAM module names such as pam_unix.so, modules can be added and removed at any time in this directory, This does not directly affect the operation of the program, the specific impact in the PAM configuration directory.
The PAM configuration file is located under the /etc/pam.d file. the LS command can see all the file configurations
[Email protected]:/etc/pam.d# ls-al
Total dosage 124
Drwxr-xr-x 2 root root 4096 one month 21:31.
Drwxr-xr-x 133 root root 12288 one month 21:31.
-rw-r--r--1 root root 384 month chfn
-rw-r--r--1 root root monthly chpasswd
-rw-r--r--1 root root 581 month chsh
-rw-r--r--1 root root 1208 month 20:23 common-account
-rw-r--r--1 root root 1249 month 20:23 Common-auth
-rw-r--r--1 root root 1480 month 20:23 Common-password
-rw-r--r--1 root root 1470 month 20:23 common-session
-rw-r--r--1 root root 1435 month 20:23 common-session-noninteractive
-rw-r--r--1 root root 606 8 month 07:54 Cron
-rw-r--r--1 root root 9 months 00:53 Cups
-rw-r--r--1 root root 884 9 months lightdm
-rw-r--r--1 root root 551 9 months lightdm-autologin
-rw-r--r--1 root root 727 8 months lightdm-greeter
-rw-r--r--1 root root 4905 month 21:31 login
-rw-r--r--1 root root monthly newusers
-rw-r--r--1 root root 520 4 months
-rw-r--r--1 root root monthly passwd
-rw-r--r--1 root root 5 months polkit-1
-rw-r--r--1 root root 168 1 months PPP
-rw-r--r--1 root root 143 7 month 09:19 runuser
-rw-r--r--1 root root 138 7 month 09:19 runuser-l
-rw-r--r--1 root root 2257 monthly su
-rw-r--r--1 root root 239 6 months 03:51 sudo
-rw-r--r--1 root root 317 3 11:24 systemd-user
-rw-r--r--1 root root 9 months 09:14 ukui-screensaver
-rw-r--r--1 root root 319 5 month 8 vsftpd
Let's see what the format is in the file:
[Email protected]:/etc/pam.d# cat./login
#
# The PAM configuration file for the Shadow ' login ' service
#
# enforce a minimal delay in case of failure (in microseconds).
# (replaces the ' fail_delay ' setting from Login.defs)
# Note that other modules may require another minimal delay. (For example,
# To disable any delay, you should add the Nodelay option to Pam_unix)
Auth Optional pam_faildelay.so delay=3000000
Auth Required pam_securetty.so
The format of the configuration file consists of 4 main columns:
The first column represents the type of module, which is divided into 4 types :
Auth: Used to identify the identity of the user. For example: Prompt the user for a password, or determine if the user is root
Account: Check the properties of the accounts. such as: whether to allow login, whether to reach the maximum number of users, or whether the root user is allowed to login at this terminal, etc.
Session: This module is used to define the user pre-logon, and the user exit after the operation. such as: Login connection information, user data open and close, Mount file system, etc.
PASSWD: Use user information to update. For example: Modify user password.
The second column represents the control tag: There are also 4 types:
Required: Indicates that PAM returns an error message even if the validation of a module fails for the user, and after all modules have finished executing. This is done in order not to let the user know which module was rejected. If the user is authenticated successfully, all modules will return success information
Requisite: Similar to required, but if the module returns a failure, it immediately returns a failure to the application, indicating that the type failed. Do not perform the same type of operation later.
Sufficient: Indicates that if a user passes the validation of this module, the PAM structure will return the verification success information immediately (even if the previous module fail, it will ignore the fail result), and return control to the application. The subsequent cascading modules are no longer executed even if the requisite or required control flags are used. If the validation fails, the sufficient function is the same as the optional
Optional: Indicates that even if the module validation fails, it allows the user to accept the service provided by the application and generally returns Pam_ignore (ignored).
The third column represents the module path: The location of the module to invoke. This is typically in the/lib/security file. But each version is different, for example, I use the ubuntun17.10. The module is under the/lib/x86_64-linux-gnu/security folder
[Email protected]:/lib/x86_64-linux-gnu/security$ ls-al
Total dosage 1064
Drwxr-xr-x 2 root root 4096 November 26 20:05.
Drwxr-xr-x 3 root root 12288 November 26 20:08..
-rw-r--r--1 root root 18672 April pam_access.so
-rw-r--r--1 root root 10080 October 16:26 pam_cap.so
-rw-r--r--1 root root 10376 April pam_debug.so
-rw-r--r--1 root root 6000 April pam_deny.so
-rw-r--r--1 root root 10336 April pam_echo.so
-rw-r--r--1 root root 14536 April pam_env.so
-rw-r--r--1 root root 14728 April pam_exec.so
-rw-r--r--1 root root 60368 April pam_extrausers.so
-rw-r--r--1 root root 10368 April pam_faildelay.so
-rw-r--r--1 root root 14576 April pam_filter.so
-rw-r--r--1 root root 10304 April pam_ftp.so
-rw-r--r--1 root root 42984 July 21:21 Pam_gnome_k
The fourth column is the module parameter: parameters can be used in multiple , separated by a space. Example:password required pam_unix.so Nullok obscure min=4 max=8 MD5
Let's look at the contents of the configuration file: For example, the following two kinds. Where the red font comments have been written to the corresponding modules need to do those configuration
# Uncomment and edit/etc/security/access.conf if you need to
# Set access limits.
# (replaces/etc/login.access file)
# account Required Pam_access.so
# sets up user limits according to/etc/security/limits.conf
# (replaces the use of of/etc/limits in old login)
Session Required Pam_limits.so
Below we introduce the common Pam modules, such as the following table:
Pam Module |
Combining management types |
Description |
Pam_unix.so |
Auth |
Prompts the user to enter a password and is compared to the/etc/shadow file . Match return 0 |
Account |
Check the user's account information (including whether it expires or not). Returns 0 when the account is available. |
Password |
Modify the user's password. Update the shadow file with the password that the user entered as the user's new password |
Pam_shells.so |
Auth Account |
If the user wants to log into the system, then its shell must be one of the shells in the/etc/shells file |
Pam_deny.so |
Account Auth Password Session |
This module can be used to deny access to |
Pam_permit.so |
Auth Account Password Session |
The module will return to success at any time. |
Pam_securetty.so |
Auth |
If the user wants to log on as root, the login TTY must be in/etc/securetty. |
Pam_listfile.so |
Auth Account Password session |
Access to the control switch of the application process |
Pam_cracklib.so |
Password |
This module can be inserted into a program's password stack to Check the strength of the password . |
Pam_limits.so |
Session |
The definition uses the upper limit of system resources, the root user is also subject to this limit, can be set by/etc/security/limits.conf or/etc/security/limits.d/*.conf |
We use the Pam_securetty.so module to do a test. The function of this module is that if the user wants to log in as root, the login TTY must be in/etc/securetty. We know we can use Ctrl+alt+f1-ctrl+alt+f6 to log in to each terminal on the keyboard. Now let's limit the root login terminal
The first step: first in the/etc/pam.d/login file is configured as follows, indicating that when the user is root need to use pam_securetty.so to verify
Auth Required pam_securetty.so
Step two: Comment out Tty2 in/etc/securetty
# Virtual Consoles
Tty1
#tty2
The third step: when logging in tty2 with the root user, you will be prompted to login incorrect.
Learn Linux:pam modules together