Home > Developer > Linux

Linux-pam Authentication Module

Source: Internet
Author: User
Tags auth
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

linux-pam Authentication Module

When the user accesses the server, one of the server's service programs sends the user's request to the PAM module for authentication. The PAM modules that correspond to different server applications are also different. If you want to see if a program supports PAM authentication, you can check it with the LDD command:

For example: see if SSHD is supporting PAM module certification:

Since the libpam.so.0 =</lib/libpam.so.0 is linked in the program module, the program can be PAM certified.

When a server requests the PAM module, Pam itself does not provide service validation, it is called other a bunch of modules for server request verification, such files are all in the /lib/security . Specifically which service uses which specific module, which is defined by the specific Pam service file (/etc/pam.d/).

[Email protected] root]#ls/etc/pam.d/
Authconfig Neat redhat-config-network su
CHFN other Redhat-config-network-cmd sudo
Chsh passwd Redhat-config-network-druid System-auth
Halt Poweroff Rhn_register Up2date
Internet-druid PPP Setup Up2date-config
Kbdrate reboot SMTP Up2date-nox
Login Redhat-config-mouse sshd

Pam Service File

1. # More/etc/pam.d/login
Auth Required pam_securetty.so
Auth Required pam_stack.so Service=system-auth
Auth Required pam_nologin.so
Account Required Pam_stack.so Service=system-auth
Password Required pam_stack.so Service=system-auth
Session Required Pam_stack.so Service=system-auth
Session Optional Pam_console.so

The format of the PAM service file (Part Four)

Module-type Control-flag Module-path Arguments
Module-type:auth, account, session, password control-flag:required, requisite, sufficient, optional eg:
Auth Required Pam_securety.so
Auth Required Pam_stack.so Service=system_auth
Module-type (belonging to the first part of the certification, mainly to assign permissions)AUTH: Authentication, Authorization (check the user's name, password is correct or not); Account: Checks whether the user's accounts expire, is disabled, and so on. Session: Control Sessions Password: Control user Change Password process Control-flag (Part II of the certification, control of the identification bit)Required: Must pass this authentication, otherwise no longer go down certification, direct exit; requisite: Must pass certification, but there is still a chance, you can go down to certification; sufficient: Once passed, the back is no longer certified (as long as this condition is passed directly) Optional: Optional, can not pass through. commonly used Pam service files 1),Login----/etc/pam.d/login 2),Ipop3d---/etc/pam.d/pop 3),FTP----/ETC/PAM.D/FTP or VSFTPD--/etc/pam.d/vsftpd 4),SSHD---/etc/pam.d/sshd 5),SU---/etc/pam.d/su 6),IMAP---/ETC/PAM.D/IMCP Authentication Stack

①, auth required pam_securety.so
②, auth required pam_stack.so Service=system-auth
③, auth required pam_nologin.so

If End, then there is an end sign in the back, go to the next certification authentication, and so on, the same type of certification will be put together. Where Pam_stack.so invokes a sub-module service, which invokes a third-party module for authentication authorization. Common PAM Modules1), pam_access.so control the address of the visitor and the name of the account 2), pam_listfile.so control the visitor's account name or login location 3), pam_limits.so control the resource assigned to the user 4), pam_rootok.so To the Administrator (Uid=0) unconditionally through 5), pam_userdb.so set up a separate user account database certification as follows:

[Email protected] root]#cd/etc/pam.d/
[Email protected] pam.d]#More Login
#%pam-1.0
Auth Required pam_securetty.so
Auth Required pam_stack.so Service=system-auth
Auth Required pam_nologin.so
Account Required Pam_stack.so Service=system-auth
Password Required pam_stack.so Service=system-auth
Session Required Pam_stack.so Service=system-auth
Session Optional Pam_console.so
[Email protected] pam.d]#cd/usr/share/doc/pam-0.75/txts/
[Email protected] txts]#ls
Pam_appl.txt readme.pam_ftp Readme.pam_shells
Pam_modules.txt readme.pam_limits Readme.pam_stack
Pam.txt Readme.pam_listfile readme.pam_stress
README Readme.pam_localuser readme.pam_tally
Readme.pam_access Readme.pam_mail Readme.pam_time
Readme.pam_chroot Readme.pam_nologin Readme.pam_timestamp
Readme.pam_console Readme.pam_permit Readme.pam_unix
Readme.pam_cracklib readme.pam_pwdb Readme.pam_userdb
Readme.pam_deny readme.pam_rhosts Readme.pam_warn
Readme.pam_env Readme.pam_rootok Readme.pam_wheel
Readme.pam_filter Readme.pam_securetty Readme.pam_xauth
[Email protected] txts]#More Readme.pam_securetty
Pam_securetty:
Allows root logins only if the user was logging in on a
"Secure" TTY, as defined by the listing In/etc/securetty

Also checks to make sure That/etc/securetty is a plain
File and not world writable.

-Elliot Lee, Red Hat software.
July 25, 1996.
[Email protected] txts]#More/etc/securetty
Console
Vc/1
Vc/2
Vc/3
Vc/4
Vc/5
Vc/6
Vc/7
Vc/8
Vc/9
Vc/10
Vc/11
Tty1
Tty2
Tty3
Tty4
Tty5
Tty6
Tty7
Tty8
Tty9
Tty10
Tty11
[Email protected] txts]#More/etc/pam.d/system-auth
#%pam-1.0
# This file is auto-generated.
# User changes'll be destroyed the next time Authconfig is run.
Auth required/lib/security/$ISA/pam_env.so
Auth sufficient/lib/security/$ISA/pam_unix.so likeauth Nullok
Auth required/lib/security/$ISA/pam_deny.so

Account required/lib/security/$ISA/pam_unix.so

Password required/lib/security/$ISA/pam_cracklib.so retry=3 type=
Password sufficient/lib/security/$ISA/pam_unix.so Nullok use_authtok MD5 Shadow
Password required/lib/security/$ISA/pam_deny.so

Session required/lib/security/$ISA/pam_limits.so
Session required/lib/security/$ISA/pam_unix.so
[Email protected] txts]# pwd
/usr/share/doc/pam-0.75/txts
[Email protected] txts]# more Readme.pam_nologin
# $Id: Readme,v 1.1.1.1 2000/06/20 22:11:46 Agmorgan EXP $
#

This module always lets root in; It lets other users on only if the file
/etc/nologin doesn ' t exist. In any case, if /etc/nologin exists, it ' s
Contents is displayed to the user.

Module Services Provided:

Auth _authentication and _setcred (blank)

Michael K. Johnson
[Email protected] txts]#Touch/etc/nologin
[Email protected] txts]#Useradd Leekwen
[Email protected] txts]#passwd Leekwen
Changing password for user Leekwen.
New Password:
Retype new Password:
Passwd:all authentication tokens updated successfully.
[Email protected] txts]#ssh [email protected]
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Permission denied (publickey,password,keyboard-interactive).
[Email protected] txts]#Rm/etc/nologin
Rm:remove regular empty file '/etc/nologin '?y
[Email protected] txts]#ssh [email protected]
[email protected] ' s password:
[Email protected] leekwen]$pwd
/home/leekwen
[Email protected] leekwen]$Exit
Logout
Connection to 192.168.0.188 closed.
[Email protected] txts]#cd/etc/pam.d/
[Email protected] pam.d]#More Login
#%pam-1.0
Auth Required pam_securetty.so
Auth Required pam_stack.so Service=system-auth
Auth Required pam_nologin.so
Account Required Pam_stack.so Service=system-auth
Password Required pam_stack.so Service=system-auth
Session Required Pam_stack.so Service=system-auth
Session Optional Pam_console.so
[[email protected] pam.d]# TTY
/dev/pts/2
[Email protected] pam.d]# ls/dev/tty1
 /dev/tty1

Linux-pam Authentication Module

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
php pam authentication pluggable authentication module user not known to underlying authentication module linux ldap authentication linux two factor authentication setup kerberos authentication linux ssh two factor authentication linux
Related Article
Linux DNS detailed

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More