PAM module
A PAM module in Linux is a pluggable (hot-swappable) authentication module (*.so).
1. Configuration files
# ls /etc/pam.d/
atd                  other              subscription-manager
authconfig           passwd             subscription-manager-gui
authconfig-gtk       password-auth      sudo
authconfig-tui       password-auth-ac   sudo-i
chfn                 polkit-1           su-l
chsh                 poweroff           system-auth
config-util          ppp                system-auth-ac
crond                reboot             system-config-authentication
cups                 remote             system-config-date
cvs                  rhn_register       system-config-kdump
dovecot              run_init           system-config-keyboard
eject                runuser            system-config-language
fingerprint-auth     runuser-l          system-config-network
fingerprint-auth-ac  selinux-polgengui  system-config-network-cmd
gdm                  setup              system-config-selinux
gdm-autologin        sfcb               system-config-users
gdm-fingerprint      smartcard-auth     vmware-authd
gdm-password         smartcard-auth-ac  vsftpd
gnome-screensaver    smtp               vsftpd_user
halt                 smtp.postfix       wireshark
ksu                  squid              xlock
liveinst             sshd               xserver
login                ssh-keycat
newrole              su
The system-auth and password-auth files are the configuration files for the RHEL6 user authentication mechanism. Most service configurations include them.
2. Modules. On a 32-bit system the modules are in /lib/security/. On a 64-bit system they are in the /lib64/security/ directory.
# ls /lib64/security/
pam_access.so        pam_gnome_keyring.so  pam_namespace.so         pam_succeed_if.so
pam_cap.so           pam_group.so          pam_nologin.so           pam_tally2.so
pam_chroot.so        pam_issue.so          pam_oddjob_mkhomedir.so  pam_time.so
pam_ck_connector.so  pam_keyinit.so        pam_passwdqc.so          pam_timestamp.so
pam_console.so       pam_krb5              pam_permit.so            pam_tty_audit.so
pam_cracklib.so      pam_krb5afs.so        pam_postgresok.so        pam_umask.so
pam_debug.so         pam_krb5.so           pam_pwhistory.so         pam_unix_acct.so
pam_deny.so          pam_lastlog.so        pam_rhosts.so            pam_unix_auth.so
pam_echo.so          pam_limits.so         pam_rootok.so            pam_unix_passwd.so
pam_env.so           pam_listfile.so       pam_securetty.so         pam_unix_session.so
pam_exec.so          pam_localuser.so      pam_selinux_permit.so    pam_unix.so
pam_faildelay.so     pam_loginuid.so       pam_selinux.so           pam_userdb.so
pam_faillock.so      pam_mail.so           pam_sepermit.so          pam_warn.so
pam_filter           pam_mkhomedir.so      pam_shells.so            pam_wheel.so
pam_filter.so        pam_motd.so           pam_smbpass.so           pam_winbind.so
pam_fprintd.so       pam_mysql.la          pam_sss.so               pam_xauth.so
pam_ftp.so           pam_mysql.so          pam_stress.so
3. Verification phases
There are four verification management phases. Different phases manage the whole process from user logon, through successful logon, to logout. Several modules can be stacked in the same phase; they are processed in the order in which they are listed, and the four phases must be performed in the order auth --> account --> password --> session. The meaning of each phase is as follows:
(1) The auth (authentication) phase verifies whether the user exists and whether the corresponding password is correct.
(2) The account phase verifies whether the user is valid: whether the user is forbidden to log on, whether the account is permitted to log on, and whether the account has expired.
(3) The password phase enforces the password modification policy and covers any password-related operation.
(4) The session phase is used to restrict all operations performed after a user has successfully logged on to the system.
Control flags:
(1) required is a necessary condition. The module must pass verification. If it fails, the failure is not returned immediately; it is returned only after the subsequent modules in the same phase have also been evaluated.
(2) requisite is also a necessary condition. The module must pass verification. If it fails, the failure is returned immediately and the subsequent modules in the same phase are not evaluated.
(3) sufficient is a sufficient condition. If the module succeeds and the necessary-condition modules before it have also succeeded, success is returned immediately and the subsequent modules in the same phase are not evaluated. If the module fails, it is treated as an optional condition: the failure does not affect the result of the phase, and evaluation continues with the following modules.
(4) optional is an optional condition that does not affect the result.
(5) include pulls in the specified configuration file (equivalent to loading all the lines for the same phase from that configuration file at this position).
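The control flags above, worked through as an added example (not code from the original article): a simplified Python model that expands include lines and evaluates one phase of a stack. The two file bodies are constructed samples modelled on a typical RHEL 6 layout; reducing every module to pass/fail, and treating a stack in which no required or requisite module passes as a failure, are assumptions of this model.

```python
# Simplified model of how the control flags decide the result of one phase.
# SAMPLE_FILES is constructed sample data, not read from a live /etc/pam.d/.
SAMPLE_FILES = {
    "sshd": """
auth       required     pam_sepermit.so
auth       include      password-auth
""",
    "password-auth": """
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
""",
}

def load_stack(service, phase, files=SAMPLE_FILES):
    """Return [(control, module)] for one phase, expanding 'include' lines."""
    stack = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 3 or fields[0] != phase:
            continue
        if fields[1] == "include":
            stack += load_stack(fields[2], phase, files)
        else:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (pass) or False (fail); default pass.
    Returns (granted, modules_run)."""
    required_failed, something_passed, ran = False, False, []
    for control, module in stack:
        ok = outcomes.get(module, True)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                    # fail immediately
        if control == "required" and not ok:
            required_failed = True               # remembered, stack continues
        if control == "sufficient" and ok and not required_failed:
            return True, ran                     # succeed immediately
        if control in ("required", "requisite") and ok:
            something_passed = True
        # a failed 'sufficient' and any 'optional' result leave the verdict alone
    return (something_passed and not required_failed), ran
```

Calling `evaluate(load_stack("sshd", "auth"), {"pam_unix.so": False, "pam_deny.so": False})` models a wrong password: the failed sufficient line is skipped over and the trailing required pam_deny.so turns the phase into a failure.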