PAM: Pluggable Authentication Modules
Module directory: /lib/security
Configuration files: /etc/pam.d/

Module types:
auth      verifies the user's identity (authentication)
account   checks whether the account is usable, e.g. whether the password has expired
password  lets the user change the password
session   handles session setup and teardown
Control flags:
required    must pass. If it fails, the final result is failure, but the remaining
            modules are still evaluated. If it passes, the remaining modules are
            still evaluated.
requisite   must pass. If it fails, the final result is failure and the remaining
            modules are not evaluated. If it passes, the remaining modules are
            still evaluated.
sufficient  if it fails, access is not denied and the remaining modules are
            evaluated; as long as one sufficient module passes, the stack succeeds.
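As an added illustration (not part of the original notes), a small Python simulator of how one PAM stack is evaluated under the required / requisite / sufficient flags; module names and their pass/fail outcomes are constructed. It also shows the detail the table above omits: a passing sufficient module cannot override an earlier required failure.

```python
# Added example, not from the original notes: simulate how PAM evaluates the
# modules of one type (e.g. the "account" stack of /etc/pam.d/sshd) under the
# required / requisite / sufficient control flags. Module outcomes are
# constructed booleans, so this runs without a real PAM library.

def evaluate_stack(stack):
    """stack: list of (control, module_name, result) in file order, where
    result is True for PAM_SUCCESS and False for any failure.
    Returns (access_granted, names_of_modules_actually_consulted)."""
    required_failed = False
    consulted = []
    for control, name, result in stack:
        consulted.append(name)
        if control == "required":
            if not result:
                # deny at the end, but keep evaluating so the client cannot
                # tell from the behaviour which module rejected it
                required_failed = True
        elif control == "requisite":
            if not result:
                return False, consulted    # deny now, skip the rest
        elif control == "sufficient":
            # a passing 'sufficient' ends the stack with success, unless an
            # earlier 'required' module has already failed; a failing
            # 'sufficient' is simply ignored
            if result and not required_failed:
                return True, consulted
        else:
            raise ValueError(f"unknown control flag: {control!r}")
    return (not required_failed), consulted


# The sshd case from these notes: /etc/nologin exists, so pam_nologin fails.
SSHD_ACCOUNT_STACK = [
    ("required", "pam_nologin.so", False),   # constructed: /etc/nologin exists
    ("required", "pam_unix.so", True),
]

if __name__ == "__main__":
    granted, seen = evaluate_stack(SSHD_ACCOUNT_STACK)
    print("sshd account stack:", "granted" if granted else "denied", seen)
    # requisite stops early; sufficient short-circuits on success
    print(evaluate_stack([("requisite", "a", False), ("required", "b", True)]))
    print(evaluate_stack([("sufficient", "a", True), ("required", "b", False)]))
```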
Listing the modules:
[root@localhost security]# pwd
/lib/security
[root@localhost security]# ls
1. A simple module: pam_nologin.so
[root@localhost ~]# vim /etc/nologin    # no content is needed; the file only has to exist
Ordinary users can no longer log in. The reason:
[root@localhost pam.d]# pwd
/etc/pam.d
[root@localhost pam.d]# vim sshd
account required pam_nologin.so
The log shows:
[root@localhost ~]# tail -f /var/log/secure
Dec 21:28:44 localhost sshd[5647]: fatal: Access denied for user u1 by PAM account configuration
Dec 21:28:44 localhost sshd[5646]: Failed password for u1 from 192.168.10.1 port 3486 ssh2
Delete the file (rm /etc/nologin) and users can log in normally again.
2. Module pam_access.so
Example 1: restrict user1 so that it can only ssh in from 192.168.10.1
[root@localhost security]# pwd
/etc/security
[root@localhost security]# vim access.conf
+ : user1 : 192.168.10.1
- : user1 : ALL
Another variant: user1 can ssh in from anywhere, while everyone else (except the administrator) cannot ssh in at all.
The log shows:
Dec 23:17:06 localhost sshd[7256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain
Dec 23:17:09 localhost sshd[7256]: Failed password for user1 from 127.0.0.1 port 44903 ssh2
3. Module pam_limits.so: limiting the number of concurrent logins per user
[root@localhost security]# vim limits.conf
user1 - maxlogins 2
Verification: user1 can have only 2 sessions open; any further login is refused.
The log shows:
Dec 00:03:14 localhost sshd[7958]: pam_limits(sshd:session): Too many logins (max 2) for user user1
Also verify, by changing the client IP, whether user1 can still log in from another IP.
Note: do not forget to clear the rules after each test so they do not affect the subsequent tests.
4. Module pam_listfile.so: only users in group test can ssh in; user2, which does not belong to group test, cannot
First, using vsftpd as an example, test that the users on a list cannot log in. Install vsftpd, then edit its PAM file:
[root@localhost pam.d]# pwd
/etc/pam.d
[root@localhost pam.d]# vim vsftpd
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers
# users listed in /etc/vsftpd/ftpusers are not allowed to log in to vsftpd
Add user1 to ftpusers and test: user1 can no longer log in, while the newly added user2 can.
The log shows:
Dec 00:38:52 localhost vsftpd: pam_listfile(vsftpd:auth): Refused user user1 for service vsftpd
Now restrict SSH to one group, so that only members of that group can log in via SSH:
[root@localhost security]# gpasswd -a user1 test
[root@localhost security]# groups user1
user1 : user1 test
[root@localhost security]# useradd user2
[root@localhost pam.d]# pwd
/etc/pam.d
[root@localhost pam.d]# vim sshd
session required pam_listfile.so item=group sense=allow file=/etc/allowgroup onerr=succeed
Add the group test to /etc/allowgroup:
vim /etc/allowgroup
test
Verification: user1 can log in via SSH; user2 cannot.
The log shows:
Dec 01:07:28 localhost sshd[9091]: Accepted password for user1 from 192.168.10.20 port 1066 ssh2
Dec 01:08:46 localhost sshd[9130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.20
Dec 01:08:48 localhost sshd[9130]: Failed password for user2 from 192.168.10.20 port 1067 ssh2