Article Title: Using PAM Authentication to Enhance Linux Server Security (Linux channel, IT Lab China)
PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user-level authentication mechanism and the standard way of authenticating users on Linux servers. Deploying PAM differs somewhat between Linux distributions and versions; this article uses RHEL4 as its example.
1. Necessity of deploying PAM Authentication
A Linux server typically provides many different services. Many of these services have no authentication of their own and simply delegate authentication to the system user name and password. Every service is then authenticated with the same Linux account, which is dangerous for the server: if it runs FTP, SMTP, SSH and other services, a newly created user is by default entitled to use all of them, and if that account's password leaks, every one of those services is exposed. This is why PAM should be deployed on Linux-like PCs and servers: the PAM module remedies these authentication shortcomings and strengthens Linux system security.
2. PAM Authentication Method
PAM authentication generally follows this sequence: service → PAM configuration file → pam_*.so module. PAM first determines which service is asking, then loads the corresponding configuration file (located in /etc/pam.d), and finally calls the authentication module file (located under /lib/security) to perform the check. After a Linux system is installed, /etc/pam.d already contains a set of default configuration files, and /lib/security is the default location for the module files. The default files in /etc/pam.d serve as PAM configuration templates; entries in them can be modified or added according to security requirements.
3. Composition of PAM Authentication
Objectively speaking, PAM authentication is complicated. Put simply, it involves four common management types: auth (authentication management), account (user management), password (password management) and session (session management). Take /etc/pam.d/login as an example. Each line of its configuration file has three fields: the first field (auth, account, password or session) is the management type; the second field (required, requisite, sufficient or optional) is the control flag that steers the authentication process; the third field is the PAM module file that performs the check.
4. PAM Authentication process
To give a deeper understanding of the PAM authentication process, we take PAM's login verification of a user logon as an example. PAM works through the file from the first line to the last, checking one entry after another. For example, if a user logs on to the server and there are 10 auth entries in total, and the first check fails, the remaining nine entries are still evaluated. Is that normal? In fact there are exceptions. Whether the user's login succeeds or fails depends on how the control flag in the second field is handled after an auth check. In the login file the control flags seen are required and optional. required means the check must pass: no matter how many entries succeed, if one required entry fails, authentication fails. The third field is the authentication module; in the second line it is the file pam_securetty.so. In RHEL, modules are mostly given as relative paths (relative to /lib/security).
5. PAM Authentication Test
pam_securetty.so is an authentication module that applies only to the root user. When root logs on, the system checks whether the login comes from a secure terminal. The secure terminals are the entries listed in the file /etc/securetty; if you run the "w" command, the names shown under the TTY column are terminals of this kind. If the login terminal is in that list, the check passes; otherwise it fails. For security, some administrators leave /etc/securetty empty so that root cannot log on directly: even with the root password, a local root login is then impossible.
To make the effect of the following experiments visible, we add the authentication line "auth required pam_securetty.so" to the PAM configuration of the SSH service (/etc/pam.d/sshd). Run "vi /etc/pam.d/sshd" in a console window and add the statement. The same statement in the login file (present but commented out by default; remove the leading #) controls logons from the local console, whereas in the sshd file it controls remote logons to port 22 of the server.
Next, we try to log on to the system via SSH to see the effect. On the console, run "ssh -l root localhost": regardless of whether the root password is correct, root cannot log on remotely through SSH, which shows that the authentication entry has taken effect. In general, for the sake of server security, remote root logon should be refused in this way through PAM authentication.
6. How PAM Processes Authentication Results
Having learned how authentication works, we should also understand how results are processed. In the sshd file the control flag is required, which means this module's check must succeed; but if it fails, the authentication process is not terminated immediately, and PAM continues with the next entry of the same type. In the test above, the pam_securetty.so check failed, but authentication was not yet finished and the "pointer" kept moving down the stack. This is why, when root fails to log on through the SSH client, the system still prompts for a password even though authentication cannot succeed.
Having covered required (the four flags are required, requisite, sufficient and optional), let's look at the effect of requisite. Again using the SSH service, change "auth required pam_securetty.so" in the first line of /etc/pam.d/sshd to "auth requisite pam_securetty.so". Trying to log on again shows the password being rejected three times. But if you experiment as you read, you will notice that with required the response after entering the password is slower, and with requisite there is no record in the system log, even though authentication fails in both cases. This shows that required and requisite are alike in that the check must pass, but differ in that when a requisite check fails, the authentication process terminates immediately and the following entries are not evaluated.
7. Restrict root login to the console
We use /etc/pam.d/login to restrict the root user from logging on at the console. Open the login file and delete the # at the start of the second line, uncommenting "auth required pam_securetty.so". Then log on to the server locally. Testing shows that with required you get a denial message after entering root and the password, while with requisite you are rejected as soon as you enter the root user name. This is the effect of the control flag just discussed.
8. PAM Authentication Module
In PAM authentication, sufficient means that if this module's check succeeds, authentication for this type is complete and the remaining modules of the same type are not checked. If it fails, PAM goes on to the next check, and if a later module of the same type succeeds, the overall result is still success. optional means the module's check is optional and does not affect overall success or failure. Used carelessly, these are the more dangerous flags. For example, add "auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=succeed" to /etc/pam.d/sshd to allow remote logon only to users listed in the file /etc/sshusers. Then run "ssh -l root localhost": when root is not in the sshusers file, the logon fails and is clearly rejected by the PAM module. Now change required to sufficient in that line and try to log on again.
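To make the control-flag behaviour described in sections 6 to 8 concrete, here is an added Python example; it is not part of the original article and not Linux-PAM's own code. It simulates how a pam.d auth stack is walked, following the rules for required, requisite, sufficient and optional from the pam.d(5) manual page, and models pam_securetty.so, pam_listfile.so and pam_unix.so just far enough to reproduce the experiments above. The contents of /etc/securetty and /etc/sshusers, the password check, and the attempt() helper are constructed assumptions rather than real system state.

```python
# Added example: simulate how Linux-PAM walks an "auth" stack (simplified).
from dataclasses import dataclass

SUCCESS, FAIL = "success", "fail"


@dataclass
class Env:
    """Constructed stand-in for the system state a real module would inspect."""
    user: str
    tty: str                 # "tty1" for a console login, "pts/0" over SSH
    securetty: frozenset     # lines of /etc/securetty (constructed)
    sshusers: frozenset      # lines of /etc/sshusers, i.e. pam_listfile file=
    password_ok: bool        # what pam_unix.so would conclude


def run_module(module, args, env):
    """Result a single module reports for this attempt (simplified models)."""
    if module == "pam_securetty.so":
        # Only root is checked; root passes only on a terminal in /etc/securetty.
        if env.user != "root":
            return SUCCESS
        return SUCCESS if env.tty in env.securetty else FAIL
    if module == "pam_listfile.so":
        # item=user sense=allow|deny file=...; the file is always readable in
        # this model, so onerr= never comes into play.
        opts = dict(a.split("=", 1) for a in args)
        listed = env.user in env.sshusers
        if opts.get("sense") == "deny":
            return FAIL if listed else SUCCESS
        return SUCCESS if listed else FAIL
    if module == "pam_unix.so":
        return SUCCESS if env.password_ok else FAIL
    raise ValueError(f"no model for {module}")


def parse_stack(text, mgmt_type="auth"):
    """Turn pam.d-style lines into (control, module, args) for one type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != mgmt_type:
            continue
        # Both "pam_x.so" and "/lib/security/pam_x.so" appear; keep the basename.
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack


def evaluate(stack, env):
    """Walk the stack top to bottom; return (final result, modules that ran)."""
    ran = []
    impression = None                      # None = undecided, else SUCCESS/FAIL
    for control, module, args in stack:
        result = run_module(module, args, env)
        ran.append(module)
        if control == "required":
            if result == FAIL:
                impression = FAIL          # remember the failure but keep going
            elif impression is None:
                impression = SUCCESS
        elif control == "requisite":
            if result == FAIL:
                return FAIL, ran           # stop at once; later lines never run
            if impression is None:
                impression = SUCCESS
        elif control == "sufficient":
            if result == SUCCESS and impression != FAIL:
                return SUCCESS, ran        # short-circuit; later lines never run
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if result == SUCCESS and impression is None:
                impression = SUCCESS       # counts only if nothing else decided
        else:
            raise ValueError(f"unsupported control flag {control}")
    return (SUCCESS if impression == SUCCESS else FAIL), ran


# Constructed stacks mirroring the article's edits to /etc/pam.d/sshd.
SSHD_REQUIRED = "auth required pam_securetty.so\nauth required pam_unix.so\n"
SSHD_REQUISITE = "auth requisite pam_securetty.so\nauth required pam_unix.so\n"
SSHD_LISTFILE = ("auth {flag} /lib/security/pam_listfile.so item=user sense=allow "
                 "file=/etc/sshusers onerr=succeed\nauth required pam_unix.so\n")
SECURETTY = frozenset({"tty1", "tty2"})    # constructed /etc/securetty


def attempt(stack_text, user="root", tty="pts/0", password_ok=True,
            sshusers=frozenset()):
    """Hypothetical helper: one login attempt against a pam.d stack."""
    env = Env(user, tty, SECURETTY, sshusers, password_ok)
    return evaluate(parse_stack(stack_text), env)


if __name__ == "__main__":
    print("required,  root over ssh:", attempt(SSHD_REQUIRED))
    print("requisite, root over ssh:", attempt(SSHD_REQUISITE))
    print("listfile required,   root unlisted:", attempt(SSHD_LISTFILE.format(flag="required")))
    print("listfile sufficient, root unlisted:", attempt(SSHD_LISTFILE.format(flag="sufficient")))
    print("listfile sufficient, listed user, wrong password:",
          attempt(SSHD_LISTFILE.format(flag="sufficient"), user="alice",
                  password_ok=False, sshusers=frozenset({"alice"})))
```

Running the block shows the three behaviours the article describes: with required, pam_securetty.so fails but pam_unix.so still runs (the password prompt still appears); with requisite, the stack stops after the first line; and with pam_listfile.so as required, an unlisted root is rejected. It also shows why sufficient deserves care: placed before pam_unix.so, a listed user is accepted the moment pam_listfile.so succeeds, and the password check never runs, while an unlisted root falls through to the password check and succeeds. A sufficient line should therefore sit after, not before, the module that actually verifies the credential.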
Summary: PAM authentication is the most important security authentication mechanism for Linux server systems, and mastering it is very important for enhancing system security. This article has analyzed PAM authentication through a combination of theory and practice. PAM is in fact a large topic, and we hope to have the opportunity to share more PAM-based Linux security skills and experience in the future.