PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user-level authentication mechanism, and the common authentication method on Linux servers. Deploying PAM authentication differs between Linux distributions and versions; this article takes RHEL4 as the example for its analysis.
1. Necessity of deploying PAM Authentication
We know that a Linux server provides many different services. Many of these services have no authentication of their own and simply hand the check over to the system user name and password. In that case every service is authenticated against the same Linux user name and password, which is very dangerous for the server. For example, if a server runs FTP, SMTP, SSH and other services, a newly created user is by default entitled to use all of them, so if one user's account or password is disclosed, several services are affected at once. It is therefore necessary to deploy PAM authentication on PCs and servers running Linux-like systems. Using the PAM authentication module fixes this authentication deficiency and strengthens Linux system security.
2. PAM Authentication Method
PAM authentication generally follows this sequence: service → PAM configuration file → pam_*.so module. PAM first determines the service, then loads the corresponding PAM configuration file (located in /etc/pam.d), and finally calls the authentication module files (located under /lib/security) to perform the security check. After a Linux system is installed, a set of default configuration files is already present in /etc/pam.d, and /lib/security is the default storage location for the module files. The default files in /etc/pam.d are our PAM configuration templates; we can modify them or add corresponding entries according to the security requirements. (Figure 1)
3. Composition of PAM Authentication
Objectively speaking, PAM authentication is complicated. Simply put, it involves four common management types: auth (authentication management), account (user account management), password (password management) and session (session management). Take /etc/pam.d/login as an example and look at its configuration file: in area 1, auth, account, password and session are the management types; in area 2, required, requisite, sufficient and optional are the control flags that decide how each module's result is processed; area 3 is the PAM module file that performs the check. (Figure 2)
4. PAM Authentication process
To give an in-depth understanding of the PAM authentication process, we take the user login check performed through /etc/pam.d/login as an example. PAM processes the stack from the first line to the last, checking each entry in turn. For example, if a user logs on to the server and the file contains 10 auth entries, then even when the first check fails, the remaining nine entries are still evaluated. Is that always the case? In fact there are exceptions: the success or failure of the user's action depends on how the control flag in area 2 processes each result after the auth module has run. As shown in figure 2, the control flags used here are required and optional. required means the check must pass: no matter how many entries succeed, the overall authentication fails if a single required entry fails. Area 3 in figure 2 is the authentication module, and pam_securetty.so on the second line is the module file. In RHEL, module files are mostly referenced by relative path.
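The three-area layout described in section 3 and the line-by-line walk described above can be reproduced in a small simulator. The following is an added example, not code from the article or from Linux-PAM itself: it parses a constructed /etc/pam.d-style file and applies the standard Linux-PAM meaning of the four control flags (required records a failure but keeps walking the stack, requisite aborts at once, sufficient ends the stack early on success, optional only counts when it is the sole entry). The configuration text and the module outcomes passed in are constructed inputs.

```python
# Added example (not from the article): parse a /etc/pam.d-style stack and
# simulate Linux-PAM control-flag semantics for one management type.
# SAMPLE_LOGIN is a constructed configuration, not a copy of RHEL4's login file.
SAMPLE_LOGIN = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_unix.so nullok
auth       required     pam_deny.so
account    required     pam_unix.so
session    optional     pam_keyinit.so
"""

def parse_stack(text, mgmt_type):
    """Return (control, module, args) entries of one type, in file order
    (area 1 = type, area 2 = control flag, area 3 = module file)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        fields = line.split()
        if fields and fields[0] == mgmt_type:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries

def evaluate_stack(entries, results):
    """Walk the stack top to bottom. `results` maps module file -> True/False
    (constructed outcome of that module); unknown modules count as failing."""
    failed = False          # a required module failed earlier in the stack
    for control, module, _args in entries:
        ok = results.get(module, False)
        if control == "required" and not ok:
            failed = True   # remember it, but keep walking the remaining lines
        elif control == "requisite" and not ok:
            return False    # abort the stack immediately
        elif control == "sufficient" and ok and not failed:
            return True     # enough evidence, stop here
        # optional: only matters when it is the sole module in the stack
    if failed:
        return False
    if len(entries) == 1 and entries[0][0] == "optional":
        return results.get(entries[0][1], False)
    return bool(entries)    # empty stack: nothing granted access

def login_allowed(text, results):
    """Login needs both the auth and the account stacks to succeed."""
    return all(evaluate_stack(parse_stack(text, t), results)
               for t in ("auth", "account"))
```

With the sample file, a login from a non-secure terminal fails even though the password check succeeds, because the required pam_securetty.so failure is remembered while the rest of the stack is still walked.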