PAM Authentication Module

Source: Internet
Author: User
Tags: imap
To find out whether a service program supports PAM authentication, run ldd on its binary and check whether it was linked against libpam.so (for example, if ldd on the sshd binary lists libpam.so, sshd can authenticate through PAM). The PAM module files themselves live in the /lib/security directory, and the per-service configuration files live in the /etc/pam.d directory.

PAM (Pluggable Authentication Modules for Linux) is a framework into which authentication modules can be plugged. When a user accesses the server, the service program hands the request to the PAM library; PAM selects the service file in /etc/pam.d that matches the service name, and the contents of that file determine which specific PAM modules are called.

PAM service file format
Each line has three fields, module-type, control-flag and module (path), optionally followed by module arguments. Eg:
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
service=system-auth tells pam_stack.so to run the stack defined in the sub-service file /etc/pam.d/system-auth. (pam_stack.so is obsolete; current Linux-PAM uses the include or substack control keywords for the same purpose.)

Module-type:
auth: verifies the user's identity (typically user name and password) and may grant credentials such as group memberships.
account: account management rather than authentication: checks whether the account has expired and whether the user is allowed to log on at this time or from this place.
session: tasks performed from a successful logon until logout, such as applying resource limits and logging.
password: updates the authentication token (password changes).
Control-flag:
required: must succeed; on failure the remaining modules still run, but the final result of the stack is failure.
requisite: must succeed; on failure control returns to the application immediately and the rest of the stack is not run.
sufficient: success ends the stack with a success result (unless an earlier required module has already failed); failure is ignored and the stack continues.
optional: the result only matters if this is the only module of its type in the stack.

Common PAM service files
login ------- /etc/pam.d/login
ipop3d ------- /etc/pam.d/pop
vsftpd ------- /etc/pam.d/ftp (compiled from source) or /etc/pam.d/vsftpd (RPM installation)
sshd ------- /etc/pam.d/sshd
su ------- /etc/pam.d/su
imap ------- /etc/pam.d/imap

The PAM modules are in the /lib/security directory; for details on each module, see the help files under /usr/share/doc/pam-0.99.3.0.
Entries of the same module type in a service file form a stack and are evaluated in order.

Commonly used PAM modules
pam_access.so: controls access by origin (host or address) and account name
pam_listfile.so: allows or denies by account name, logon location, tty and similar items listed in a file
pam_limits.so: controls the resources allocated to a user's session
pam_rootok.so: lets the administrator (uid 0) pass without further checks
pam_userdb.so: authenticates against a separate user account database file

Using pam_access.so: control the hosts and users that may access the sshd service
1. Add the module to the service file of the service you want to control, e.g. for sshd add to /etc/pam.d/sshd:
account required pam_access.so
2. Edit the module's configuration file
/etc/security/access.conf
Each line has the format permission:users:origins, where permission is + (allow) or - (deny), and the first matching line wins. E.g.
-:redhat:ALL EXCEPT 192.168.0.
denies the user redhat from every origin except hosts in the 192.168.0.x network.
3. Test
ssh redhat@192.168.0.22 (from the permitted network)
ssh redhat@127.0.0.1 (from an origin the rule denies)
pam_access.so denies or allows access based on host, IP address and user. The origin it checks is the remote host that sshd reports to PAM, which may be a host name rather than an address if sshd resolves client names, so write rules that cover the form your server actually sees.
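To see how such a rule is applied, the following toy evaluator, an added example and not code from the article or from Linux-PAM, checks constructed access.conf content the way pam_access.so does: first matching line wins, no match means permit. It models only the subset of the syntax used here (ALL, user names, @group names, ALL EXCEPT lists, exact IPv4 addresses and trailing-dot network prefixes); the group memberships and the user alice and group wheel in the second policy are constructed.

```python
"""Toy evaluator for /etc/security/access.conf rules (pam_access.so).

Added example, not code from the article or from Linux-PAM. It covers the subset of
the syntax the article uses: one 'permission:users:origins' rule per line, '+' to
permit and '-' to deny, ALL, user names, @group names, 'ALL EXCEPT ...' in either
field, exact IPv4 addresses and network prefixes written with a trailing dot
(192.168.0.). The first matching line wins and a (user, origin) pair that matches
no line is permitted, as in the real module. Host names, LOCAL, tty fields and
netmask/IPv6 forms are not modelled. Group membership is passed in as a dict
because the toy has no group database.
"""


def _list_matches(field, value, token_matches):
    """Match a space-separated list, honouring the 'ALL EXCEPT a b c' form."""
    tokens = field.split()
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return not any(token_matches(t, value) for t in tokens[2:])
    return any(token_matches(t, value) for t in tokens)


def _user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("@"):
        return user in groups.get(token[1:], ())
    return token == user


def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token.endswith("."):          # network prefix, e.g. 192.168.0.
        return origin.startswith(token)
    return token == origin           # exact address


def access_allowed(conf, user, origin, groups=None):
    """Return True if pam_access would let 'user' in from 'origin' under this access.conf."""
    groups = groups or {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        permission, users, origins = fields
        if (_list_matches(users, user, lambda t, v: _user_matches(t, v, groups))
                and _list_matches(origins, origin, _origin_matches)):
            return permission == "+"     # first matching line decides
    return True                          # no rule matched: access is granted


# The article's rule: redhat may log in only from the 192.168.0.x network.
ARTICLE_CONF = "-:redhat:ALL EXCEPT 192.168.0.\n"

# A constructed allow-list policy: the wheel group from the LAN, nobody else.
# Order matters: with the lines swapped the deny-all line would match first.
ADMIN_ONLY_CONF = """
+:@wheel:192.168.0.
-:ALL:ALL
"""
ADMIN_GROUPS = {"wheel": {"alice"}}


def article_tests():
    """Outcomes of the article's ssh tests (plus an unlisted user) under ARTICLE_CONF."""
    return {
        "redhat@192.168.0.22": access_allowed(ARTICLE_CONF, "redhat", "192.168.0.22"),
        "redhat@127.0.0.1": access_allowed(ARTICLE_CONF, "redhat", "127.0.0.1"),
        "chinaitlab@127.0.0.1": access_allowed(ARTICLE_CONF, "chinaitlab", "127.0.0.1"),
    }


def swapped_order_allows_admin():
    """Same two lines as ADMIN_ONLY_CONF in reverse order: is the admin still let in?"""
    swapped = "-:ALL:ALL\n+:@wheel:192.168.0.\n"
    return access_allowed(swapped, "alice", "192.168.0.5", ADMIN_GROUPS)
```

The second policy shows the practical trap with this file: because the first match wins, a final -:ALL:ALL line turns the file into an allow list, and placing it above the + lines locks everyone out. A user who matches no line at all is permitted, so a deny-only file like the article's only restricts the users it names.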

Using pam_listfile.so (finer-grained control than pam_access.so)
1. First read its help file for the exact format and parameters
# less /usr/share/doc/pam-0.99.3.0/txts/README.pam_listfile
item: what the entries in the list file describe: user, tty or group (the module also supports rhost, ruser and shell)
sense: allow or deny, i.e. whether the entries in the file are the only ones allowed, or the ones to be denied
file: the list file; its lines are interpreted according to item
onerr: succeed or fail, the value the module returns when something goes wrong, e.g. the list file cannot be opened. It is commonly set to succeed, but note the consequence: for a deny list, succeed means a missing or unreadable file silently admits everyone, while fail locks everyone out until the file is restored. Choose the failure mode deliberately.
2. Apply the module to the sshd service
Remove the pam_access.so line added above and add the following as the first line of /etc/pam.d/sshd:
auth required pam_listfile.so item=user sense=deny file=/etc/denyuser onerr=succeed
Pay attention to where the line is placed: if it comes after a sufficient module that succeeds, it is never consulted and has no effect.
3. Create the list file
# echo "redhat" > /etc/denyuser
4. Test
# ssh -l redhat 192.168.0.22 (fails)
# ssh -l chinaitlab 192.168.0.22 (succeeds)
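The interplay of sense and onerr is easiest to see by running the module's decision on constructed inputs. The following model is an added example, not code from the article or from Linux-PAM; the list contents are constructed, only item=user is modelled, and treating onerr as fail when it is not given is an assumption rather than the module's documented default.

```python
"""Toy model of the decision pam_listfile.so makes for item=user.

Added example, not code from the article or from Linux-PAM. The list file's contents,
and whether it could be opened at all, are passed in as arguments so that the effect
of 'sense' and 'onerr' can be observed offline. Only item=user is modelled; the real
module also supports tty, rhost, ruser, group and shell, and it refuses a list file
that is world-writable (modelled here as a plain denial).
"""


def parse_module_args(arg_string):
    """Turn 'item=user sense=deny file=/etc/denyuser onerr=succeed' into a dict."""
    opts = {}
    for token in arg_string.split():
        key, sep, value = token.partition("=")
        if not sep or not value:
            raise ValueError(f"expected key=value, got {token!r}")
        opts[key] = value
    return opts


def listfile_allows(arg_string, user, list_content=None, world_writable=False):
    """Return True if the module would let 'user' through.

    list_content=None models a list file that cannot be opened (missing, unreadable):
    the answer is then decided by onerr alone, whatever the user name.
    """
    opts = parse_module_args(arg_string)
    if opts.get("item", "user") != "user":
        raise ValueError("only item=user is modelled")
    sense = opts["sense"]
    onerr = opts.get("onerr", "fail")   # treated as fail when unspecified (assumption)
    if sense not in ("allow", "deny") or onerr not in ("succeed", "fail"):
        raise ValueError("sense must be allow|deny and onerr succeed|fail")
    if list_content is None:
        return onerr == "succeed"
    if world_writable:
        return False   # a list anyone could edit is not trusted, regardless of onerr
    listed = {line.strip() for line in list_content.splitlines() if line.strip()}
    return (user not in listed) if sense == "deny" else (user in listed)


# The article's module arguments and deny list (contents constructed here).
ARTICLE_ARGS = "item=user sense=deny file=/etc/denyuser onerr=succeed"
ARTICLE_LIST = "redhat\n"


def article_results(list_content=ARTICLE_LIST):
    """Outcome for the two users the article tests."""
    return {user: listfile_allows(ARTICLE_ARGS, user, list_content)
            for user in ("redhat", "chinaitlab")}


def missing_file_outcomes(user):
    """What each onerr setting does to 'user' when /etc/denyuser cannot be opened."""
    base = "item=user sense=deny file=/etc/denyuser"
    return {"onerr=succeed": listfile_allows(base + " onerr=succeed", user),
            "onerr=fail": listfile_allows(base + " onerr=fail", user)}
```

missing_file_outcomes("redhat") is the case to think about before copying the article's line: with onerr=succeed, deleting or chmod-ing /etc/denyuser lets the very user you wanted to block back in, and nothing in the ssh session will tell you why.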

# w shows the logged-on users and what each of them is doing

Using pam_limits.so
1. Read the help file to confirm the location of its configuration file and the parameter format.
# less /usr/share/doc/pam-0.99.3.0/txt/README.pam_limits
Each line of the configuration file has four fields:
domain: a user name, a group name written as @group, or * for the default entry
type: soft (a limit the user may raise) or hard (the ceiling, which may not be exceeded)
item: what is limited, e.g. fsize (file size), nproc (maximum number of processes), maxlogins (number of concurrent logons)
value: the limit
2. Apply the module to the sshd service by editing its service file
# vi /etc/pam.d/sshd, adding:
session required pam_limits.so
It is a session module: it restricts the resources a user gets by applying the limits to the user's session processes, which is how it controls the number of logons and the file sizes of those processes.
3. Edit the module's configuration file, /etc/security/limits.conf:
redhat hard maxlogins 2
This limits how many sessions redhat may have open on the sshd service at the same time.
4. Test
# ssh -l redhat 192.168.0.22 (1st logon: succeeds)
# ssh -l redhat 192.168.0.22 (2nd logon: refused)
So at most one redhat session exists at a time, although the configured value is 2: on this version the module evidently counts the session being opened as well. Verify the effective number on your own system rather than trusting the configured figure.
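To check which limits.conf line actually applies to a user, and what the maxlogins check then does, the following resolver is an added example and not code from the article or from Linux-PAM. The precedence it implements (user line over @group line over *, later line wins among equals) is the module's documented behaviour; the second policy, the students group and the users alice, bob and carol are constructed, and a plain list of user names stands in for utmp.

```python
"""Toy resolver for /etc/security/limits.conf and the maxlogins check of pam_limits.so.

Added example, not code from the article or from Linux-PAM. Lines have the form
'<domain> <type> <item> <value>' with domain = user name, @group or '*', and type =
soft, hard or '-' (both). Precedence assumed here, following the module's documented
behaviour: a user line beats an @group line, which beats '*'; between lines of the
same kind the last one wins. The current sessions are a constructed list of user
names standing in for utmp. Only maxlogins is enforced; other items are only resolved.
"""


def resolve_limit(conf, user, groups, item, kind="hard"):
    """Return the effective limit for (user, item, kind), or None if no line applies."""
    best_rank, value = None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed limits.conf line: {raw!r}")
        domain, ltype, litem, lvalue = fields
        if litem != item or ltype not in (kind, "-"):
            continue
        if domain == user:
            rank = 0
        elif domain.startswith("@") and user in groups.get(domain[1:], ()):
            rank = 1
        elif domain == "*":
            rank = 2
        else:
            continue
        if best_rank is None or rank <= best_rank:   # more specific, or a later line of the same kind
            best_rank = rank
            value = None if lvalue in ("unlimited", "infinity") else int(lvalue)
    return value


def login_permitted(conf, user, groups, current_sessions):
    """Would pam_limits let 'user' open one more session? current_sessions stands in for utmp."""
    limit = resolve_limit(conf, user, groups, "maxlogins")
    if limit is None:
        return True
    if limit == 0:
        return False      # pam_limits treats maxlogins 0 as 'no logins at all'
    return sum(1 for s in current_sessions if s == user) < limit


ARTICLE_CONF = "redhat hard maxlogins 2\n"

# Constructed policy: everyone gets 10, the students group 3, one named student 1.
CLASS_CONF = """
*          hard  maxlogins  10
@students  hard  maxlogins  3
bob        hard  maxlogins  1
"""
CLASS_GROUPS = {"students": {"alice", "bob"}}


def article_sequence():
    """Results of three successive redhat logons under ARTICLE_CONF, sessions accumulating."""
    sessions, results = [], []
    for _ in range(3):
        ok = login_permitted(ARTICLE_CONF, "redhat", {}, sessions)
        results.append(ok)
        if ok:
            sessions.append("redhat")
    return results
```

article_sequence() returns [True, True, False]: the toy counts only sessions that already exist, which is the documented intent of maxlogins 2. The article's own test refused the second logon, so when you depend on this number, reproduce the test on the PAM version you run and note the effective value, not the configured one.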

Using pam_rootok.so
# chfn changes a user's finger (GECOS) information
An ordinary user must enter a password to use this command; root does not.
Analysis:
# more /etc/pam.d/chfn
The first line is: auth sufficient pam_rootok.so
Because the first line of chfn's service file is pam_rootok.so with the sufficient flag, the module succeeds for uid 0 and the auth stack ends there: root is not asked for a password and the remaining auth modules are not run.
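The control-flag rules listed under Control-flag above and this chfn analysis both come down to how Linux-PAM walks a stack. The following evaluator is an added example, not code from the article or from Linux-PAM: it reads service-file lines and replaces the real modules with a dict of constructed outcomes (pam_unix.so and the auth_err/perm_denied result names are assumptions), so the effect of each flag, and of putting a module in the wrong place, can be seen without touching /etc/pam.d.

```python
"""Toy evaluator for the Linux-PAM control flags required, requisite, sufficient and optional.

Added example, not code from the original article or from Linux-PAM. It runs a
service-file stack against a dict of constructed module outcomes instead of loading
real modules, so the effect of each control flag and of module order can be seen
offline. Only the four classic flags are modelled (no [value=action] syntax).
"""

SUCCESS = "success"

def parse_stack(text):
    """Parse '<type> <control> <module> [args...]' lines; '#' comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed service-file line: {raw!r}")
        entries.append((parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return entries

def run_stack(text, module_type, outcomes):
    """Evaluate the entries of one module type (e.g. 'auth') in order.

    outcomes maps a module name to the result it would return ('success' or an error
    name such as 'auth_err'); a module missing from it is assumed to fail. Returns
    (final_result, list of modules actually invoked).
    """
    failure = None      # first failure reported by a 'required' module
    positive = False    # at least one non-ignored module succeeded
    invoked = []
    for mtype, control, module, _args in parse_stack(text):
        if mtype != module_type:
            continue
        invoked.append(module)
        result = outcomes.get(module, "perm_denied")
        if control == "required":
            # Failure is remembered but the rest of the stack still runs, so a caller
            # cannot tell from prompts or timing which required module rejected it.
            if result == SUCCESS:
                positive = True
            elif failure is None:
                failure = result
        elif control == "requisite":
            # Failure ends the stack at once; an earlier required failure takes precedence.
            if result == SUCCESS:
                positive = True
            else:
                return (failure or result), invoked
        elif control == "sufficient":
            # Success ends the stack with success unless a required module already failed;
            # a failing sufficient module is ignored and the stack continues.
            if result == SUCCESS and failure is None:
                return SUCCESS, invoked
        elif control == "optional":
            if result == SUCCESS:   # success counts as a positive result, failure is ignored
                positive = True
        else:
            raise ValueError(f"control flag {control!r} is not modelled")
    if failure is not None:
        return failure, invoked
    # A stack in which nothing succeeded is a denial, never an implicit pass.
    return (SUCCESS if positive else "perm_denied"), invoked

# Constructed stacks; module names follow the article, the arguments are illustrative.
CHFN_STACK = """
auth  sufficient  pam_rootok.so
auth  required    pam_unix.so
"""
DENYLIST_REQUIRED = """
auth  required  pam_listfile.so item=user sense=deny file=/etc/denyuser onerr=succeed
auth  required  pam_unix.so
"""
DENYLIST_REQUISITE = DENYLIST_REQUIRED.replace("required  pam_listfile", "requisite pam_listfile")
# Same modules in the wrong order: the deny list sits behind a sufficient password check.
DENYLIST_AFTER_SUFFICIENT = """
auth  sufficient  pam_unix.so
auth  required    pam_listfile.so item=user sense=deny file=/etc/denyuser onerr=succeed
"""

def chfn_as_root():
    """root: pam_rootok succeeds and the stack ends before pam_unix can ask for a password."""
    return run_stack(CHFN_STACK, "auth", {"pam_rootok.so": SUCCESS, "pam_unix.so": "auth_err"})

def chfn_as_user(password_ok):
    """Non-root: pam_rootok fails (ignored, it is sufficient) and pam_unix decides."""
    return run_stack(CHFN_STACK, "auth", {"pam_rootok.so": "auth_err",
                                          "pam_unix.so": SUCCESS if password_ok else "auth_err"})

def listed_user_with_valid_password(stack):
    """A user on the deny list who knows a valid password; the outcome depends on the stack."""
    return run_stack(stack, "auth", {"pam_listfile.so": "auth_err", "pam_unix.so": SUCCESS})

if __name__ == "__main__":
    print("root chfn:", chfn_as_root())
    print("deny list after sufficient:", listed_user_with_valid_password(DENYLIST_AFTER_SUFFICIENT))
```

The three deny-list stacks make the ordering warning from the pam_listfile section concrete: with required, the listed user is refused but pam_unix.so still runs; with requisite, the stack stops at pam_listfile.so and the password is never checked; with the deny list placed after a sufficient pam_unix.so, a listed user who knows a valid password is let in and the deny list is never consulted.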

pam_userdb.so needs a Berkeley DB database file holding the user information. For how to use it, refer to the earlier vsftpd virtual-user section.

For more information on any PAM module, see its README file (README.pam_<module>) in the PAM documentation directory.
