Pam module in Linux

Source: Internet
Author: User

I. Introduction to PAM

Linux-PAM (Linux Pluggable Authentication Modules) is a set of shared libraries that let the local system administrator choose how a program authenticates its users. In other words, the authentication mechanism used by a PAM-aware application can be changed without rewriting or recompiling it, and an upgrade of the local authentication mechanism needs no change to the program itself.

PAM manages the authentication method of each program through the files under /etc/pam.d/. The application invokes the configuration file that carries its name, and that file in turn names the local authentication modules to be called. The modules are dynamic libraries kept under /lib/security (or /lib64/security on 64-bit systems). When we run the su command, for example, we are prompted for the root user's password; su obtains that prompt and the password check by calling PAM modules.

II. The PAM configuration file

PAM configuration can be written in two ways:

One is the single file /etc/pam.conf. On CentOS 6 and later this file is no longer present, and whenever the /etc/pam.d/ directory exists, /etc/pam.conf is ignored anyway.

The other is one file per service under /etc/pam.d/. The rules in these files have the same layout as in /etc/pam.conf except that the leftmost service column is omitted: the service name is the name of the file itself, for example /etc/pam.d/sshd, /etc/pam.d/vsftpd or /etc/pam.d/login.

Each rule line in a configuration file has four columns:

1. the module type
2. the control flag
3. the module path
4. the module parameters

1. PAM module types

Linux-PAM has four module types, each representing a different task: authentication management (auth), account management (account), session management (session) and password management (password). One type may occupy several lines, and the modules on those lines are called in order.

Management type   Description
auth              Establishes who the user is, for example by prompting for a password, or decides whether the user is root.
account           Checks properties of the account: whether login is permitted, whether the maximum number of users has been reached, whether root may log in on this terminal, and so on.
session           Defines what is done before the user logs in and after the user logs out, for example logging the connection, opening and closing user data, or mounting file systems.
password          Updates the user's authentication information, for example changing the user's password.

2. PAM control flags

PAM uses control flags to decide what to do with the return value of each module. Only the four simple flags are described here; the newer bracketed "[value=action ...]" syntax is not covered.

Control flag   Description
required       If the module fails, the failure is recorded, but the remaining modules in the stack are still run, and failure is reported to the application only after the whole stack has finished. This is done so that the user cannot tell which module rejected them. The stack succeeds only if every required module succeeds.
requisite      Like required, but if the module fails, failure is returned to the application immediately and no further modules of the same type are run.
sufficient     If the module succeeds and no earlier required module has failed, PAM returns success to the application immediately and the rest of the stack is not run, even if it contains required or requisite lines. A failure of an earlier required module is not overridden. If a sufficient module fails, the failure is ignored and the stack continues.
optional       The module's success or failure is ignored unless it is the only module in the stack for this service and type.
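The interactions between these flags are easier to see when run than when read. The script below is an added example, not code from the original post or from Linux-PAM: it models how one type's stack is combined under the four simple flags, following the rules in pam.conf(5). The "control:result" arguments are constructed inputs, and the model is a teaching simplification rather than libpam's own dispatcher.

```bash
#!/bin/bash
# Added example, not from the original post: a small model of how Linux-PAM
# combines the results of the modules stacked under one type (auth, account,
# session or password) under the four simple control flags.  Each argument
# is a constructed "control:result" pair such as required:ok or sufficient:fail;
# the rules follow pam.conf(5), but this is a teaching model, not libpam.

pam_stack_eval() {
    # prints "<ok|fail> <number of modules that actually ran>"
    # returns 0 for ok, 1 for fail, 2 for a malformed argument
    local impression=undef executed=0 entry control result
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        executed=$((executed + 1))
        case "$control:$result" in
            required:ok|requisite:ok|optional:ok)
                # a success counts only while nothing has failed yet
                if [ "$impression" = undef ]; then impression=positive; fi
                ;;
            required:fail)
                # remembered, but the rest of the stack still runs, which is
                # why the user cannot tell which module rejected them
                impression=negative
                ;;
            requisite:fail)
                # control goes back to the application at once
                echo "fail $executed"; return 1
                ;;
            sufficient:ok)
                # ends the stack with success only if no earlier required
                # module failed; it does not override such a failure
                if [ "$impression" != negative ]; then echo "ok $executed"; return 0; fi
                ;;
            sufficient:fail|optional:fail)
                # ignored; the stack simply continues
                ;;
            *)
                echo "bad entry: $entry" >&2; return 2
                ;;
        esac
    done
    if [ "$impression" = positive ]; then echo "ok $executed"; return 0; fi
    echo "fail $executed"; return 1
}

# constructed stacks; the second one shows that all three modules ran even
# though the first had already failed, and that sufficient could not rescue it
for stack in "required:ok required:ok" \
             "required:fail required:ok sufficient:ok" \
             "sufficient:ok required:fail" \
             "requisite:fail required:ok" \
             "optional:fail"; do
    printf '%-42s -> %s\n' "$stack" "$(pam_stack_eval $stack)"
done
```

The count of executed modules is the part worth watching: a required failure keeps the stack running (the user still sees every later prompt), a requisite failure stops it on the spot, and a sufficient success placed before a required line means that required line is never consulted at all.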

3. Module path

The module path is the location of the module to call. On a 64-bit system the modules are normally kept in /lib64/security (on a 32-bit system /lib/security), so a bare file name such as pam_unix.so is looked up there.

The same module can appear under several types, and it does not do the same thing in each of them: every module implements separate functions for the different module types.

4. Module parameters

The module parameters are the arguments passed to the module. There can be several, separated by spaces, for example:

    password required pam_unix.so nullok obscure min=4 max=8 md5
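Putting the four columns together, the script below is an added example (not from the original post) that splits an /etc/pam.d-style file into type, control flag, module and parameters, and validates the first two columns against the values described above. The sample file it checks is constructed here in a temporary file, modelled on /etc/pam.d/sshd with two deliberate mistakes; only the four simple control flags are recognised, and the bracketed syntax is reported rather than parsed.

```bash
#!/bin/bash
# Added example, not from the original post: split an /etc/pam.d-style file
# into the four columns described above (type, control flag, module, module
# parameters) and validate the first two.  Only the four simple control flags
# are recognised; the bracketed "[value=action ...]" syntax is reported as
# unsupported.  The sample file is constructed here in a temporary file.

pamd_stack() {
    # usage: pamd_stack <file> <type>
    # prints "control module params" for each valid rule of <type>, in order;
    # reports malformed lines on stderr and returns 1 if there were any
    local file=$1 want=$2 status=0 lineno=0 line type control module
    set -f                                  # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                    # comments run to end of line
        set -- $line                        # split the rule on whitespace
        if [ $# -eq 0 ]; then continue; fi  # blank or comment-only line
        if [ $# -lt 3 ]; then
            echo "$file:$lineno: expected type, control and module, got $# column(s)" >&2
            status=1; continue
        fi
        type=$1; control=$2; module=$3; shift 3
        case "$type" in
            auth|account|session|password) ;;
            *) echo "$file:$lineno: unknown module type '$type'" >&2; status=1; continue ;;
        esac
        case "$control" in
            required|requisite|sufficient|optional) ;;
            \[*) echo "$file:$lineno: bracketed control syntax not handled here" >&2; status=1; continue ;;
            *) echo "$file:$lineno: unknown control flag '$control'" >&2; status=1; continue ;;
        esac
        case "$module" in
            *.so) ;;
            *) echo "$file:$lineno: module '$module' does not look like a shared object" >&2; status=1; continue ;;
        esac
        if [ "$type" = "$want" ]; then
            echo "$control $module${*:+ $*}"   # whatever is left are the module parameters
        fi
    done < "$file"
    set +f
    return $status
}

# constructed sample modelled on /etc/pam.d/sshd, with two deliberate mistakes
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real /etc/pam.d/sshd
auth       required     pam_listfile.so item=user sense=allow file=/etc/sshdusers onerr=succeed
auth       required     pam_unix.so nullok
auth       requird      pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so retry=3
password   required     pam_unix.so nullok obscure min=4 max=8 md5
session    required     pam_limits.so
session    required
EOF

echo "auth stack:"
pamd_stack "$SAMPLE" auth || echo "(malformed lines were reported above)"
```

A misspelt control flag such as "requird" is exactly the kind of mistake that locks a system out, because PAM treats an unparseable line as an error rather than silently skipping it; running a check like this over a file before logging out costs nothing.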

III. Common PAM modules

Each module is listed with the management types it supports and what it does under them:

pam_unix.so (auth, account, password)
    auth:      Prompts the user for a password and compares it with /etc/shadow; returns success (0) on a match.
    account:   Checks the account information, including whether it has expired; returns success (0) when the account is usable.
    password:  Changes the user's password: the new password the user enters is written to the shadow file.

pam_shells.so (auth, account)
    The user may log in only if the login shell is one of those listed in /etc/shells.

pam_deny.so (auth, account, password, session)
    Always returns failure; used to deny access.

pam_permit.so (auth, account, password, session)
    Always returns success.

pam_securetty.so (auth)
    Root may log in only if the login tty is listed in /etc/securetty.

pam_listfile.so (auth, account, password, session)
    Allows or denies access depending on whether an item of the login attempt (the user name, tty, remote host, remote user, group or shell) is listed in a file chosen by the administrator.

pam_cracklib.so (password)
    Inserted into a program's password stack to check the strength of a new password.

pam_limits.so (session)
    Sets upper limits on the system resources a session may use; root is subject to them as well. The limits are defined in /etc/security/limits.conf and /etc/security/limits.d/*.conf.

IV. Examples

1. pam_securetty.so

Forbid root from logging in on tty1, tty2 and tty5 (no practical purpose, just a demonstration of pam_securetty).

Make sure the following line is present in /etc/pam.d/login:

    auth  required  pam_securetty.so

Then comment out tty1, tty2 and tty5 in /etc/securetty.

When you log in again as root on one of those consoles, the login is rejected.

Note that pam_securetty only examines logins by root; other users are not affected by /etc/securetty. To restrict other users by terminal, use pam_listfile.so with item=tty instead. Applying restrictions of this kind as soon as the system installation is complete is a cheap way to improve its security.

2. pam_listfile.so

Only the user essun may log in remotely via SSH.

Add the following line to the auth section of /etc/pam.d/sshd:

    auth  required  pam_listfile.so item=user sense=allow file=/etc/sshdusers onerr=succeed

Create two users, essun and tom, then put essun into the file named by file=:

    # echo "essun" > /etc/sshdusers

Log in as tom: the password prompt still appears, and after the correct password is entered the login is refused exactly as if the wrong password had been typed. Logging in as essun is not refused.

Note: if root also connects remotely via SSH, it is subject to the pam_listfile.so restriction as well.

Two points to check before relying on this: onerr=succeed means that if /etc/sshdusers is missing or unreadable, every user is allowed in, so onerr=fail is the safer choice on a production host; and the list file should be owned by root and must not be world-writable, since pam_listfile refuses a world-writable file.
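To see what the item=user, sense= and onerr= arguments actually decide, the script below is an added example, not code from the original post or from pam_listfile itself. It reproduces the module's decision for item=user on a constructed list file in a temporary location (nothing touches /etc/sshdusers), and it covers the two failure modes a practitioner cares about: a missing or unreadable file, whose outcome is governed by onerr=, and a world-writable file, which pam_listfile refuses regardless of onerr=.

```bash
#!/bin/bash
# Added example, not from the original post: the decision pam_listfile makes
# for item=user, including the two cases that matter operationally: onerr=
# governs a missing or unreadable file, and a world-writable file is refused
# outright whatever onerr says.  The user list is constructed here in a
# temporary file; nothing touches /etc/sshdusers.

listfile_decide() {
    # usage: listfile_decide <user> <file> <allow|deny> <succeed|fail>
    # prints "allow" or "deny" and returns 0 for allow, 1 for deny
    local user=$1 file=$2 sense=$3 onerr=$4 listed=no
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        # file missing or unreadable: the result is whatever onerr= says
        if [ "$onerr" = succeed ]; then echo allow; return 0; fi
        echo deny; return 1
    fi
    if [ -n "$(find "$file" -perm -0002)" ]; then
        # world-writable list file: refused regardless of onerr=
        echo deny; return 1
    fi
    if grep -qxF -- "$user" "$file"; then listed=yes; fi
    case "$sense:$listed" in
        allow:yes|deny:no) echo allow; return 0 ;;
        *)                 echo deny;  return 1 ;;
    esac
}

# constructed list file playing the role of /etc/sshdusers
USERLIST=$(mktemp)
trap 'rm -f "$USERLIST"' EXIT
echo essun > "$USERLIST"
chmod 644 "$USERLIST"

for who in essun tom; do
    printf 'sense=allow onerr=succeed user=%-6s -> %s\n' "$who" \
        "$(listfile_decide "$who" "$USERLIST" allow succeed)"
done
printf 'missing file, onerr=succeed        -> %s\n' \
    "$(listfile_decide tom /nonexistent/sshdusers allow succeed)"
printf 'missing file, onerr=fail           -> %s\n' \
    "$(listfile_decide tom /nonexistent/sshdusers allow fail)"
```

The missing-file lines are the ones to remember: with onerr=succeed, deleting or mistyping the path of /etc/sshdusers silently opens SSH to every account, which is the opposite of what the rule was written for.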

All PAM modules are used in the same way as the two above.

To learn more about a particular module, read its man page (man pam_securetty, man pam_listfile, and so on); man pam and man pam.conf describe the framework and the configuration syntax.

Warm tips:

A misconfiguration of Linux-PAM can change the security of the whole system. Depending on the choice made, an error can leave the system wide open (every access permitted) or completely shut (every access denied). In general, Linux-PAM leans toward the latter when it encounters an error, so a configuration mistake can make part or all of the system inaccessible.

The most likely problem you will meet when configuring Linux-PAM is a deleted or broken file under /etc/pam.d/. If that happens, you will be locked out of the system. A simple precaution is to keep an already authenticated root shell open in a second terminal while editing, and to test the change from a fresh session before closing it.

There are ways to recover: the best is to restore the system from a backup image, or to boot into single-user mode and correct the configuration.


This article comes from the "gentle" blog; please keep this source when reproducing it: http://essun.blog.51cto.com/721033/1391133
