I. PAM Introduction
Linux-PAM (Pluggable Authentication Modules for Linux) is a shared library that lets the local system administrator choose how each program authenticates users. In other words, you can change the authentication mechanism without recompiling an application that calls the PAM functions, so upgrading the local authentication mechanism does not require modifying the program.
PAM uses the files under /etc/pam.d/ to manage the authentication method of each program. The application invokes its corresponding configuration file, which in turn calls the local authentication modules; the modules live under /lib/security and are loaded as dynamic libraries. For example, when we use the su command, the system prompts for the root user's password; the su command implements this by calling PAM modules.
II. PAM Configuration File Introduction
The PAM configuration can be written in two ways:
One is to write everything in the /etc/pam.conf file, but on systems from CentOS 6 onwards this file no longer exists.
The other is to put the PAM configuration files in the /etc/pam.d/ directory. There the rule lines do not contain the service column (the service name); instead the file name in /etc/pam.d is the service name, for example vsftpd, login, and so on, so the leftmost service column is absent. For example: /etc/pam.d/sshd
Each rule line of a configuration file has four columns:
The first column is the module type.
The second column is the control flag.
The third column is the module path.
The fourth column is the module parameters.
1. PAM module type
Linux-PAM has four module types, representing four different tasks.
They are: authentication management (auth), account management (account), session management (session), and password management (password). A type may have multiple lines; PAM calls them in sequence.
Management type   Description
auth              Identifies the user, for example by prompting for a password, or determines whether the user is the root account.
account           Checks the attributes of the account, for example whether login is allowed, whether the maximum number of users has been reached, or whether root may log in on this terminal.
session           Defines the operations performed before and after user login, such as recording login connection information, opening and closing user data, and mounting file systems.
password          Updates the user's authentication information, for example changing the user's password.
2. PAM control flag
PAM uses control flags to handle and evaluate the return value of each module. (Only the simple flags are described here.)
Control flag   Description
required       Even if this module fails to verify the user, PAM returns the error only after all modules have been executed. This is done so that the user cannot tell which module rejected them. If the user is verified successfully, all modules return success.
requisite      Similar to required, but if this module returns failure, a failure is returned to the application immediately and the remaining modules are not executed.
sufficient     If the user passes this module's verification, the PAM framework immediately returns success (even if a previous module failed, that failure is ignored) and hands control back to the application; the subsequent stacked modules are not executed even if they use the requisite or required flag. If the verification fails, sufficient behaves the same as optional.
optional       The user is allowed the application's service even if this module's verification fails. Generally PAM_IGNORE (ignore) is returned.
3. Module path
The module path is the location of the module to be called. On a 64-bit system the modules are generally stored in /lib64/security, for example pam_unix.so.
The same module can appear under different types, and it performs different operations under each of them, because each module
compiles different functions for the different module types.
4. Module parameters
Module parameters are the parameters passed to the module. Multiple parameters are separated by spaces, for example:
password required pam_unix.so nullok obscure min=4 max=8 md5
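As an added example (not from the original article), the following shell script parses a constructed /etc/pam.d-style service file into the columns described above and simulates how the four simple control flags combine per-module results into the verdict one management group returns to the application. It assumes only POSIX sh, awk and mktemp; the sample service file, the module names in it and the per-module outcomes handed to the simulator are constructed for the demonstration. The simulator follows the stock Linux-PAM rule that a sufficient success ends the stack early only when no earlier required module has already failed.

```shell
#!/bin/sh
# Added example: parse a pam.d-style service file and simulate the control flags.
# Not part of the original article; the sample file below is constructed.

SAMPLE_PAMD=$(mktemp)
trap 'rm -f "$SAMPLE_PAMD"' EXIT
cat >"$SAMPLE_PAMD" <<'EOF'
# constructed sample in /etc/pam.d style: type  control  module  [parameters]

auth       requisite   pam_securetty.so
auth       sufficient  pam_rootok.so
auth       required    pam_unix.so nullok
account    required    pam_unix.so
password   required    pam_unix.so nullok obscure min=4 max=8 md5
session    optional    pam_limits.so
EOF

# validate_pamd FILE
# Checks every rule line: at least three columns (parameters are optional),
# a known module type (an optional leading "-" marks the module as silently
# skippable if it is missing), one of the four simple control flags, and a
# ".so" module path. Only the simple flags from the article are accepted;
# "include", "substack" and the "[value=action ...]" form are reported as
# unsupported. Prints "ok", or a description of the first bad line.
validate_pamd() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        NF < 3 { print "line " NR ": fewer than three columns"; bad = 1; exit }
        $1 !~ /^-?(auth|account|password|session)$/ {
            print "line " NR ": unknown module type " $1; bad = 1; exit }
        $2 !~ /^(required|requisite|sufficient|optional)$/ {
            print "line " NR ": unsupported control flag " $2; bad = 1; exit }
        $3 !~ /\.so$/ {
            print "line " NR ": module path " $3 " is not a .so"; bad = 1; exit }
        END { if (bad) exit 1; print "ok" }
    ' "$1"
}

# simulate_stack FILE TYPE [module.so=ok|fail ...]
# Walks the rules of one management group (auth, account, ...) top to bottom.
# Each module's outcome is taken from the arguments; modules not listed are
# assumed to succeed. Prints the verdict the application would receive.
simulate_stack() {
    file=$1; type=$2; shift 2
    outcomes=$*
    required_failed=no
    while read -r t ctrl mod rest; do
        case "$t" in ''|'#'*) continue ;; esac
        [ "${t#-}" = "$type" ] || continue
        result=ok
        for kv in $outcomes; do
            [ "${kv%%=*}" = "$mod" ] && result=${kv#*=}
        done
        case "$ctrl" in
            required)
                # failure is remembered, but the later modules still run
                [ "$result" = ok ] || required_failed=yes ;;
            requisite)
                # failure stops the stack at once
                [ "$result" = ok ] || { echo fail; return 0; } ;;
            sufficient)
                # success ends the stack early unless a required module already failed
                if [ "$result" = ok ] && [ "$required_failed" = no ]; then
                    echo ok; return 0
                fi ;;
            optional)
                ;;  # outcome ignored in a stack that has other modules
        esac
    done <"$file"
    if [ "$required_failed" = yes ]; then echo fail; else echo ok; fi
}

# Stand-alone demonstration.
printf 'validation: %s\n' "$(validate_pamd "$SAMPLE_PAMD")"
printf 'auth, root on an insecure tty: %s\n' "$(simulate_stack "$SAMPLE_PAMD" auth pam_securetty.so=fail)"
printf 'auth, root via pam_rootok: %s\n'    "$(simulate_stack "$SAMPLE_PAMD" auth pam_rootok.so=ok)"
printf 'auth, wrong password: %s\n'         "$(simulate_stack "$SAMPLE_PAMD" auth pam_rootok.so=fail pam_unix.so=fail)"
```

Running validate_pamd over a copy of a service file before installing it catches the column and flag typos that otherwise only show up as a rejected login, which matters because a broken /etc/pam.d entry tends to fail closed for that service.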
III. Introduction to common PAM modules
Module             Type(s)                           Description
pam_unix.so        auth                              Prompts the user for the password and compares it with /etc/shadow; returns 0 on a match.
                   account                           Checks the user's account information (including whether the account has expired); returns 0 when the account is usable.
                   password                          Changes the user's password: the password entered by the user becomes the new password and the shadow file is updated.
pam_shells.so      auth, account                     To log in, the user's shell must be one of the shells listed in /etc/shells.
pam_deny.so        auth, account, password, session  Used to deny access.
pam_permit.so      auth, account, password, session  Always returns success.
pam_securetty.so   auth                              If the user wants to log in as root, the login tty must be listed in /etc/securetty.
pam_listfile.so    auth, account, password, session  See the pam_listfile.so instance below.
pam_cracklib.so    password                          Can be inserted into a program's password stack to check password strength.
pam_limits.so      session                           Defines upper limits on the use of system resources; root is also subject to these limits. The limits are set in /etc/security/limits.conf or /etc/security/limits.d/*.conf.
IV. Instances
1. pam_securetty.so
Prevent root from logging in on tty1, tty2, and tty5 (of no practical significance; it only demonstrates how pam_securetty is used).
Add the following line to /etc/pam.d/login:
auth required pam_securetty.so
Comment out tty1, tty2, and tty5 in /etc/securetty.
Then log in again as root.
In fact, this operation does not restrict only root users; you can use the same method to limit other users. Use it to enhance security after the system is installed.
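As an added example (not from the original article), this shell script reproduces the instance above against a constructed securetty list: it comments out the chosen ttys the way the instance does, and then evaluates the decision pam_securetty.so makes for a given user and tty. The list contents and the user names are constructed; it assumes only POSIX sh, grep, sed and mktemp.

```shell
#!/bin/sh
# Added example: simulate the pam_securetty.so decision against a securetty
# list, and comment out entries in that list as the instance above does.
# Not part of the original article; the list below is constructed.

SECURETTY=$(mktemp)
trap 'rm -f "$SECURETTY"' EXIT
printf '%s\n' console tty1 tty2 tty3 tty4 tty5 tty6 >"$SECURETTY"

# securetty_allows USER TTY [FILE]
# Prints "allow" or "deny". The stock module consults the list only for root;
# every other user passes straight through. A leading /dev/ on TTY is
# ignored, as the module does. A missing list file is treated as allow here,
# which I note as an assumption about the stock module's fallback behaviour.
securetty_allows() {
    user=$1; tty=${2#/dev/}; file=${3:-$SECURETTY}
    if [ "$user" != root ]; then echo allow; return 0; fi
    if [ ! -f "$file" ]; then echo allow; return 0; fi
    # grep -x: whole-line match, so tty1 does not match tty10;
    # commented-out lines never match because they start with "#".
    if grep -qxF -- "$tty" "$file"; then echo allow; else echo deny; fi
}

# disable_ttys FILE TTY...
# Comments out the given ttys in FILE (prefixes the line with "#") instead of
# deleting them, so the change is visible and reversible. Uses a temporary
# copy rather than sed -i so it works with both GNU and BSD sed.
disable_ttys() {
    file=$1; shift
    tmp=$(mktemp)
    for t in "$@"; do
        sed "s|^$t\$|#$t|" "$file" >"$tmp" && cat "$tmp" >"$file"
    done
    rm -f "$tmp"
}

# Stand-alone demonstration of the instance.
printf 'root on tty1 before: %s\n' "$(securetty_allows root tty1)"
disable_ttys "$SECURETTY" tty1 tty2 tty5
printf 'root on tty1 after:  %s\n' "$(securetty_allows root /dev/tty1)"
printf 'root on tty3 after:  %s\n' "$(securetty_allows root tty3)"
printf 'essun on tty1 after: %s\n' "$(securetty_allows essun tty1)"
```

The essun line is the check worth keeping in mind when reading the instance: the stock module only ever consults the list for uid 0, so a non-root user logging in on a commented-out tty still passes this module.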
2. pam_listfile.so
Only the essun user may log in remotely through ssh.
Add one line to the /etc/pam.d/sshd file:
auth required pam_listfile.so item=user sense=allow file=/etc/sshdusers onerr=succeed
Add two users, essun and tom.
Edit the specified file and add the user essun from above:
# echo "essun" > /etc/sshdusers
Log in as the tom user.
You see the password prompt; after entering the correct password, the prompt appears again,
just as if an incorrect password had been entered. The essun user receives no login rejection prompt.
Note: if the root user connects remotely with ssh, root is also restricted by pam_listfile.so.
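As an added example (not from the original article), this shell script evaluates the decision pam_listfile.so makes for item=user under the sense= and onerr= parameters used in the instance above, including the error cases that onerr governs. The list file content and the user names are constructed; it assumes only POSIX sh, grep, find and mktemp, and it goes slightly beyond the instance by handling sense=deny as well.

```shell
#!/bin/sh
# Added example: simulate the pam_listfile.so decision for item=user with the
# sense= and onerr= parameters from the instance above. Not part of the
# original article; the list file and user names are constructed.

LISTFILE=$(mktemp)
trap 'rm -f "$LISTFILE"' EXIT
echo essun >"$LISTFILE"       # same content as the /etc/sshdusers example

# listfile_decision USER FILE SENSE ONERR
# Prints "allow" or "deny".
#   SENSE=allow: only listed users pass; SENSE=deny: listed users are refused.
#   ONERR=succeed|fail: the verdict when the file cannot be used, i.e. it is
#   missing, unreadable, not a regular file, or world-writable (the stock
#   module refuses to trust a list that anyone could append to).
listfile_decision() {
    user=$1; file=$2; sense=$3; onerr=$4
    case "$onerr" in
        succeed) on_error=allow ;;
        fail)    on_error=deny ;;
        *) echo "bad onerr: $onerr" >&2; return 1 ;;
    esac
    if [ ! -f "$file" ] || [ ! -r "$file" ] \
       || [ -n "$(find "$file" -prune -perm -002 -print)" ]; then
        echo "$on_error"; return 0
    fi
    # whole-line, fixed-string match so "tom" does not match "tomcat"
    if grep -qxF -- "$user" "$file"; then listed=yes; else listed=no; fi
    case "$sense:$listed" in
        allow:yes|deny:no) echo allow ;;
        *)                 echo deny ;;
    esac
}

# Stand-alone demonstration of the instance: only essun may log in, and
# onerr=succeed means a lost or unreadable list file lets everyone through.
for u in essun tom root; do
    printf '%s: %s\n' "$u" "$(listfile_decision "$u" "$LISTFILE" allow succeed)"
done
printf 'missing file, onerr=succeed: %s\n' "$(listfile_decision tom /nonexistent/sshdusers allow succeed)"
printf 'missing file, onerr=fail:    %s\n' "$(listfile_decision tom /nonexistent/sshdusers allow fail)"
```

The two "missing file" lines show the caveat in the instance's onerr=succeed: the rule fails open, so if /etc/sshdusers is deleted, made unreadable or left world-writable, this module passes every user. onerr=fail is the fail-closed choice, at the price of refusing all ssh logins while the file is broken, which is a good reason to verify the change from a second session before closing the one the edit was made from.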
In fact, the other PAM modules are used in much the same way.
To learn more about a PAM module, consult its man page.
Tip:
If something goes wrong, Linux-PAM may change the security of the system. Which way it changes depends on your choice: you can choose insecurity (an open system) or absolute security (denying all access). Generally, Linux-PAM tends toward the latter when an error occurs: any configuration error may make all or part of the system inaccessible.
During Linux-PAM configuration, the biggest problem is probably that the Linux-PAM configuration files /etc/pam.d/* get deleted. If this happens, your system will be locked out.
There are ways to recover: the best is to restore the system from a backup image, or else log in in
single-user mode and then perform the correct configuration.
This article is from the "and the rain" blog; please keep this source: http://essun.blog.51cto.com/721033/1391133