PAM on UNIX

Source: Internet
Author: User
PAM was originally integrated into Solaris and has since been ported to other systems, such as Linux, SunOS and HP-UX 9.0.

1. PAM Structure

The figure (not reproduced here) shows the overall framework structure of PAM, which involves four roles:

The system administrator uses the PAM configuration file to set the authentication policy, that is, to specify which authentication method each service must use. The application developer calls that authentication method from the service program through the PAM API. The PAM service module developer uses the PAM SPI (Service Module API) to write authentication modules, mainly by implementing the pam_sm_xxxx() functions that libpam calls, and in this way plugs different authentication mechanisms (such as traditional Unix passwords) into the system. The PAM core library (libpam) reads the configuration file and loads the corresponding authentication modules.
2. The four management interfaces supported by PAM:

1. Authentication management
It mainly accepts the user name and password, verifies the user's password, and is responsible for setting some of the user's credential (secret) information.
2. Account management
It mainly checks whether the account is allowed to log on to the system, whether the account has expired, and whether the account is subject to logon-time restrictions.
3. Password management
It is mainly used to change the user's password.
4. Session management
It mainly provides session management and accounting.

3. PAM files:

/usr/lib/libpam.so.*            PAM core library
/etc/pam.conf or /etc/pam.d/    PAM configuration file (or directory)
/usr/lib/security/pam_*.so      PAM service modules that can be loaded dynamically

On RedHat the library directory is /lib rather than /usr/lib.

4. PAM configuration:

PAM is configured through the single configuration file /etc/pam.conf. RedHat also supports a second method, the configuration directory /etc/pam.d/, which takes priority over the single configuration file.

1. Using the configuration file /etc/pam.conf

The file is made up of lines of the following form:

    service-name module-type control-flag module-path arguments

service-name is the name of the service, such as telnet, login or ftp. The service name "other" stands for all services that are not explicitly configured in this file.

module-type is one of the four module types: auth, account, session and password, corresponding to the four management interfaces. The same service can call several PAM modules for authentication; these modules form a stack.

control-flag tells the PAM library how to treat success or failure of the module for this service. It has four possible values: required, requisite, sufficient and optional.

required means this module must return success for authentication to pass. If the module returns failure, the failure is not reported to the user immediately: the remaining modules in the same stack are still executed, and only after all of them have run is the failure returned to the application. It can be thought of as a necessary condition.

requisite is similar to required: authentication can pass only if the module returns success. If it fails, however, no further modules in the same stack are executed and control returns directly to the application. It is also a necessary condition. Note: only RedHat and Solaris support it.

sufficient means that success of this module is enough on its own to satisfy the authentication requirement, and the remaining modules in the same stack need not be executed; a failure of this module can be ignored. It can be thought of as a sufficient condition.

optional means the module is optional. Its success or failure generally plays no decisive role in authentication, and its result is ignored.

A new control-flag syntax has been supported since Linux-PAM 0.63; see the Linux-PAM documentation.

module-path specifies the path of the file that implements the module; absolute paths are normally used. By default the file is looked up under /usr/lib/security.

arguments are the parameters passed to the module. Each module generally defines its own parameters, but the following are common to many modules:

debug              the module should write debugging information to the system log through syslog.
no_warn            the module should not send warning messages to the application.
use_first_pass     the module does not prompt the user for a password but uses the password that a previous module obtained from the user.
try_first_pass     the module first tries the password that a previous module obtained from the user; if verification with it fails, the user is prompted for a new password.
use_mapped_pass    the module does not prompt the user for a password but uses the mapped password.
expose_account     allows the module to display the user's account name and other details. Use it only in a secure environment, since a leaked user name is a security risk.

2. Using the configuration directory /etc/pam.d/ (RedHat Linux only)

The name of each file in the directory corresponds to a service name; for example, the ftp service corresponds to the file /etc/pam.d/ftp. If no configuration file /etc/pam.d/xxxx exists for the service xxxx, the service uses the default configuration file /etc/pam.d/other. Each file consists of text lines in the following format:

    module-type control-flag module-path arguments

The meaning of each field is the same as in /etc/pam.conf.

3. Configuration examples

Example 1: use /etc/pam.conf to configure the default authentication method.

The following example rejects all services that are not explicitly configured in /etc/pam.conf. "other" stands for every service that is not explicitly configured, and the pam_deny module simply refuses authentication.

    other auth     required /usr/lib/security/pam_deny.so
    other account  required /usr/lib/security/pam_deny.so
    other password required /usr/lib/security/pam_deny.so
    other session  required /usr/lib/security/pam_deny.so

Example 2: configure authentication for the rsh service through the file /etc/pam.d/rsh.

When the rsh service authenticates a user, it first uses the /etc/hosts.equiv and .rhosts authentication method, then decides from the presence or absence of /etc/nologin whether the user may use rsh, and finally uses the password database to authenticate the user.

    auth    required /lib/security/pam_rhosts_auth.so
    auth    required /lib/security/pam_nologin.so
    account required /lib/security/pam_pwdb.so
    session required /lib/security/pam_pwdb.so

Example 3: configure the ftpd authentication method through /etc/pam.conf.

The ftpd service authenticates users with PAM modules in three steps. First, the pam_ftp module checks whether the current user is an anonymous user; if so, the sufficient control flag means the following steps are not needed and authentication passes directly. Otherwise the pam_unix_auth module performs standard Unix authentication, that is, authentication against /etc/passwd and /etc/shadow. After pam_unix_auth has authenticated the user, the pam_listfile module checks whether the user is listed in /etc/ftpusers; if so, the user is denied.

    ftpd auth sufficient /usr/lib/security/pam_ftp.so
    ftpd auth required   /usr/lib/security/pam_unix_auth.so use_first_pass
    ftpd auth required   /usr/lib/security/pam_listfile.so \
         onerr=succeed item=user sense=deny file=/etc/ftpusers
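The control-flag semantics of section 4 and the ftpd stack of example 3, simulated as an added example (not code from the page or from Linux-PAM): the pam.conf text, the per-module success/failure results passed in, and the extra "demo" service are constructed, and the walk follows the text's description of required, requisite, sufficient and optional.

```python
# Added example (not from the page): simulate how libpam walks a pam.conf stack
# using the control-flag rules the text describes.
from collections import namedtuple

Rule = namedtuple("Rule", "service mtype control module args")   # module = file name
FLAGS = {"required", "requisite", "sufficient", "optional"}


def parse_pam_conf(text):
    """Parse pam.conf lines: service module-type control-flag module-path [args...].
    A trailing backslash continues the line, as in the ftpd example on the page."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2].lower() not in FLAGS:
            raise ValueError(f"malformed pam.conf line: {line!r}")
        service, mtype, control, path, *args = fields
        rules.append(Rule(service.lower(), mtype.lower(), control.lower(),
                          path.rsplit("/", 1)[-1], tuple(args)))
    return rules


def select_stack(rules, service, mtype):
    """Stack for (service, type); falls back to the 'other' service like libpam."""
    stack = [r for r in rules if r.service == service and r.mtype == mtype]
    return stack or [r for r in rules if r.service == "other" and r.mtype == mtype]


def run_stack(stack, results):
    """True if the stack passes; `results` maps module name -> simulated success."""
    if not stack:
        return False                  # nothing configured for this type: cannot pass
    failed = False
    for rule in stack:
        ok = results.get(rule.module, False)
        if rule.control == "requisite" and not ok:
            return False              # stop at once; nothing else in the stack runs
        if rule.control == "required" and not ok:
            failed = True             # keep going; failure is reported after the whole stack ran
        if rule.control == "sufficient" and ok and not failed:
            return True               # enough on its own; the remaining modules are skipped
        if rule.control == "optional" and len(stack) == 1:
            return ok                 # decisive only when it is the sole module in the stack
    return not failed


# Constructed input: the page's 'other' deny rule and ftpd stack, plus a 'demo'
# service showing that a later sufficient cannot rescue an earlier required failure.
PAM_CONF = """\
other auth required   /usr/lib/security/pam_deny.so
ftpd  auth sufficient /usr/lib/security/pam_ftp.so
ftpd  auth required   /usr/lib/security/pam_unix_auth.so use_first_pass
ftpd  auth required   /usr/lib/security/pam_listfile.so \\
      onerr=succeed item=user sense=deny file=/etc/ftpusers
demo  auth required   /usr/lib/security/pam_unix_auth.so
demo  auth sufficient /usr/lib/security/pam_permit.so
"""
```

A service with no rules of the requested type (for example an account check for a service only covered by the "other" auth line) cannot pass, which is why the page's example 1 denies all four types.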

5. Password mapping

Password mapping lets a user have different passwords under different authentication mechanisms. One of them is the primary password; the others are secondary passwords (there may be several). The secondary passwords are encrypted with the primary password. After the primary password has been authenticated, an authentication module uses the primary password to decrypt its secondary password (also called the mapped password) and authenticates with that.

Note: if a one-time password mechanism is used, password mapping is not used.

All service modules must support the following four mapping options (described in section 4):

1. use_first_pass

This option tells the module not to prompt the user for a password but to use the existing password, that is, the password obtained by the first module that prompted the user, and to authenticate with it.

2. try_first_pass

This option tells the module to first try the existing password, that is, the password obtained by the first module that prompted the user. If verification with it fails, the user is prompted for a password.

3. use_mapped_pass

This option tells the module not to prompt the user for a password but to use the mapped password, that is, to decrypt the stored password with the primary password and authenticate with the result.

4. try_mapped_pass

This option tells the module to first try the mapped password, that is, to decrypt the encrypted password with the primary password and authenticate with it. If that fails, the user is prompted for a password.

Password mapping example:

The following is the login service configuration in /etc/pam.conf. login uses three authentication mechanisms: Kerberos, Unix and RSA authentication. The two required control flags mean that the user must pass both Kerberos and Unix authentication before using the login service; optional means that RSA authentication is optional. First the user enters the primary password for Kerberos authentication. The use_mapped_pass option tells the Unix authentication module to decrypt the password used for Unix authentication with the primary password and to authenticate with it. The try_first_pass option tells the RSA authentication module to use the password obtained by the first module (the Kerberos module) for authentication and, if that fails, to prompt the user for a password.

    login auth required pam_kerb_auth.so debug
    login auth required pam_unix_auth.so use_mapped_pass
    login auth optional pam_rsa_auth.so try_first_pass

6. PAM API

1. Framework API:

Any service program that supports PAM must be initialised with pam_start() and must finally call pam_end() to clean up.

2. Authentication management API:

pam_authenticate()  authenticates the user name and password.
pam_setcred()       modifies the user's credential information.

3. Account management API:

pam_acct_mgmt()  checks whether the account is allowed to log on to the system, whether it has expired, and whether it has logon-time restrictions.

4. Password management API:

pam_chauthtok()  changes the user's password.

5. Session management API:

A session starts with pam_open_session() and ends with pam_close_session().

6. Others:

pam_get_item(), pam_set_item()                 read and write the state of the PAM transaction.
pam_get_data(), pam_set_data()                 get and set information shared between PAM modules within a session.
pam_putenv(), pam_getenv(), pam_getenvlist()   read and write environment variables.
pam_strerror()                                 returns the error message for a status code.

Example program (from Sun's white paper):

The following example uses the PAM API to write a simple login service program (note: this is not a complete program; the call to pam_close_session is omitted).

    #include <security/pam_appl.h>   /* PAM application API */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <pwd.h>
    #include <grp.h>

    #define MAX_RETRIES 3

    /* Conversation (callback) function that libpam uses to talk to the user.
       This is the Linux-PAM prototype; Solaris declares msg without const. */
    static int login_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **response, void *appdata_ptr);
    static void login_exit(int exit_code);

    static struct pam_conv pam_conv = { login_conv, NULL };
    static pam_handle_t *pamh;       /* the PAM handle for this authentication */

    int main(int argc, char *argv[])
    {
        /* A real login program gets these from the terminal and the network;
           the values below only make the example compile and run. */
        const char *user_name   = argc > 1 ? argv[1] : "nobody";
        const char *ttyn        = ttyname(STDIN_FILENO);
        const char *remote_host = NULL;
        struct passwd *pwd;
        int status = PAM_AUTH_ERR, authenticated = 0, retry = 0;

        /* Initialise the PAM transaction and register the conversation function */
        if (pam_start("login", user_name, &pam_conv, &pamh) != PAM_SUCCESS)
            login_exit(1);

        /* Tell the modules which terminal and remote host are involved */
        pam_set_item(pamh, PAM_TTY, ttyn);
        pam_set_item(pamh, PAM_RHOST, remote_host);

        while (!authenticated && retry++ < MAX_RETRIES) {
            status = pam_authenticate(pamh, 0);   /* authentication management: is the password correct? */
            authenticated = (status == PAM_SUCCESS);
        }

        if (status != PAM_SUCCESS) {
            fprintf(stderr, "error: %s\n", pam_strerror(pamh, status));  /* say why it failed */
            login_exit(1);
        }

        /* Password accepted: call account management to check that the account is usable */
        status = pam_acct_mgmt(pamh, 0);
        if (status == PAM_NEW_AUTHTOK_REQD)     /* Sun's original tests PAM_AUTHTOK_EXPIRED here */
            status = pam_chauthtok(pamh, 0);    /* the password has expired: make the user change it */
        if (status != PAM_SUCCESS)              /* expired account, logon-time limit, etc. */
            login_exit(1);

        /* The account checks passed: open the session */
        if ((status = pam_open_session(pamh, 0)) != PAM_SUCCESS)
            login_exit(status);

        pwd = getpwnam(user_name);
        if (pwd == NULL)
            login_exit(1);

        /* Set the user's group */
        setgid(pwd->pw_gid);

        /*
         * Initialise the supplementary group list before pam_setcred,
         * because PAM modules may add groups during the pam_setcred call.
         */
        initgroups(user_name, pwd->pw_gid);

        status = pam_setcred(pamh, PAM_ESTABLISH_CRED);
        if (status != PAM_SUCCESS)
            login_exit(status);

        /* Set the real (and effective) user ID */
        setuid(pwd->pw_uid);

        pam_end(pamh, PAM_SUCCESS);    /* end of the PAM transaction */

        /*
         * The rest of the login processing goes here.
         */
        return 0;
    }

    /* Clean up and exit when an error occurs */
    static void login_exit(int exit_code)
    {
        if (pamh)
            pam_end(pamh, PAM_ABORT);
        exit(exit_code);
    }

    /* The conversation function is called by the PAM modules to display messages or
       obtain user input. A GUI service program would use the GUI for these prompts.
       One response is returned for every message, in the same order. */
    static int login_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **response, void *appdata_ptr)
    {
        struct pam_response *r;
        int i;

        (void)appdata_ptr;
        if (num_msg <= 0)
            return PAM_CONV_ERR;
        r = calloc(num_msg, sizeof *r);    /* libpam frees this array and each resp */
        if (r == NULL)
            return PAM_BUF_ERR;

        for (i = 0; i < num_msg; i++) {
            const struct pam_message *m = msg[i];
            const char *secret;
            switch (m->msg_style) {
            case PAM_PROMPT_ECHO_OFF:            /* e.g. a password prompt */
                secret = getpass(m->msg);
                if (secret == NULL || (r[i].resp = strdup(secret)) == NULL)
                    goto fail;
                break;
            case PAM_PROMPT_ECHO_ON:             /* e.g. a user-name prompt */
                fputs(m->msg, stdout);
                fflush(stdout);
                r[i].resp = malloc(PAM_MAX_RESP_SIZE);
                if (r[i].resp == NULL ||
                    fgets(r[i].resp, PAM_MAX_RESP_SIZE, stdin) == NULL)
                    goto fail;
                r[i].resp[strcspn(r[i].resp, "\n")] = '\0';   /* strip the newline fgets keeps */
                break;
            case PAM_ERROR_MSG:
                fputs(m->msg, stderr);
                break;
            case PAM_TEXT_INFO:
                fputs(m->msg, stdout);
                break;
            default:
                goto fail;                       /* unknown message style */
            }
        }
        *response = r;
        return PAM_SUCCESS;

    fail:
        for (i = 0; i < num_msg; i++)
            free(r[i].resp);
        free(r);
        return PAM_CONV_ERR;
    }

7. PAM SPI

When a service program (ftpd, telnetd, etc.) calls a PAM API function pam_xxx(), the PAM framework (libpam) looks up the modules configured for that service in the configuration file and calls the corresponding SPI function pam_sm_xxx() in each of them, as follows:

For each API function pam_xxx() the corresponding SPI function is pam_sm_xxx(), which every service module must export so that libpam can call it. For ease of reference they are listed again here.

API / SPI correspondence:

Management interface         API                    SPI
Account management           pam_acct_mgmt()        pam_sm_acct_mgmt()
Authentication management    pam_authenticate()     pam_sm_authenticate()
Password management          pam_chauthtok()        pam_sm_chauthtok()
Session management           pam_open_session()     pam_sm_open_session()
Session management           pam_close_session()    pam_sm_close_session()
Authentication management    pam_setcred()          pam_sm_setcred()

8. Common PAM service modules

The following is a (partial) list of the PAM modules shipped with Linux:

Module            Function                                                                  Related configuration files
pam_access        logdaemon-style logon control                                             /etc/security/access.conf
pam_chroot        function similar to the chroot command
pam_cracklib      checks password strength                                                  libcrack library and dictionary /usr/lib/cracklib_dict
pam_deny          always fails unconditionally
pam_env           sets or unsets environment variables                                      /etc/security/pam_env.conf
pam_filter        filters the input and output streams                                      filter programs
pam_ftp           authenticates anonymous ftp users
pam_group         grants the user extra group membership when the given service is          /etc/security/group.conf
                  requested on the given terminal
pam_issue         displays the contents of /etc/issue before prompting for the user name    /etc/issue
pam_krb4          performs Kerberos authentication of the user's password                   Kerberos library files
pam_lastlog       after a successful logon, displays the user's last logon and maintains    /var/log/lastlog
                  /var/log/lastlog
pam_limits        limits the system resources a user session may use                        /etc/security/limits.conf
pam_listfile      allows or denies the service depending on whether an item is listed       /etc/ftpusers
                  in a file
pam_mail          checks whether the user's mailbox holds new mail                          /var/spool/mail/xxxx
pam_mkhomedir     creates the user's home directory                                         /etc/skel/
pam_motd          displays the contents of /etc/motd                                        /etc/motd
pam_nologin       decides from the existence of /etc/nologin whether authentication         /etc/nologin
                  succeeds
pam_permit        always succeeds unconditionally
pam_pwdb          alternative to the pam_unix_xxxx modules; authenticates through the       /etc/pwdb.conf
                  Password Database generic interface
pam_radius        Remote Authentication Dial-In User Service (RADIUS) authentication
pam_rhosts_auth   authenticates the user with ~/.rhosts and /etc/hosts.equiv                ~/.rhosts, /etc/hosts.equiv
pam_rootok        checks whether the user is the superuser; if so, authentication passes
                  unconditionally
pam_securetty     standard UNIX securetty check                                             /etc/securetty
pam_time          time-based control, e.g. allowing users to log on only within a           /etc/security/time.conf
                  given period
pam_unix          standard Unix authentication                                              /etc/passwd, /etc/shadow
pam_userdb        checks the user/password against a Berkeley DB database                   Berkeley DB
pam_warn          records a warning through syslog
pam_wheel         grants superuser access only to members of the wheel group
