Introduction to common PAM authentication modules (2)

Source: Internet
Author: User
Article title: Introduction to common PAM authentication modules (2). Linux is a technology channel of the IT lab in China. It includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
8. pam_group Authentication Module
  
Type: auth
  
Function description: This module does not provide user authentication; it only grants the user the permissions of the specified user group. The default configuration file is /etc/security/groups.conf.
  
9. pam_issue Authentication Module
  
Type: auth
  
Function description: This module prints the /etc/issue file when a user logs in.

Possible parameters:
issue=filename: specifies another file to use instead of the default /etc/issue.
noesc: do not interpret the escape sequences in the configuration file.

Configuration file description:
You can use escape sequences of the form \x in the configuration file to implement specific functions. The recognized escape sequences are:
\d: print the current date
\s: print the operating system name
\l: print the current tty name
\m: print the CPU type (i686, iSCSI, powerpc, etc.)
\n: print the host name
\o: print the domain name
\r: print the kernel version number
\t: print the current system time
\u: print the number of users currently logged in to the system
\U: same as \u, but followed by the word "user" or "users"
\v: print the system installation date

Configuration file example:
$ more /etc/issue

Welcome

Time: \d
User online: \U
  
10. pam_lastlog Authentication Module
  
Type: auth
  
Function description: This module prints information about the user's last login (from /var/log/lastlog) when the user logs in. Other programs already provide this function, so you do not need to use this module.
  
  
11. pam_limits Authentication Module

Type: session

Function description: This module limits the use of system resources during user sessions. By default, the configuration file of this module is /etc/security/limits.conf; you can use the conf parameter to specify a custom configuration file.
  
Possible parameters:
debug: write debugging information to the logs
conf=filename: specifies the configuration file
  
Configuration file description: each line (one entry) of the configuration file has the following syntax:

<domain> <type> <item> <value>

Here:
<domain> can be:
a user name
a user group name, using the @group syntax
the wildcard *, meaning any
<type> can be:
soft: the soft limit, which can be exceeded
hard: a hard limit, which is set by root and enforced by the kernel; it cannot be exceeded
<item> can be:
core: core file size (KB)
data: maximum data size (KB)
fsize: maximum file size (KB)
memlock: maximum available memory (KB)
nofile: maximum number of files that can be opened
rss: maximum resident space (KB)
stack: maximum stack space (KB)
cpu: maximum CPU usage time (MIN)
nproc: maximum number of processes running
as: address space limit
maxlogins: maximum number of times a user can log on to the system
locks: maximum number of locked files
Note that if there is to be no limit, you can use the "-" sign, and that user-specific limits take priority over group limits.

Configuration file example:
* soft core 0
* hard rss 10000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
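
The entry syntax above can be checked mechanically before a file is deployed. The following is an added example, not part of the original article or of pam_limits itself: it parses the four-field syntax, reports lines that do not fit it, and resolves which value applies to a given user. The function names and the precedence order (user entry over @group entry over *, later line wins on a tie) are assumptions of this example.

```python
# Added example: parser for the four-field limits.conf syntax described above.
SAMPLE = """\
* soft core 0
* hard rss 10000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
"""
TYPES = {"soft", "hard", "-"}   # "-" sets both soft and hard (limits.conf(5))
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "locks"}


def parse_limits(text):
    """Return (entries, errors); errors are (line number, text) pairs."""
    entries, errors = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 4 or fields[1] not in TYPES or fields[2] not in ITEMS:
            errors.append((number, raw.strip()))
            continue
        entries.append(tuple(fields))
    return entries, errors


def effective(entries, user, groups, item, kind):
    """Value of `item` (kind "soft" or "hard") that applies to `user`.

    Assumed precedence: user entry > @group entry > "*"; on a tie the
    later line wins. Returns None when no entry applies.
    """
    best_rank, best_value = None, None
    for domain, ltype, name, value in entries:
        if name != item or ltype not in (kind, "-"):
            continue
        if domain == user:
            rank = 0
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 2
        else:
            continue
        if best_rank is None or rank <= best_rank:
            best_rank, best_value = rank, value
    return best_value
```

A misspelt item name such as nprocs is returned in errors instead of being silently skipped, which is the case worth catching when the limit is meant as a control on process counts.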
  
12. pam_listfile Authentication Module
  
Type: auth
  
Function description: This module provides rule-based access control for users. The access control rules are normally kept in a file, which you specify with the file parameter. Access can be controlled by user name, login tty name, rhost, ruser, user group, or login shell.

Possible parameters:
item=[tty|user|rhost|ruser|group|shell]: defines what the rule matches on;
onerr=succeed|fail: defines the default return value when an error occurs (for example, when the configuration file cannot be opened);
sense=allow|deny: defines the return value when a matching entry is found in the configuration file; if no matching entry is found, the opposite value is returned;
file=filename: specifies the configuration file;
apply=user|@group: the user or group that the rule applies to; used with rules whose item is not user or group.

Configuration example:
For example, /etc/pam.d/ftp:
$ more /etc/pam.d/ftp
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
# auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
The first line of the configuration file specifies access control based on the user name (item=user), with the rules read from the file given by file=/etc/ftpusers. When the user name of the user logging in appears in that file, access is denied (sense=deny); when there is no matching entry in the file, access is allowed. onerr=succeed means that access is also allowed when an error occurs, such as the file not being openable.
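
How sense and onerr combine is easiest to see by evaluating the ftp rule against a few cases. The following is an added example, not code from the original article or from pam_listfile: a simplified model of the decision as the parameter descriptions above state it, reduced to allow/deny. The function names, the sample file content and the default of onerr=fail when the option is absent are assumptions of this example.

```python
# Added example: simplified model of the pam_listfile decision described above.
# Results are reduced to True (access allowed) / False (access denied).

FTP_LINE = ("auth required /lib/security/pam_listfile.so "
            "item=user sense=deny file=/etc/ftpusers onerr=succeed")
FTPUSERS = ["root\n", "bin\n", "daemon\n"]   # constructed sample file content


def parse_options(pam_line):
    """Return the key=value module arguments of one PAM stack line."""
    _type, _control, _module, *args = pam_line.split()
    return dict(a.split("=", 1) for a in args if "=" in a)


def listfile_allows(opts, value, file_lines):
    """Decide access for `value` (the item being checked, e.g. a user name).

    file_lines is the content of the list file, or None when the file
    cannot be opened (the error case governed by onerr).
    """
    if file_lines is None:
        # Assumption: onerr defaults to fail when it is not given.
        return opts.get("onerr", "fail") == "succeed"
    entries = {line.strip() for line in file_lines if line.strip()}
    allow_on_match = opts["sense"] == "allow"
    return allow_on_match if value in entries else not allow_on_match


def fails_open(opts):
    """True when an unreadable deny list would let every user through."""
    return opts.get("sense") == "deny" and opts.get("onerr") == "succeed"


if __name__ == "__main__":
    opts = parse_options(FTP_LINE)
    for user, content in [("root", FTPUSERS), ("alice", FTPUSERS), ("root", None)]:
        print(user, "file missing" if content is None else "file present",
              "->", "allow" if listfile_allows(opts, user, content) else "deny")
    print("fails open:", fails_open(opts))
```

With the rule as written, root is denied while /etc/ftpusers is readable but allowed once the file is missing; the same rule with onerr=fail denies in that case.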
  
13. pam_mail Authentication Module
  
Type: auth, session
  
Function description: checks the user's mail directory to see whether the user has new mail. Other programs already perform this task, so it is not necessary to use this module.

Possible parameters:
debug: write debugging information to the logs
dir=pathname: specifies the user's mail directory, usually /var/spool/mail; a ~ indicates that the mailbox is located in the user's home directory.
nopen: do not prompt the user with mail information.
close: always prompt the user with mail information.
noenv: do not set the MAIL environment variable.
empty: if the user's mailbox is empty, a message is still displayed to the user.
quiet: users are not prompted even if they have new mail.
  
  
14. pam_mkhomedir Authentication Module

Type: session

Function description: creates a home directory for the user upon login. This function is particularly useful when LDAP or a database is used to store user data.

Possible parameters:
debug: write debugging information to the logs
skel=dir: specifies the directory that contains the user's initialization scripts;
umask=octal: like the umask command, sets the default permission mask used when the user creates a file.
  
15. pam_motd Authentication Module
  
Type: session
  
Function description: After a user successfully logs in to the system, the message of the day is displayed. By default, the content of the /etc/motd file is displayed; you can use the motd parameter to specify a different file.

Possible parameters:
motd=filename: specifies a custom configuration file.
  
16. pam_nologin Authentication Module
  
Type: auth
  
Function description: provides standard UNIX nologin authentication. If the /etc/nologin file exists, only the root user can log in; other users are only shown the content of the /etc/nologin file when they try to log in. If /etc/nologin does not exist, this module has no effect.
  
Optional parameters: None
  
17. pam_permit Authentication Module

Type: account; auth; password; session

Function description: This module carries a high security risk: its only function is to allow users to log in.
  
Optional parameters: None
  
18. pam_pwdb Authentication Module

Type: account; auth; password; session

Function description: This module is an alternative to the standard UNIX authentication module pam_unix.

When used as the auth type, this module recognizes the following parameters: debug, audit, use_first_pass, try_first_pass, nullok, and nodelay. Its main function is to verify the validity of the user's password; by default (without any parameters), it refuses service to users with blank passwords.

When used as the account type, this module recognizes the parameters debug and audit. It establishes the status of the user's account and password and then prompts the user to change the password; services are provided only after the user uses the new password.

When used as the password type, this module recognizes the following parameters: debug, audit, nullok, not_set_pass, use_authtok, try_first_pass, use_first_pass, md5, bigcrypt, and shadow. It handles the task of having the user change the password.

When used as the session type, this module has no recognized parameters; it only records the user name and service name in the log files.

Possible parameters:
debug: write debugging information to the logs
audit: records more information
nullok: by default, if the password entered by the user is empty, the system does not provide any service to the user. With this parameter, the user can obtain the services provided by the system without entering a password, and the password can also be changed while it is empty.
nodelay: when user authentication fails, the system delays the error message to prevent a hacker from guessing the password. With this parameter, the system cancels this delay. The delay is usually 1 second.
try_first_pass: when used with the auth module, this parameter tries to authenticate the user with the password provided by the previous stacked auth module before prompting the user to enter a password. When used with the password module, it prevents the user from updating the password to the old one.
use_first_pass: when used with the auth module, this parameter directly uses the password provided by the previous stacked auth module to authenticate the user before prompting the user to enter a password. When used with the password module, it prevents the user from setting the password to the one provided by the previous stacked password module.
not_set_pass: makes the password unavailable to the modules before and after this one in the stack.
use_authtok: forces the use of the password provided by the previous stacked password module, such as the new password provided by the pam_cracklib module.
Md5
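
The pam_permit description and the nullok and nodelay parameters above all name settings that weaken an authentication stack, so they are worth checking for in service files. The following is an added example, not part of the original article: it scans a PAM service file in the simple line form used on this page and reports those three settings. The sample stack is constructed, and the function name and the choice to flag pam_permit only in auth and account lines are assumptions of this example.

```python
# Added example: flags the settings this page singles out as weakening a stack.
# SAMPLE_STACK is constructed for illustration and is not from the page.
SAMPLE_STACK = """\
#%PAM-1.0
auth     required   /lib/security/pam_nologin.so
auth     required   /lib/security/pam_pwdb.so shadow nullok nodelay
account  required   /lib/security/pam_pwdb.so
password required   /lib/security/pam_pwdb.so use_authtok md5 shadow
session  optional   /lib/security/pam_permit.so
auth     sufficient /lib/security/pam_permit.so
"""
RISKY_AUTH_ARGS = {
    "nullok": "accounts with an empty password are accepted",
    "nodelay": "no delay after a failed attempt, so guessing is faster",
}


def audit_stack(text):
    """Return (line number, keyword, reason) findings for a PAM service file.

    Only the simple "type control module args..." line form used on this
    page is handled; bracketed control values are not parsed.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        mod_type, _control, module, *args = fields
        name = module.rsplit("/", 1)[-1]
        if mod_type in ("auth", "account") and name == "pam_permit.so":
            findings.append((number, "pam_permit", "always succeeds"))
        if mod_type == "auth":
            for arg in args:
                if arg in RISKY_AUTH_ARGS:
                    findings.append((number, arg, RISKY_AUTH_ARGS[arg]))
    return findings


if __name__ == "__main__":
    for number, keyword, reason in audit_stack(SAMPLE_STACK):
        print(f"line {number}: {keyword}: {reason}")
```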