linux-pam Authentication Module
When a user connects to the server, the service program that handles the request passes the authentication step to PAM. Different server applications use different PAM configurations. To find out whether a program supports PAM at all, check whether it links against libpam with the ldd command.
For example, to see whether sshd supports PAM, run ldd against the sshd binary and look for libpam in its output:
libpam.so.0 => /lib/libpam.so.0
Because libpam.so.0 is linked into the program, it can authenticate through PAM.
When a service calls into PAM, libpam itself does not perform the verification; it dispatches the request to a stack of other modules, which live in /lib/security. Which service uses which modules is defined by that service's PAM service file under /etc/pam.d/.
# ls /etc/pam.d/
authconfig      neat                 redhat-config-network        su
chfn            other                redhat-config-network-cmd    sudo
chsh            passwd               redhat-config-network-druid  system-auth
halt            poweroff             rhn_register                 up2date
internet-druid  ppp                  setup                        up2date-config
kbdrate         reboot               smtp                         up2date-nox
login           redhat-config-mouse  sshd
PAM service file
# more /etc/pam.d/login
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
Format of a PAM service file (four fields per line)
module-type | control-flag | module-path | arguments
module-type: auth, account, session, password
control-flag: required, requisite, sufficient, optional
For example:
auth | required | pam_securetty.so |
auth | required | pam_stack.so | service=system-auth
module-type (the first field; which part of the authentication process the module takes part in)
auth: authentication (checks that the user's name and password are correct) and setting of credentials
account: checks whether the account has expired, is disabled, or is otherwise restricted
session: sets up and tears down the login session
password: controls the process of changing the user's password
control-flag (the second field; determines how the module's result affects the rest of the stack)
required: the module must succeed. If it fails, the remaining modules of the same type are still run, but the final result is failure; the user is not told which module failed.
requisite: the module must succeed. If it fails, control returns to the application immediately and no further modules are run.
sufficient: if the module succeeds and no earlier required module has failed, the stack returns success at once and the remaining modules are skipped. If it fails, the failure is ignored and the stack continues.
optional: the module's result is ignored unless it is the only module in the stack for that type.
Commonly used PAM service files
1) login -- /etc/pam.d/login
2) ipop3d -- /etc/pam.d/pop
3) ftp -- /etc/pam.d/ftp, or vsftpd -- /etc/pam.d/vsftpd
4) sshd -- /etc/pam.d/sshd
5) su -- /etc/pam.d/su
6) imap -- /etc/pam.d/imap
Authentication stack
1) auth required pam_securetty.so
2) auth required pam_stack.so service=system-auth
3) auth required pam_nologin.so
The entries of one module type form a stack and are run in order: when module 1) finishes, PAM moves on to module 2), and so on, until the end of the stack is reached, at which point the combined result is returned. Entries of the same type are grouped together. pam_stack.so does not verify anything itself; it invokes the stack of another service (here system-auth), and that sub-stack in turn calls the modules that do the actual authentication and authorization.
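The following Python is an added example, not code from the page or from Linux-PAM. It parses the four-field service-file format and replays the login and system-auth auth stacks shown above with the control-flag rules described here, resolving pam_stack.so by recursing into the named service. The per-module results it feeds in are constructed (a bad password, /etc/nologin present, root on an insecure tty), and the "login-requisite" service is a hypothetical variant added only to contrast requisite with required; nothing is actually authenticated.

```python
"""Parse PAM service files and walk an auth stack the way Linux-PAM applies
the required / requisite / sufficient / optional control flags.
Added example: the pam.d texts are copies of the login and system-auth files
on the page plus a hypothetical 'login-requisite' variant; module results are
constructed inputs, not real module calls."""
import os
from typing import Dict, List, NamedTuple, Optional

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # libpam's answer when no module gave a verdict


class Entry(NamedTuple):
    mtype: str        # auth | account | password | session
    flag: str         # required | requisite | sufficient | optional
    module: str       # basename of module-path, e.g. pam_unix.so
    args: List[str]


def parse_service(text: str) -> List[Entry]:
    """Parse 'module-type control-flag module-path [arguments]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops '#%PAM-1.0' and comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        mtype, flag, path, *args = fields
        entries.append(Entry(mtype.lower(), flag.lower(), os.path.basename(path), args))
    return entries


CONFIG: Dict[str, str] = {
    "login": """\
#%PAM-1.0
auth     required  pam_securetty.so
auth     required  pam_stack.so service=system-auth
auth     required  pam_nologin.so
account  required  pam_stack.so service=system-auth
""",
    "login-requisite": """\
auth     requisite pam_securetty.so
auth     required  pam_stack.so service=system-auth
auth     required  pam_nologin.so
""",
    "system-auth": """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
""",
}

# Modules whose answer never depends on the login attempt.
FIXED_RESULTS = {"pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS}


def run_stack(service: str, mtype: str, results: Dict[str, str],
              trace: Optional[List[str]] = None, config: Dict[str, str] = CONFIG) -> str:
    """Final PAM code for one module type of a service.

    `results` maps module name -> the code it returns for this attempt; unlisted
    modules succeed (as pam_env.so does).  pam_stack.so recurses into the named
    service.  `trace`, if given, collects the modules actually invoked, in order.
    """
    impression = None          # None = no verdict yet, else "pos" or "neg"
    status = PAM_PERM_DENIED
    for e in parse_service(config[service]):
        if e.mtype != mtype:
            continue
        if trace is not None:
            trace.append(e.module)
        if e.module == "pam_stack.so":
            sub = next(a.split("=", 1)[1] for a in e.args if a.startswith("service="))
            retval = run_stack(sub, mtype, results, trace, config)
        else:
            retval = {**FIXED_RESULTS, **results}.get(e.module, PAM_SUCCESS)
        ok = retval == PAM_SUCCESS

        if e.flag in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = "pos", retval
            else:
                if impression != "neg":          # the first failure's code is kept
                    impression, status = "neg", retval
                if e.flag == "requisite":        # stop right here
                    return status
        elif e.flag == "sufficient":
            if ok:
                if impression is None:
                    impression, status = "pos", retval
                if impression == "pos":          # short-circuit only if nothing failed before
                    return status
            # a failing sufficient module is simply skipped
        elif e.flag == "optional":
            if ok and impression is None:
                impression, status = "pos", retval
            # failure ignored (the "only module in the stack" case is not modelled)
        else:
            raise ValueError(f"unsupported control flag {e.flag!r} in {service}")
    return status
```

Feeding a failing pam_securetty.so to both services shows the practical difference between the two flags: with required, pam_stack.so and therefore pam_unix.so still run, so the password is still asked for and the failure is only reported at the end; with requisite the stack returns at pam_securetty.so and nothing else is invoked. A stack with no entries of the requested type (session, in this cut-down login file) ends with no verdict and falls back to PAM_PERM_DENIED.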
Common PAM modules
1) pam_access.so: restricts access by the visitor's origin address and account name
2) pam_listfile.so: allows or denies based on a list of account names, ttys or other items in a file
3) pam_limits.so: sets the resource limits assigned to the user
4) pam_rootok.so: lets the administrator (uid 0) through unconditionally
5) pam_userdb.so: authenticates against a separate user account database
The login service file and the module documentation are inspected below:
# cd /etc/pam.d/
# more login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# cd /usr/share/doc/pam-0.75/txts/
# ls
pam_appl.txt         README.pam_ftp        README.pam_shells
pam_modules.txt      README.pam_limits     README.pam_stack
pam.txt              README.pam_listfile   README.pam_stress
README               README.pam_localuser  README.pam_tally
README.pam_access    README.pam_mail       README.pam_time
README.pam_chroot    README.pam_nologin    README.pam_timestamp
README.pam_console   README.pam_permit     README.pam_unix
README.pam_cracklib  README.pam_pwdb       README.pam_userdb
README.pam_deny      README.pam_rhosts     README.pam_warn
README.pam_env       README.pam_rootok     README.pam_wheel
README.pam_filter    README.pam_securetty  README.pam_xauth
# more README.pam_securetty
pam_securetty:
    Allows root logins only if the user is logging in on a
    "secure" tty, as defined by the listing in /etc/securetty.
    Also checks to make sure that /etc/securetty is a plain
    file and not world writable.
    - Elliot Lee, Red Hat Software.
    July 25, 1996.
# more /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
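The check described in README.pam_securetty, reimplemented in Python as an added example (not the module's own code). It decides whether a root login from a given tty should be allowed: the securetty file must be a regular file that is not world-writable, the tty name is compared after stripping a leading /dev/, and users other than root are never restricted (the real module tests for uid 0 rather than the name "root"; the name comparison is a simplification made here). The securetty files are constructed in a temporary directory from the listing above; one copy is deliberately made world-writable to show the sanity check refusing it.

```python
"""pam_securetty's decision for a root login, as an added example.
The securetty files are constructed from the page's listing; the
world-writable copy exists only to exercise the sanity check."""
import os
import stat
import tempfile

# Constructed copy of the /etc/securetty shown on the page.
SECURETTY_TEXT = "\n".join(
    ["console"] + [f"vc/{i}" for i in range(1, 12)] + [f"tty{i}" for i in range(1, 12)]
) + "\n"


def securetty_is_trustworthy(path: str) -> bool:
    """The README's sanity check: the file must exist, be a plain file, and
    must not be writable by everyone (otherwise anyone could add 'pts/2')."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return not (st.st_mode & stat.S_IWOTH)


def root_login_allowed(user: str, tty: str, securetty_path: str) -> bool:
    """True if pam_securetty would let `user` log in from `tty`.

    Non-root users are never restricted by this module.  For root the tty is
    compared after stripping a leading '/dev/', so '/dev/tty1' matches the
    'tty1' entry, while an ssh pseudo-terminal such as '/dev/pts/2' is not in
    the list and is refused.  An untrustworthy file is treated as "deny root".
    """
    if user != "root":                 # simplification: real module checks uid 0
        return True
    if not securetty_is_trustworthy(securetty_path):
        return False
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    with open(securetty_path) as f:
        listed = {ln.strip() for ln in f if ln.strip() and not ln.startswith("#")}
    return name in listed


# Constructed files: a correct one (0644) and a world-writable one (0666).
_tmp = tempfile.mkdtemp(prefix="securetty-demo-")
GOOD = os.path.join(_tmp, "securetty")
WORLD_WRITABLE = os.path.join(_tmp, "securetty-666")
for _path, _mode in ((GOOD, 0o644), (WORLD_WRITABLE, 0o666)):
    with open(_path, "w") as _f:
        _f.write(SECURETTY_TEXT)
    os.chmod(_path, _mode)


if __name__ == "__main__":
    for user, tty, path in [("root", "/dev/tty1", GOOD),
                            ("root", "/dev/pts/2", GOOD),
                            ("root", "/dev/tty1", WORLD_WRITABLE),
                            ("leekwen", "/dev/pts/2", GOOD)]:
        verdict = "allow" if root_login_allowed(user, tty, path) else "deny"
        print(f"{user:8} {tty:10} {os.path.basename(path):14} -> {verdict}")
```

An ssh session lands on a pseudo-terminal such as /dev/pts/2 (compare the tty output at the end of the page), which does not appear in /etc/securetty, so a service whose auth stack contains pam_securetty.so refuses root there even when the password is correct; a world-writable /etc/securetty is refused outright rather than trusted.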
# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
# pwd
/usr/share/doc/pam-0.75/txts
# more README.pam_nologin
# $Id: README,v 1.1.1.1 2000/06/20 22:11:46 agmorgan Exp $
#
This module always lets root in; it lets other users in only if the file
/etc/nologin doesn't exist. In any case, if /etc/nologin exists, its
contents are displayed to the user.
Module services provided:
    auth    _authentication and _setcred (blank)
Michael K. Johnson
# touch /etc/nologin
# useradd leekwen
# passwd leekwen
Changing password for user leekwen.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# ssh leekwen@192.168.0.188
leekwen@192.168.0.188's password:
Permission denied, please try again.
leekwen@192.168.0.188's password:
Permission denied, please try again.
leekwen@192.168.0.188's password:
Permission denied (publickey,password,keyboard-interactive).
# rm /etc/nologin
rm: remove regular empty file '/etc/nologin'? y
# ssh leekwen@192.168.0.188
leekwen@192.168.0.188's password:
$ pwd
/home/leekwen
$ exit
logout
Connection to 192.168.0.188 closed.
# cd /etc/pam.d/
# more login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# tty
/dev/pts/2
# ls /dev/tty1
/dev/tty1