I. Introduction to the PAM authentication module
PAM stands for Pluggable Authentication Modules. One important use is tightening control over the su command: with the help of PAM, only a few designated users can use su to switch accounts. PAM provides a central mechanism for authenticating all services, including login, remote login (telnet, rlogin, fsh, ftp), su and other applications, and the system administrator sets a different authentication policy for each application through that application's PAM configuration file.
PAM authentication first determines which service is being used, then loads the corresponding PAM configuration file (located under /etc/pam.d), and finally calls the module files (located under /lib/security) to perform the actual authentication. When a user accesses the server, the service program hands the user's request to PAM for authentication; each application can be configured with a different set of PAM modules.
II. PAM authentication usage
To check whether a program supports PAM authentication, look for a configuration file with the service's name, for example:
~]# ls /etc/pam.d | grep su
(Here su is a configuration file with the same name as the service; editing it changes how su authenticates.)
For example, to view su's PAM configuration file: cat /etc/pam.d/su. Each line is a separate authentication step, and each line is divided into three fields: 1) authentication type, 2) control type, 3) PAM module and its arguments.
The following is a brief introduction to the four common authentication types:
(1) auth (authentication management): accepts the user name and password, then verifies the user's password.
(2) account (account management): checks whether the account is allowed to log on to the system, whether the account has expired, whether login is restricted to certain time periods, and so on.
(3) password (password management): mainly used to change the user's password.
(4) session (session management): mainly provides management and bookkeeping (accounting) of the session.
The control type, also called the control flag, determines how the result returned by a module of a given authentication type affects the overall outcome. There are four kinds:
(1) required: if verification fails, the remaining modules are still run, but the overall result is fail.
(2) requisite: if verification fails, the whole verification process ends immediately and returns fail.
(3) sufficient: if verification succeeds, success is returned immediately and no further modules are run; otherwise the result is ignored and verification continues.
(4) optional: not used for the verification decision, only displays information (usually used with the session type).
III. PAM verification process
The following explains the sample verification table.
Take use1 as an example: the first line, with the required control type, calls module1; after that passes, the next line with the sufficient control type is reached and also passes, so the following required line is marked n/a, meaning it does not need to be executed. The result is verification success.
IV. Case analysis
Example: controlling user switching with the su command
1) Enable the pam_wheel module in /etc/pam.d/su
pam_rootok: checks whether the user is the superuser; if so (uid=0), authentication succeeds unconditionally.
pam_wheel: only members of the wheel group are allowed to become the superuser (only users in the wheel group may use the su command).
2) Add the authorized user bob to the wheel group
3) Test: bob can switch to root; other users cannot.
Steps:
~]# vim /etc/pam.d/su
Add the following line, or uncomment it if it is already present:
auth required pam_wheel.so use_uid
~]# gpasswd -a bob wheel
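As an added example (not code from the original post), the following simulates how the four control flags from section II combine module results within one stack, reproduces the use1 row of the verification table in section III, and applies the same logic to the su policy of this case study. The two-line /etc/pam.d/su snippet and the per-user module results in it are constructed for illustration; the real file contains more lines.

```python
# Added example, not code from the original post: a small simulator of how the
# four PAM control flags (required, requisite, sufficient, optional) combine
# per-module results within one management group such as "auth". It follows
# Linux-PAM's semantics for the simple keywords only; the bracketed
# [value=action] syntax is not modelled.

def parse_pam_line(line):
    """Split one /etc/pam.d line into (type, control, module, args)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed PAM line: {line!r}")
    return fields[0], fields[1], fields[2], fields[3:]

def evaluate_stack(stack, results):
    """stack: list of (control, module); results: dict module -> bool (what the
    module would return). Returns (authenticated, trace) where trace lists
    (module, "pass" | "fail" | "n/a"); "n/a" means the module was never run."""
    trace = []
    impression = None   # None: undecided, True: success so far, False: must fail
    stop = False
    for control, module in stack:
        if stop:
            trace.append((module, "n/a"))
            continue
        ok = results[module]
        trace.append((module, "pass" if ok else "fail"))
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False              # sticky failure; required keeps
                stop = control == "requisite"   # running, requisite aborts at once
        elif control == "sufficient":
            if ok and impression is not False:  # enough, skip the rest, unless a
                impression, stop = True, True   # required module already failed
        elif control == "optional":
            if ok and impression is None:       # only decisive if nothing else did
                impression = True
        else:
            raise ValueError(f"unknown control flag: {control}")
    return bool(impression), trace              # no verdict at all -> deny

def su_allowed(user_is_root, user_in_wheel):
    """Constructed /etc/pam.d/su policy from the case study: pam_rootok lets
    uid 0 through unconditionally, pam_wheel then gates everyone else on
    membership of the wheel group."""
    config = ["auth sufficient pam_rootok.so",
              "auth required   pam_wheel.so use_uid"]
    stack = [(c, m) for _t, c, m, _a in map(parse_pam_line, config)]
    results = {"pam_rootok.so": user_is_root, "pam_wheel.so": user_in_wheel}
    return evaluate_stack(stack, results)
```

Calling `su_allowed(False, True)` models bob after `gpasswd -a bob wheel` and returns success, while `su_allowed(False, False)` models a user outside wheel and is denied by the required pam_wheel line.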
Linux system security and application: PAM security authentication