Linux user security and Linux PAM authentication mechanism

Source: Internet
Author: User
Tags: auth

Part One: Linux Authentication

1. Users and the system administrator

> Users are divided into two categories: the system administrator and ordinary users.

> Each user has a unique user name in the system, which is the credential for using the system.

> The system administrator, also known as the superuser, has the account name "root" and holds the highest authority to perform system operations.

> The superuser has the highest authority in the system and is mainly responsible for system administration work.

> An ordinary user's account name can be chosen freely; the general requirement is that it must not start with a digit or an underscore.

> Besides having an individual user identity, several users can be combined into a user group.

> Users in the same user group share that group's permissions.

> The Linux system assigns a unique identifier to every user and every user group.

> The user identifier is the user ID (UID); the group identifier is the group ID (GID).

2. Entering and exiting the system

> Users enter the operating system with a user account and a user password.
> There are two ways to access the system: remotely via telnet, and locally at the console.

> Either way, once Linux is ready to accept a login, the screen displays the system prompt "login:", and the user enters the user account after it.

> When the user account has been entered correctly, the prompt "passwd:" appears, and the user enters the user password after it.

> If the user account and user password are both correct, the login succeeds and the system prompt "$" or "%" appears.
> For the superuser the system prompt is "#".

> Linux gives no hint about what was wrong, so that nobody can use the login prompt to guess your password.

> Linux does not echo the password as it is typed, so that nobody else can see how many characters you entered.

> For security, if you are connected remotely and the number of failed logins is too high, most systems disconnect the session.

> User names and passwords are case sensitive.

> On a Linux system, each telnet user that is logged in consumes about 1 MB of memory.

> When a user exits the system that memory is returned; exiting also stops the system accounting log from continuing to record the session, and prevents the account from being used by someone else to destroy the user's files.
> How to exit the system:
> "exit", "logout" or the Ctrl-D key.
> After the user exits, "login:" appears again so that a user can enter the system again.
> Note the difference between the three ways of exiting: logout logs off the user's current login environment, while Ctrl-D quits the current shell process.


The /etc/passwd user data file format in detail:
[Figure: Passwd.jpg, the /etc/passwd file format]

The shadow password file /etc/shadow, field by field:

1. "Login name": the user account, matching the login name in the /etc/passwd file.
2. "Password": this field holds the encrypted user password, 13 characters long. If it is empty, the corresponding user needs no password to log in; if it contains characters that are not in the set {./0-9A-Za-z}, the corresponding user cannot log in.
3. "Last modified time": the number of days, counted from a fixed starting date, until the user last changed the password. The starting date may differ between systems; on Linux it is January 1, 1970.
4. "Minimum time interval": the minimum number of days that must pass between two password changes.
5. "Maximum time interval": the maximum number of days the password remains valid.
6. "Warning time": the number of days between the system starting to warn the user and the password officially expiring.
7. "Inactivity time": the maximum number of days a user may have no login activity while the account remains valid.
8. "Expiration time": an absolute number of days; if this field is used, it gives the lifetime of the corresponding account. After it expires, the account is no longer a valid account and can no longer be used to log in.
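As an added illustration that is not part of the original article, the following Python parses constructed /etc/shadow lines and applies the field rules above to decide each account's state on a given day; the user names and hash values are made up, and the day number 18993 used below corresponds to 2022-01-01.

```python
# Constructed /etc/shadow sample for this example; the hashes are fake placeholders.
SAMPLE_SHADOW = """\
alice:$6$FAKEsalt$FAKEhash:18900:1:90:7:::
carol:$6$FAKEsalt$FAKEhash:18908:1:90:7:::
dave:$6$FAKEsalt$FAKEhash:18700:1:90:7:30::
erin:$6$FAKEsalt$FAKEhash:18900:0:99999:7::18990:
bob::18900:0:99999:7:::
svc:!!:18800:0:99999:7:::
"""

# The nine colon-separated fields, in file order; day counts start at 1970-01-01.
FIELDS = ("login", "password", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved")

def parse_shadow(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed shadow line: %r" % line)
        rec = dict(zip(FIELDS, parts))
        for f in FIELDS[2:8]:               # empty day fields mean "not set"
            rec[f] = int(rec[f]) if rec[f] else None
        entries.append(rec)
    return entries

def account_status(rec, today_days):
    """Apply the field rules in the order a login check would; today_days is days since 1970-01-01."""
    pw = rec["password"]
    if pw == "":
        return "NO_PASSWORD"        # empty field: logs in without any password
    if pw[0] in "!*":
        return "LOCKED"             # outside the {./0-9A-Za-z} alphabet: cannot log in
    if rec["expire"] is not None and today_days >= rec["expire"]:
        return "ACCOUNT_EXPIRED"    # absolute expiry day reached
    if rec["last_change"] is not None and rec["max_days"] is not None:
        age = today_days - rec["last_change"]
        if rec["inactive_days"] is not None and age > rec["max_days"] + rec["inactive_days"]:
            return "INACTIVE"       # past the maximum interval plus the inactivity allowance
        if age > rec["max_days"]:
            return "PASSWORD_EXPIRED"
        if rec["warn_days"] and age > rec["max_days"] - rec["warn_days"]:
            return "WARN"           # inside the warning window before expiry
    return "OK"

def audit_shadow(text, today_days):
    """Map each login name to its status on the given day number."""
    return {r["login"]: account_status(r, today_days) for r in parse_shadow(text)}
```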


Part Two: Linux PAM Authentication Mechanism

In the UNIX environment, authentication traditionally meant simply matching a user against their entry in the /etc/passwd file. Many authentication modules shared one flaw: the code implementing authentication was usually compiled into the application itself. This directly leads to a problem: if a flaw is found in the algorithm used, or a different authentication method is wanted, the user has to rewrite (modify or replace) and then recompile the application's source code. To improve on this, people began to look for other approaches, and so the Pluggable Authentication Modules came into being. PAM (Pluggable Authentication Modules) was originally invented by Sun as a flexible way to authenticate users. Linux-PAM is a set of shared libraries; by using these modules, system administrators are free to choose the authentication mechanism used by each application. This means you do not need to recompile an application to switch the authentication mechanism it uses; without touching the application at all, you can completely upgrade the authentication mechanism used by the system.

Layered architecture of Linux-PAM:

[Figure: Tpt.jpg, the layered architecture of Linux-PAM]

First layer: the module layer
The module layer is at the bottom of the whole structure and provides its services upward to the application interface layer. It contains four kinds of modules:
  Authentication (auth): responsible for authenticating the user and granting credentials.
  Account management (account): account checks that are independent of authentication.
  Session management (session): checks that must be performed before or after a session is established.
  Password management (password): checks performed when the user changes the password.

Second layer: the application interface layer
The application interface layer sits in the middle of the PAM structure. Upward, it hides the details of the user identification process from the application; downward, it maps to the specific services provided by the specific modules in the module layer. It has two kinds of interfaces.
The first kind invokes a specific module below and corresponds one-to-one with the underlying module types:
  Authentication class: pam_authenticate() authenticates the user; pam_setcred() modifies the user's credential information.
  Account class: pam_acct_mgmt() checks whether the authenticated user's account is permitted to log on to the system and whether the account has expired.
  Session class: pam_open_session() and pam_close_session() handle session management and accounting.
  Password class: pam_chauthtok() changes the user's password.
The second kind does not correspond one-to-one with the underlying modules; it supports the modules and the communication between the application and the modules:
  Administrative interface: a PAM transaction starts with pam_start() and ends with pam_end().
  Communication between the application and the module: for example pam_putenv().
  Communication between the user and the module: set up through pam_start().
  Communication between modules: although the modules are independent, they can still exchange information through pam_get_item().
  Reading and writing module state information: pam_get_data().


PAM configuration files:

> The PAM library is driven by local system configuration files:

> the configuration files under the /etc/pam.d/ directory.

> The most detailed local PAM documentation:

> /usr/share/doc/pam-1.1.1/txts/ detailed module descriptions

> /usr/share/doc/pam-1.1.1/html/ PAM related instructions


How applications use PAM
For a program that needs to use PAM, a configuration file must be created for it in the /etc/pam.d directory. For example, for the system FTP service vsftpd, the PAM configuration file is:

/etc/pam.d/vsftpd

[Figure: Vsftp.jpg, the contents of /etc/pam.d/vsftpd]


Syntax of the configuration files
service-name module-type control-flag module-path arguments
service-name: the service name assigned to the entry, usually the name of the given application, such as vsftpd.
module-type: one of the four module types: auth, account, session, password.
control-flag: one of the following four values:

required, requisite, sufficient, optional
1. required

When a rule with this control flag fails, the validation process still continues with the rules below it, and an error is returned only at the end. Because the failure does not stop the process, the user cannot tell which rule failed.

2. requisite

Similar to required, but as soon as a rule with this flag fails, the whole validation process is terminated immediately and an error is returned. This keyword helps resist brute-force password guessing, but because it returns information to the user at once, it can also disclose information about the system's configuration to an attacker.

3. sufficient

If a rule with this control flag succeeds, PAM immediately stops processing the remaining rules of this type and returns success, provided that no preceding required rule has failed; a failed sufficient rule is simply ignored and processing continues.

4. optional

The success or failure of such a rule is not important; its result is ignored.

Complex control flags (typically used with the session type) allow an administrator to specify, for each result value that can occur during validation, which action to take. These flags are enclosed in square brackets and consist of a series of value=action pairs separated by spaces.

The fourth column is module-arguments.

It specifies special options for the referenced module. Multiple options are separated by spaces; enclose an option in "" to pass a nested command or a string containing spaces; when an entry spans more than one line, end each line with "\" to continue on the next.
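The control-flag semantics above are easiest to see by simulating a stack. The following Python is an added example, not code from the article or from Linux-PAM: it parses a constructed /etc/pam.d-style auth stack and walks it with assumed per-module results, reporting which modules were consulted so the difference between required and requisite is visible.

```python
# Constructed /etc/pam.d-style auth stack for this example; module names are only labels here.
SAMPLE_STACK = """\
# type  control     module-path       arguments
auth    requisite   pam_securetty.so
auth    sufficient  pam_rootok.so
auth    required    pam_unix.so       nullok
auth    optional    pam_echo.so
"""

FLAGS = ("required", "requisite", "sufficient", "optional")

def parse_stack(text, module_type):
    """Return (control_flag, module) pairs of one module type, in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != module_type:
            continue
        if fields[1] not in FLAGS:
            raise ValueError("unsupported control flag: %r" % fields[1])
        rules.append((fields[1], fields[2]))
    return rules

def run_stack(rules, results):
    """Walk the stack with the four simple control flags.

    results maps module -> True (success) / False (failure). Returns
    (authenticated, modules_consulted) so the effect of each flag is visible.
    """
    required_failed = False
    consulted = []
    for flag, module in rules:
        ok = results[module]
        consulted.append(module)
        if flag == "requisite" and not ok:
            return False, consulted       # terminate immediately
        if flag == "required" and not ok:
            required_failed = True        # keep walking, so the failing rule is not revealed
        if flag == "sufficient" and ok and not required_failed:
            return True, consulted        # success ends the stack unless a required rule failed
        # a failed sufficient rule and every optional result are ignored
    return not required_failed, consulted
```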


Common PAM modules

pam_securetty: this module restricts the root user to logging in only from the terminals listed in the /etc/securetty file.

pam_shells: an authentication module; if the user's shell is listed in /etc/shells the user is allowed to authenticate. If no shell is specified in /etc/passwd, /bin/sh is used by default.


Comprehensive case applications:

1. /etc/pam.d/sshd: restrict the user hadoop logging in from 172.16.0.1

Configuration process:
  # vim /etc/pam.d/login
  account required pam_access.so accessfile=/etc/system_login.conf
  # vim /etc/system_login.conf
  -:hadoop:172.16.0.1

2. /etc/pam.d/su: prohibit users outside the wheel group from using the su command

Configuration procedure:
Method 1 (the wheel group can be replaced by any other group): edit /etc/pam.d/su and add the following two lines
  # vim /etc/pam.d/su
  auth sufficient /lib/security/pam_rootok.so debug
  auth required /lib/security/pam_wheel.so group=wheel
Method 2: edit /etc/pam.d/su and remove the leading # from the following line
  # vim /etc/pam.d/su
  auth required pam_wheel.so use_uid        # remove the comment marker to enable
  # echo "SU_WHEEL_ONLY yes" >> /etc/login.defs   # append as the last line

3. /etc/pam.d/sshd: deny all users login to the system

Configuration process:
  # vim /etc/pam.d/sshd
  auth required pam_access.so accessfile=/etc/sshd_login.conf
  # vim /etc/sshd_login.conf
  -:ALL:ALL

4. Integrated application case:

(1) Only allow root to log on locally.
(2) Only allow the user samlee to telnet in from 172.16.100.8.
(3) No other users are allowed to log on to the system.

Configuration process:
  # vim /etc/pam.d/sshd
  auth required pam_access.so accessfile=/etc/sshd_login.conf
  # vim /etc/sshd_login.conf
  +:root:LOCAL
  +:samlee:172.16.100.8
  -:ALL:ALL
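To check access files like the ones in these cases before deploying them, here is an added Python evaluator (not part of the original article and not pam_access itself) that applies the first-match rule pam_access uses; the sample files are those from cases 1, 3 and 4, and its network (CIDR) matching goes slightly beyond the exact addresses the cases use.

```python
import ipaddress

# The access files from the cases above, embedded here as constructed sample input.
CASE1_CONF = "-:hadoop:172.16.0.1\n"
DENY_ALL_CONF = "-:ALL:ALL\n"
CASE4_CONF = """\
# permission : users : origins
+:root:LOCAL
+:samlee:172.16.100.8
-:ALL:ALL
"""

def parse_access_conf(text):
    """Return (allow, users, origins) triples from a pam_access-style file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("permission must be + or -: %r" % raw)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    """ALL matches anything; LOCAL matches origins without a dot (ttys, short host names);
    otherwise require an exact match or IPv4 address/network containment."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin
    if pattern == origin:
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False

def access_decision(rules, user, origin):
    """First matching rule wins; like pam_access, grant access when no rule matches."""
    for allow, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(p, origin) for p in origins):
            return allow
    return True
```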

That is all for Linux user security and the Linux PAM authentication mechanism.

This article is from the "Opensamlee" blog; please keep this source when reproducing it: http://gzsamlee.blog.51cto.com/9976612/1767883
