Linux PAM & PAM Backdoor

Source: Internet
Author: User

0x00 PAM Introduction

PAM (Pluggable Authentication Modules) is an authentication framework originally proposed by Sun. It consists of dynamically loaded modules and a unified API that separate the services a system provides from the way those services authenticate users. An administrator can therefore assign different authentication methods to different services, and add new methods, without changing the service programs. PAM first shipped in Solaris and has since been ported to other systems such as Linux, SunOS and HP-UX 9.0.

0x01 PAM Workflow

0x02 PAM Configuration File Syntax
module-type  control-flag  module-path  module-options

The file in /etc/pam.d/ named after a service is that service's PAM configuration. For the sshd service, for example, /etc/pam.d/sshd holds the rules sshd is checked against. The file named other is special: a service that has no file of its own is handled by other.

Module-type

The type of service the line applies to: auth, account, session, or password.

The authentication type (auth) authenticates the user and sets or destroys credentials. The account type handles access control and account validity: expiry, time-of-day or origin restrictions and similar rules. The session type sets up and tears down a session. The password type changes or updates the authentication token (the password).
Control-flag

Indicates how the result of this module contributes to the overall success or failure of the service. The valid control flags are required, requisite, sufficient, and optional.

required: the module must succeed for the stack to pass. If it fails, the failure is not reported to the application immediately; the remaining modules in the stack still run (so the user cannot tell which module rejected them) and the failure is returned afterwards. A necessary condition.

requisite: like required, the module must succeed. If it fails, however, no further module in the stack is executed and control returns to the application at once. Also a necessary condition.

sufficient: if the module succeeds and no earlier required module in the stack has failed, the stack ends immediately with success and the remaining modules are skipped. If the module fails, the result is ignored and the stack continues. A sufficient condition.

optional: the module's success or failure is ignored unless it is the only module in the stack for that module type.

Module-path

The path of the shared object that implements the module. Usually only the file name is written; the default directory is /lib/security on 32-bit systems and /lib64/security on 64-bit systems.

Module-options

Optional and module-specific. Several common ones:

debug: the module writes debugging information to the system log via syslog().
no_warn: the module should not pass warning messages to the application.
use_first_pass: the module does not prompt for a password but uses the one obtained by the previous module; if that password is wrong, the module fails.
try_first_pass: the module first tries the password obtained by the previous module and prompts the user for a new one only if that fails.
use_mapped_pass: the module does not prompt for a password but uses a mapped password.
expose_account: allows the module to display the account name and other user information. Use it only in a trusted environment, since disclosing user names is itself a (minor) security exposure.

0x03 How the PAM stack works

Figure 1: How the PAM stack is built (Solaris; not every Linux version behaves identically)

Figure 2: How PAM derives the final return value (Solaris)
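
How the four control flags combine is easiest to see by running them. The following Python model is an added example, not code from the page or from Linux-PAM: it parses pam.d lines and applies the documented action of each flag, with module results supplied as a dictionary instead of being produced by real modules. The sample stack is constructed in the style of the CentOS 6 system-auth file; the helper names and the tampered stack with a leading sufficient pam_permit.so line are the example's own assumptions. That last case is also the reason the configuration-only variant in 0x05g accepts any password.

```python
"""Model of how Linux-PAM combines the results of a module stack.

Added illustration, not code from the page or from Linux-PAM.  It applies
the documented meaning of the four simple control flags (required,
requisite, sufficient, optional) to a pam.d file, with module results
supplied by the caller instead of running real modules, so the effect
of a configuration change can be worked out offline.
"""
import shlex

# The simple control flags expressed as Linux-PAM actions:
#   ok     -> counts as success unless an earlier module already failed
#   bad    -> records failure, the stack continues
#   die    -> records failure, the stack stops
#   done   -> like ok, and stops the stack if the result so far is success
#   ignore -> the result does not count
CONTROL_ACTIONS = {
    "required":   {"success": "ok",   "failure": "bad"},
    "requisite":  {"success": "ok",   "failure": "die"},
    "sufficient": {"success": "done", "failure": "ignore"},
    "optional":   {"success": "ok",   "failure": "ignore"},
}


def parse_pam_config(text):
    """Parse pam.d lines into (type, control, module, options) tuples.

    Comments, blank lines and backslash continuations are handled.  The
    [value=action ...] syntax and include/substack are not modelled and
    raise ValueError rather than being silently misread.
    """
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3 or fields[1] not in CONTROL_ACTIONS:
            raise ValueError("unsupported or malformed pam line: %r" % raw)
        entries.append((fields[0].lstrip("-"), fields[1], fields[2], fields[3:]))
    return entries


def evaluate_stack(entries, mtype, outcomes):
    """Return True if the `mtype` stack (e.g. "auth") passes.

    `outcomes` maps module file name -> True (PAM_SUCCESS) or False.
    Modules missing from the map are treated as failing.
    """
    impression = None                       # None: no module has counted yet
    for etype, control, module, _options in entries:
        if etype != mtype:
            continue
        result = "success" if outcomes.get(module, False) else "failure"
        action = CONTROL_ACTIONS[control][result]
        if action in ("ok", "done"):
            if impression is None:
                impression = True           # an earlier failure is never overridden
            if action == "done" and impression:
                break                       # sufficient: stop early with success
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break                       # requisite: stop at once with failure
        # "ignore": the result does not count, keep going
    return impression is True               # nothing counted -> PAM denies


def auth_passes(config_text, outcomes):
    return evaluate_stack(parse_pam_config(config_text), "auth", outcomes)


def permissive_auth_lines(entries):
    """Flag auth lines where pam_permit.so alone decides the outcome."""
    return [(c, m) for t, c, m, _ in entries
            if t == "auth" and m == "pam_permit.so" and c == "sufficient"]


# Constructed sample in the style of the CentOS 6 system-auth "auth" stack.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""

# The same stack with one permissive line prepended (pam_permit.so always succeeds).
TAMPERED_AUTH = "auth        sufficient    pam_permit.so\n" + SYSTEM_AUTH

if __name__ == "__main__":
    ok = {"pam_env.so": True, "pam_unix.so": True}
    wrong_pw = {"pam_env.so": True, "pam_unix.so": False, "pam_succeed_if.so": True}
    print("good password  :", auth_passes(SYSTEM_AUTH, ok))          # True
    print("wrong password :", auth_passes(SYSTEM_AUTH, wrong_pw))    # False
    print("tampered, wrong:", auth_passes(TAMPERED_AUTH, {"pam_permit.so": True}))  # True
    print("suspicious     :", permissive_auth_lines(parse_pam_config(TAMPERED_AUTH)))
```

Two points worth noticing in the output: with the normal stack a wrong password reaches pam_deny.so, which is required, so the stack fails even though pam_succeed_if.so passed; and in the tampered stack pam_permit.so is evaluated first, so no earlier required failure exists and its sufficient success ends the stack before pam_unix.so ever sees the password.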
0x04 Common PAM modules

Translated from the official documentation (/usr/share/doc/pam-1.1.1); the translation may contain mistakes.

1. pam_securetty.so

Type: auth
Purpose: restricts root logins to the terminals listed in the "secure" terminal file, /etc/securetty by default. Other users are not affected.

2. pam_access.so

Type: account
Purpose: allows or denies logins based on login name, host name, domain name, IP address, network, or terminal (the terminal part resembles /etc/securetty). The default configuration file is /etc/security/access.conf.

3. pam_tally2.so

Type: auth (also account)
Purpose: locks an account once the number of failed password attempts exceeds the configured limit.
Parameters:

onerr=[fail|succeed]: what to return if something unexpected happens, for example the counter file cannot be opened.
file=/path/to/counter: the file holding the per-user failure counters; the default is /var/log/tallylog. Every failed login increments the user's counter, and the file can be read with the pam_tally2 command.
audit: log the user name even when the user does not exist. silent: do not print informative messages. no_log_info: do not log via syslog.
deny=N: deny access after N consecutive failed attempts.
lock_time=N: always deny for N seconds after a failed attempt, even if the deny limit has not been reached.
unlock_time=N: allow access again N seconds after the deny limit was reached; without this option the account stays locked until an administrator resets the counter with pam_tally2 -u username --reset.
magic_root: when the module is invoked by a user with uid 0 the counter is not incremented, i.e. the module has no effect for root-launched services.
even_deny_root: root can be locked too (without it root is never denied).
root_unlock_time=N: the unlock time for root when even_deny_root is set.
A successful login resets the user's counter in /var/log/tallylog.

4. pam_cracklib

Type: password
Purpose: enforces password length and complexity.
Parameters:

debug: log the password-change checks to the system log.
retry=N: number of attempts the user gets when changing the password; the default is 1.
difok=N: the number of characters in the new password that must differ from the old one. A new password in which more than half of the characters differ is also accepted.
minlen=N: minimum password length (after credits).
dcredit=N, ucredit=N, lcredit=N, ocredit=N: for digits, upper-case letters, lower-case letters and other characters respectively. A negative N means the password must contain at least |N| characters of that class; a positive N grants up to N length credits for using the class.
minclass=N: minimum number of character classes (digits, upper case, lower case, special characters) the password must contain.
maxrepeat=N: reject passwords containing more than N identical consecutive characters.
5. pam_limits.so

Type: session
Purpose: restricts the resources available to a user session. The default configuration file is /etc/security/limits.conf, which applies globally; additional per-file settings live under /etc/security/limits.d/.

6. pam_listfile

Type: auth (also account, session and password)
Purpose: allows or denies the login depending on whether an item is listed in a given file.
Parameters:

item=[tty|user|rhost|ruser|group|shell]: what is looked up.
sense=[allow|deny]: whether a match allows or denies access.
file=/path/filename: the file to look up, one entry per line.
onerr=[succeed|fail]: the result to return if an error occurs (for example the file cannot be read).

Example:

auth required pam_listfile.so \
    onerr=succeed item=user sense=deny file=/etc/ftpusers

Users listed in /etc/ftpusers are denied.
7. pam_nologin.so

Type: auth (also account)
Purpose: refuses login to every user except root when the file /etc/nologin exists.
Parameter:

file=/path/nologin: the file to check; if it exists, its contents are printed to the user who is refused. The default is /etc/nologin.

0x05 PAM Backdoor

Test environment: CentOS 6.2, 64-bit

0x05a Query the local PAM version

rpm -qa | grep pam

Download the matching source version from:

http://www.linux-pam.org/library/  https://fedorahosted.org/releases/l/i/linux-pam/

0x05b Modify the source code

vim /mnt/Linux-PAM-1.1.1/modules/pam_unix/pam_unix_auth.c

Inside PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) a FILE *fp is declared.

PS: the backdoor patches circulating on the Internet modify these same places.

0x05c Compile the source

Resolve the dependencies, then configure and build:

yum install gcc make flex -y
./configure && make

The compiled pam_unix.so is produced in

/mnt/Linux-PAM-1.1.1/modules/pam_unix/.libs

Copy it over the file in /lib64/security (/lib/security on a 32-bit system).

0x05d Logon test

0x05e Use touch -r to copy the timestamps

touch -r copies the access and modification times of a reference file (the original pam_unix.so) onto the replacement, so ls -l shows the old date.

PS: the two files still differ in size. The kernel also sets the inode change time (ctime) to the current time on every change and touch cannot override it, and rpm -V pam reports the size and digest mismatch.

With this version of the modification there is also a visible difference between the entries written to /var/log/secure and those of a normal logon.
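
The limits of the timestamp trick are worth showing. The following Python script is an added example, not from the page, of how a responder would check a module directory such as /lib64/security. It runs on a temporary directory with constructed file contents so it works offline: the baseline digest dictionary stands in for the rpm manifest (what rpm -V pam compares against), and the recorded install time stands in for the package's INSTALLTIME. The function names and the sample bytes are the example's own.

```python
"""Checks for a swapped PAM module that survive `touch -r`.

Added example, not code from the page.  It models two things a responder
does on /lib64/security after a suspected pam_unix.so replacement.  The
digest check is what `rpm -V pam` does against the package manifest; here
a constructed dict stands in for the manifest.  The timestamp checks rest
on a kernel property: touch -r copies atime/mtime from the reference
file, but ctime is always stamped with the current time on any change and
cannot be set from user space.
"""
import hashlib
import os
import tempfile
import time
from types import SimpleNamespace


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fake_stat(mtime, ctime):
    """A stand-in for os.stat_result, for reasoning about timestamps offline."""
    return SimpleNamespace(st_mtime=mtime, st_ctime=ctime)


def timestamp_findings(st, installed_at=None, skew=5.0):
    """Flag timestamp combinations a genuine package file cannot have.

    installed_at is the package install time; on a real host it comes from
    `rpm -q --queryformat '%{INSTALLTIME}' pam`.  skew absorbs clock noise.
    """
    out = []
    # Every write or utime() moves ctime to "now", so mtime can only be ahead
    # of ctime if mtime was forged (e.g. touch -d with a future date).
    if st.st_mtime - st.st_ctime > skew:
        out.append("mtime is ahead of ctime: forged mtime")
    # rpm writes the file once, so ctime is about the install time.  A later
    # ctime means the inode changed afterwards (content swap, touch -r, chmod).
    if installed_at is not None and st.st_ctime - installed_at > skew:
        out.append("ctime is %.0f s after package install" % (st.st_ctime - installed_at))
    return out


def audit_modules(directory, baseline, installed_at=None):
    """Return {file name: [findings]} for the regular files in directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        problems = []
        expected = baseline.get(name)
        if expected is None:
            problems.append("not in baseline")
        elif sha256_of(path) != expected:
            problems.append("digest mismatch")
        problems += timestamp_findings(os.stat(path), installed_at)
        if problems:
            findings[name] = problems
    return findings


def demo():
    """Constructed scenario in a temp dir: clean install, then swap + touch -r."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pam_unix.so")
        with open(path, "wb") as f:
            f.write(b"\x7fELF original pam_unix.so (constructed bytes)")
        build_time = time.time() - 400 * 86400       # the mtime rpm preserves from the package
        os.utime(path, (build_time, build_time))
        installed_at = os.stat(path).st_ctime         # what rpm records as INSTALLTIME
        baseline = {"pam_unix.so": sha256_of(path)}  # stands in for the rpm manifest
        clean = audit_modules(d, baseline, installed_at)

        # The attacker drops the rebuilt module and runs `touch -r` against the old one.
        with open(path, "wb") as f:
            f.write(b"\x7fELF rebuilt pam_unix.so with extra code (constructed bytes)")
        os.utime(path, (build_time, build_time))      # same effect as touch -r original
        swapped = audit_modules(d, baseline, installed_at)
        return clean, swapped


if __name__ == "__main__":
    print(demo())   # ({}, {'pam_unix.so': ['digest mismatch']})
```

On a real host, point audit_modules at /lib64/security, build the baseline from a clean installation of the same pam package and read the install time from rpm -q --queryformat '%{INSTALLTIME}\n' pam. A digest mismatch is conclusive; the ctime finding is a lead rather than proof, since a legitimate chmod or SELinux relabel also changes ctime. In the demo the install-time check stays quiet because the swap follows the "install" within milliseconds; on a compromised host the gap is the time between the package install and the replacement.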

0x05f Optimized

vim /mnt/Linux-PAM-1.1.1/modules/pam_unix/pam_unix_auth.c

vim /mnt/Linux-PAM-1.1.1/modules/pam_unix/support.c

Logon test

The /var/log/secure entries are now consistent with a normal logon. o(∩_∩)o

0x05g There is also a cruder method: edit /etc/pam.d/sshd directly so that any password logs the user in.

The log entries look normal.

PS: Why does this log the user in? Go back to the control flags in 0x02.
