Linux PAM && PAM backdoor. Author: chaps. 2014/03/24 11:08
0x00 PAM Introduction
PAM (Pluggable Authentication Modules) is an authentication mechanism originally proposed by Sun. By providing a set of dynamic link libraries and one unified API it separates the services a system offers from the way those services authenticate users, so an administrator can configure a different authentication method for each service as needed without touching the service program, and new authentication methods can be added to the system easily. PAM was first integrated into Solaris and has since been ported to other systems such as Linux, SunOS, HP-UX 9.0 and others.
0x01 PAM Workflow
0x02 PAM configuration file syntax
module-type control-flag module-path module-options
Each file under /etc/pam.d/ is named after a service and holds the PAM rules for that service: the rules for sshd, for example, are in /etc/pam.d/sshd. There is also a special file named other; a service that has no file of its own is handled by the rules in /etc/pam.d/other.
module-type
The type of service the module provides: auth, account, session or password.
The authentication type (auth) authenticates the user and sets or destroys credentials. The account management type (account) performs the checks that are not about the password itself: access restrictions, account and credential expiry, password rules and so on. The session type does set-up and tear-down work at the start and end of a session, and the password type is used to update the user's authentication token.
control-flag
States how the module's result contributes to the overall success or failure of the service. The valid control flags are include, optional, required, requisite and sufficient.
required: the module must return success for authentication to pass. If it fails, the user is not told immediately; the remaining modules in the same stack still run, and the failure is handed back to the application only after all of them have finished. A necessary condition.
requisite: like required, the module must return success, but as soon as it fails no further module in the stack is executed and control returns to the application at once. Also a necessary condition.
sufficient: if the module returns success (and no earlier required module in the stack has failed), that is enough to pass and no further modules in the stack are executed; if it returns failure, the failure is ignored. A sufficient condition.
optional: the module's result only matters if it is the only module in the stack for that service and type.
include: pulls in all lines of the same type from the named configuration file (this is how services share system-auth).
module-path
The path of the shared library that implements the module. Usually only the library name is written; the libraries live in /lib/security (32-bit) or /lib64/security (64-bit).
module-options
Options passed to the module; optional. A few common ones:
debug: the module writes debugging information to the system log via syslog().
no_warn: the module should not send warning messages to the application.
use_first_pass: the module must not prompt for a password; it has to use the password already collected from the user by the previous module.
try_first_pass: the module first tries the password collected by the previous module and only prompts the user for a new one if that password does not verify.
use_mapped_pass: the module must not prompt for a password; it uses a mapped password instead.
# cat /etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
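As an added example (written for this article; it is not code from the original post or from Linux-PAM), here is a small parser for files in the /etc/pam.d syntax above and a simulator of how libpam combines the results of one stack according to the control flags, which is also what the stack figures of the next section describe. The sshd and system-auth contents are constructed in the style of the CentOS 6 defaults, the per-module results are supplied by hand instead of running real modules, and the [value=action] bracket syntax is not modelled.

```python
"""Parse /etc/pam.d-style files and simulate how Linux-PAM combines the
results of one stack.  Added example for this article, not code from the
original post or from Linux-PAM; the files below are constructed and the
module results are supplied by the caller instead of running real modules.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "mtype control module args")

# Constructed sample: an sshd file that includes system-auth, written in the
# style of the CentOS 6 defaults.  Only the auth stacks matter for the demo.
FILES = {
    "sshd": """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
""",
    "system-auth": """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       requisite    pam_succeed_if.so uid >= 500 quiet
auth       required     pam_deny.so
account    required     pam_unix.so
""",
}


def parse_pam_file(text):
    """One Rule per non-comment line: type, control flag, module, options."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].startswith("["):
            # the [value=action ...] syntax is not modelled here
            raise ValueError("unsupported or malformed line: %r" % raw)
        rules.append(Rule(fields[0].lower(), fields[1].lower(), fields[2], fields[3:]))
    return rules


def build_stack(files, service, mtype, depth=0):
    """Flatten the stack of one type for a service, following 'include' lines."""
    if depth > 8:
        raise ValueError("include loop")
    stack = []
    for r in parse_pam_file(files[service]):
        if r.mtype != mtype:
            continue
        if r.control == "include":
            stack.extend(build_stack(files, r.module, mtype, depth + 1))
        else:
            stack.append(r)
    return stack


# The keyword flags are shorthand for the [...] action tables in pam.conf(5):
#   required   = [success=ok   default=bad]
#   requisite  = [success=ok   default=die]
#   sufficient = [success=done default=ignore]
#   optional   = [success=ok   default=ignore]
ACTIONS = {
    "required": ("ok", "bad"),
    "requisite": ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional": ("ok", "ignore"),
}


def run_stack(stack, results):
    """results maps module name -> True/False.  Returns (outcome, modules consulted).

    Mirrors libpam's dispatch loop: 'bad' is remembered and wins, 'die' stops
    at once, 'done' stops only if nothing has gone bad yet, and a stack that
    never produced a definite impression fails.
    """
    impression = None           # None = undecided, True = positive, False = negative
    consulted = []
    for rule in stack:
        if rule.control not in ACTIONS:
            raise ValueError("unsupported control flag %r" % rule.control)
        consulted.append(rule.module)
        on_success, on_failure = ACTIONS[rule.control]
        action = on_success if results.get(rule.module, False) else on_failure
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if action == "done" and impression:
                break                       # sufficient: short-circuit success
        elif action == "bad":
            impression = False              # required: remember, keep going
        elif action == "die":
            impression = False              # requisite: stop immediately
            break
        # "ignore" changes nothing
    return ("PAM_SUCCESS" if impression else "PAM_AUTH_ERR"), consulted


def authenticate(files, service, results):
    return run_stack(build_stack(files, service, "auth"), results)


if __name__ == "__main__":
    print(authenticate(FILES, "sshd", {"pam_env.so": True, "pam_unix.so": True, "pam_succeed_if.so": True}))
    # wrong password for a normal user: pam_unix is ignored, pam_deny fails
    print(authenticate(FILES, "sshd", {"pam_env.so": True, "pam_succeed_if.so": True}))
    # wrong password for uid < 500: requisite pam_succeed_if stops the stack early
    print(authenticate(FILES, "sshd", {"pam_env.so": True}))
    # right password, but an earlier required module failed: sufficient cannot rescue it
    print(authenticate(FILES, "sshd", {"pam_unix.so": True, "pam_succeed_if.so": True}))
```

The four calls at the bottom are the cases worth remembering: a sufficient success ends the stack early, a requisite failure ends it early, a required failure is carried to the end no matter what follows, and a sufficient success after a required failure does not rescue the login.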
0x03 How the PAM stack works
Figure 1: how PAM builds the stack (Solaris; some Linux versions do not include this)
Figure 2: how PAM determines the final return value (Solaris)
0x04 Common PAM modules
Translated from the official documentation (/usr/share/doc/pam-1.1.1); the translation may be wrong in places.
1. pam_securetty.so
Type: auth
Function: applies to root only; restricts the terminals root may log in from. The system's default list of "secure" terminals is kept in /etc/securetty.
2. pam_access.so
Type: account
Function: access control based on the login name, the host name or domain, the IP address or network, or the terminal (similar to /etc/securetty). The default configuration file is /etc/security/access.conf.
3. pam_tally2.so
Type: auth
Function: locks the account once the user has entered a wrong password more than the allowed number of times.
Parameters:
onerr=[fail|succeed]: what to return if the module itself runs into an error (for example the counter file cannot be opened): succeed lets the login go on, fail refuses it.
file=/path/to/counter: where the failure counter is kept; the default is /var/log/tallylog. Every failed login increments the user's counter, and the pam_tally2 command can read it.
audit: if the user name does not exist, log it anyway. silent: print nothing to the user. no_log_info: do not log to syslog.
deny=n: after n consecutive failures the account is locked from the (n+1)th attempt on; if no unlock_time is set, it has to be unlocked manually.
unlock_time=n: once locked, the account is unlocked again after n seconds (the user's entry in /var/log/tallylog is cleared); used together with deny.
magic_root: when the calling process runs as uid 0 the counter in /var/log/tallylog is not written, i.e. the module is effectively skipped.
even_deny_root: apply the lock to root as well (without it root is never denied).
root_unlock_time=n: the unlock time for root, used together with even_deny_root.
A successful login resets the user's record in /var/log/tallylog. The older pam_tally.so module still exists alongside pam_tally2.so.
4. pam_cracklib.so
Type: password
Function: restricts the length, complexity and so on of a new password.
Parameters:
debug: write the password check to the system log.
retry=n: how many attempts the user gets when changing the password; the default is 1.
difok=n: how many characters of the new password must differ from the old one. If more than half of the characters differ, the difok setting is ignored and the password is accepted.
minlen=n: the minimum password length, counted with credits (see below).
dcredit=n, ucredit=n, lcredit=n, ocredit=n: for digits, upper-case letters, lower-case letters and other (special) characters respectively. With n >= 0, using that class adds up to n to the counted length (so a 9-character password containing all four classes counts as 13 with the default credit of 1); with a negative n, at least -n characters of that class are required and no credit is given. "At least n" therefore only holds for negative values.
minclass=n: the minimum number of character classes (digits, upper case, lower case, specials) that must appear in the password.
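The credit arithmetic above is easy to get wrong, so here is pam_cracklib's length accounting as documented in pam_cracklib(8), written as an added example for this article (it is not code from the original post or from pam_cracklib). It models only minlen, the four credit options and minclass; the dictionary, palindrome and difok checks the real module also performs are left out, and the default values come from the module's documentation.

```python
"""pam_cracklib's length accounting: the password length plus up to N credits
per character class for a credit value N >= 0, while a negative value -N
means "at least N of this class" and gives no credit.  Added example for this
article, not code from the original post or from pam_cracklib; the dictionary,
palindrome and difok checks of the real module are not modelled.
"""
import string

# defaults as documented in pam_cracklib(8)
DEFAULTS = dict(minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1, minclass=0)


def _counts(password):
    """How many characters of each credit class the password contains."""
    digits = sum(c in string.digits for c in password)
    uppers = sum(c in string.ascii_uppercase for c in password)
    lowers = sum(c in string.ascii_lowercase for c in password)
    others = len(password) - digits - uppers - lowers
    return {"dcredit": digits, "ucredit": uppers, "lcredit": lowers, "ocredit": others}


def cracklib_check(password, **opts):
    """Return None if the password passes, otherwise the reason it fails."""
    o = dict(DEFAULTS, **opts)
    counts = _counts(password)
    size = len(password)
    for cls, n in counts.items():
        credit = o[cls]
        if credit >= 0:
            size += min(n, credit)          # bonus length for using this class
        elif n < -credit:
            return "needs at least %d characters of class %s" % (-credit, cls)
    if size < o["minlen"]:
        return "too short: counted length %d < minlen %d" % (size, o["minlen"])
    classes = sum(1 for n in counts.values() if n)
    if classes < o["minclass"]:
        return "only %d character classes, minclass=%d" % (classes, o["minclass"])
    return None


if __name__ == "__main__":
    # 9 characters, but all four classes give +1 credit each, so it counts as 13 >= 12
    print(cracklib_check("Passw0rd!", minlen=12))
    # dcredit=-2 demands two digits: the credit is gone and the check fails
    print(cracklib_check("Passw0rd!", minlen=12, dcredit=-2))
    # with all credits set to 0, minlen becomes a real minimum length
    print(cracklib_check("Passw0rd!", minlen=12, dcredit=0, ucredit=0, lcredit=0, ocredit=0))
```

The practical consequence: a policy of minlen=12 with the default credits accepts 8- and 9-character passwords; set the credits to 0 if minlen is meant literally, or to negative values if a class is actually required.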
5. pam_limits.so
Type: session
Function: limits resource usage. The default configuration file /etc/security/limits.conf is global; the files under /etc/security/limits.d/ are per-topic sub-files.
6. pam_listfile.so
Type: auth
Function: decides whether a user may log in by looking an item up in a list file.
Parameters:
item=[tty|user|rhost|ruser|group|shell]: which attribute is looked up.
sense=[allow|deny]: whether a match in the file allows or denies.
file=/path/filename: the list file, one entry per line.
onerr=[succeed|fail]: the return value when something goes wrong (file missing, unreadable, and so on).
Example:
auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/ftpusers
The users listed in /etc/ftpusers are not allowed in.
7. pam_nologin.so
Type: auth
Function: refuses login to every user except root while /etc/nologin (or the file named by the file= option) exists.
Parameter:
file=/path/nologin: if this file exists, its contents are also shown to the user who is being refused. The default is /etc/nologin.
0x05 PAM backdoor
Test environment: CentOS 6.2, 64-bit
0x05a Check the PAM version installed on the machine
rpm -qa | grep pam
Download the source of the matching version from:
http://www.linux-pam.org/library/
https://fedorahosted.org/releases/l/i/linux-pam/
0x05b Modify the source
vim /mnt/Linux-PAM-1.1.1/modules/pam_unix/pam_unix_auth.c
Inside PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv), declare FILE *fp;
PS: the backdoor patches circulating on the web modify this same spot.
0x05c Compile the source
Resolve the dependencies, then configure and build:
yum install gcc make flex -y
./configure && make
The compiled pam_unix.so ends up in
/mnt/Linux-PAM-1.1.1/modules/pam_unix/.libs
Use it to replace the file in /lib64/security (on a 32-bit system /lib/security).
0x05d Login test
0x05e Use touch -r to copy the original file's timestamp onto the new one
PS: the sizes of the two files still differ, though.
And with this modification, the entries in /var/log/secure differ from those of a normal login.
0x05f Tidy it up a little
vim /mnt/Linux-PAM-1.1.1/modules/pam_unix/pam_unix_auth.c
vim /mnt/Linux-PAM-1.1.1/modules/pam_unix/support.c
Log in again and test:
consistent now, o(∩_∩)o
0x05g There is also a cruder way: edit /etc/pam.d/sshd directly so that whatever password is typed gets you in.
Normal log
PS: as for why that logs you in, read the basics in the first part carefully and it becomes clear.
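Once the log entries are consistent, the only thing left to check is the files themselves, and touch -r only hides the mtime: the size and the digest of the replaced pam_unix.so still differ from what the pam package installed, and an edited /etc/pam.d/sshd differs from what openssh-server installed. The script below is an added example for this article (not from the original post); it assumes an RPM-based system like the CentOS 6 host used above, parses the output of `rpm -V` (one line per file that no longer matches the package database, with a flag column in which S = size, M = mode, 5 = digest, D = device, L = symlink, U = user, G = group, T = mtime, and P = capabilities on rpm 4.8 and later) and reports the PAM files whose content changed. The sample output is constructed for the example.

```python
"""Decide from `rpm -V` output whether PAM files were replaced.  Added example
for this article, not code from the original post.  Assumes an RPM-based
system; the sample output below is constructed.
"""
import re
import subprocess

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "caps"}

# "S.5....T.  c /etc/pam.d/sshd" or "missing     /usr/share/doc/...": the optional
# one-letter column between the flags and the path is the file type (c = config).
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")

# The files a PAM backdoor has to touch: the modules, or the per-service rules.
PAM_PATHS = re.compile(r"^/lib(64)?/security/[^/]+\.so$|^/etc/pam\.d/")

# Constructed sample of `rpm -V pam openssh-server` on a host with a replaced
# pam_unix.so, a touched pam_env.so, an edited sshd file and an edited limits.conf.
SAMPLE_OUTPUT = """\
S.5....T.    /lib64/security/pam_unix.so
.......T.    /lib64/security/pam_env.so
S.5....T.  c /etc/pam.d/sshd
S.5....T.  c /etc/security/limits.conf
missing      /usr/share/doc/pam-1.1.1/README
"""


def parse_rpm_verify(output):
    """One dict per verify line: path, whether it is a config file, what changed."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue                     # dependency messages and the like
        flags = m.group("flags")
        changed = {"missing"} if flags == "missing" else {FLAG_NAMES[c] for c in flags if c in FLAG_NAMES}
        findings.append({"path": m.group("path"), "config": m.group("ftype") == "c", "changed": changed})
    return findings


def pam_tampering(findings):
    """PAM files whose content differs from the package: size, digest or missing.

    A mtime difference on its own is ignored: touch -r hides it, as shown above,
    and a harmless touch produces it, so it proves nothing either way.  Config
    files under /etc/pam.d are reported too, because an edited sshd file is the
    0x05g variant, but an admin edit looks identical, so those need a diff.
    """
    return [f for f in findings
            if PAM_PATHS.search(f["path"]) and f["changed"] & {"size", "digest", "missing"}]


def verify_packages(packages=("pam", "openssh-server")):
    """Run rpm -V for real.  rpm exits non-zero whenever anything differs,
    so the exit status is not checked; only stdout matters."""
    out = subprocess.run(["rpm", "-V", *packages], capture_output=True, text=True)
    return pam_tampering(parse_rpm_verify(out.stdout))


if __name__ == "__main__":
    for f in pam_tampering(parse_rpm_verify(SAMPLE_OUTPUT)):
        note = "  (config file, review the diff)" if f["config"] else ""
        print("%-32s %s%s" % (f["path"], sorted(f["changed"]), note))
```

On the sample this reports pam_unix.so (size, digest and mtime changed) and /etc/pam.d/sshd, and stays quiet about pam_env.so, whose only difference is the timestamp. The same reasoning applies when the digest is taken from another source, such as a clean copy of the package or a file-integrity baseline taken before the host was exposed.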