Linux self-study note--nsswitch and Pam

Source: Internet
Author: User
Tags: ldap


nsswitch: Name Service Switch

A common framework that provides one shared implementation for interacting with various types of name storage;

Implementation: /usr/lib64/libnss*, /lib64/libnss*

Framework: libnss

Drivers: libnss_files-* and the like, one library per backing store

Each application that uses the resolver library finds its stores through a configuration file:

/etc/nsswitch.conf

Format: DB: store1 store2 ...

For example:

passwd: files

hosts: files dns

Backing stores the resolver library can use:

files, relational database management system (MySQL), NIS, LDAP, DNS

Lookup status returned by each type of store:

STATUS = success | notfound | unavail | tryagain

Action taken for each status:

return | continue

Example:

hosts: files nis [NOTFOUND=return] dns

(the bracketed action applies to the store just before it; by default success means return and every other status means continue, so here a "not found" from NIS stops the lookup before DNS is asked)

getent command:

getent DATABASE [key]
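The lookup rules above, walked through in code. This is an added example and not part of the original note; the store outcomes passed to `lookup()` are constructed, and the parser only supports the `return`/`continue` actions discussed here (no `!` negation and no `merge`).

```python
# Added example, not from the original note: a small simulator of the
# nsswitch.conf lookup rules. Each store returns one of four statuses; the
# action bound to that status (default: success=return, the other three
# =continue) decides whether the next store on the line is consulted.
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nss_line(line):
    """'hosts: files nis [NOTFOUND=return] dns' ->
    ('hosts', [('files', {...}), ('nis', {...}), ('dns', {...})]).
    A [status=action ...] block modifies the store immediately before it."""
    db, _, rest = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action block before any store: %r" % line)
            for pair in tok[1:-1].split():
                status, action = pair.lower().split("=", 1)
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError("unsupported action %r" % pair)
                entries[-1][1][status] = action
        else:
            entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
    return db.strip(), entries


def lookup(line, store_results):
    """store_results: store name -> status that store yields for the key
    (constructed for the example). Returns (answering_store, final_status,
    trace); answering_store is None unless some store succeeded."""
    _, entries = parse_nss_line(line)
    trace, status = [], "unavail"
    for store, actions in entries:
        status = store_results.get(store, "unavail")  # unlisted store: unavail
        trace.append((store, status))
        if actions[status] == "return":
            return (store if status == "success" else None), status, trace
    # every store said "continue": the last status seen is the overall result
    return None, status, trace


if __name__ == "__main__":
    line = "hosts: files nis [NOTFOUND=return] dns"
    # NIS answers "not found" -> lookup stops, DNS is never asked
    print(lookup(line, {"files": "notfound", "nis": "notfound", "dns": "success"}))
    # NIS unreachable -> continue on to DNS
    print(lookup(line, {"files": "notfound", "nis": "unavail", "dns": "success"}))
```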

PAM: Pluggable Authentication Modules

Authentication library: the store

Multiple types of store: files, relational database management system, LDAP, NIS

PAM: a common framework that provides one shared implementation for interacting with various types of store, plus a number of helper functions:

/lib64/security/*

Configuration files: each application that calls PAM gets its own dedicated configuration:

Common configuration file: /etc/pam.conf, which holds the configuration for every application that calls PAM to perform authentication;

Private configuration files: /etc/pam.d/*, each normally dedicated to one particular application;

Typically every application uses a separate configuration file;

Configuration file format:

Common configuration file:

application type control module-path module-arguments

Private configuration file:

type control module-path module-arguments

type: the category of check being performed

auth: authentication of the user and authorization of the account;

account: non-authentication functions related to account management;

password: the password-complexity check mechanism used when a user changes a password;

session: extra actions required before the user receives the service or after the service finishes;

control: how multiple checks of the same type are combined;

Two ways to write it:

1) Simple form: a single keyword

2) Detailed form: one or more "status=action" pairs

Simple form:

required: must pass this check; a failure makes the overall result a failure, but whether it passes or fails, the remaining modules of the same type are still checked;

requisite: one vote rejects; a failure returns failure immediately, a pass continues to the remaining modules of the same type;

sufficient: one pass suffices; a pass returns success immediately, a failure continues to the remaining modules of the same type;

optional: optional; its result is only used for reference;

include: invoke the checks of the same type from another configuration file;

Detailed form:

[status1=action1 status2=action2 ...]

status: the return status of the module

action: the action taken, such as ok, done, die, bad, ignore, ...

module-path: path of the module file;

relative path: relative to the /lib64/security/ directory;

absolute path: can be anywhere accessible;

module-arguments: the module's own parameters;
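How the simple control keywords combine in practice, as an added example that is not part of the original note. It parses a private-file stack in the "type control module-path module-arguments" format shown above, expands `include`, and evaluates the stack from a dict of per-module outcomes; the `/etc/pam.d` contents and the outcomes are constructed, not real system files, and `optional` is modelled only for the case where it is the sole module in the stack.

```python
# Added example, not part of the original note: evaluates a PAM "auth" stack
# written in the private-file format (type control module-path arguments)
# using the simple control keywords, including "include".
FILES = {  # constructed stand-ins for /etc/pam.d/<service>, not real files
    "system-auth": """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth required   pam_deny.so
""",
    "sshd": """
auth required   pam_sepermit.so
auth include    system-auth
""",
}


def parse_stack(service, typ, files=FILES):
    """Return [(control, module)] entries of one type, expanding 'include'."""
    stack = []
    for line in files[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != typ:
            continue
        control, module = fields[1].lower(), fields[2]
        if control == "include":
            stack.extend(parse_stack(module, typ, files))
        else:
            stack.append((control, module))
    return stack


def evaluate(stack, outcomes):
    """outcomes: module file -> True (PAM_SUCCESS) or False. Returns 'success'
    or 'failure'; 'optional' only decides when it is the sole module."""
    failed = False
    for control, module in stack:
        ok = outcomes.get(module, False)  # an unlisted module counts as failing
        if control == "required" and not ok:
            failed = True                 # remember, but keep checking
        elif control == "requisite" and not ok:
            return "failure"              # one vote rejects immediately
        elif control == "sufficient" and ok and not failed:
            return "success"              # one pass suffices, unless an earlier
                                          # required module already failed
        elif control == "optional" and len(stack) == 1:
            return "success" if ok else "failure"
    return "failure" if failed else "success"


if __name__ == "__main__":
    stack = parse_stack("sshd", "auth")
    print(evaluate(stack, {"pam_sepermit.so": True, "pam_env.so": True,
                           "pam_unix.so": True}))                   # success
```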

Example modules:

pam_limits.so: resource limits

Implements per-user limits on the resources available to a user's processes, such as the number of files that can be opened, the number of processes that can be run, and the amount of memory that can be used;

Two ways to change a limit:

1) the ulimit command;

2) configuration files: /etc/security/limits.conf, /etc/security/limits.d/*.conf

Configuration file: each line is defined as:

<domain> <type> <item> <value>

<domain>: which objects the limit applies to

username

@group

*: all users

<type>: kind of limit

soft: soft limit, which ordinary users may adjust for themselves;

hard: hard limit, set by root and enforced by the kernel;

-: soft and hard use the same value;

<item>: the resource being limited

nofile: maximum number of files open at the same time; the default is 1024;

nproc: maximum number of processes running concurrently; the default is 1024;

ulimit: command to adjust the soft limit:

-n maximum number of open file descriptors;

-u maximum number of user processes;

-S use the 'soft' resource limit;

-H use the 'hard' resource limit;
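Resolving what a given user actually gets from limits.conf-style lines, as an added example that is not part of the original note. The sample lines and the user's group membership are constructed; the precedence it applies (a username line beats an @group line, which beats `*`, and among equal-precedence lines the last one wins) is how pam_limits applies the file.

```python
# Added example, not part of the original note: resolve the effective soft and
# hard limit for a user from "<domain> <type> <item> <value>" lines.
# Precedence: username > @group > '*'; the last line wins on equal precedence.
SAMPLE = """
# constructed limits.conf lines for the example
*        soft  nofile  1024
*        hard  nofile  4096
@devs    -     nofile  8192
alice    soft  nofile  2048
alice    hard  nproc   unlimited
"""
PRECEDENCE = {"user": 0, "group": 1, "wildcard": 2}


def parse_limits(text):
    """Yield (domain, type, item, value) for each non-comment, well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].startswith("#"):
            continue
        domain, typ, item, value = fields
        yield domain, typ, item, value


def effective_limit(text, user, groups, item):
    """Return {'soft': value, 'hard': value}; a value is None when no line
    for this item applies to the user (groups is a set of group names)."""
    best = {"soft": (99, None), "hard": (99, None)}   # (rank, value)
    for domain, typ, it, value in parse_limits(text):
        if it != item:
            continue
        if domain == user:
            rank = PRECEDENCE["user"]
        elif domain.startswith("@") and domain[1:] in groups:
            rank = PRECEDENCE["group"]
        elif domain == "*":
            rank = PRECEDENCE["wildcard"]
        else:
            continue                                   # line is not for us
        for t in (("soft", "hard") if typ == "-" else (typ,)):
            if rank <= best[t][0]:                     # later line wins ties
                best[t] = (rank, value)
    return {t: v for t, (_, v) in best.items()}


if __name__ == "__main__":
    print(effective_limit(SAMPLE, "alice", {"devs"}, "nofile"))
    print(effective_limit(SAMPLE, "bob", set(), "nofile"))
```

pam_limits does not apply @group or `*` lines to root; the function above does not model that special case.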

