Linux--Strengthening Linux server security-pam authentication

PAM (pluggable authentication Modules) is a pluggable authentication module that is an efficient and flexible user-level authentication method that is commonly used by Linux servers today. Of course, in different versions of the Linux system to deploy PAM certification is different, this article will take the RHEL4 version as an example to resolve.

1. The need to deploy PAM certification

We know that a Linux server will open many different services, many of which do not have the authentication function, but the authentication to the user name and password. If this is the case, then all services are authenticated with the user name and password of the Linux system, which is dangerous for the server. For example, a server open ftp, SMTP, SSH and other services, then create a new user by default to enjoy the operation of the above services, then if a user's account password disclosure will involve multiple services. Therefore, it is necessary to deploy Pam authentication in a class Linux system, whether it is a PC or a server. With the new authentication module,--pam can solve the deficiency of authentication and strengthen the security of Linux system.

The way of 2.PAM authentication

PAM certification generally follows this sequence: service (services) →pam (configuration file) →pam_*.so. The PAM authentication first determines the service, then loads the corresponding PAM configuration file (located under/ETC/PAM.D) and finally calls the authentication file (located under/lib/security) for secure authentication. Typically, after the Linux system installation is complete, some default configuration files are provided to us under the/ETC/PAM.D path. Also, you need to know that the/lib/security directory is the default location for authentication files. The default profile under the/ETC/PAM.D path is the template for our PAM configuration, which we typically use to modify or add the appropriate items for security.

The composition of 3.PAM authentication, Pam module

Objectively speaking, Pam certification is more complex, simply speaking it includes four common types of authentication (module type): Auth Authentication management, account user management, password Password Authentication management, session management. Take/etc/pam.d/login as an example, we can see its configuration file, Region 1 in the Auth, account, password, session, etc. are authentication types. The required, requisite, sufficient, and optional in Zone 2 are certified process controls. The final area 3 is the certified Pam file. (Fig. 2)

650) this.width=650; "src=" http://images.51cto.com/files/uploadimg/20090916/0832010.jpg "alt=" enhance Linux server security with PAM authentication " />

Process of 4.PAM Certification

To facilitate an in-depth understanding of the PAM certification process, we use the pam-login as an example to verify user login. Pam certification process from the beginning of the verification to the end of the line, one-by-one certification. For example, the user login server, a total of 10 auth type certification, assuming the first certification failure, the general situation after nine must also be certified. Why the general situation? In fact, there is a non-general situation. Then this user action success is to see Auth authentication after the area 2 is how to deal with. See in Figure 2 that the processing field has required and optional, where the required represents the authentication must pass, that is, regardless of the number of successful statements, as long as the failure of one, then the authentication fails. The area 3 you see in Figure 2 is the authentication module, and the "pam_securetty.so" in the second line is the file. In Rhel, authentication is mostly a relative path.

5.PAM Certification Test

Pam_securetty.so is an authentication module file, the authentication module is only valid for the root user, when the root login system, will see if there is a security terminal, security terminal is the/etc/securetty file, such as you run "W" command to see what is under the TTY is a secure terminal. If there is a secure terminal to pass authentication, otherwise fail. Some administrators for security, do not let the root user directly log in, he will put the/etc/securetty file Qing Dynasty Empty, this ensures that when the root password, also can not log on locally.

For the following experimental convenience, can see the effect, we put "auth required pam_securetty.so" This certification joins the SSH Service PAM module who file (/ETC/PAM.D/SSHD) The first line, the purpose is to let the SSH service application of this certification. You can then add this authentication statement by executing "VI etc/pam.d/sshd" in the console window. In the same way, if you add this statement to the login file (the default is that the authentication is written off, we cancel the previous # on it), the control is to log in from the local console, the same way if you add this statement to the sshd file, then it will be controlled from the Telnet Server 22 port process.

Below we try to SSH login system to see the effect, in the console to execute the command "ssh-l root localhost", you can see whether our root user's password is correct or not through SSH telnet to the system, the above authentication has taken effect.　In general, in order to secure the server, everyone through the PAM authentication denied root telnet system. (Fig. 4)

650) this.width=650; "src=" http://images.51cto.com/files/uploadimg/20090916/0832011.jpg "alt=" enhance Linux server security with PAM authentication " />

How to handle 6.PAM authentication

Understand the type of authentication work, we should also deeply understand the authentication process, see in Figure 2, its authentication processing mode is required, that the module certification must be successful, but if the failure, the certification process will not immediately terminate, Pam will continue the next type of authentication. The above "pam_securetty.so" certification failed, but the certification did not end, the certification "pointer" is still walking down. As shown in 4, the user is prompted to enter the password if the root user SSH login authentication fails, although authentication cannot succeed.

In addition to the process of required, there are requisite, sufficient and optional, we look at the effect of requisite. Also use the SSH service as an example, the first line of the/etc/pam.d/sshd file "auth required pam_securetty.so" changed to "auth requisite pam_securetty.so". Try to log in again, find and Figure 4 No difference, but also entered 3 times the password was rejected. But if you look at the article while trying to experiment, you will find that when you enter the password, the speed of the reaction with required slower, and in the system log is not recorded, authentication is also a failure. This shows that required and requisite are similar in that the authentication must pass, and the difference is that if it fails, the authentication process will terminate immediately and will not authenticate the following entry. (Fig. 5)

650) this.width=650; "src=" http://images.51cto.com/files/uploadimg/20090916/0832012.jpg "alt=" enhance Linux server security with PAM authentication " />

7. Restrict Root Login console

We modified the/etc/pam.d/login to restrict the root login console, open the login file to delete # in the second line, and cancel the logoff of "Auth required pam_securetty.so". Then we log on to the server locally, through the test we found that when using required, you enter the root and password, you get a reject message, when using requisite, when you enter the root return will also be denied information login failure, this is triggered by the authentication method just now.

8.PAM Certified Optional Modules

In the PAM certification, sufficient said if the certification is successful, then the type of module certification is sufficient, other similar modules will not be tested, when the certification fails, it will be the next certification, if the following type of certification success, the results are still successful. Optional that this module certification is optional, and does not affect the success or failure of authentication, this is more dangerous. For example, we added "auth required/lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr in the/etc/pam.d/sshd file. =succeed "means that only users appearing in the/etc/sshuser file are allowed to log in remotely. Then we execute the command "ssh-l root localhost", when the Sshusers file does not have the root user, the login fails, it is obvious that he was rejected by the PAM module. Then we change the authentication file, change required to sufficient, try to log in again, the result is successful login.

Summary: Pam authentication is the most important security authentication mode of Linux server system, and mastering Pam authentication is essential to strengthen system security. This article unifies the theory and the practice to the PAM authentication to make the certain analysis, actually about the Pam attestation is a big topic, hoped later has the opportunity and everybody further to share the Linux system based on the PAM authentication security skill and the experience.

Note:

Service
each program that uses PAM defines its own service name. The login program defines its service type as a LOGIN,FTPD program that defines its service type as FTP, and so on. In general, the service type is the name of the program that accesses the service, not the program that provides the service.
configuration file
The directory/ETC/PAM.D is used to configure all Pam applications. (/etc/pam.conf was used in the early versions of Pam, but if/ETC/PAM.D doesn't exist, it will still look for/etc/pam.conf, but remember, this is an obsolete file.) ）。 Each application (specifically, the service) has its own configuration file.
a real file might look like the following:

#%pam-1.0auth Required/lib/security/pam_securetty.soauth required/lib/security/pam_pwdb.so Shadow Nullokauth Required/lib/security/pam_nologin.soaccount Required/lib/security/pam_pwdb.sopassword required/lib/security /pam_cracklib.sopassword required/lib/security/pam_pwdb.so Shadownullok use_authtoksession required/lib/security/p Am_pwdb.so

The first line is a comment. Any line that starts with # is a comment. The following three lines are listed in the three modules for login authentication The first line confirms that the user is logged in as root, allowing the login TTY to be listed in the file/etc/securetty (if the file exists) the second row will cause the user to be prompted for the password and verify the password. The third line indicates whether the file/etc/nologin exists, displays its contents if it exists, and prevents it from logging in if the user is not root. Even if the first module fails, the validation of three modules is done. This is a security concern---this design never let users know why he or they are rejected, or it will make it easier to break the certification. You can change the authentication method by changing "required" to "requisite". That is, if any "requisite" module fails to return, the entire PAM authentication terminates and the other module is called back. The five lines indicate that any necessary accounting information is to be recorded. For example, if the setting uses a shadow password, the pam_db.so module is executed to check if the account is invalid or if the user password is overdue and needs to be modified. The line six (which needs to be wrapped to write) specifies that if the login program changes the user's password, it should be done using pam_pwdb.so. (This is only used when the Auth module detects that the password needs to be changed, such as when a shadow password has expired), the last line indicates that the Pam_pwdb.so module will be used to manage the current session process. At the moment, the module does nothing; it can be replaced with another required module. Note that the order of each row in the configuration file is not arbitrary. Although the required module is not much related in what order, there are some other controls, where optional is rarely used in Red Hat Linux, and sufficient and requisite require that the order of the rows be reversed.
Let's take a look at the rlogin authentication configuration:

Auth Required/lib/security/pam_securetty.soauth Sufficient/lib/security/pam_rhosts_auth.soauth required/lib/s Ecurity/pam_pwdb.so Shadow Nullokauth required/lib/security/pam_nologin.so

This is very similar to login's description, but there are more than one line of login modules described, and the order of the modules is different. First, the Pam_securetty.so module will disable logging in with Root's never secure terminal. This will effectively prevent any root mode from being logged in remotely. If you do not want to prohibit it (in this case, we recommend that your machine is either not connected to the Internet, or stay behind a well-configured firewall), delete this line. Second, the Pam_nologin.so module will check the/etc/nologin, as described above. 3rd, if the Pam_rhosts_auth.so module authentication is passed, Pam immediately returns without any password checks. If the pam_rhosts_auth.so authentication fails, the failure is ignored and the Pam_pwdb.so module continues to be called for normal password authentication. If you do not want the system to continue to ask for a password after Securetty authentication fails, you can change the required of the Pam_securetty.so module to requisite.

Reference: http://os.51cto.com/art/200909/151949.htm

Http://os.51cto.com/art/200512/13544.htm

This article comes from the "Ricky's blog" blog, please be sure to keep this source http://57388.blog.51cto.com/47388/1555033

Linux--Strengthening Linux server security-pam authentication