First, nsswitch overview
1. nsswitch: Network/Name Service Switch
nsswitch is a common framework for name-service resolution that interacts with various types of storage; it is implemented in a modular way.
Implementation: /usr/lib64/libnss*, /lib64/libnss*
Framework module: libnss; driver modules: libnss_files, ...
2. Configuration file: /etc/nsswitch.conf
(1) Format
For each application that uses the resolution library, the configuration defines where the names are looked up; the format is: database: store1 store2 ...
The store can be files, a relational database management system (MySQL), NIS, LDAP, DNS, ...
Example: passwd: files    resolve passwd entries through files
hosts: files dns    resolve hosts through files first; if the name is not found there, resolve it through DNS
(2) Lookup results and status
The lookup result in each kind of store has a status: status = success | notfound | unavail | tryagain
Each status maps to a behaviour (action): return | continue
Example:
hosts: files nis [NOTFOUND=return] dns
3. getent command: get entries; look up the specified key in the specified database
getent DATABASE [key]
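To make the store order and the [STATUS=action] clause concrete, here is an added example (not from the original post) that parses nsswitch.conf lines in the format above and walks the store list the way the resolver does; the config fragment and the per-store answers are constructed, and the default actions assumed are glibc's (success=return, anything else=continue).

```python
import re

# Constructed nsswitch.conf fragment built from the page's two examples.
NSSWITCH_CONF = """
passwd: files
hosts:  files nis [NOTFOUND=return] dns
"""
STATUSES = {"success", "notfound", "unavail", "tryagain"}
ACTIONS = {"return", "continue"}

def parse_nsswitch(text):
    """Return {database: [(store, {status: action}), ...]}; a [..] clause attaches to the store before it."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        database, _, rest = line.partition(":")
        entries = []
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):   # keep [...] as one token
            if not token.startswith("["):
                entries.append((token.lower(), {}))
                continue
            for pair in token[1:-1].split():
                status, _, action = pair.lower().partition("=")
                if not entries or status not in STATUSES or action not in ACTIONS:
                    raise ValueError(f"{database}: bad clause {pair!r}")
                entries[-1][1][status] = action
        config[database.strip().lower()] = entries
    return config

def lookup(config, database, key, backends):
    """Query stores in order; backends maps store -> (key -> (status, value)). Defaults: success=return, else continue."""
    for store, overrides in config[database]:
        status, value = backends[store](key)
        default = "return" if status == "success" else "continue"
        if overrides.get(status, default) == "return":
            return status, value
    return "notfound", None

def demo():
    """Constructed stores: files knows only localhost; NIS answers notfound
    for 'intranet' and is unreachable (unavail) for everything else."""
    files = {"localhost": "127.0.0.1"}
    backends = {
        "files": lambda k: ("success", files[k]) if k in files else ("notfound", None),
        "nis": lambda k: ("notfound", None) if k == "intranet" else ("unavail", None),
        "dns": lambda k: ("success", "203.0.113.10"),   # never consulted for 'intranet'
    }
    config = parse_nsswitch(NSSWITCH_CONF)
    return {k: lookup(config, "hosts", k, backends) for k in ("localhost", "intranet", "www")}
```

Note the security-relevant difference between the two NIS outcomes: an authoritative notfound stops the walk because of [NOTFOUND=return], while an unreachable NIS server falls through to DNS.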
Second, PAM overview
1. PAM: Pluggable Authentication Modules
A common framework that provides a unified implementation for interacting with various types of storage, together with a number of helper functions; the modules live in /lib64/security/*
Several types of storage can serve as the authentication database: files, relational database management systems, LDAP, NIS, ...
2. Configuration files:
(1) Dedicated configuration is provided for the various applications that call PAM
Generic: /etc/pam.conf provides the configuration for every application that calls PAM to perform authentication;
Dedicated: /etc/pam.d/*, typically one separate configuration file for each application;
(2) Configuration file format
Generic configuration file: application type control module-path module-arguments
Dedicated configuration file: type control module-path module-arguments
3. Configuration file format in detail
(1) type: the functional category of the check
One or more of the following may be used for a given authentication:
auth: authentication and account authorization;
account: non-authentication functions related to account management;
password: the password complexity check mechanism applied when the user changes the password;
session: additional actions required before the user obtains the service or after the service completes;
(2) control: how multiple checks of the same type are combined;
1) Simple implementation: a single keyword defines the control
required: the check must pass; if it fails, the overall result is failure, but whether it succeeds or fails, checking continues with the subsequent modules of the same type;
requisite: one-vote veto; if the check fails, failure is returned immediately; if it succeeds, checking continues with the other modules of the same type.
sufficient: one-vote pass; if the check succeeds, success is returned immediately; if it fails, checking continues with the subsequent modules of the same type;
optional: optional; the result is treated as advisory;
include: invoke the checks of the same type from another configuration file;
2) Detailed implementation: use one or more "status=action" pairs
[status1=action1,status2=action2, ...]
status: the return status
action: the action taken, such as ok, done, die, bad, ignore, ...
(3) module-path: path of the module file;
Relative path: relative to the /lib64/security/ directory;
Absolute path: the module can be located in any accessible path;
(4) module-arguments: parameters specific to the module;
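The keyword controls and the "status=action" form are two views of the same mechanism, so here is an added example (not from the original post) that expresses required/requisite/sufficient/optional as status=action tables and runs a stack of constructed module results through them; the module file names are real Linux-PAM modules, but the results they return here are made up, and the one refinement beyond the page is that a sufficient success does not short-circuit once an earlier required module has failed.

```python
# Keyword controls written as the [status=action] table each one stands for
# (the mapping is Linux-PAM's; the module results fed in below are constructed).
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def run_stack(stack, results):
    """stack: [(control, module)] with control a keyword or a {status: action} dict;
    results: {module: status it returns}. Returns (verdict, modules actually run)."""
    impression, status, ran = None, None, []
    for control, module in stack:
        table = SIMPLE[control] if isinstance(control, str) else control
        ret = results[module]
        action = table.get(ret, table.get("default", "ignore"))
        ran.append(module)
        if action in ("ok", "done"):
            # Only the first verdict, or a still-positive one, is updated.
            if impression is None or (impression == "pos" and status == "success"):
                impression = "pos" if ret == "success" else "neg"
                status = ret
            if action == "done" and impression == "pos":
                break          # sufficient: return success now
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret    # the first failure is what gets reported
            if action == "die":
                break          # requisite: one-vote veto, later modules never run
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r}")
    # Nothing in the stack produced a verdict: fail closed.
    return (status if impression else "perm_denied"), ran

def demo():
    """Constructed results for a typical auth stack."""
    auth = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
            ("required", "pam_deny.so")]
    good = {"pam_env.so": "success", "pam_unix.so": "success", "pam_deny.so": "perm_denied"}
    bad_pw = {**good, "pam_unix.so": "auth_err"}
    env_fail = {**good, "pam_env.so": "auth_err"}
    veto = [("requisite", "pam_securetty.so"), ("required", "pam_unix.so")]
    return {
        "good password": run_stack(auth, good),
        "bad password": run_stack(auth, bad_pw),
        "required failed before sufficient": run_stack(auth, env_fail),
        "requisite veto": run_stack(veto, {"pam_securetty.so": "auth_err", "pam_unix.so": "success"}),
    }
```

The "bad password" case shows why a trailing required pam_deny.so matters: a failed sufficient module is merely ignored, so without it the stack would end with no verdict at all.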
Third, pam_limits.so: resource limits
1. pam_limits.so
Implements per-user limits on the resources available to a session, such as the number of files that can be opened, the number of processes that can be run, and the available memory;
2. How to modify the limits:
(1) ulimit command: used to adjust the soft limit;
-n maximum number of open file descriptors
-u maximum number of user processes
-S use the 'soft' resource limit
-H use the 'hard' resource limit
(2) Configuration files: /etc/security/limits.conf, /etc/security/limits.d/*.conf
Configuration file: one definition per line;
Format: <domain> <type> <item> <value>
<domain>: which objects the line applies to
username
@group
*: all users
<type>: type of limit
soft: soft limit; ordinary users can modify their own;
hard: hard limit; set by the root user and enforced by the kernel;
-: soft and hard use the same limit;
<item>: the type of resource being limited
nofile: the maximum number of files that can be open at the same time; the default is 1024;
nproc: the maximum number of processes that can run concurrently; the default is 1024;
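As an added example (not from the original post), the following parses lines in the <domain> <type> <item> <value> format above, expands the "-" type into a soft and a hard entry, and resolves the effective limit for a user. The config fragment and the users are constructed; the precedence rule used (a username line beats an @group line, which beats *, and among equally specific lines the later one wins) is pam_limits behaviour as the editor understands it, since the page lists only the domain forms.

```python
# Constructed limits.conf fragment in the page's <domain> <type> <item> <value> format.
LIMITS_CONF = """
*        soft    nofile   1024
*        hard    nofile   4096
@devs    -       nofile   8192      # '-' sets soft and hard together
alice    soft    nofile   2048
"""

def parse_limits(text):
    """Return [(domain, type, item, value)] with '-' expanded into a soft
    and a hard entry; malformed lines raise instead of being silently skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected <domain> <type> <item> <value>")
        domain, ltype, item, value = fields
        if ltype not in ("soft", "hard", "-"):
            raise ValueError(f"line {n}: bad type {ltype!r}")
        value = value if value == "unlimited" else int(value)
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            entries.append((domain, t, item, value))
    return entries

def effective_limit(entries, user, groups, item, ltype):
    """Most specific domain wins (user > @group > '*'); ties go to the later line.
    This precedence is assumed pam_limits behaviour, not stated on the page."""
    best, best_rank = None, -1
    for domain, t, it, value in entries:
        if (t, it) != (ltype, item):
            continue
        if domain == user:
            rank = 2            # username line: most specific
        elif domain == "*":
            rank = 0            # wildcard: least specific
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        else:
            continue            # line is for someone else
        if rank >= best_rank:
            best, best_rank = value, rank
    return best

def demo():
    """alice is in group devs; bob matches only the wildcard lines."""
    entries = parse_limits(LIMITS_CONF)
    return {user: {t: effective_limit(entries, user, groups, "nofile", t) for t in ("soft", "hard")}
            for user, groups in (("alice", {"devs"}), ("bob", set()))}
```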
This article is from the "Xu Ding blog"; please keep this source when reproducing it: http://xuding.blog.51cto.com/4890434/1738352
NSSWITCH & PAM authentication framework