This article is reproduced from Network Management: the PAM Authentication Mechanism
I. PAM Introduction
Linux-PAM (Pluggable Authentication Modules for Linux) is a shared library that lets the local system administrator choose how individual programs authenticate users. In other words, the authentication mechanism can be changed without recompiling an application that uses the PAM functions, so upgrading the local authentication mechanism does not require modifying the program.
PAM uses the configuration file /etc/pam.conf (or the files under /etc/pam.d/) to manage the authentication method of each program. An application's configuration file names the local authentication modules to call; the modules live under /lib/security and are loaded at run time as dynamic libraries (dlopen(3)).
When you run the su command, the system prompts for the root password. su does this by calling the PAM modules configured for it.
II. PAM Configuration File Introduction
1. PAM configuration file format
The PAM configuration can be written in /etc/pam.conf in the following format:
ftpd auth required pam_unix.so nullok
ftpd: the service name; this line is part of the authentication configuration for that service.
auth: the module type. PAM has four module types, each representing a different task.
required: the control flag, which tells PAM how this module's return value affects the overall result.
pam_unix.so: the module path, that is, the location of the module to be called.
nullok: a module argument, that is, a parameter passed to the module.
The other method is to put the PAM configuration in the /etc/pam.d/ directory, one file per application, named after the application (for example vsftpd or login). The format of these files is the same as pam.conf except that the leftmost service-name field is omitted. For example, /etc/pam.d/cups:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
2. PAM module types
Linux-PAM has four module types, representing four different tasks: authentication management, account management, session management and password management. A type may have several lines; PAM calls the modules of a type in the order listed.
auth: identifies the user, for example by prompting for a password or checking whether the user is root.
account: checks attributes of the account, for example whether login is allowed, whether the maximum number of users has been reached, or whether root may log in on this terminal.
session: defines actions to perform before the user logs in and after the user logs out, such as recording login information, opening and closing user data, and mounting file systems.
password: updates the user's authentication information, for example changing the user's password.
3. PAM control flags
PAM uses control flags to decide how the return value of each module contributes to the result of the whole type.
required: the module must succeed for the type to succeed. If it fails, the remaining modules of the same type are still executed, but once all of them have run the type returns failure (the first failure is the one reported).
requisite: like required, but if the module fails, failure is returned to the application immediately and the remaining modules of the same type are not executed.
sufficient: if the module succeeds, and no earlier required module has failed, success is returned to the application immediately and the remaining modules of the same type are not executed. If it fails, the result of the type is unaffected.
optional: the module's success or failure is ignored unless it is the only module of that type for the service.
Because required keeps calling the rest of the stack after a failure, a caller cannot tell which module rejected it; requisite stops early, which is faster but reveals that the earlier check failed.
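The four flags are easiest to understand by watching a stack run. The following C program is an added example, not code from the original article or from Linux-PAM itself: it parses a constructed /etc/pam.d-style configuration (the login_stack string) and evaluates one management type over it using the action tables that pam.conf(5) gives for required, requisite, sufficient and optional. Module results come from constructed lookup tables (the insecure_tty and already_root scenarios) instead of real modules, so it builds with plain cc and needs no libpam; the PAM_* return-code values are the ones Linux-PAM assigns. Assumptions: only the four simple keywords are handled (bracketed controls, include and substack are not), an unrecognised keyword is treated as a failure, and a module absent from the scenario table behaves like one that failed to load. The run() helper and the last_consulted counter are this example's own names.

```c
#include <stdio.h>
#include <string.h>
/* Return codes, with the numeric values Linux-PAM assigns to them */
enum { PAM_SUCCESS = 0, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7,
       PAM_NEW_AUTHTOK_REQD = 12, PAM_IGNORE = 25, PAM_MODULE_UNKNOWN = 28 };
#define MAX_ENTRIES 32
struct entry { char type[16], control[16], module[64]; };  /* one pam.d line */
struct outcome { const char *module; int rc; };  /* simulated result; arrays end with NULL */
enum action { ACT_IGNORE, ACT_OK, ACT_DONE, ACT_BAD, ACT_DIE };

/* Parse pam.d-style text (no service column) into entries and return the count.
 * Comment lines such as "#%PAM-1.0" are skipped; module arguments are not needed here. */
static int parse_config(const char *text, struct entry *out, int max)
{
    char buf[1024], *line;
    int n = 0;
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (line = strtok(buf, "\n"); line && n < max; line = strtok(NULL, "\n"))
        if (sscanf(line, "%15s %15s %63s", out[n].type, out[n].control, out[n].module) == 3
            && out[n].type[0] != '#')
            n++;
    return n;
}

/* pam.conf(5) defines the simple keywords as action tables: required = success=ok ignore=ignore
 * default=bad; requisite = the same with default=die; sufficient = success=done default=ignore;
 * optional = success=ok default=ignore. */
static enum action action_for(const char *control, int rc)
{
    int ok = (rc == PAM_SUCCESS || rc == PAM_NEW_AUTHTOK_REQD);
    if (rc == PAM_IGNORE) return ACT_IGNORE;
    if (!strcmp(control, "required"))   return ok ? ACT_OK : ACT_BAD;
    if (!strcmp(control, "requisite"))  return ok ? ACT_OK : ACT_DIE;
    if (!strcmp(control, "sufficient")) return ok ? ACT_DONE : ACT_IGNORE;
    if (!strcmp(control, "optional"))   return ok ? ACT_OK : ACT_IGNORE;
    return ACT_BAD;  /* assumption: an unsupported keyword counts as a failure */
}

/* Evaluate the stack of one type. *consulted receives how many modules were called: "required"
 * keeps going after a failure (so the caller cannot tell which module rejected it), "requisite" stops. */
static int eval_stack(const struct entry *stack, int n, const char *type,
                      const struct outcome *o, int *consulted)
{
    enum { UNDEF, POSITIVE, NEGATIVE } impression = UNDEF;
    int status = PAM_PERM_DENIED;  /* an empty stack is a denial */
    int i, j, rc, called = 0;
    enum action act;
    for (i = 0; i < n; i++) {
        if (strcmp(stack[i].type, type) != 0)
            continue;
        rc = PAM_MODULE_UNKNOWN;  /* a module missing from the scenario acts like a load failure */
        for (j = 0; o[j].module; j++)
            if (!strcmp(o[j].module, stack[i].module))
                rc = o[j].rc;
        called++;
        act = action_for(stack[i].control, rc);
        if (act == ACT_BAD || act == ACT_DIE) {
            if (impression != NEGATIVE) { impression = NEGATIVE; status = rc; }  /* first failure wins */
            if (act == ACT_DIE) break;  /* requisite: stop immediately */
        } else if (act == ACT_OK || act == ACT_DONE) {
            /* a success only counts while nothing earlier has failed */
            if (impression == UNDEF || (impression == POSITIVE && status == PAM_SUCCESS)) {
                impression = POSITIVE; status = rc;
            }
            if (act == ACT_DONE && impression == POSITIVE) break;  /* sufficient: return now */
        }
    }
    if (status == PAM_SUCCESS && impression != POSITIVE)
        status = PAM_PERM_DENIED;  /* Linux-PAM's sanity check: success needs a positive impression */
    *consulted = called;
    return status;
}

/* Constructed configuration in the style of /etc/pam.d/login */
static const char *login_stack =
    "#%PAM-1.0\n"
    "auth     sufficient pam_rootok.so\n"
    "auth     required   pam_securetty.so\n"
    "auth     required   pam_unix.so nullok\n"
    "account  required   pam_unix.so\n"
    "account  optional   pam_warn.so\n";
/* Constructed scenarios: what each module would answer */
static const struct outcome insecure_tty[] = {  /* root, correct password, tty not in /etc/securetty */
    { "pam_rootok.so", PAM_AUTH_ERR }, { "pam_securetty.so", PAM_AUTH_ERR },
    { "pam_unix.so", PAM_SUCCESS }, { "pam_warn.so", PAM_IGNORE }, { NULL, 0 } };
static const struct outcome already_root[] = {  /* caller is already uid 0 */
    { "pam_rootok.so", PAM_SUCCESS }, { "pam_unix.so", PAM_SUCCESS }, { NULL, 0 } };
static int last_consulted;  /* how many modules the last run() called */

/* Parse a configuration and evaluate one management type under a scenario */
static int run(const char *config, const char *type, const struct outcome *o)
{
    struct entry stack[MAX_ENTRIES];
    int n = parse_config(config, stack, MAX_ENTRIES);
    return eval_stack(stack, n, type, o, &last_consulted);
}

int main(void)
{
    int rc = run(login_stack, "auth", insecure_tty);
    printf("auth result %d after consulting %d modules\n", rc, last_consulted);
    return rc != PAM_SUCCESS;
}
```

Run as written, it evaluates the auth stack for root typing the correct password on a terminal that is not in /etc/securetty: the result is PAM_AUTH_ERR (7) after all three auth modules were consulted, because required keeps going after pam_securetty.so fails and the later success of pam_unix.so cannot override that failure. Change the flag on pam_securetty.so to requisite and only one module is consulted; move a sufficient pam_unix.so above it and the securetty check is never reached at all, which is the classic ordering mistake in a PAM stack.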
4. Module path
The module path is the location of the module to be called; modules are normally stored in /lib/security/, for example pam_unix.so.
The same module can appear under different types and performs different operations for each, because a module implements a separate function for every module type it supports.
5. Module arguments
Module arguments are the parameters passed to the module. Several arguments are separated by spaces, for example:
password required pam_unix.so nullok obscure min=4 max=8 md5
III. Writing the PAM Configuration File
1. Introduction to PAM modules
pam_unix.so module:
auth type: prompts the user for a password and checks it against /etc/shadow; returns 0 (PAM_SUCCESS) on a match.
account type: checks the user's account information (including whether the account has expired); returns 0 when the account is usable.
password type: changes the user's password and writes the new password to the shadow file.
pam_cracklib.so module:
password type: this module can be inserted into a program's password stack to check password strength. It prompts the user for the new password and compares it against the system dictionary.
pam_loginuid.so module:
session type: sets the login UID of the process to that of the authenticated user so that the audit subsystem can attribute later actions to that user.
pam_securetty.so module:
auth type: for root to log in, the TTY must be listed in /etc/securetty.
pam_rootok.so module:
auth type: checks whether the calling user's UID is 0; if it is, PAM_SUCCESS is returned.
pam_lele.so module:
session type: changes the permissions of the terminal device files when a user logs in at the terminal and restores them when the user logs out.
pam_permit.so module:
auth, account, password and session types: pam_permit always returns success. Because it succeeds unconditionally, it must not be placed where it can satisfy an auth stack before a real authentication module has run.
pam_env.so module:
auth type: pam_env sets environment variables. If no file is specified, it reads /etc/security/pam_env.conf by default.
pam_xauth.so module:
session type: pam_xauth forwards xauth keys between users.
Without pam_xauth, when a user runs su to become another user, the new user can no longer access the original user's X display, because the new user does not hold the key. With pam_xauth, the key is forwarded from the original user to the target user when the session is established and destroyed when the session ends.
Experiment: comment out the line "session optional /lib/security/$ISA/pam_xauth.so" in /etc/pam.d/su. Running su on a desktop terminal to switch to another user then produces an error saying the user cannot access the display. After removing the comment, switching to another user with su and running xterm opens an xterm window normally.
pam_stack.so module:
auth, account, password and session types: pam_stack calls the stack of another service. That lets several services share one set of settings, so only one file needs to be modified.
pam_warn.so module:
auth, account, password and session types: pam_warn writes information about the service, terminal, user, remote user and remote host to the system log. The module always returns PAM_IGNORE, meaning it never affects the result of the authentication process.
2. Writing a PAM configuration file
As root, run: # vi /etc/pam.d/pamtest
# prompt the user for a password
auth required pam_unix.so
# check whether the user's account is usable
account required pam_unix.so
# write a record to the system log
account required pam_warn.so
IV. PAM-based applications
1. Write the C source code
#include <stdio.h>
#include <stdlib.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>

/* File pamtest.c. This program takes a user name from the command line and
   performs auth and account verification for that user. */

/* Conversation structure used to talk to PAM; misc_conv (from libpam_misc)
   prompts on the terminal. */
static struct pam_conv conv = { misc_conv, NULL };

int main(int argc, char *argv[])
{
    pam_handle_t *pamh = NULL;
    int retval;
    const char *user = "nobody";
    const char *s1 = NULL;

    if (argc != 2) {
        fprintf(stderr, "Usage: pamtest0 [username]\n");
        exit(1);
    }
    user = argv[1];
    printf("user: %s\n", user);

    /* Use the configuration file /etc/pam.d/pamtest */
    retval = pam_start("pamtest", user, &conv, &pamh);

    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(pamh, 0);    /* auth type: is the user really who they claim? */
    else {
        /* pam_start() failed; pam_strerror() gives the error text */
        printf("pam_authenticate() : %d\n", retval);
        s1 = pam_strerror(pamh, retval);
        printf("%s\n", s1);
    }

    if (retval == PAM_SUCCESS)
        retval = pam_acct_mgmt(pamh, 0);       /* account type: is access permitted? */
    else {
        /* the preceding step failed; this branch is what reports a wrong password */
        printf("pam_acct_mgmt() : %d\n", retval);
        s1 = pam_strerror(pamh, retval);
        printf("%s\n", s1);
    }

    /* At this point we are either authorised or not */
    if (retval == PAM_SUCCESS)
        fprintf(stdout, "Authenticated\n");
    else
        fprintf(stdout, "Not Authenticated\n");

    if (pam_end(pamh, retval) != PAM_SUCCESS) {    /* close Linux-PAM */
        pamh = NULL;
        fprintf(stderr, "pamtest0: failed to release authenticator\n");
        exit(1);
    }
    return (retval == PAM_SUCCESS ? 0 : 1);        /* indicate success */
}
2. Compile
$ cc -o pamtest pamtest.c -lpam -lpam_misc -ldl
3. Write the PAM configuration file
As root, run: vi /etc/pam.d/pamtest
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
4. Set the permissions of the executable
Because pam_unix.so needs to read /etc/shadow and /etc/passwd, the pamtest binary is made setuid root. Note that this runs the whole program as root, so every operation it performs on user input runs with full privilege; current Linux-PAM releases let pam_unix verify the password of the user the program runs as through its unix_chkpwd helper without setuid, but checking another user's password, as pamtest does for root, still requires root.
# chown root.root pamtest
# chmod 4111 pamtest
# ls -hl pamtest
---s--x--x 1 root root 12K 2007-07-16 01:52 pamtest
5. Execute
The pamtest program verifies the user's password through pam_unix.so, then verifies the user's account information.
Run as an ordinary user. When the wrong password for maj is entered:
maj@m2-u:01:52:09/var/tmp$ ./pamtest maj
user: maj
Password:
pam_acct_mgmt() : 7
Authentication failure
Not Authenticated
When the correct password is entered:
maj@m2-u:01:54:44/var/tmp$ ./pamtest maj
user: maj
Password:
Authenticated
When an incorrect root password is entered:
maj@m2-u:01:58:37/var/tmp$ ./pamtest root
user: root
Password:
pam_acct_mgmt() : 7
Authentication failure
Not Authenticated
maj@m2-u:01:59:15/var/tmp$
When the correct root password is entered:
maj@m2-u:01:54:50/var/tmp$ ./pamtest root
user: root
Password:
Authenticated
maj@m2-u:01:58:37/var/tmp$