PAM Detailed Introduction
2014-04-02 09:26:41
Tags: PAM
Original work. Reprinting is allowed, but you must cite the original source as a hyperlink, together with the author information and this statement; otherwise legal liability will be pursued. http://lidefu.blog.51cto.com/3429777/1388751
1. PAM Introduction
PAM (Pluggable Authentication Modules) is a pluggable authentication framework. On a Linux system a wide variety of applications need authentication, and to provide it uniformly, every function that needs authentication is built as a separate module (except where the authentication mechanism is especially complex, for example HTTPS). When a program needs to authenticate, it calls the PAM modules, which live under /lib64/security (/lib/security on a 32-bit system). Not every module there performs authentication; some exist to implement PAM's more advanced features. The PAM library is provided by glibc, and which PAM modules an application uses is determined by the configuration under /etc/pam.d/*.
The process by which PAM completes authentication, using the passwd program as an example:
1) The user runs /usr/bin/passwd and enters the password.
2) passwd calls the PAM module for verification.
3) PAM looks under /etc/pam.d/* for a configuration file with the same name as the program, passwd.
4) When the configuration file is found, PAM calls the PAM modules for authentication according to the configuration in /etc/pam.d/passwd.
5) After authentication completes, the result of the verification is returned to passwd.
6) Finally, passwd decides the next action (ask for the password again, or accept it) based on the result PAM returned.
Of these steps the fourth is the most important, so next we analyze how PAM completes authentication in that step, again taking /etc/pam.d/passwd as the example. First, the configuration in /etc/pam.d/passwd:
    # cat /etc/pam.d/passwd
    #%PAM-1.0                                    <== PAM version number
    auth       include     system-auth           <== each line is one validation process
    account    include     system-auth
    password   substack    system-auth
    -password  optional    pam_gnome_keyring.so
    (columns: validation category | validation control flag | PAM module and its parameters)
• First field: validation category (type)
The validation category is divided into the following four types, which are checked in order from top to bottom.
auth
auth authenticates the user's identity. If the auth category uses several modules, each module is checked in turn. Such a module usually ends up requiring a password, so the module that follows it is used to verify the user's identity; if the account is in order, access is authorized.
account
account is mostly used to check permissions, for example whether the account or the password has expired; validation is not allowed with an expired account or password. If there is more than one module, each is checked in turn.
password
Needed when changing the password; if the user never changes the password, this type is almost never used.
session
Restricts the session. For example, vsftpd may refuse access after 6 PM, so a user who connects after 6 is restricted; or access is refused when memory is insufficient. Restrictions of this kind belong to the session type.
• Second field: validation control flag
Controls what action is taken when authentication succeeds or fails. There are two kinds of control: simple control and complex control.
• Simple control
required
If this validation succeeds it carries a success flag; if it fails it carries a failure flag, the validation as a whole fails and the failure flag is returned. It is not returned immediately, though: PAM waits until all modules have been validated, so whether this validation succeeds or fails, the remaining process continues.
requisite
If validation fails, the failure flag is returned immediately and the subsequent validation process is terminated; if validation succeeds, the subsequent process continues.
sufficient
The opposite of requisite: if this validation succeeds, the success flag is returned and the subsequent process is terminated immediately; if it fails, the subsequent process continues.
optional
Its result is only for reference; this one is just a bystander ....
• The above process is shown in the figure.
include
Includes the rules from the stack of the same name in the specified configuration file and runs them.
substack
A bit of a hassle; you don't need it.
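To make the four simple control flags concrete, here is an added example (not from the original post) in bash that simulates how PAM combines the results of a stack. The pass/fail results in each stack are constructed stand-ins for what the real modules would return; PAM obtains them by calling the modules. The stacks at the bottom are modelled on /etc/pam.d/su and /etc/pam.d/sshd: with pam_rootok.so marked sufficient, root never reaches pam_unix.so, and once that line is commented out the password check decides.

```shell
#!/bin/bash
# Added example, not part of the original post: a simulator for PAM's four
# simple control flags. Each line of a stack is
#   <control> <module> <pass|fail>
# where the third field is a constructed stand-in for the result the real
# module would return. Prints "success" or "failure" for the whole stack.

pam_stack_result() {
    local state=""   # "" = still undecided, otherwise success / failure
    local opt=""     # result of the last optional module; used only if nothing else decides
    local control module result
    while read -r control module result; do
        case "$control" in ""|"#"*) continue ;; esac      # blank line or comment
        case "$control:$result" in
            required:pass|requisite:pass)
                if [ -z "$state" ]; then state=success; fi ;;
            required:fail)
                state=failure ;;                      # remembered, but the stack keeps running
            requisite:fail)
                echo failure; return 0 ;;             # stop at once, later modules never run
            sufficient:pass)
                if [ "$state" != failure ]; then      # cannot undo an earlier required failure
                    echo success; return 0
                fi ;;
            sufficient:fail) ;;                       # a failing sufficient module is ignored
            optional:*)
                opt=$result ;;
            *)
                echo "unsupported line: $control $module $result" >&2; return 2 ;;
        esac
    done <<EOF
$1
EOF
    if [ -n "$state" ]; then
        echo "$state"
    elif [ "$opt" = pass ]; then
        echo success                                  # optional was the only module that spoke
    else
        echo failure                                  # e.g. every sufficient module failed
    fi
}

# Constructed stacks, modelled on /etc/pam.d/su and /etc/pam.d/sshd:
SU_DEFAULT='sufficient pam_rootok.so pass
required   pam_unix.so   fail'            # root running su: pam_rootok decides, pam_unix is skipped
SU_NO_ROOTOK='required   pam_unix.so   fail'   # pam_rootok commented out: the password check decides
SSHD_SECURETTY='requisite pam_securetty.so fail
required   pam_unix.so   pass'            # root over ssh: securetty refuses before the password is checked

for stack in SU_DEFAULT SU_NO_ROOTOK SSHD_SECURETTY; do
    eval "rules=\$$stack"
    echo "$stack -> $(pam_stack_result "$rules")"
done
```

The order of lines matters as much as the flags: a required failure recorded early is not undone by a sufficient success later, which is why a deny rule placed above pam_rootok.so or pam_succeed_if.so still wins.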
· PAM module paths
/etc/pam.d/*: the individual PAM configuration file for each program;
/lib/security/*: where the PAM module files actually live;
/etc/security/*: configuration files for other PAM environments;
/usr/share/doc/pam-*/: detailed PAM documentation;
· PAM module classification
pam_unix.so
The traditional account-and-password authentication mechanism: it uses the standard C library to check the account and password the user enters and completes the authentication process.
pam_permit.so
Passes directly and allows access; used to define a default policy.
pam_deny.so
Denies access; used to define a default policy.
pam_cracklib.so
Checks password strength: whether the password is in a dictionary, whether it may be the same as the previous one, how many characters it must contain at least, and how many times a wrong password may be entered are all defined by this module.
pam_shells.so
Checks whether the shell the user logs in with is a secure shell, that is, one listed in /etc/shells.
pam_securetty.so
Restricts the administrator to logging in only from a secure tty, i.e. one listed in /etc/securetty; tty is a traditional terminal.
pam_listfile.so, this thing is awesome ....
    item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=/path/filename onerr=[succeed|fail] [apply=[user|@group]] [quiet]
pam_rootok.so
The administrator's ability to su to other users without entering a password is defined by this.
pam_succeed_if.so
Lets a normal user su without a password.
pam_limits.so
Resource limits (number of open files, number of processes, etc.) for anyone, via /etc/security/limits.conf or /etc/security/limits.d/*.
pam_nologin.so
Can stop ordinary users from logging in to the host: when the file /etc/nologin exists, no ordinary user can log in any more.
Practice:
• Limit the root user to logging in only from tty2, not remotely via sshd
    # vim /etc/pam.d/sshd                      <== edit this file
    auth required pam_securetty.so             <== add this line
    # cat /etc/securetty                       <== edit this file
    console
    tty1
    tty2
• Only users in the sshusers group may log in remotely via ssh
    # groupadd sshusers                        <== add a group
    # vim /etc/pam.d/sshd                      <== edit the PAM file for remote login
    auth required pam_listfile.so item=group sense=allow file=/etc/security/allow-groups   <== add this line
    # vim /etc/security/allow-groups           <== edit the group file, the one named above
    sshusers                                   <== add the group
• The administrator needs a password for su
    # vim /etc/pam.d/su                        <== edit this file
    #auth sufficient pam_rootok.so             <== comment out this line
    # whoami
    root
    # su ldf
    Password:
• No password for the normal user ldf to su
    # vim /etc/pam.d/su                        <== edit this file
    auth sufficient pam_succeed_if.so uid = 500 use_uid quiet   <== add this line
    # id ldf
    uid=500(ldf) gid=500(ldf) groups=500(ldf)
    $ su root                                  <== try it
    #
• Limit the maximum resources a group (or user) may use
    # vim /etc/security/limits.conf            <== there is a lot that can be limited here
    @sshusers soft nofile 10000                <== soft limit, 10000 open files
    @sshusers hard nofile 10000                <== hard limit
    @sshusers - data 10000                     <== both soft and hard limits, data size
    sshusers - nproc 10000                     <== both soft and hard limits, number of processes
    Entries with @ are groups; those without @ are users. The ulimit command can adjust these temporarily.
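As an added example, not from the original post, here is a bash audit for the kind of configuration the practice section builds: it lists the rules in a pam.d directory and checks each pam_listfile file= target the way pam_listfile itself does, flagging lists that are missing or writable by group or others. The service files and list files it runs against are constructed in a temporary directory; the layout (pam.d and security under the temp root), the service names and the sshusers/ftp names are assumptions made for the demo.

```shell
#!/bin/bash
# Added example, not part of the original post: a small audit of a pam.d-style
# directory. pam_rules lists every rule as "<service> <type> <control> <module>
# <args>"; check_listfiles then verifies that each file named by a pam_listfile
# "file=" argument exists and is not writable by group or others, two of the
# conditions pam_listfile insists on before it trusts the list. (It also
# requires the file to be owned by root; that is only reported here, because
# the sample files below are created by whoever runs the script.)

pam_rules() {
    local dir=$1 f type control module args
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while read -r type control module args; do
            case "$type" in ""|"#"*|"@include") continue ;; esac   # blank lines and comments
            type=${type#-}   # leading "-" (as in "-password optional ...") = do not fail if the module is missing
            printf '%s %s %s %s %s\n' "${f##*/}" "$type" "$control" "$module" "$args"
        done < "$f"
    done
}

# Prints one line per pam_listfile rule: "ok|MISSING|WRITABLE <service> <file> ...".
# Returns 1 if any list file is missing or group/world writable.
check_listfiles() {
    local dir=$1 rc=0 line service target perm owner
    while read -r line; do
        case "$line" in *" pam_listfile.so "*) ;; *) continue ;; esac
        service=${line%% *}
        target=$(printf '%s\n' "$line" | sed -n 's/.*file=\([^ ]*\).*/\1/p')
        if [ ! -f "$target" ]; then
            echo "MISSING $service $target"; rc=1; continue
        fi
        perm=$(ls -ld "$target" | cut -c1-10)          # e.g. -rw-r--r--
        owner=$(ls -ld "$target" | awk '{print $3}')
        case "$perm" in
            ?????w*|????????w?) echo "WRITABLE $service $target $perm"; rc=1 ;;   # group or other has w
            *) echo "ok $service $target $perm owner=$owner" ;;
        esac
    done <<EOF
$(pam_rules "$dir")
EOF
    return $rc
}

# Constructed sample tree standing in for /etc/pam.d and /etc/security
build_sample() {
    local root=$1
    mkdir -p "$root/pam.d" "$root/security"
    cat > "$root/pam.d/sshd" <<EOF
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_listfile.so item=group sense=allow file=$root/security/allow-groups onerr=fail
auth       include      system-auth
EOF
    cat > "$root/pam.d/login" <<EOF
auth       required     pam_listfile.so item=user sense=deny file=$root/security/denied-users onerr=succeed
-password  optional     pam_gnome_keyring.so
EOF
    cat > "$root/pam.d/vsftpd" <<EOF
auth       required     pam_listfile.so item=user sense=deny file=$root/security/ftpusers onerr=succeed
EOF
    echo sshusers > "$root/security/allow-groups"; chmod 644 "$root/security/allow-groups"   # sound
    echo ftp      > "$root/security/ftpusers";     chmod 666 "$root/security/ftpusers"       # anyone could edit the deny list
    # denied-users is deliberately not created: with onerr=succeed the rule then denies no one
}

SAMPLE=$(mktemp -d)
build_sample "$SAMPLE"
pam_rules "$SAMPLE/pam.d"
check_listfiles "$SAMPLE/pam.d" || echo "audit found problems"
rm -rf "$SAMPLE"
```

The onerr= parameter from pam_listfile's option line decides what happens when a list cannot be read: combined with sense=deny, onerr=succeed turns a missing file into a rule that denies nobody, which is what the login entry in the sample shows, while the allow list for sshd uses onerr=fail so that a missing file locks remote logins down rather than opening them up.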
This article is from the "Smoke Free Hand" blog; please keep this source: http://lidefu.blog.51cto.com/3429777/1388751