PAM module details: restricting user logins to Linux, restricting password changes, and more


PAM Detailed Introduction
2014-04-02 09:26:41
Tags: PAM

Original work. Reprinting is allowed provided the original source (as a hyperlink), the author information and this statement are kept; otherwise legal liability will be pursued. http://lidefu.blog.51cto.com/3429777/1388751

1. PAM Introduction

PAM (Pluggable Authentication Modules) is a framework of pluggable authentication modules. Many different applications on a Linux system need to authenticate users, and to provide that in a uniform way the authentication functions are implemented as shared modules (except for mechanisms that are particularly complex, such as HTTPS, which handle it themselves). When a program needs to authenticate someone it calls the PAM library, which loads the modules on its behalf. The modules live in /lib64/security (or /lib/security on a 32-bit system). Not every module performs authentication; some exist to implement PAM's more advanced features (resource limits, session setup, and so on). The PAM library itself, libpam, comes from the Linux-PAM project rather than from glibc, although it is installed with the base system. Which modules a given application uses is decided by that application's configuration file under /etc/pam.d/.

How PAM completes an authentication, using the passwd program as the example:

1) The user runs /usr/bin/passwd and enters a password.

2) passwd calls the PAM library to have the password checked.

3) PAM looks in /etc/pam.d/ for a configuration file with the same name as the program, passwd.

4) Having found it, PAM calls the modules listed in /etc/pam.d/passwd, in order, to perform the authentication.

5) When authentication completes, the result is returned to passwd.

6) passwd decides what to do next (ask for the password again, or accept it) based on the result PAM returned.

Of these steps the fourth is the most important, so we now look at how PAM performs the authentication in step 4, again using /etc/pam.d/passwd as the example. First, the configuration in /etc/pam.d/passwd:

    # cat /etc/pam.d/passwd
    #%PAM-1.0                                      <== PAM version line
    auth       include      system-auth            <== each line is one rule
    account    include      system-auth
    password   substack     system-auth
    -password  optional     pam_gnome_keyring.so

    type       control      module path and module arguments

The leading - on the last line tells libpam not to log an error if that module file is missing.

• First field: module type

There are four module types; the rules of a given type are evaluated from top to bottom, in the order they appear in the file.

auth

auth modules establish who the user is, usually by asking for a password and checking it. If several auth modules are stacked they are called one after another. Once the identity is confirmed, auth modules can also grant credentials, for example additional group memberships.

account

account modules do not authenticate; they check whether access is permitted at all: whether the account or its password has expired, whether the user may log in at this time or from this place, and so on. An expired account or password is refused. If several modules are listed they are checked in turn.

password

password modules are used only when the authentication token (the password) is being changed. If the user never changes a password, this type is never invoked.

session

session modules set up and tear down the user's session and impose limits on it, for example refusing a vsftpd session to a user who connects after 6 pm, or refusing a session when memory is insufficient. Resource limits (pam_limits.so) are applied here.

• Second field: control flag

The control flag tells PAM what to do with the module's success or failure. There are two syntaxes: the simple keywords below, and the complex [value=action ...] form in terms of which the simple keywords are defined.

• Simple controls

required

If the module succeeds, a success flag is recorded. If it fails, a failure flag is recorded and the stack as a whole will fail, but PAM does not return yet: it continues through the remaining modules and only reports the failure once the whole stack has run. This keeps the user from learning which module rejected them.

requisite

If the module fails, the failure is returned immediately and the rest of the stack is not run. If it succeeds, processing continues.

sufficient

The mirror image of requisite: if the module succeeds and no earlier required module has failed, success is returned immediately and the rest of the stack is skipped. If it fails, the failure is ignored and processing continues.

optional

The result is only advisory: it matters only when the optional module is the only module in the stack; otherwise it is ignored.

• The above flow was illustrated with a figure in the original article (not reproduced here).

include

Pulls in all rules of the same type from the named configuration file (system-auth above) and evaluates them as part of this stack.

substack

Like include, but the included lines are evaluated as a sub-stack: a done or die action inside it ends only the sub-stack, not the whole parent stack. Hand-written configurations rarely need it.
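To see how the four simple controls combine, here is an added example (not from the original article) that reproduces libpam's bookkeeping for required, requisite, sufficient and optional in Python and evaluates a constructed, simplified su auth stack with it. Module outcomes are supplied as a dict, so nothing touches the real PAM configuration; the only behaviour modelled beyond the four keywords is libpam's PAM_PERM_DENIED result when no module leaves an impression.

```python
"""Simulate how libpam combines the simple control flags of one stack."""

# libpam defines the simple keywords as [value=action] pairs; only the two
# cases that matter here (PAM_SUCCESS vs. any error) are modelled:
#   required   = [success=ok   default=bad]
#   requisite  = [success=ok   default=die]
#   sufficient = [success=done default=ignore]
#   optional   = [success=ok   default=ignore]
SIMPLE_CONTROLS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

SUCCESS, FAIL, DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"


def parse_pam_file(text, wanted_type):
    """Return [(control, module, args)] of one type from pam.d-style text.

    Comments and blank lines are skipped and a leading '-' on the type (the
    "do not log an error if the module file is missing" marker) is dropped.
    include/substack lines of that type are returned unchanged.
    """
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        mtype, control, module, *args = fields
        if mtype.lstrip("-") == wanted_type:
            rules.append((control, module, args))
    return rules


def evaluate_stack(rules, outcomes):
    """Run one stack and return (final_status, modules_actually_called).

    outcomes maps module name -> True (returned PAM_SUCCESS) or False (any
    error); a module missing from the map is treated as failing.
    """
    impression = None      # None: undecided, True: positive, False: negative
    status = DENIED
    called = []
    for control, module, _args in rules:
        if control not in SIMPLE_CONTROLS:
            raise ValueError("only the simple controls are modelled, got %r" % control)
        on_success, on_failure = SIMPLE_CONTROLS[control]
        ok = outcomes.get(module, False)
        called.append(module)
        action = on_success if ok else on_failure
        retval = SUCCESS if ok else FAIL

        if action == "ok":
            # counts towards the result unless a failure is already recorded
            if impression is not False:
                impression, status = True, retval
        elif action in ("bad", "die"):
            # the first recorded failure is what the stack will report;
            # 'bad' keeps calling the remaining modules, 'die' stops here
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action == "done":
            # stop here; the success is final only if nothing failed earlier
            if impression is not False:
                impression, status = True, retval
            break
        # "ignore": the module's result does not influence the stack

    if impression is None:
        # nothing left an impression (e.g. only failed sufficient/optional
        # modules): libpam reports PAM_PERM_DENIED
        status = DENIED
    return status, called


# Constructed, simplified version of the /etc/pam.d/su auth stack:
# root passes pam_rootok.so and is never asked for a password.
SU_AUTH = """#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
"""

if __name__ == "__main__":
    rules = parse_pam_file(SU_AUTH, "auth")
    print("root:", evaluate_stack(rules, {"pam_rootok.so": True}))
    print("user, right password:", evaluate_stack(rules, {"pam_unix.so": True}))
    print("user, wrong password:", evaluate_stack(rules, {}))
```

Running it shows the two facts the practice section relies on: a sufficient line that succeeds stops the stack before pam_unix.so ever prompts, and a required failure recorded earlier cannot be undone by a later sufficient success.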

· PAM paths

/etc/pam.d/*: the per-program PAM configuration files;

/lib/security/* (or /lib64/security/* on 64-bit systems): where the PAM module files live;

/etc/security/*: configuration files used by individual PAM modules (such as limits.conf);

/usr/share/doc/pam-*/: detailed PAM documentation;

· Common PAM modules

pam_unix.so

The traditional account and password mechanism: checks the password the user types against /etc/passwd and /etc/shadow through the standard C library.

pam_permit.so

Always succeeds; used to set a permissive default policy.

pam_deny.so

Always fails; used to set a deny-by-default policy.

pam_cracklib.so

Checks the strength of a new password: whether it appears in a dictionary, whether it is too similar to the previous one, its minimum length, and how many times (retry=) the user may be re-prompted for an acceptable new password.

pam_shells.so

Checks that the user's login shell is a valid one, that is, one listed in /etc/shells.

pam_securetty.so

Restricts root to logging in only from the TTYs listed in /etc/securetty (a TTY being a traditional terminal); other users are unaffected.

pam_listfile.so

A very flexible module: it allows or denies access according to whether an item is present in a file. Its arguments:

    item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=/path/filename onerr=[succeed|fail] [apply=[user|@group]] [quiet]

pam_rootok.so

Succeeds if the caller is already root (real UID 0); this is why root can su to other users without entering a password.

pam_succeed_if.so

Succeeds or fails depending on tests on the account being authenticated (uid, gid, user name, shell, and so on); it is what lets a selected ordinary user su without a password in the practice section below.

pam_limits.so

Applies resource limits such as the number of open files or processes, for any user, from /etc/security/limits.conf and /etc/security/limits.d/*.

pam_nologin.so

Can keep ordinary users off the host: when the file /etc/nologin exists, only root may log in; all other users are refused (and shown the file's contents).

Practice:

• Restrict root to logging in from the local console (tty2) only, not remotely via sshd

    # vim /etc/pam.d/sshd                     # edit this file
    auth       required     pam_securetty.so   # add this line
    # cat /etc/securetty                      # edit this file
    console
    tty1
    tty2

pam_securetty.so only restricts root; other users are unaffected. For sshd it takes effect only when UsePAM yes is set in sshd_config; PermitRootLogin no in sshd_config blocks root over SSH without involving PAM.

• Only users in the sshusers group may log in remotely via SSH

    # groupadd sshusers                       # add a group
    # vim /etc/pam.d/sshd                     # edit the PAM config for remote login
    auth       required     pam_listfile.so item=group sense=allow file=/etc/security/allow-groups onerr=fail   # add this line
    # vim /etc/security/allow-groups          # edit the group file named above
    sshusers                                  # add the group

The control must be required, not sufficient: with sense=allow, a sufficient line would let group members skip the password check entirely. onerr=fail (also the module's default, made explicit here) makes an unreadable list file deny access rather than admit everyone. pam_listfile refuses a list file that is world-writable or not a regular file, so keep it root-owned with mode 0644.

• Require root to enter a password when using su

    # vim /etc/pam.d/su                       # edit this file
    #auth           sufficient      pam_rootok.so   # comment out this line
    # whoami
    root
    # su ldf
    Password:

• Let the ordinary user ldf su without a password

    # vim /etc/pam.d/su                       # edit this file
    auth            sufficient      pam_succeed_if.so uid = 500 use_uid quiet    # add this line as line 3, before the include of system-auth
    # id ldf
    uid=500(ldf) gid=500(ldf) groups=500(ldf)
    $ su root                                 # try it as ldf
    #                                         <== root shell, no password asked

The line must come before the auth line that includes system-auth, otherwise pam_unix.so asks for the password first. use_uid tests the real UID of the calling user rather than the target account. Be clear about what this grants: any process running as UID 500 can become root (or any other user) with no password, so it is equivalent to giving ldf root.
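The su and sshd edits above are easy to get subtly wrong (a sufficient where a required was meant, onerr=succeed, a forgotten pam_succeed_if line). The following is an added example, not code from the original article: a small Python auditor that parses pam.d-style text and reports those conditions, plus a check that mirrors pam_listfile's own test on the allow-groups file. The file contents it runs on are constructed to mirror the article's edits; the severity labels and message texts are this example's own.

```python
"""Audit the su and sshd PAM stacks edited in the practice section."""
import os
import stat


def pam_rules(text):
    """Yield (type, control, module, args) for every rule in pam.d-style text."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0].lstrip("-"), fields[1], fields[2], fields[3:]


def module_options(args):
    """Turn ['item=group', 'sense=allow', 'quiet'] into a dict; bare flags map to True."""
    opts = {}
    for arg in args:
        key, _, value = arg.partition("=")
        opts[key] = value if value else True
    return opts


def audit_su(text):
    """Return [(severity, message)] for password-less paths in the auth stack of su."""
    findings = []
    for mtype, control, module, args in pam_rules(text):
        if mtype != "auth":
            continue
        if module == "pam_rootok.so" and control == "sufficient":
            findings.append(("info", "root may su to any account without a password"))
        if module == "pam_succeed_if.so" and control == "sufficient":
            # practice 4: whoever matches the test becomes root with no password
            findings.append(("critical", "password-less su (root included) for accounts matching: "
                             + " ".join(args)))
    return findings


def audit_sshd(text):
    """Return [(severity, message)] for the auth stack of sshd."""
    findings = []
    for mtype, control, module, args in pam_rules(text):
        if mtype != "auth":
            continue
        if module == "pam_listfile.so":
            opts = module_options(args)
            if opts.get("sense") == "allow" and control == "sufficient":
                # an allow-list must ADD a condition, not REPLACE the password check
                findings.append(("critical", "pam_listfile allow-list is 'sufficient': listed %ss "
                                 "skip the password check" % opts.get("item", "item")))
            if opts.get("onerr") == "succeed":
                findings.append(("warn", "onerr=succeed: an unreadable %s admits everyone"
                                 % opts.get("file", "list file")))
        if module == "pam_securetty.so" and control not in ("required", "requisite"):
            findings.append(("warn", "pam_securetty.so is '%s' and so cannot block root" % control))
    return findings


def listfile_is_usable(path):
    """Mirror pam_listfile's own check: the list must be a regular, not world-writable file.

    pam_listfile returns PAM_AUTH_ERR for a world-writable or non-regular list;
    a missing list is decided by onerr= instead.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing: onerr= decides"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & stat.S_IWOTH:
        return False, "world-writable: anyone could add a group"
    return True, "ok"


# Constructed samples mirroring the practice section (not real system files).
SU_HARDENED = """#%PAM-1.0
#auth           sufficient      pam_rootok.so
auth            include         system-auth
"""
SU_PASSWORDLESS = """#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            sufficient      pam_succeed_if.so uid = 500 use_uid quiet
auth            include         system-auth
"""
SSHD_GOOD = """#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_listfile.so item=group sense=allow file=/etc/security/allow-groups onerr=fail
auth       include      system-auth
"""
SSHD_BAD = """#%PAM-1.0
auth       sufficient   pam_listfile.so item=group sense=allow file=/etc/security/allow-groups onerr=succeed
auth       include      system-auth
"""

if __name__ == "__main__":
    for name, text, audit in [("su (practice 3)", SU_HARDENED, audit_su),
                              ("su (practice 4)", SU_PASSWORDLESS, audit_su),
                              ("sshd (practice 1+2)", SSHD_GOOD, audit_sshd),
                              ("sshd (misconfigured)", SSHD_BAD, audit_sshd)]:
        print(name, audit(text) or "no findings")
    print(listfile_is_usable("/etc/security/allow-groups"))
```

Point the functions at the real files (open("/etc/pam.d/su").read() and so on) to audit a live system; the module list here is deliberately limited to the modules the practice section touches.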

• Limit the resources a group (or user) may use

    # vim /etc/security/limits.conf           # many things can be limited here
    @sshusers        soft       nofile         10000    # soft limit: 10000 open files
    @sshusers        hard       nofile         10000    # hard limit
    @sshusers        -          data           10000    # soft and hard together: data segment size (KB)
    sshusers         -          nproc          10000    # soft and hard together: number of processes

Domains beginning with @ are groups; without @ they are users (so the last line applies to a user named sshusers, not to the group). The limits are applied by pam_limits.so, which must be in the session stack of the service in question (on Red Hat-style systems system-auth contains session required pam_limits.so). ulimit can adjust a limit temporarily in the current shell.
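When a user matches several limits.conf lines, pam_limits.so resolves them by precedence rather than by file order, which the fragment above does not make visible. This added example (not from the original article) reads limits.conf-style text and returns the limits one user would receive, applying pam_limits' rules: a line naming the user outranks an @group line, which outranks the * default; among lines of equal rank the later one wins; type - sets soft and hard together. The fragment is constructed to extend the article's entries with a default and a per-user override; sizes stay in the KB units limits.conf uses.

```python
"""Resolve the limits pam_limits.so would apply to one user."""

PRIORITY = {"user": 0, "group": 1, "default": 2}   # lower number = stronger claim


def parse_limits(text):
    """Yield (domain, type, item, value) for each '<domain> <type> <item> <value>' line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            domain, ltype, item, value = fields
            yield domain, ltype, item, (int(value) if value.isdigit() else value)


def effective_limits(text, user, groups):
    """Return {item: {"soft": v, "hard": v}} as pam_limits would apply them to user.

    groups is the set of group names the user belongs to.  A line naming the
    user outranks an @group line, which outranks the '*' default; among lines
    of equal rank the later one wins.  Type '-' sets soft and hard together.
    """
    chosen = {}   # item -> {"soft"|"hard": (rank, value)}
    for domain, ltype, item, value in parse_limits(text):
        if domain == user:
            rank = PRIORITY["user"]
        elif domain.startswith("@") and domain[1:] in groups:
            rank = PRIORITY["group"]
        elif domain == "*":
            rank = PRIORITY["default"]
        else:
            continue   # another user, a group we are not in, or %group maxlogins syntax
        slot = chosen.setdefault(item, {})
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            # replace only an earlier value of equal or weaker rank
            if kind not in slot or rank <= slot[kind][0]:
                slot[kind] = (rank, value)
    return {item: {kind: val for kind, (_rank, val) in slot.items()}
            for item, slot in chosen.items()}


# Constructed fragment: the article's four entries plus a '*' default and a
# per-user line for ldf.  Note that the unprefixed 'sshusers' is a USER domain.
LIMITS_CONF = """
*                soft       nofile         1024
*                hard       nofile         4096
@sshusers        soft       nofile         10000    # soft limit: 10000 open files
@sshusers        hard       nofile         10000    # hard limit
@sshusers        -          data           10000    # soft and hard: data segment (KB)
sshusers         -          nproc          10000    # a user named sshusers, not the group
ldf              hard       nofile         2048     # user line: beats @sshusers regardless of order
"""

if __name__ == "__main__":
    print("ldf:", effective_limits(LIMITS_CONF, "ldf", {"ldf", "sshusers"}))
    print("bob:", effective_limits(LIMITS_CONF, "bob", {"bob"}))
```

For ldf the soft nofile limit comes from the group line while the hard one comes from the user line, and nproc is not set at all because the unprefixed sshusers domain names a user, not the group. Remember that none of this is enforced unless pam_limits.so is in the service's session stack.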

This article is from the "Smoke Free Hand" blog, please be sure to keep this source http://lidefu.blog.51cto.com/3429777/1388751
