Linux server security policy configuration-PAM authentication module (2)

2025-02-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--

Article navigation

About PAM

PAM Authentication Profile

PAM configuration file syntax format

PAM module interface

PAM control flag

PAM configuration method

PAM authentication security configuration example

- Enforce the use of strong passwords (user password security configuration)

- Lock the account when the number of failed SSH login attempts exceeds the limit (account locking / unlocking and time setting)

- Allow ordinary users to use sudo instead of su (restrict ordinary users from switching to root)

- Prohibit direct root login through SSH

pwgen complex password random generation tool

About PAM

Linux-PAM (Pluggable Authentication Modules for Linux) is a set of shared authentication libraries for Linux that provides dynamically loadable authentication modules to the applications and services on the system. Because PAM is dynamically configurable, the local system administrator is free to choose how each application authenticates users. PAM is used by many programs and services: the login programs (login, su) authenticate through PAM (password authentication, restricted login), passwd enforces password policy through it, and it is also used for real-time management of user processes, allocation of system resources to users, and so on.

The main feature of PAM is that authentication is dynamically configurable. The core of PAM is the library libpam together with the PAM modules, which are dynamic link libraries (.so files) located in /lib/security/, while the per-module configuration files live in the /etc/pam.d/ directory (or in the single /etc/pam.conf file). The PAM configuration files of the various programs and services are defined under /etc/pam.d/. Among them, system-auth is the key configuration file of the PAM modules and is mainly responsible for authenticating users who log in to the system; other applications and services can pull it in through the include interface (this file is a symbolic link to system-auth-ac). The password-auth file is another important authentication configuration; for example, remote login authentication (SSH login) goes through it. In Ubuntu, SuSE Linux and other distributions, the main PAM configuration files are common-auth, common-account, common-password and common-session, which are included by the PAM configurations of all applications and services.

Use the following command to determine whether a program uses PAM:

root@HMing ~ # ldd /usr/bin/passwd | grep libpam
        libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007fb74f748000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007fb74eb45000)

If you see similar output, the program uses PAM; if there is no output, it does not.

PAM Authentication Profile

The /etc/pam.d/ directory contains the PAM configuration files of the applications. For example, the login program defines its program / service name as login, and its corresponding PAM configuration file is /etc/pam.d/login.

PAM configuration file syntax format

Each PAM configuration file contains a set of entries that define the modules, their control flags and their parameters. Each entry has a simple syntax that identifies the purpose (interface) of the module and its configuration settings. The syntax format is as follows:

module_interface control_flag module_name module_arguments

An example is the /etc/pam.d/password-auth-ac configuration file (CentOS), in which each line defines one PAM module interface entry in this format.

PAM module interface (module management group)

PAM provides four types of module interfaces available for authentication tasks, each of which provides different authentication services:

- auth: the authentication module interface, which verifies the user's identity, for example by checking the password, and sets user credentials

- account: the account module interface, which checks whether the specified account meets the current authentication conditions, for example whether the user may access the requested service and whether the account has expired

- password: the password module interface, used to change the user's password and to enforce the use of strong passwords

- session: the session module interface, used to manage and configure user sessions; it takes effect after the user has authenticated successfully

A single PAM library module can serve any or all of the module interfaces. For example, pam_unix.so serves all four.

PAM control flag

Every PAM module returns success or failure when it is called. The control flag of each entry determines how that result contributes to the overall outcome: the PAM library combines the per-module pass / fail results into one overall pass / fail result and returns it to the application. Modules can be stacked in a specific order, and the control flags define how a particular application or service authenticates its users. The control flag is the second field of a PAM configuration entry; the flags are as follows:

- required: the module must succeed. If it fails, the remaining modules in the interface's stack are still run, and the failure is reported to the user only after all of them have been tested.

- requisite: the module must succeed for authentication to continue. If it fails, the failure is reported to the user immediately.

- sufficient: a failure of this module is ignored. If the module succeeds and no previous required module has failed, PAM returns a pass to the application and does not call any other module in the stack.

- optional: the pass / fail result of this module is ignored. It only counts when it is the only module referenced for the interface, marked optional, and validated successfully. The module is called to perform some operation without affecting the result of the module stack.

- include: unlike the other flags, include has nothing to do with how the module's result is handled. It pulls the configuration entries of another PAM file in directly.
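How a stack of these flags combines into one result, as an added illustration (this is not Linux-PAM's code; the auth stack below is a constructed sample, and include is not modelled because it only splices in another file):

```python
# Constructed sample of an auth stack in /etc/pam.d/<service> syntax
# (illustration only, not a file from the article); include is not modelled.
SAMPLE_AUTH_STACK = """
auth required   pam_env.so
auth requisite  pam_securetty.so
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_deny.so
"""

def parse_pam_stack(text, interface="auth"):
    """Return (control_flag, module_name) pairs for one module interface,
    skipping comments, blank lines and entries of other interfaces."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == interface:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate_stack(stack, results):
    """Combine per-module results the way the control flags describe.
    results maps module name -> True (success) / False (failure); a module
    not listed counts as failed (pam_deny.so always fails)."""
    impression = None   # None = undecided, True = passing, False = a required module failed
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == "required":
            if not ok:
                impression = False          # remember, but keep running the stack
            elif impression is None:
                impression = True
        elif flag == "requisite":
            if not ok:
                return "fail"               # stop and report to the user at once
            if impression is None:
                impression = True
        elif flag == "sufficient":
            if ok and impression is not False:
                return "pass"               # nothing required failed: skip the rest
        elif flag == "optional":
            if ok and impression is None:
                impression = True           # only counts when nothing else has decided
    # An undecided stack (e.g. only sufficient modules, all failed) is a failure.
    return "pass" if impression else "fail"

if __name__ == "__main__":
    stack = parse_pam_stack(SAMPLE_AUTH_STACK)
    cases = {"good password": {"pam_env.so": True, "pam_securetty.so": True, "pam_unix.so": True},
             "bad password": {"pam_env.so": True, "pam_securetty.so": True, "pam_unix.so": False},
             "root on insecure tty": {"pam_env.so": True, "pam_securetty.so": False, "pam_unix.so": True}}
    for name, results in cases.items():
        print(f"{name}: {evaluate_stack(stack, results)}")
```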

PAM configuration method

All PAM configuration options are described in the man pages. To look up the configuration of a module, use man followed by the module name without the .so suffix, for example # man pam_unix. (The module names can be found in the directory /lib/security/ or /lib64/security/.)

PAM authentication security configuration example

1. Enforce the use of strong passwords (user password security configuration)

PAM configuration file: /etc/pam.d/system-auth-ac

Module name: pam_cracklib (password module interface only)

Module parameters:

minlen=12: the password must be at least 12 characters long (default is 9)

lcredit=-1: must contain at least 1 lowercase letter

ucredit=-1: must contain at least 1 uppercase letter

dcredit=-1: must contain at least 1 digit

ocredit=-1: must contain at least 1 special character

retry=3: when setting a password, the user is given three attempts to enter an acceptable password

difok=6: at least 6 characters of the new password must differ from the old password (default is 5)

Other commonly used parameters:

reject_username: the new password may not contain the user name

maxrepeat=N: reject passwords containing more than N consecutive identical characters. The default of 0 disables this check

maxsequence=N: reject passwords containing a monotonic character sequence longer than N, such as '1234' or 'fedcb'. Most such passwords are rejected even without this parameter, unless the sequence is only a small part of the password

maxclassrepeat=N: reject passwords containing more than N consecutive characters of the same class. The default of 0 disables this check

use_authtok: use the password passed on by the previous module and do not prompt the user for a new one (the user cannot enter a different password)

Module name: pam_unix (account, auth, password and session module interfaces)

Module parameters:

remember=N: keep the last N passwords of each user; a new password may not repeat one of them.

Other common parameters:

sha512: the next time the user changes the password, it is hashed with SHA-512

md5: when the user changes the password, it is hashed with MD5.

try_first_pass: before prompting the user for a password, the module first tries the password obtained by the previous module to see whether it satisfies this module.

use_first_pass: the module must use the password obtained by the previous module (the user is not prompted again). If that password is empty or incorrect, the user is denied access.

shadow: the password hashes are kept in the protected shadow file

nullok: allow accounts with an empty password to access the service (disallowed by default).

use_authtok: use the password passed on by the previous module and do not prompt the user for a new one (the user cannot enter a different password)

For example, edit /etc/pam.d/system-auth-ac and modify or add the parameters on the password module interface line as follows:

password requisite pam_cracklib.so try_first_pass retry=3 type= reject_username minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=6

The modified /etc/pam.d/system-auth-ac configuration file is shown in the following figure

Note that what is shown here is the configuration under RHEL/CentOS. The PAM configuration of the passwd program involves /etc/pam.d/passwd and /etc/pam.d/system-auth-ac (or /etc/pam.d/password-auth-ac); by default /etc/pam.d/passwd only includes /etc/pam.d/system-auth-ac, so for the password module configuration above only that file needs to be modified. In Ubuntu the configuration files are /etc/pam.d/common-password, /etc/pam.d/common-account, /etc/pam.d/common-auth and /etc/pam.d/common-session.

Test the PAM configuration:

Log in (su) as an ordinary user and use the passwd program to change the password. If the password entered does not meet the requirements, it cannot be changed.

root@HMing ~ # su - hm                 # log in as user hm
hm@HMing ~ $ passwd                    # change the password
Changing password for user hm.
Changing password for hm.
(current) UNIX password:               # prompt for the old password
New password:                          # prompt for the new password; if it does not meet the requirements an error is shown
Password unchanged
New password:
BAD PASSWORD: is too simple
New password:                          # once the password meets the requirements you are asked to retype it
Retype new password:
passwd: all authentication tokens updated successfully.
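The pam_cracklib policy line above, checked against candidate passwords in an added example (illustration only, not pam_cracklib's own code; the candidate passwords, the user name hm and the old password are constructed, and maxrepeat=3 / maxclassrepeat=4 are added to exercise the optional parameters):

```python
import re

# The password line from the article's /etc/pam.d/system-auth-ac example.
PAGE_LINE = ("password requisite pam_cracklib.so try_first_pass retry=3 type= reject_username "
             "minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=6")

def parse_cracklib_line(line):
    """module_arguments after pam_cracklib.so -> dict (key=123 int, key=text str, bare flag True)."""
    fields = line.split()
    policy = {}
    for token in fields[fields.index("pam_cracklib.so") + 1:]:
        key, sep, value = token.partition("=")
        policy[key] = int(value) if re.fullmatch(r"-?\d+", value) else (value if sep else True)
    return policy

def char_class(c):
    return "lower" if c.islower() else "upper" if c.isupper() else "digit" if c.isdigit() else "other"

def longest_run(items):
    """Length of the longest run of consecutive equal items."""
    best = run = 0
    prev = None
    for x in items:
        run = run + 1 if x == prev else 1
        prev, best = x, max(best, run)
    return best

CREDITS = (("lower", "lcredit"), ("upper", "ucredit"), ("digit", "dcredit"), ("other", "ocredit"))

def check_password(new, old, username, policy):
    """Names of the pam_cracklib checks the new password fails (empty list = accepted).
    Simplified model: a negative credit is a minimum count, a positive credit adds to the
    effective length, difok counts characters of the new password absent from the old one."""
    failures = []
    counts = {cls: sum(1 for c in new if char_class(c) == cls) for cls, _ in CREDITS}
    effective = len(new) + sum(min(counts[cls], policy.get(k, 1))
                               for cls, k in CREDITS if policy.get(k, 1) >= 0)
    if effective < policy.get("minlen", 9):
        failures.append("minlen")
    failures += [k for cls, k in CREDITS if policy.get(k, 1) < 0 and counts[cls] < -policy[k]]
    if old and sum(1 for c in new if c not in old) < policy.get("difok", 5):
        failures.append("difok")
    low, user = new.lower(), username.lower()
    if policy.get("reject_username") and (user in low or user[::-1] in low):
        failures.append("reject_username")       # user name forwards or reversed
    if policy.get("maxrepeat", 0) > 0 and longest_run(new) > policy["maxrepeat"]:
        failures.append("maxrepeat")             # e.g. "1111"
    if policy.get("maxclassrepeat", 0) > 0 and longest_run(map(char_class, new)) > policy["maxclassrepeat"]:
        failures.append("maxclassrepeat")        # e.g. eight lowercase letters in a row
    return failures

# Policy of the page line plus the two "other" parameters, to exercise them too.
POLICY = dict(parse_cracklib_line(PAGE_LINE), maxrepeat=3, maxclassrepeat=4)
```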

2. Lock the account when the number of failed SSH login attempts exceeds the limit (account locking / unlocking and time setting)

To further improve security, you can lock a user out after a number of failed login attempts. The account can then be unlocked manually by root or automatically after a set time. For example, to lock the user for ten minutes after three failed login attempts, add the following line to /etc/pam.d/password-auth-ac (or /etc/pam.d/sshd):

auth required pam_tally2.so deny=3 unlock_time=600 onerr=succeed file=/var/log/tallylog

In Ubuntu and SuSE Linux, the /etc/pam.d/common-auth configuration file is modified instead.

PAM can also restrict logins on the console in the same way: modify /etc/pam.d/system-auth (or /etc/pam.d/login) and add the same auth line.

Once the user's failed login attempts reach 3, the account is locked immediately and stays locked unless root unlocks it (or the unlock time expires). As root, unlock the user with:

# pam_tally2 -u username -r

(-r is the same as --reset.) View a user's login failure information with:

# pam_tally2 -u username

To lock the user permanently after three failed logins, remove the unlock_time field; the account then stays locked until root unlocks it.

pam_tally/pam_tally2 module parameters:

Global options:

onerr=[succeed|fail]: the result the module returns if it hits an internal error

file=/path/to/log: the failed-login log file, default /var/log/tallylog

audit: if the user who tried to log in does not exist, record the user name in the system log

silent: do not print informational messages

no_log_info: do not log information through syslog

AUTH options:

deny=n: deny access after more than n failed logins

lock_time=n: always deny access for n seconds after a failed login

unlock_time=n: allow access again n seconds after the failed-login limit was exceeded

no_lock_time: do not record the .fail_locktime field in the log file /var/log/faillog

magic_root: when the module is called by root (uid=0), the counter is not incremented

even_deny_root: the root user is also denied access after more than deny=n failed logins

root_unlock_time=n: companion option to even_deny_root; if set, root is locked out for n seconds after exceeding the failed-login limit.
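How deny=, unlock_time=, even_deny_root, root_unlock_time= and magic_root interact, as an added illustration rather than pam_tally2's own code; the user names and timestamps are constructed:

```python
class TallySimulator:
    """Decides login attempts the way pam_tally2 with deny=, unlock_time=,
    even_deny_root, root_unlock_time= and magic_root does. Added illustration,
    not the module's code. `now` is a timestamp in seconds; `caller_uid` is the
    uid of the process invoking PAM (magic_root looks at the caller, not at the
    account being authenticated)."""

    def __init__(self, deny=3, unlock_time=600, even_deny_root=False,
                 root_unlock_time=None, magic_root=False):
        self.deny, self.unlock_time = deny, unlock_time
        self.even_deny_root, self.root_unlock_time = even_deny_root, root_unlock_time
        self.magic_root = magic_root
        self.tally = {}   # user -> (failure count, time of last counted attempt)

    def attempt(self, user, creds_ok, now, caller_uid=1000):
        """Return 'allow', 'deny' (bad credentials) or 'locked' (limit exceeded)."""
        if self.magic_root and caller_uid == 0:
            return "allow" if creds_ok else "deny"     # root's calls are never counted
        count, last = self.tally.get(user, (0, 0))
        count += 1                                     # the attempt is counted before the check
        is_root = user == "root"
        limit_applies = self.even_deny_root if is_root else True
        unlock = self.root_unlock_time if is_root and self.root_unlock_time is not None else self.unlock_time
        if limit_applies and count > self.deny and (unlock is None or now - last < unlock):
            self.tally[user] = (count, now)            # every attempt restarts the unlock timer
            return "locked"
        if creds_ok:
            self.tally.pop(user, None)                 # success resets the counter
            return "allow"
        self.tally[user] = (count, now)
        return "deny"

    def reset(self, user):
        """Administrator unlock, like pam_tally2 -u user --reset."""
        self.tally.pop(user, None)

    def failures(self, user):
        """The count pam_tally2 -u user would report."""
        return self.tally.get(user, (0, 0))[0]
```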

3. Allow ordinary users to use sudo instead of su (restrict ordinary users from switching to root)

Linux systems have a wheel group by default, which is meant to restrict ordinary users from switching to root through su: only members of the wheel group may use su. By default, however, the system does not enable this restriction. It can be enabled through PAM, and the group / users allowed to use su can be changed to suit requirements. This configuration is done with the pam_wheel module.

First, enable the wheel group so that only users belonging to it can use the su command. Add the following line to the /etc/pam.d/su configuration file:

auth required pam_wheel.so use_uid

Note that this line should be placed at the beginning of the /etc/pam.d/su file, otherwise the PAM stack may skip this check. Once configured, add the users who need su to the wheel group:

# usermod -a -G wheel username

Second, if you do not want to use the wheel group, another group can be used instead, for example granting su to the group named myadmingroup:

auth required pam_wheel.so use_uid group=myadmingroup

Finally, configure which users have sudo permissions. Keep in mind that the goal is to minimize the use of root privileges: sudo lets users invoke root privileges only when they actually need them. Specific groups / users can be allowed to run commands as root through sudo (the root password is not required). Open the configuration file with visudo:

hmm ALL=(ALL) NOPASSWD: ALL    # allows user hmm to run any command through sudo (no password required)

%wheel ALL=(ALL) ALL           # allows members of the wheel group to run any command through sudo (password required)

4. Prohibit direct root login through SSH

Add the following line to /etc/pam.d/password-auth-ac or /etc/pam.d/sshd (this blocks password authentication for root over SSH; root can still log in with an SSH key):

auth required pam_securetty.so

You can also edit /etc/securetty to prevent root from logging in on any tty terminal:

# cp /etc/securetty /etc/securetty.saved
# echo "" > /etc/securetty

5. pwgen complex password random generation tool

pwgen is a tool for randomly generating passwords on Linux. Install it under CentOS 6 with:

# rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-6.noarch.rpm
# yum install pwgen

Randomly generate a 12-character password with the pwgen command:

# pwgen -s 12 -c -n -y

-n: include at least one digit

-c: include at least one uppercase letter

-y: include at least one special character

-s: generate completely random (secure) passwords
