2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today I will talk about what the Linux PAM authentication mechanism is; many people may not know much about it. To help you understand it better, the editor has summarized the following content, and I hope you get something from this article.
I. Introduction to PAM
Linux-PAM (Linux Pluggable Authentication Modules) is a set of shared libraries that lets the local system administrator choose how programs authenticate users.
In other words, you can change the authentication mechanism used by a PAM-aware application without rewriting or recompiling it.
So even if the local authentication mechanism is upgraded, the program itself does not need to be modified.
PAM uses the configuration file /etc/pam.conf (or the files under /etc/pam.d/) to manage authentication for each program. The application's configuration file names the local authentication modules to invoke; the modules live under /lib/security and are loaded as dynamic libraries with dlopen(3).
For example, when you use the su command you are prompted for the root password. The su command does this by calling PAM modules.
II. Introduction to the PAM configuration file
1. Format of the PAM configuration file
The PAM configuration file can be written in two ways. The first is a single file, /etc/pam.conf, whose lines have the following format:
ftpd auth required pam_unix.so nullok
ftpd: the service name, that is, the service this authentication configuration applies to.
auth: the module type. PAM has four module types, each representing a different kind of task.
required: the control flag, which tells PAM how to treat the module's return value (see section 3 below).
pam_unix.so: the module path, that is, the location of the module to be called.
nullok: the module's parameters, that is, the arguments passed to the module.
The other way is to place per-application configuration files in the /etc/pam.d/ directory, using the application name as the file name, for example vsftpd or login. The format is the same as pam.conf except that the leftmost service-name column is omitted. For example, /etc/pam.d/cups:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
2. PAM module types
Linux-PAM has four module types, each representing a different task: authentication management, account management, session management and password management. A type may have several lines in the configuration, and PAM calls them in sequence (a "stack").
auth
Identifies the user, for example by prompting for a password, or by checking whether the user is root.
account
Checks the attributes of the account: whether login is allowed, whether the maximum number of users has been reached, or whether root is allowed to log in from this terminal.
session
Defines what is done before the user logs in and after the user logs out, such as logging the connection, opening and closing user data, or mounting file systems.
password
Updates user authentication information, for example changing the user's password.
3. PAM control flags
PAM uses control flags to process the return value of each module and decide the result of the stack.
required
The module must return success. If it fails, PAM still runs the remaining modules of the same type, but once all of them have run the stack returns failure.
requisite
Like required, but if the module fails, failure is returned to the application immediately, and no later module of the same type is executed.
sufficient
If the module returns success, success is returned to the application immediately (unless an earlier required module has already failed) and no later module of the same type is executed. If it fails, the return value of the stack is not affected.
optional
The module's success or failure is ignored; PAM generally treats its result as PAM_IGNORE.
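As an added illustration (not code from the article), the following Python model shows how a stack is evaluated under these control flags, and it also parses the two configuration layouts from section II. Module outcomes are supplied as a dictionary, so no real module is loaded; the su-style stack, the PAM_PERM_DENIED result for an empty stack and the numeric return codes are taken from Linux-PAM's behaviour, not from this page.

```python
# Constructed model of PAM stack evaluation (added example, not code from the article).
# It parses both layouts from section II and applies the required / requisite /
# sufficient / optional rules from section 3. Module outcomes come from a dict,
# so nothing is dlopen()ed and libpam itself is not involved.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_IGNORE = 0, 6, 7, 25  # Linux-PAM return codes


def parse_pam_config(text, service=None):
    """Return [(type, control, module, args)] for one service.

    service=None: text is an /etc/pam.d/<name> file (type control module args).
    Otherwise text is /etc/pam.conf and only the lines whose first field is
    `service` are kept, with that column stripped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops '#%PAM-1.0' and comments
        if not line:
            continue
        fields = line.split()
        if service is not None:
            if fields[0] != service:
                continue
            fields = fields[1:]
        mtype, control, module, *args = fields
        entries.append((mtype.lower(), control.lower(), module, args))
    return entries


def run_stack(entries, mtype, results):
    """Evaluate one module type's stack; `results` maps module name -> return code."""
    failure, ran = None, 0      # first failure recorded by a 'required' module
    for t, control, module, _args in entries:
        if t != mtype:
            continue
        ran += 1
        rc = results.get(module, PAM_IGNORE)
        failed = rc not in (PAM_SUCCESS, PAM_IGNORE)
        if control == "required" and failed and failure is None:
            failure = rc            # remembered, but the rest of the stack still runs
        elif control == "requisite" and failed:
            return rc               # returned at once; later modules are skipped
        elif control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS      # ends the stack unless a required module already failed
        # optional: ignored here (libpam counts it only when it is the sole module)
    return PAM_PERM_DENIED if ran == 0 else (PAM_SUCCESS if failure is None else failure)


# The article's /etc/pam.d/pamtest (with its pam_warn line) and a constructed su-style stack.
PAMTEST_D = "#%PAM-1.0\nauth required pam_unix.so\naccount required pam_unix.so\naccount required pam_warn.so\n"
SU_LIKE_D = "auth sufficient pam_rootok.so\nauth required pam_unix.so\n"
```

With pam_unix.so returning PAM_AUTH_ERR (7) the pamtest auth stack yields 7, the same code the article's program prints later; with the su-style stack, a root caller succeeds at pam_rootok.so without pam_unix.so being consulted.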
4. Module path
The module path is the location of the module to be called, generally under /lib/security/. The same module, for example pam_unix.so, can appear under different types and performs a different operation in each, because each module implements a separate entry function for every module type it supports.
5. Module parameters
The module parameters are the arguments passed to the module. There can be several, separated by spaces, for example:
password required pam_unix.so nullok obscure min=4 max=8 md5
III. Writing a PAM configuration file
1. Introduction to PAM modules
pam_unix.so module:
auth type: prompts the user for a password and compares it with /etc/shadow. On a match it returns 0 (PAM_SUCCESS).
account type: checks the user's account information (including whether it has expired). If the account is usable it returns 0.
password type: changes the user's password, updating the shadow file with the new password entered by the user.
pam_cracklib.so module:
password type: this module can be inserted into a program's password stack to check the strength of a new password.
It prompts the user for the password and compares it with the system dictionary to check its strength.
pam_loginuid.so module:
session type: sets the login uid of the authenticated process so that its actions can be attributed correctly by the audit subsystem.
pam_securetty.so module:
auth type: if the user wants to log in as root, the login tty must be listed in /etc/securetty.
pam_rootok.so module:
auth type: checks whether the user's id is 0; if so it returns PAM_SUCCESS.
pam_console.so module:
session type: changes the permissions of terminal device files when the user logs in at the console, and restores them after the user logs out.
pam_permit.so module:
auth, account, password, session types: pam_permit always returns success.
pam_env.so module:
auth type: pam_env sets environment variables. By default, if no file is specified, they are set according to /etc/security/pam_env.conf.
pam_xauth.so module:
session type: pam_xauth forwards xauth keys between users.
Without pam_xauth, when a user runs su to become another user, the new user can no longer access the original user's X display, because the new user does not hold the display's key. pam_xauth solves this by forwarding the key from the original user to the target user when the session is established, and destroying it when the session ends.
Experiment:
Comment out the line "session optional /lib/security/$ISA/pam_xauth.so" in /etc/pam.d/su. Then, in a desktop terminal, run su to switch to another user and execute xterm: it reports an error saying that DISPLAY cannot be accessed.
Remove the comment again, switch user with su and execute xterm: an xterm window opens normally.
pam_stack.so module:
auth, account, password, session types: pam_stack calls another service's stack, so several services can share one set of settings, and when a change is needed only one file has to be modified.
pam_warn.so module:
auth, account, password, session types: pam_warn logs the service, terminal, user, remote user and remote host to the system log. It always returns PAM_IGNORE, meaning it does not affect the authentication result.
2. Writing the PAM configuration file
Execute as root: # vi /etc/pam.d/pamtest
# prompt the user for a password
auth required pam_unix.so
# verify that the user account is usable
account required pam_unix.so
# write a message to the system log
account required pam_warn.so
IV. An application based on the PAM mechanism
1. Write the C source code
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <stdio.h>
#include <stdlib.h>
/* File pamtest.c
   This program takes a user name as a command-line argument and validates it
   with the auth and account module types.
*/
/* the pam_conv structure used for communicating with PAM; misc_conv (from
   libpam_misc) implements a text-mode conversation on the terminal */
static struct pam_conv conv = {
    misc_conv,
    NULL
};
/* main function */
int main(int argc, char *argv[])
{
    pam_handle_t *pamh = NULL;
    int retval;
    const char *user = "nobody";
    const char *s1 = NULL;
    if (argc > 2) {
        fprintf(stderr, "Usage: pamtest0 [username]\n");
        exit(1);
    }
    if (argc == 2)
        user = argv[1];
    else
        exit(1);
    printf("user: %s\n", user);
    retval = 0;
    /* load the "pamtest" configuration file (/etc/pam.d/pamtest) */
    retval = pam_start("pamtest", user, &conv, &pamh);
    if (retval == PAM_SUCCESS)
        /* perform auth type authentication */
        retval = pam_authenticate(pamh, 0);   /* is user really user? */
    else {
        /* the previous step failed: pam_strerror() turns the code into a message */
        printf("pam_authenticate(): %d\n", retval);
        s1 = pam_strerror(pamh, retval);
        printf("%s\n", s1);
    }
    if (retval == PAM_SUCCESS)
        /* perform account type checks */
        retval = pam_acct_mgmt(pamh, 0);      /* permitted access? */
    else {
        /* reached when pam_start() or pam_authenticate() failed */
        printf("pam_acct_mgmt(): %d\n", retval);
        s1 = pam_strerror(pamh, retval);
        printf("%s\n", s1);
    }
    /* This is where we have been authorized or not. */
    if (retval == PAM_SUCCESS) {
        fprintf(stdout, "Authenticated\n");
    } else {
        fprintf(stdout, "Not Authenticated\n");
    }
    if (pam_end(pamh, retval) != PAM_SUCCESS) {   /* close Linux-PAM */
        pamh = NULL;
        fprintf(stderr, "pamtest0: failed to release authenticator\n");
        exit(1);
    }
    return (retval == PAM_SUCCESS ? 0 : 1);   /* indicate success */
}
/* END */
2. Compile
$ cc -o pamtest pamtest.c -lpam -lpam_misc -ldl
3. Write the PAM configuration file
Execute as root: vi /etc/pam.d/pamtest
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
4. Modify the executable's permissions
Since pam_unix.so needs to read /etc/shadow and /etc/passwd, give the pamtest binary root ownership and the SUID bit (mode 4111, which produces the "s" shown in the listing below). Any bug in a root SUID binary runs with root privileges, so keep such a program minimal.
# chown root.root pamtest
# chmod 4111 pamtest
# ls -hl pamtest
-s--x--x 1 root root 12K 2007-07-16 01:52 pamtest
5. Execution
The pamtest program verifies the user's password and then the user's account information through pam_unix.so. Note that the line labelled pam_acct_mgmt(): 7 below is printed by the else branch that follows the pam_acct_mgmt call; the code 7 (PAM_AUTH_ERR) actually comes from pam_authenticate, as the "Authentication failure" message shows.
Execute as an ordinary user and enter a wrong password for maj:
maj@m2-u:01:52:09/var/tmp$ ./pamtest maj
user: maj
Password:
pam_acct_mgmt(): 7
Authentication failure
Not Authenticated
When the correct password is entered:
maj@m2-u:01:54:44/var/tmp$ ./pamtest maj
user: maj
Password:
Authenticated
When a wrong root password is entered:
maj@m2-u:01:58:37/var/tmp$ ./pamtest root
user: root
Password:
pam_acct_mgmt(): 7
Authentication failure
Not Authenticated
maj@m2-u:01:59:15/var/tmp$
When the correct root password is entered:
maj@m2-u:01:54:50/var/tmp$ ./pamtest root
user: root
Password:
Authenticated
maj@m2-u:01:58:37/var/tmp$