2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article analyzes the PAM service modules on Linux and how to use them for authentication. The content is detailed and easy to follow; readers interested in the topic can work through it step by step.
PAM is mainly a set of shared library files (that is, files with the suffix .so) and a set of configuration files for system service authorization.
I. Commonly used PAM service modules
The following is a partial list of the PAM modules provided by Linux. Each entry gives the module, a description of its function, and the related configuration or data files, where there are any:
pam_access: provides logdaemon-style login control. Related files: /etc/security/access.conf
pam_chroot: provides functionality similar to the chroot command.
pam_cracklib: checks the strength of a password to some extent. Related files: the libcrack library and the dictionary file /usr/lib/cracklib_dict
pam_deny: always fails authentication unconditionally.
pam_env: sets or unsets environment variables. Related files: /etc/security/pam_env.conf
pam_filter: filters input and output streams. Related files: filters
pam_ftp: authenticates anonymous ftp users.
pam_group: gives the user the corresponding group permissions when the user requests a specified service on a specified terminal. Related files: /etc/security/group.conf
pam_issue: displays the contents of the /etc/issue file before prompting the user for a user name. Related files: /etc/issue
pam_krb4: Kerberos authentication of user passwords. Related files: the corresponding Kerberos library files
pam_lastlog: displays the information about the user's last login after the user has successfully logged in, and maintains the /var/log/lastlog file. Related files: /var/log/lastlog
pam_limits: limits the system resources that a user session can use. Related files: /etc/security/limits.conf
pam_listfile: decides, based on a specified file, whether to allow or prohibit the provision of services. Related files: for example, /etc/ftpusers
pam_mail: checks whether there is any new mail in the user's mailbox. Related files: /var/spool/mail/xxxx
pam_mkhomedir: creates a home directory for the user. Related files: /etc/skel/
pam_motd: displays the contents of the /etc/motd file. Related files: /etc/motd
pam_nologin: determines whether user authentication succeeds based on the existence of the /etc/nologin file. Related files: /etc/nologin
pam_permit: always makes authentication succeed unconditionally.
pam_pwdb: serves as an alternative to the pam_unix_xxxx modules and uses the Password Database universal interface for authentication. Related files: /etc/pwdb.conf
pam_radius: provides authentication for the Remote Authentication Dial-In User Service (RADIUS).
pam_rhosts_auth: authenticates the user using the files ~/.rhosts and /etc/hosts.equiv. Related files: ~/.rhosts and /etc/hosts.equiv
pam_rootok: checks whether the user is the superuser; if so (uid=0), the user is authenticated unconditionally.
pam_securetty: provides the standard Unix securetty check. Related files: /etc/securetty
pam_time: provides time-based controls, such as restricting users to logging in only within a certain period of time. Related files: /etc/security/time.conf
pam_unix: provides standard Unix authentication. Related files: /etc/passwd and /etc/shadow
pam_userdb: uses a Berkeley DB database to check the user and password.
pam_warn: uses syslog() to record a warning message.
pam_wheel: only allows users in the wheel group to obtain superuser access.
II. Application of PAM authentication
1. Case 1 (pam_access.so)
The existing account user1 is only allowed to log in over ssh from 192.168.2.1.
(1) Install pam
[root@huangzhong ~]# mount /dev/cdrom /media/cdrom/
[root@huangzhong ~]# cd /media/cdrom/Packages/
[root@huangzhong Packages]# ll | grep pam    # filter packages related to pam
[root@huangzhong Packages]# yum install pam-1.1.1-13.el6.x86_64.rpm
(2) Because ssh logins are being restricted, the sshd service's PAM configuration is used here, so edit the sshd file in /etc/pam.d/
[root@huangzhong ~]# cd /etc/pam.d/
[root@huangzhong pam.d]# vim sshd
(3) Edit the configuration file of the pam_access.so module
[root@huangzhong pam.d]# vim /etc/security/access.conf
(4) Test and verify
// Create the user1 user
[root@huangzhong ~]# useradd user1
[root@huangzhong ~]# passwd user1
Changing password for user user1.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
// The results of the local ssh login test are as follows:
// Log in over ssh from 192.168.2.1; the results are as follows:
You can also check the login results in the log. The log to look at is:
[root@huangzhong]# tail -f /var/log/secure
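The article's edits to /etc/pam.d/sshd and /etc/security/access.conf are not shown, so the following is an added example rather than the author's configuration. It assumes the sshd PAM file loads pam_access.so (for example `account required pam_access.so`) and uses a hypothetical helper, `access_check`, to model how an assumed access.conf rule for Case 1 is evaluated: the first matching rule decides, and a login that matches no rule is allowed.

```shell
#!/bin/sh
# Simplified model of pam_access rule matching. Handles "perm : users : origins",
# the ALL keyword, space-separated lists and a single EXCEPT per field.
# Not modelled: groups, netgroups, netmasks, LOCAL, IPv6 origins, nested EXCEPT.

ACCESS_CONF=$(mktemp)
# Constructed rule for Case 1 (an assumption; the article's own file is not shown)
cat > "$ACCESS_CONF" <<'EOF'
# permission : users : origins
- : user1 : ALL EXCEPT 192.168.2.1
EOF

# access_check USER ORIGIN [FILE] prints "allow" or "deny"
access_check() {
    awk -v user="$1" -v origin="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # in_list: is val, or the keyword ALL, one of the space-separated tokens?
    function in_list(val, list,    n, i, t) {
        n = split(list, t, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (t[i] == "ALL" || t[i] == val) return 1
        return 0
    }
    # field_match: "A EXCEPT B" matches when val is in A and not in B
    function field_match(val, field,    p) {
        p = index(field, " EXCEPT ")
        if (p == 0) return in_list(val, field)
        return in_list(val, substr(field, 1, p - 1)) && !in_list(val, substr(field, p + 8))
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        if (split($0, f, ":") != 3) next # malformed line: ignored in this model
        if (field_match(user, trim(f[2])) && field_match(origin, trim(f[3]))) {
            verdict = (trim(f[1]) == "+") ? "allow" : "deny"
            print verdict
            found = 1
            exit                         # the first matching rule decides
        }
    }
    END { if (!found) print "allow" }    # no rule matched: access is granted
    ' "${3:-$ACCESS_CONF}"
}

access_check user1 192.168.2.1     # allow
access_check user1 192.168.2.50    # deny
access_check user2 192.168.2.50    # allow
```

The third call shows that this rule restricts only user1; every other account can still log in from any address unless further rules are added.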
2. Case 2 (pam_listfile.so)
Only users in the manager group are allowed to administer the Linux server, and administration is done over ssh.
(1) Because ssh logins are being restricted, the sshd service's PAM configuration is used here, so edit the sshd file in /etc/pam.d/
[root@huangzhong ~]# cd /etc/pam.d/
[root@huangzhong pam.d]# vim sshd
(2) Create the manager group and add some users to it
[root@huangzhong pam.d]# vim /etc/manager
// Create the users user2 and user3, and set their passwords
(3) Login test
Login test using user1
The login test results using user2 and user3 are as follows:
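An added check for the Case 2 setup, not part of the original article: the hypothetical `listfile_lint` function reads a PAM service file and, for each pam_listfile.so line, flags a list file that is missing or world-writable and an `onerr=succeed` setting. The pam_listfile.so line in the demo is an assumed example of what the sshd edit might contain, since the article does not show it.

```shell
#!/bin/sh
# listfile_lint PAM_SERVICE_FILE
# Prints one finding per pam_listfile.so problem; returns 1 if anything was found.
listfile_lint() {
    rc=0
    set -f                                   # keep [..] in PAM lines from globbing
    while read -r line; do
        case $line in *pam_listfile.so*) ;; *) continue ;; esac
        case $line in \#*) continue ;; esac  # commented-out entry
        file='' onerr=''
        for arg in $line; do
            case $arg in
                file=*)  file=${arg#file=} ;;
                onerr=*) onerr=${arg#onerr=} ;;
            esac
        done
        if [ ! -f "$file" ]; then
            echo "MISSING $file: absent or not a regular file"; rc=1
        elif [ -n "$(find "$file" -perm -0002)" ]; then
            echo "WORLD-WRITABLE $file: any local user can edit the list"; rc=1
        fi
        if [ "$onerr" = succeed ]; then
            echo "FAIL-OPEN $file: onerr=succeed passes users when the file is unusable"; rc=1
        fi
    done < "$1"
    set +f
    return "$rc"
}

# Constructed demo in a scratch directory; /etc is not touched.
demo=$(mktemp -d)
printf 'user2\nuser3\n' > "$demo/manager"
chmod 666 "$demo/manager"                    # deliberately weak
cat > "$demo/sshd.weak" <<EOF
auth required pam_listfile.so item=user sense=allow file=$demo/manager onerr=succeed
EOF
listfile_lint "$demo/sshd.weak" || true      # reports WORLD-WRITABLE and FAIL-OPEN

chmod 600 "$demo/manager"                    # corrected
sed 's/onerr=succeed/onerr=fail/' "$demo/sshd.weak" > "$demo/sshd"
listfile_lint "$demo/sshd" && echo "no findings"
```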
3. Case 3 (pam_limits.so)
Limit user1 to 2 simultaneous ssh logins.
(1) Because ssh logins are being restricted, the sshd service's PAM configuration is used here, so edit the sshd file in /etc/pam.d/
[root@huangzhong ~]# cd /etc/pam.d/
[root@huangzhong pam.d]# vim sshd
(2) Edit the /etc/security/limits.conf file
[root@huangzhong pam.d]# vim /etc/security/limits.conf
(3) Login test
Log in as user1 3 times; the test results are as follows:
View the log information as follows:
[root@huangzhong pam.d]# tail -f /var/log/secure
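To complement the `tail -f /var/log/secure` steps in Cases 1 and 3, this added example (not from the original article) summarises refusals by pam_access, pam_listfile and pam_limits per user. The log lines are constructed, their wording is an assumption about what Linux-PAM writes, and `pam_denials` is a hypothetical helper.

```shell
#!/bin/sh
# Constructed /var/log/secure excerpt. Message wording is assumed from Linux-PAM's
# pam_access, pam_listfile and pam_limits; compare with your own log before relying on it.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 22 10:01:02 huangzhong sshd[2101]: pam_access(sshd:account): access denied for user `user1' from `192.168.2.50'
Jan 22 10:03:17 huangzhong sshd[2140]: Accepted password for user1 from 192.168.2.1 port 50122 ssh2
Jan 22 10:05:40 huangzhong sshd[2188]: pam_listfile(sshd:auth): Refused user user1 for service sshd
Jan 22 10:09:13 huangzhong sshd[2240]: pam_limits(sshd:session): Too many logins (max 2) for user1
Jan 22 10:09:30 huangzhong sshd[2262]: pam_limits(sshd:session): Too many logins (max 2) for user1
EOF

# pam_denials [FILE] prints "count module user" for each refusal by the three modules
pam_denials() {
    awk '
    match($0, /pam_(access|listfile|limits)\([^)]*\): /) {
        mod = substr($0, RSTART, RLENGTH); sub(/\(.*/, "", mod)
        n = split(substr($0, RSTART + RLENGTH), w, " ")
        user = ""
        if (mod == "pam_access" && (w[1] " " w[2]) == "access denied") user = w[5]
        else if (mod == "pam_listfile" && w[1] == "Refused")           user = w[3]
        else if (mod == "pam_limits" && (w[1] " " w[2]) == "Too many") user = w[n]
        if (user == "") next                 # some other message from the module
        gsub(/[^A-Za-z0-9_.-]/, "", user)    # drop the quote marks around the name
        count[mod " " user]++
    }
    END { for (k in count) print count[k], k }
    ' "${1:-$SAMPLE_LOG}" | sort -k2
}

pam_denials
```

Run it against the real log with `pam_denials /var/log/secure`; repeated pam_limits refusals for one account correspond to the third login attempt in Case 3.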
That concludes this look at the Linux PAM service modules and how to use them for authentication. I hope the content above helps you improve.