2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
A brief introduction to PAM module authentication
PAM: Pluggable Authentication Modules
The service (interface) files live in the /etc/pam.d/ directory
The module files they call live in the /lib/security directory
The modules' configuration files live in the /etc/security/ directory
Log messages are written to /var/log/secure
Many users on the network need to manage our server remotely, log in to FTP, and so on, and the server has to authenticate those users.
PAM carries out this authentication by calling the interface file that corresponds to the service.
PAM service file
Format:
type control module
Type has these categories:
auth verifies the identity of the account (whether this account exists).
account checks whether the account has expired.
password handles password changes, for example checking whether the new password appears in a dictionary.
session handles what is done when a session is opened and closed.
Control:
required must pass.
If it does not pass, the final result is denial, but the follow-up modules are still consulted.
If it passes, the result depends on the follow-up modules.
requisite must pass.
If it does not pass, deny immediately without looking at the follow-up modules.
If it passes, the result depends on the follow-up modules.
sufficient: if it does not pass, do not deny; look at the follow-up modules.
If it passes, that alone is enough for approval.
optional: whether it passes or not does not by itself decide the result.
include: pulls in another interface file (which itself contains many modules).
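To make the four control flags concrete, here is a small simulator of how Linux-PAM walks one stack (one type, such as auth) under required, requisite, sufficient and optional. It is an added example for this article, not code from Linux-PAM; the module verdicts are constructed inputs rather than real module calls, and pam_unix.so (the password check) is assumed because the article does not name it.

```python
"""Walk one PAM module stack (a single type such as auth) the way Linux-PAM
does under the control flags required, requisite, sufficient and optional.
Added example for this article; verdicts are constructed, not real module calls."""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

def evaluate_stack(stack, verdicts):
    """stack: list of (control, module); verdicts: {module: True means pass}.
    Returns (final_result, modules_actually_consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = verdicts[module]
        consulted.append(module)
        if control == REQUIRED and not ok:
            required_failed = True         # final answer is "deny", but keep going
        elif control == REQUISITE and not ok:
            return False, consulted        # deny at once; later modules never run
        elif control == SUFFICIENT and ok and not required_failed:
            return True, consulted         # enough on its own; skip the rest
        # a failed sufficient module and optional verdicts change nothing here
    if all(control == OPTIONAL for control, _ in stack):
        return all(verdicts[m] for _, m in stack), consulted   # optional counts only when alone
    return not required_failed, consulted

# Constructed stacks modelled on the article's login and su examples (pam_unix.so assumed).
LOGIN_AUTH = [
    (REQUISITE, "pam_securetty.so"),   # root on a tty missing from /etc/securetty: stop here
    (REQUIRED, "pam_nologin.so"),      # /etc/nologin exists: deny ordinary users
    (REQUIRED, "pam_unix.so"),         # password check
]
SU_AUTH = [
    (SUFFICIENT, "pam_rootok.so"),     # root passes unconditionally
    (REQUIRED, "pam_unix.so"),
]

def user1_while_nologin_exists():      # required fails, yet pam_unix.so is still consulted
    v = {"pam_securetty.so": True, "pam_nologin.so": False, "pam_unix.so": True}
    return evaluate_stack(LOGIN_AUTH, v)

def root_on_tty_removed_from_securetty():   # requisite fails: nothing after it runs
    v = {"pam_securetty.so": False, "pam_nologin.so": True, "pam_unix.so": True}
    return evaluate_stack(LOGIN_AUTH, v)

def su_as_root():                      # sufficient passes: the password module is skipped
    return evaluate_stack(SU_AUTH, {"pam_rootok.so": True, "pam_unix.so": True})

def su_as_user1():                     # sufficient fails: ignored, pam_unix.so decides
    return evaluate_stack(SU_AUTH, {"pam_rootok.so": False, "pam_unix.so": True})
```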
Commonly used PAM modules
pam_access.so controls access by the visitor's address and account name
pam_listfile.so controls access by the visitor's account name or login location, using a list file
pam_limits.so controls the resources allocated to users
pam_rootok.so lets the administrator (root) pass unconditionally
pam_userdb.so authenticates against a separate user database
and so on.
Here are a few small examples to illustrate.
1. Ordinary users are not allowed to log in to the server (module pam_nologin.so)
Open the interface file /etc/pam.d/login for sshd; it calls the pam_nologin.so module with the control required, so the check must pass.
The documentation for pam_nologin.so says it is enough to create a new nologin file in the /etc/ directory:
touch /etc/nologin
Now trying to log in via ssh as user1 fails.
(Because the module is also called in the login file, all users on the local machine are unable to log in as well.)
2. Restrict user1 to logging in over SSH only from 192.168.101.3 (module pam_access.so)
vim /etc/pam.d/sshd -- edit the ssh interface file sshd so that it calls pam_access.so
The pam_access.so module has a corresponding configuration file, access.conf.
vim /etc/security/access.conf and add the following lines:
+ : user1 : 192.168.101.3
- : user1 : all   (this line means that logins from any other IP are not allowed)
Here "+" means authorized, "user1" is the authorized user and "192.168.101.3" is the source.
Logging in from 192.168.101.3 succeeds.
Logging in from another IP is rejected, and the log shows:
pam_access(sshd:session): access denied for user `user1' from `192.168.101.103'
PAM: pam_open_session(): Permission denied
If only user1 should be able to log in, and only from 192.168.101.180,
change "- : user1 : all" to "- : all : all".
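The two access.conf variants above differ only in their last line, and the difference is easiest to see by evaluating the rules the way pam_access.so does: the first matching line decides, and a user that no line matches is let through. This is an added example for this article, not the module's own code; it covers only the fields the article uses (user names, IPv4 addresses and the keyword ALL, compared case-insensitively as pam_access does), not groups, EXCEPT lists or netmasks.

```python
"""Evaluate /etc/security/access.conf lines with pam_access.so's rule order:
first matching line wins; no match means access is granted.
Added example for this article, covering only user names, IPv4 origins and ALL."""

def parse_access_conf(text):
    """Return a list of (allow, user_tokens, origin_tokens) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("bad access.conf line: %r" % raw)
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules

def _matches(tokens, value):
    # pam_access compares tokens with strcasecmp, so ALL/all and names are case-insensitive
    return any(t.upper() == "ALL" or t.lower() == value.lower() for t in tokens)

def access_allowed(rules, user, origin):
    """origin is the remote host as sshd reports it to PAM (the rhost item)."""
    for allow, users, origins in rules:
        if _matches(users, user) and _matches(origins, origin):
            return allow                           # first matching line wins
    return True                                    # nothing matched: access granted

# Constructed file contents for the two variants described in the article.
RESTRICT_USER1 = """
+ : user1 : 192.168.101.3
- : user1 : all
"""
ONLY_USER1_FROM_ONE_HOST = """
+ : user1 : 192.168.101.3
- : all : all
"""

def check(conf, user, origin):
    """Parse conf and decide whether user may log in from origin."""
    return access_allowed(parse_access_conf(conf), user, origin)
```

With RESTRICT_USER1 a second user such as user2 is still allowed from anywhere, because no line mentions it; with ONLY_USER1_FROM_ONE_HOST the final "- : all : all" line denies everyone else.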
3. Limit the user1 account to 2 simultaneous logins on the local terminals (module pam_limits.so)
vim /etc/security/limits.conf and add the following line:
user1 - maxlogins 2
"-" means that the hard and soft limits are the same (the syntax is explained in the configuration file itself)
vim /etc/pam.d/login -- edit the login interface file and add the following:
session required pam_limits.so
Log in as user1 three times; the third login is rejected.
4. Among my users, everyone in the test group may use SSH and users outside the group may not (module pam_listfile.so, which works from an extra file)
vim /etc/pam.d/sshd and add the following:
session required pam_listfile.so item=group sense=allow file=/etc/grouptest onerr=succeed
-- the extra file is /etc/grouptest; if the file does not exist, no restriction is applied (onerr=succeed).
Create the file and put the test group in it:
echo "test" > /etc/grouptest
user1, who is in the test group, can log in; user2, who is not, cannot.
5. root may only log in from a secure terminal; here root is not allowed to log in from tty1 (module pam_securetty.so)
vim /etc/securetty
Delete tty1
The module is already called by the default login interface file.
When root now tries to log in from tty1, the login is refused.
6. Do not allow local logins whose login shell is bash (module pam_shells.so)
By default, any shell listed in /etc/shells is permitted.
[root@localhost pam.d]# vim /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
Delete the /bin/bash line above.
vim /etc/pam.d/login -- edit the login file so that it calls the module as follows:
session required pam_shells.so
There seems to be a slight problem with this verification!