Shulou(Shulou.com)06/01 Report--

Brief introduction of PAM Module Authentication

Pam pluggable authentication module

The interface file is in the / etc/pam.d/ directory

Under the called module file / lib/security directory

Under the module's configuration file / etc/security/ directory

Log information is stored in / var/log/secrue

Many users in the network need to remotely manage our server, log in to FTP, and so on, and the server needs to authenticate the users.

The module authentication is carried out by calling the interface file corresponding to the service by PAM.

PAM service file

Format:

Tyep control module

Type has these categories.

Auth verifies whether there is this account.

Whether the account account expires

When password changes the password, it verifies whether the password is in the dictionary or not.

Session call back control

Control:

Required must pass the

If it doesn't pass, completely negate it, and it depends on the follow-up module.

If passed, it depends on the follow-up module.

Requisite must pass the

If it doesn't pass, deny it completely, and don't look at the follow-up module.

If passed, it depends on the follow-up module.

If sufficient does not pass, do not deny it, and look at the follow-up module.

As long as one is approved.

Optional

Include (interface file that is called together, containing many modules)

Commonly used PAM modules

Pam_access.so controls visitor address and account name

Pam_lisffile.so controls the account name or login location of the visitor

Resources allocated by pam_limits.so control bit users

Pam_rootok.so allows administrators to pass unconditionally

Pam_userdb.so sets database authentication for independent user accounts

Wait

Here are a few small examples to illustrate

1. Ordinary users are not allowed to log in to the server

The interface file / etc/pam.d/login for opening sshd is as follows. The pam_nologin.so module is called and must be verified.

Check the documentation on the pam_nologin.so module and know that it is OK to create a new nologin file in the / etc/ directory

Touch / etc/nologin

Try logging in via ssh with user1, but you can't log in, as follows:

(because the module is also called in the login file, all users on the local computer cannot log in.)

2. Limit user user1 to pam_access.so from the SSH login module on 192.168.101.3

Vim / etc/pam.d/sshd-- Editing the ssh interface file sshd is as follows

There is a configuration file access.conf corresponding to the pam_access.so module.

Vim / etc/security/access.conf add the following line

+: user1: 192.168.101.3

-: user1: all indicates that ip login from other places is not allowed

Where "+" means authorized "user1" authorized user "192.168.101.3" indicates source

Login from 192.168.101.3, authorization successful

The log is as follows:

Pam_access (sshd:session): access denied for user `user1' from `192.168.101.103'

Log in from another ip and reject

PAM: pam_open_session (): Permission denied

If only user1 can log in from 192.168.101.180

Change "-: user1: all" to "-: all: all"

3. Limit the login times of the local terminal of user1 account to 2 times of module pam_limits.so.

Vim / etc/security/limits.conf add the following sentence

User1-maxlogins 2

"-" means that both hard and soft are the same (as for syntax format, there are instructions in the configuration file)

Vim / etc/pam.d/login-- Edit the login API file and add the following:

Session required pam_limits.so

Log in with user1 three times, and the third time is rejected as follows:

4. Among my users, all users in the test group can ssh, and users who are not groups cannot SSH module pam_listfile.so (based on additional files).

Vim / etc/pam.d/sshd is added as follows:

Session required pam_listfile.so item=group sense=allow file=/etc/grouptest onerr=succeed

-- the extra file is / etc/grouptest. If there is no such file, there is no limit.

Create a new file and add a test group

Echo "test" > / etc/grouptest

User1 can log in in test group, but user2 is not available and cannot log in.

5. Only root is allowed to log in from a secure terminal, that is, pam_securetty.so from the tty1 login module is not allowed.

Vim / etc/securetty

Delete tty1

The module has been called by the default Login interface file

When root logs in from terminal 1, the following

6. Bash shell login module pam_shells.so is not allowed locally.

By default, anything listed in / etc/shells can.

[root@localhost pam.d] # vim / etc/shells

/ bin/sh

/ bin/bash

/ sbin/nologin

/ bin/tcsh

/ bin/csh

/ bin/ksh

Delete the / bin/bash above

Vim / etc/pam.d/login edit the login file to call the module as follows

Session required pam_shells.so

There seems to be a slight problem with this verification!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.