
/etc/pam.d and /etc/security

2025-01-30 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02

PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. By providing a set of dynamic link libraries and a unified API, it separates the services a system provides from the way those services authenticate users, so that the system administrator can flexibly configure different authentication methods for different services as needed without changing the service programs. It also makes it easy to add new authentication methods to the system. PAM was originally integrated into Solaris, but it has since been ported to other systems, such as Linux, SunOS, HP-UX 9.0, etc.

The files under /etc/pam.d hold the PAM module configuration for individual commands; look there to find out, for example, which PAM modules a program uses.

For example:

/etc/pam.d/login

/etc/pam.d/sshd

/etc/pam.d/vsftpd

The files under /etc/security hold the configuration specific to each PAM module; for example, the configuration file of pam_limits.so is /etc/security/limits.conf.

Other PAM modules:

pam_unix.so (auth): authenticates the user and password

pam_unix.so (account): checks whether the user account has expired

pam_rootok.so: determines whether the current user is root

pam_nologin.so: denies login to non-root users

pam_access.so: restricts user access to terminals

pam_time.so: denies access to a service for a certain period of time

Usage:

1) Restrict user access to a terminal

vim /etc/pam.d/login

Add: auth required pam_access.so

vim /etc/security/access.conf

Add: -:wjx:tty3

2) Reject someone's SSH connections to you

vim /etc/pam.d/sshd

Add: auth required pam_access.so

vim /etc/security/access.conf

Add: -:ALL:192.168.119.120

In the first field, - means reject and + means allow.

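3) Deny access to a service for a certain period of time

vim /etc/pam.d/login

Add to the account section: account required pam_time.so

vim /etc/security/time.conf

Add: login;tty5;wjx;Mo1000-2300

pam_time treats the times field as the window in which access is allowed, so this rule lets wjx log in on tty5 only on Mondays between 10:00 and 23:00; prefix the time with ! to deny that window instead.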

4) The echo module

vim /etc/pam.d/login

Add: auth required pam_echo.so file=/usr/hello.txt

touch /usr/hello.txt

vim /usr/hello.txt

Hello world!

5) If a user fails to log in more than 3 times, the user is denied login for 20 seconds.

vim /etc/pam.d/login

Add: auth required pam_tally.so deny=3 unlock_time=20

pam_tally belongs to older Linux-PAM releases; current releases provide pam_faillock for this purpose.

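6) How to require that the password set by the user contains 5 digits and 3 special symbols? Modify /etc/pam.d/system-auth and append dcredit=-5 ocredit=-3 to the end of the password line that uses pam_cracklib.so:

password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-5 ocredit=-3

The values must be negative: a negative credit sets the minimum number of characters of that class, while a positive value such as dcredit=5 only grants credit toward the minimum length and does not require any digits.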

7) How to limit student to at most 4 simultaneous logins? This requires the pam_limits.so module. Because /etc/pam.d/system-auth already calls pam_limits.so by default, and pam_limits.so limits how many system resources users can use, just add the following to /etc/security/limits.conf (RHEL5 has it at the end of the file, but commented out):

student hard maxlogins 4

8) How to lock out a user who fails to log in more than 3 times in a row? Modify /etc/pam.d/system-auth:

auth required pam_deny.so

account required pam_tally.so deny=3 # deny login after three failures

account required pam_unix.so
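
Items 1) and 2) depend on how pam_access reads access.conf: rules are checked from top to bottom, the first rule that matches decides, and a login that matches no rule is allowed. The script below is an added example, not part of the original article; it is a simplified model (literal names and ALL only) for checking a draft rule set before installing it, and its function names and the ORDERED_RULES variant are constructed for illustration.

```sh
#!/bin/sh
# Added example: simplified model of pam_access rule evaluation.
# Only literal names and the ALL keyword are handled; EXCEPT, @groups,
# LOCAL, netmasks and hostname lookups are not modelled.

# trim STRING: strip leading and trailing whitespace.
trim() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# list_has LIST ITEM: succeed if the space-separated LIST holds ITEM or ALL.
list_has() {
    for tok in $1; do
        if [ "$tok" = "ALL" ] || [ "$tok" = "$2" ]; then return 0; fi
    done
    return 1
}

# access_decision USER ORIGIN RULES: print "allow" or "deny".
# The first rule whose users and origins fields both match decides;
# when no rule matches, access is allowed.
access_decision() {
    while IFS= read -r line; do
        line=$(trim "$line")
        case $line in ''|'#'*) continue ;; esac      # blank or comment line
        perm=$(trim "${line%%:*}"); rest=${line#*:}
        users=$(trim "${rest%%:*}"); origins=$(trim "${rest#*:}")
        if list_has "$users" "$1" && list_has "$origins" "$2"; then
            if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
            return 0
        fi
    done <<EOF
$3
EOF
    echo allow
}

# The two rules from items 1) and 2) of this page.
PAGE_RULES='-:wjx:tty3
-:ALL:192.168.119.120'

# Constructed variant: an earlier "+" rule for root shadows the later deny.
ORDERED_RULES='+:root:ALL
-:ALL:192.168.119.120'

for probe in "wjx tty3" "wjx tty4" "root 192.168.119.120"; do
    set -- $probe
    printf '%-5s %-16s %s\n' "$1" "$2" "$(access_decision "$1" "$2" "$PAGE_RULES")"
done
```

Because an unmatched login is allowed, a rule set made only of - lines blocks exactly what it lists and nothing else; a closing -:ALL:ALL line is what turns it into an allow-list.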
