
What is the PAM authentication mechanism of Linux system

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains what the PAM authentication mechanism of the Linux system is. The editor considers it very practical and shares it here for you to learn from; I hope you gain something from reading it. Without further ado, follow the editor and have a look.

PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. Through a set of dynamic link libraries and a unified API, it lets the system administrator choose how an application authenticates users without knowing the application's internal implementation details or recompiling its code.

I. PAM framework

The PAM framework consists of the following four parts:

PAM applications, also known as consumers

PAM library

PAM profile

PAM service module, also known as provider

The framework provides a unified way to implement authentication-related activities, so application developers can use PAM services without understanding the semantics of the policies. The algorithm is provided centrally and can be modified independently of each application. With PAM, administrators can adjust the authentication process to the needs of a particular system without changing any application; the adjustment is made through the PAM configuration file pam.conf.

II. Detailed explanation of the configuration of PAM

The PAM configuration can be written in two ways.

One is to write it in the /etc/pam.conf file, but on systems after CentOS 6 this file no longer exists. The other is to put the PAM configuration files in the /etc/pam.d/ directory. Their rules do not contain the service column (the service name), because the name of the file in /etc/pam.d is itself the service name, for example vsftpd, login, etc.; the leftmost service column is therefore missing. For example: /etc/pam.d/sshd

As the figure above shows, the configuration file is divided into four columns:

The first column represents the module type

The second column represents the control flag

The third column represents the module path

The fourth column represents the module parameters

1. PAM module type

Linux-PAM has four module types, each representing a different task: authentication management (auth), account management (account), session management (session) and password management (password). A type may have multiple lines, which PAM calls in sequence.

auth: identifies the user, for example by prompting for the password or by judging whether the user is root.

account: checks the attributes of the account, for example whether login is allowed, whether the maximum number of users has been reached, or whether root is allowed to log in at this terminal.

session: defines what is done before the user logs in and after the user logs out, for example logging connection information, opening and closing user data, mounting file systems, etc.

password: updates user information, for example changing the user's password.

2. PAM control flags

PAM uses the control flag to process and judge the return value of each module (only the simple control flags are described here).

required: even if this module fails to authenticate the user, PAM does not return an error to the application until all modules have been executed. This is done so the user does not learn which module rejected them. If the user passes, all modules return success.

requisite: similar to required, but if the module returns failure, PAM immediately returns failure to the application, indicating that this type has failed.

sufficient: if the user passes this module, the PAM framework immediately returns success (a failure of this module itself is ignored) and hands control back to the application. The remaining modules in the stack are not executed, even if they carry the requisite or required control flag. If the module fails, sufficient behaves the same as optional.

optional: even if the module on this line fails, the user is still allowed to use the service provided by the application; the module generally returns PAM_IGNORE (ignore).

3. Module path

The module path is the location of the module to be called. On a 64-bit system the modules are generally kept in /lib64/security, for example pam_unix.so.

The same module can appear under different types and performs different operations in each, because each module is compiled with a different entry function for each module type.

4. Module parameters

The module parameters are the arguments passed to the module. There can be several, separated by spaces, for example:

password required pam_unix.so nullok obscure min=4 max=8 md5
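To make the four-column format and the control-flag rules above concrete, here is an added example that is not part of the original article: a small parser for /etc/pam.d-style rules plus a simulator that combines per-module results the way the control flags prescribe. The sample sshd rules and the module outcomes are constructed for the demonstration, and the simulated semantics follow the Linux-PAM pam.d(5) manual: required remembers a failure but keeps running the stack, requisite fails at once, sufficient short-circuits to success only when no earlier required module has failed, and optional only decides when nothing else in the stack has.

```python
"""Parse /etc/pam.d-style rules and simulate how the control flags combine module results.

Added example, not code from the original article or from Linux-PAM itself.
"""
from dataclasses import dataclass, field

# Constructed sample of an /etc/pam.d/<service> file (file name = service, so no service column).
SAMPLE_PAM_D_SSHD = """
# module type   control    module path        module arguments
auth            required   pam_securetty.so
auth            requisite  pam_listfile.so    item=user sense=allow file=/etc/sshdusers onerr=fail
auth            sufficient pam_unix.so        nullok
auth            optional   pam_permit.so
password        required   pam_unix.so        nullok obscure min=4 max=8 md5
"""

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
MODULE_TYPES = {"auth", "account", "session", "password"}


@dataclass
class Rule:
    mtype: str              # column 1: auth / account / session / password
    control: str            # column 2: required / requisite / sufficient / optional
    module: str             # column 3: module path, e.g. pam_unix.so
    args: dict = field(default_factory=dict)  # column 4: key=value pairs; bare flags map to True


def parse_pam_d(text):
    """Turn the four-column rule format into Rule objects; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM rule: {raw!r}")
        mtype, control, module = parts[0].lower(), parts[1].lower(), parts[2]
        if mtype not in MODULE_TYPES:
            raise ValueError(f"unknown module type {mtype!r} in {raw!r}")
        if control not in CONTROL_FLAGS:
            raise ValueError(f"unsupported control flag {control!r} in {raw!r}")
        args = {}
        for token in parts[3:]:
            key, has_value, value = token.partition("=")
            args[key] = value if has_value else True
        rules.append(Rule(mtype, control, module, args))
    return rules


def evaluate_stack(rules, mtype, outcomes):
    """Walk the rules of one module type; outcomes maps module path -> True (success) / False.

    Returns True if PAM would report success to the application for this type.
    """
    impression = None  # None: nothing decided yet; True: success so far; False: a required failed
    for rule in (r for r in rules if r.mtype == mtype):
        ok = outcomes.get(rule.module, False)
        if rule.control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False      # remembered, but the rest of the stack still runs
        elif rule.control == "requisite":
            if not ok:
                return False            # stop immediately and report failure
            if impression is None:
                impression = True
        elif rule.control == "sufficient":
            if ok and impression is not False:
                return True             # short-circuit: success, later rules are skipped
            # a failing sufficient module is ignored, exactly like optional
        elif rule.control == "optional":
            if ok and impression is None:
                impression = True       # only decides when it is the sole voice in the stack
    return impression is True


if __name__ == "__main__":
    rules = parse_pam_d(SAMPLE_PAM_D_SSHD)
    for rule in rules:
        print(rule)
    everyone_ok = {r.module: True for r in rules}
    print("all modules succeed ->", evaluate_stack(rules, "auth", everyone_ok))
    print("pam_listfile rejects ->", evaluate_stack(rules, "auth", {**everyone_ok, "pam_listfile.so": False}))
```

Running the module shows why the flag order matters: with every module succeeding, pam_unix.so (sufficient) ends the auth stack with success before pam_permit.so is reached, while a failing pam_securetty.so (required) is remembered and blocks that short-circuit even though pam_unix.so still succeeds.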

III. Introduction of commonly used PAM modules

Commonly used PAM modules, the management types they serve, and what they do:

Module             Management type                   Description
pam_unix.so        auth                              Prompts the user for the password and compares it with /etc/shadow; returns 0 on a match.
pam_unix.so        account                           Checks the user's account information (including whether it has expired); returns 0 when the account is usable.
pam_unix.so        password                          Changes the user's password: updates the shadow file with the password the user entered as the new password.
pam_shells.so      auth, account                     A user may log in only if their shell is listed in /etc/shells.
pam_deny.so        auth, account, password, session  Can be used to deny access.
pam_permit.so      auth, account, password, session  Returns success at any time.
pam_securetty.so   auth                              If the user logs in as root, the login tty must be listed in /etc/securetty.
pam_listfile.so    auth, account, password, session  Access control switch for applications.
pam_cracklib.so    password                          Inserted into a program's password stack to check password strength.
pam_limits.so      session                           Defines upper limits on system resource use; root is also subject to these limits. Configured through /etc/security/limits.conf or /etc/security/limits.d/*.conf.

1. pam_securetty.so

Restrict root from logging in on tty1, tty2 and tty5 (this has no practical point; it just demonstrates the use of pam_securetty).

Add the following line to /etc/pam.d/login:

auth required pam_securetty.so

Comment out tty1, tty2 and tty5 in /etc/securetty.

Then log in again as root, and the result shown in the figure appears.

In fact, this is not limited to root: other users can be restricted the same way. Applying this method once the system installation is complete enhances security.

2. pam_listfile.so

Only the user essun may log in remotely through ssh.

Add a line to the /etc/pam.d/sshd file:

auth required pam_listfile.so item=user sense=allow file=/etc/sshdusers onerr=succeed

Add two users, essun and tom.

Edit the file named by file= and add the user essun created above:

# echo "essun" > /etc/sshdusers

Log in with the user tom.

You are prompted for the password; when you enter the correct password, the prompt is the same as when a wrong password is entered. When logging in as essun, there is no refusal prompt.

Note: if root also connects remotely through ssh here, it is likewise restricted by pam_listfile.so.
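As an added example (not code from the original article or from Linux-PAM), the following models the decision pam_listfile.so makes for a single user with the article's sshd rule: the rule arguments and the contents of /etc/sshdusers are constructed copies of what the steps above create, and only item=user is modelled. It also shows what the onerr= argument does when the list file cannot be read: onerr=succeed lets every user through in that case, so for an allow-list like this one onerr=fail is the safer setting.

```python
"""Model the decision pam_listfile.so makes for one user, including the onerr setting.

Added example, not code from the original article or from Linux-PAM.
"""

# The rule arguments from the article's /etc/pam.d/sshd line (constructed copy).
ARTICLE_ARGS = "item=user sense=allow file=/etc/sshdusers onerr=succeed"
# Constructed contents of /etc/sshdusers after: echo "essun" > /etc/sshdusers
SSHDUSERS_FILE = ["essun"]


def parse_module_args(arg_string):
    """Split 'key=value key=value ...' into a dict."""
    args = {}
    for token in arg_string.split():
        key, _, value = token.partition("=")
        args[key] = value
    return args


def listfile_decision(arg_string, user, file_lines):
    """Return 'allow' or 'deny' for user.

    file_lines is the list of names read from the file= target, or None when the file
    cannot be read (missing, unreadable); that is the case onerr= governs.
    """
    args = parse_module_args(arg_string)
    if args.get("item") != "user":
        raise NotImplementedError("only item=user is modelled in this example")
    sense = args.get("sense")
    if sense not in ("allow", "deny"):
        raise ValueError("sense must be allow or deny")
    onerr = args.get("onerr", "fail")   # this example fails closed when onerr is not given

    if file_lines is None:
        # The list could not be consulted. onerr=succeed lets everyone through,
        # which is why onerr=fail is the safer choice for an allow-list.
        return "allow" if onerr == "succeed" else "deny"

    listed = user in {line.strip() for line in file_lines if line.strip()}
    if sense == "allow":
        return "allow" if listed else "deny"
    return "deny" if listed else "allow"


def audit_onerr(arg_string):
    """Flag an allow-list rule that fails open when its list file is unavailable."""
    args = parse_module_args(arg_string)
    return args.get("sense") == "allow" and args.get("onerr") == "succeed"


if __name__ == "__main__":
    for user in ("essun", "tom", "root"):
        print(user, "->", listfile_decision(ARTICLE_ARGS, user, SSHDUSERS_FILE))
    print("file missing, onerr=succeed ->", listfile_decision(ARTICLE_ARGS, "tom", None))
    print("rule fails open:", audit_onerr(ARTICLE_ARGS))
```

With the file present, essun is allowed and tom and root are denied, matching the behaviour described above. The audit_onerr check is the kind of line a configuration review would add: if /etc/sshdusers is ever deleted or becomes unreadable, the rule as written stops restricting anyone.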

In fact, the methods and routines for using PAM modules are all similar.

To learn more about the use of a PAM module, consult that module's man page.

Warm reminder:

If an error occurs, Linux-PAM may change the security of the system. It depends on your own choice: you can choose to be insecure (an open system) or absolutely secure (deny any access). In general, when an error occurs Linux-PAM tends toward the latter, so any configuration error may make the whole or part of the system inaccessible.

The biggest problem you may encounter when configuring Linux-PAM is that the configuration files /etc/pam.d/* have been deleted. If this happens, your system will be locked.

There are ways to recover: the best is to restore the system from a backup image, or to log in in single-user mode.

The above is what the PAM authentication mechanism of the Linux system is. The editor believes there are some knowledge points here that we may see or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
