How to analyze PAM on a Linux system

Updated 2025-01-16. From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 report

This article walks through the key points of PAM on Linux systems and is intended as a reference.

I. A brief introduction to PAM

PAM (Pluggable Authentication Modules) is a pluggable authentication framework: an efficient, flexible and convenient user-level authentication mechanism, and the one commonly used on Linux servers.

How PAM authentication is deployed varies from one version of Linux to another.

It provides a central authentication mechanism for all services and applies to login, remote login (telnet, rlogin, fsh, ftp, Point-to-Point Protocol (PPP)), su and other applications.

The system administrator sets different authentication policies for different applications through the PAM configuration files; the application developer calls the authentication methods from the service program through the PAM API (pam_xxxx()); and the developer of a PAM service module writes the module against the PAM SPI (mainly by exporting pam_sm_xxxx() functions for the PAM interface library to call), which adds new authentication mechanisms to the system. The PAM interface library (libpam) reads the configuration files and connects the application to the corresponding PAM service modules.

The PAM framework structure is shown in the figure.

II. PAM authentication principle

PAM authentication generally follows this order: service → PAM (configuration file) → pam_*.so. PAM first determines which service is asking, then loads the corresponding PAM configuration file (under /etc/pam.d), and finally calls the authentication module (under /lib/security) to perform the authentication. The authentication flow is shown in the following figure:

When a user accesses the server, one of the server's service programs passes the user's request to the PAM modules for authentication. Different server applications use different PAM modules. To check whether a program supports PAM authentication, use the ldd command; for example, whether sshd supports PAM authentication is shown in the following figure:

III. Composition of PAM authentication

The composition of PAM authentication is fairly complex. Here we cover only the four common module types:

1. Authentication management

Accepts the user name and password, authenticates the user's password, and is responsible for setting some of the user's secret information.

2. Account management

Checks whether the account is allowed to log on to the system, whether the account has expired, whether logins for the account are restricted to certain times, and so on.

3. Password management

Mainly used to change the user's password.

4. Session management

Mainly provides session management and accounting.

IV. PAM control types (Control Values)

The control type, also called the control flag, determines how the result returned by a module of a given PAM type is handled. There are four control types:

1. required: verification continues even when this module fails, but Fail is returned in the end (the user will not know where it failed).

2. requisite: if verification fails, the whole verification process ends immediately and Fail is returned.

3. sufficient: if verification succeeds, success is returned immediately and processing does not continue; otherwise the result is ignored and processing continues.

4. optional: the verification result does not affect the outcome (usually used with the session type).

The result returned by the PAM validation type is as follows:

To make this easier to understand, here are two examples, as shown in the following figures:

From the two figures above, you can see that when a required module fails, processing continues but the final result is still a failure. When a requisite module fails, processing ends immediately. When a sufficient module succeeds, processing also ends immediately.
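The control-flag behaviour described above, as an added example (not code from the original article): a small Python model that parses a constructed /etc/pam.d-style service file and walks its auth stack under the four flags, reporting which modules were actually called. The file contents, the module outcomes and the helper names parse_stack and evaluate are assumptions made for illustration; the model also applies the pam.conf(5) rule that a sufficient success ends the stack with success only if no earlier required module has failed.

```python
# Constructed sample in /etc/pam.d service-file format (not from a real host).
SAMPLE_SERVICE = """\
auth     required    pam_env.so
auth     requisite   pam_nologin.so
auth     sufficient  pam_unix.so nullok   # nullok is a module argument
auth     required    pam_deny.so
account  required    pam_unix.so
session  optional    pam_lastlog.so
"""
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_stack(text, module_type):
    """Return [(control, module, args)] for one module type, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in FLAGS:
            raise ValueError(f"unsupported PAM line: {raw!r}")
        mtype, control, module, *args = fields
        if mtype == module_type:
            stack.append((control, module, args))
    return stack

def evaluate(stack, outcomes):
    """Simplified model of the four flags. outcomes maps module -> True/False.
    Returns (granted, modules_called)."""
    failed = False       # a required module has failed
    vouched = False      # at least one module has passed
    called = []
    for control, module, _args in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "requisite" and not ok:
            return False, called             # fail and stop immediately
        if control == "required" and not ok:
            failed = True                    # fail, but keep running the stack
        if control == "sufficient" and ok and not failed:
            return True, called              # succeed and stop immediately
        vouched = vouched or ok              # failed sufficient/optional: ignored
    return (vouched and not failed), called

if __name__ == "__main__":
    auth = parse_stack(SAMPLE_SERVICE, "auth")
    base = {"pam_env.so": True, "pam_nologin.so": True, "pam_deny.so": False}
    print(evaluate(auth, {**base, "pam_unix.so": True}))    # sufficient passes
    print(evaluate(auth, {**base, "pam_unix.so": False}))   # falls to pam_deny
```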
