Linux-PAM认证模块
源贴:
用户访问服务器的时候,服务器的某一个服务程序把用户的谁请求发送到PAM模块进行认证。对于不同的服务器应用程序所对应的PAM模块也是不同的。如果想查看某个程序是否支持PAM认证,可以用ldd命令进行检查:
例如:查看sshd是不是支持PAM模块认证:
由于在程序模块里链接了libpam.so.0 =< /lib/libpam.so.0 ,说明此程序可以进行PAM认证。
当一个服务器请求PAM模块的时候,PAM本身是不提供服务验证的,它是调用其它的一群模块来进行服务器请求验证,这样的文件全放在了/lib/security中。具体到哪一个服务使用哪一种具体的模块,这是由具体的PAM服务文件定义的(/etc/pam.d/).
[root@localhost root]# ls /etc/pam.d/
authconfig neat redhat-config-network suchfn other redhat-config-network-cmd sudochsh passwd redhat-config-network-druid system-authhalt poweroff rhn_register up2dateinternet-druid ppp setup up2date-configkbdrate reboot smtp up2date-noxlogin redhat-config-mouse sshdPAM服务文件
1、# more /etc/pam.d/login
auth required pam_securetty.soauth required pam_stack.so service=system-authauth required pam_nologin.soaccount required pam_stack.so service=system-authpassword required pam_stack.so service=system-authsession required pam_stack.so service=system-authsession optional pam_console.soPAM服务文件的格式(四部分)
| Module-type | control-flag | module-path | arguments |
Module-type: auth、account、session、password
Control-flag:required、requisite、sufficient、optional
eg:
| auth | required | pam_securety.so |
| auth | required | pam_stack.so service=system_auth |
Module-type(属于认证里面的第一部分,主要是分配权限)
auth:认证、授权(检查用户的名字、密码正确与否);
account:检查用户的帐户是否到期、禁用等。
session:控制会话
password:控制用户修改密码过程
Control-flag (属于认证里面的第二部分,控制标识位)
required:必须通过此认证,否则不再往下认证下去,直接退出;
requisite:必须通过认证,但以后还有机会,可以往下认证;
sufficient:一经通过,后面的不再认证(只要通过这个条件则直接通过);
optional:可选的,通不通过均可。
常用的PAM服务文件
1)、login ---- /etc/pam.d/login 2)、ipop3d --- /etc/pam.d/pop
3)、ftp ---- /etc/pam.d/ftp 或 vsftpd -- /etc/pam.d/vsftpd
4)、sshd--- /etc/pam.d/sshd 5)、su --- /etc/pam.d/su 6)、imap--- /etc/pam.d/imcp
认证堆栈
①、auth required pam_securety.so
②、auth required pam_stack.so service=system-auth③、auth required pam_nologin.so
如果①号认证结束,则在后面有个结束标志,转到下一个认证即②号认证,依次类推,相同类型的认证会放在一起进行。
其中pam_stack.so调用一个子模块服务,通过这个服务再调用一个第三方的模块进行认证授权。
常用PAM模块
1)、pam_access.so 控制访问者的地址与帐号的名称
2)、pam_listfile.so 控制访问者的帐号名称或登陆位置
3)、pam_limits.so 控制为用户分配的资源
4)、pam_rootok.so 对管理员(uid=0)无条件通过
5)、pam_userdb.so 设定独立用户帐号数据库认证
如下:
[root@localhost root]# cd /etc/pam.d/
[root@localhost pam.d]# more login#%PAM-1.0auth required pam_securetty.soauth required pam_stack.so service=system-authauth required pam_nologin.soaccount required pam_stack.so service=system-authpassword required pam_stack.so service=system-authsession required pam_stack.so service=system-authsession optional pam_console.so[root@localhost pam.d]# cd /usr/share/doc/pam-0.75/txts/[root@localhost txts]# lspam_appl.txt README.pam_ftp README.pam_shellspam_modules.txt README.pam_limits README.pam_stackpam.txt README.pam_listfile README.pam_stressREADME README.pam_localuser README.pam_tallyREADME.pam_access README.pam_mail README.pam_timeREADME.pam_chroot README.pam_nologin README.pam_timestampREADME.pam_console README.pam_permit README.pam_unixREADME.pam_cracklib README.pam_pwdb README.pam_userdbREADME.pam_deny README.pam_rhosts README.pam_warnREADME.pam_env README.pam_rootok README.pam_wheelREADME.pam_filter README.pam_securetty README.pam_xauth[root@localhost txts]# more README.pam_securettypam_securetty: Allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securettyAlso checks to make sure that /etc/securetty is a plain
file and not world writable.- Elliot Lee , Red Hat Software.
July 25, 1996.[root@localhost txts]# more /etc/securettyconsolevc/1vc/2vc/3vc/4vc/5vc/6vc/7vc/8vc/9vc/10vc/11tty1tty2tty3tty4tty5tty6tty7tty8tty9tty10tty11[root@localhost txts]# more /etc/pam.d/system-auth#%PAM-1.0# This file is auto-generated.# User changes will be destroyed the next time authconfig is run.auth required /lib/security/$ISA/pam_env.soauth sufficient /lib/security/$ISA/pam_unix.so likeauth nullokauth required /lib/security/$ISA/pam_deny.soaccount required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadowpassword required /lib/security/$ISA/pam_deny.sosession required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so[root@localhost txts]# pwd/usr/share/doc/pam-0.75/txts[root@localhost txts]# more README.pam_nologin# $Id: README,v 1.1.1.1 2000/06/20 22:11:46 agmorgan Exp $#This module always lets root in; it lets other users in only if the file
/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it'scontents are displayed to the user.module services provided:
auth _authentication and _setcred (blank)
Michael K. Johnson
[root@localhost txts]# touch /etc/nologin[root@localhost txts]# useradd leekwen[root@localhost txts]# passwd leekwenChanging password for user leekwen.New password:Retype new password:passwd: all authentication tokens updated successfully.[root@localhost txts]# ssh leekwen@192.168.0.188leekwen@192.168.0.188's password:Permission denied, please try again.leekwen@192.168.0.188's password:Permission denied, please try again.leekwen@192.168.0.188's password:Permission denied (publickey,password,keyboard-interactive).[root@localhost txts]# rm /etc/nologinrm: remove regular empty file `/etc/nologin'? y[root@localhost txts]# ssh leekwen@192.168.0.188leekwen@192.168.0.188's password:[leekwen@localhost leekwen]$ pwd/home/leekwen[leekwen@localhost leekwen]$ exitlogoutConnection to 192.168.0.188 closed.[root@localhost txts]# cd /etc/pam.d/[root@localhost pam.d]# more login#%PAM-1.0auth required pam_securetty.soauth required pam_stack.so service=system-authauth required pam_nologin.soaccount required pam_stack.so service=system-authpassword required pam_stack.so service=system-authsession required pam_stack.so service=system-authsession optional pam_console.so [root@localhost pam.d]# tty/dev/pts/2[root@localhost pam.d]# ls /dev/tty1/dev/tty1