Pluggable Authentication Modules (PAM)

Linux-PAM (Pluggable Authentication Modules for Linux) is a set of shared libraries that let the system administrator choose which authentication mechanism an application uses. In other words, the mechanism can be switched without recompiling the application. Separating a service from the way it authenticates lets the administrator give different services different authentication methods without touching the service programs, and makes it easy to add new authentication methods to the system. Applications obtain these services through the libpam library, and the binding between an application and PAM is done through configuration files.

Use ldd to see which programs are linked against libpam; not every program uses PAM.

[root@localhost ~]# ldd `which login` | grep pam.so
libpam.so. => /lib64/libpam.so. (0x00007ff2566cc000)
[root@localhost ~]# ldd `which sshd` | grep pam.so
libpam.so. => /lib64/libpam.so. (0x00007f83bdf05000)
[root@localhost ~]#

The modules themselves live in /lib/security/ (/lib64/security/ on 64-bit RHEL-family systems). An application loads the modules it needs dynamically through libpam; each module returns a PAM result code (success, a specific failure, or "ignore"), and the combination of those results decides whether the check passes. Which modules a service uses is set in a per-service configuration file, normally under /etc/pam.d/ and named after the service, for example:

/etc/pam.d/login
/etc/pam.d/sshd

Note: PAM modules log through syslog's authpriv facility; on RHEL/CentOS those messages land in /var/log/secure (Debian-based systems use /var/log/auth.log).

Take the character-terminal login program as an example to get a first look at how PAM verification works:

[root@localhost ~]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
[root@localhost ~]#

PAM management types (the first field of each line):

*auth verifies the user's identity, typically by prompting for an account name and password; it can also grant credentials such as group memberships
*account decides whether access is allowed independently of the credentials: account or password expiry, time-of-day rules, /etc/nologin, access lists
*password updates the authentication token; this is where password complexity and reuse rules are enforced when a password is changed (it does not throttle login attempts; that is the job of auth modules such as pam_faildelay or pam_faillock/pam_tally2)
*session performs setup and teardown around the login session: logging, resource limits (pam_limits), keyrings, SELinux context, mounting home directories

PAM control flags (the second field):

required: the module must succeed for the type to succeed. If it succeeds, the remaining modules still run and the final result depends on them. If it fails, the failure is recorded but not reported to the application until every module in the stack has run, so a caller cannot tell which required module failed.

requisite: like required, the module must succeed. The difference is on failure: control returns to the application immediately and the remaining modules are not executed.

sufficient: success of this module is enough to satisfy the type, provided no earlier required module has failed; PAM then returns success at once and skips the rest of the stack. If the module fails, the failure is ignored and the stack continues.

optional: the module's result is ignored unless it is the only module in the stack for that type.

include: pulls in all lines of the named file (under /etc/pam.d/) for the same type, as if they were written here. The listings on this page also use two related forms. substack includes a file but evaluates it as its own stack, so a "done" or "die" action inside the substack ends only the substack, not the caller's stack. The bracketed syntax [value1=action1 value2=action2 ...] maps each module return value to an action, and the four keywords above are shorthands for it (required is [success=ok new_authtok_reqd=ok ignore=ignore default=bad], requisite ends in default=die, sufficient is [success=done new_authtok_reqd=done default=ignore], optional is [success=ok new_authtok_reqd=ok default=ignore]); pam_securetty in the login file above uses the long form directly. A leading "-" on a line, as in -session optional pam_systemd.so, tells libpam not to log an error if the module file is missing.
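The following Python simulator is an added example, not code from this page or from Linux-PAM. It applies the control-flag rules above to the auth stack of /etc/pam.d/system-auth (listed below), with module results supplied by a dict instead of real modules; the scenarios in demo() are constructed. Its main lesson is why pam_deny sits at the end of the stack: drop it and a wrong password still gets in, because the failing sufficient pam_unix is ignored and the required pam_env has already succeeded.

```python
"""Simulator for the Linux-PAM control flags (added example, not PAM code).

Rules modelled: required (failure recorded, stack continues), requisite
(failure ends the stack at once), sufficient (success ends the stack with
success unless a required module already failed; failure is ignored),
optional (only decisive when it is the only module).
"""
from typing import Dict, List, Tuple

OK, FAIL, IGNORE = "success", "fail", "ignore"

# (control flag, module) in stack order; include/substack lines are assumed
# to have been flattened into this list already. Order and names are the
# auth stack of /etc/pam.d/system-auth on CentOS 7.
AUTH_STACK: List[Tuple[str, str]] = [
    ("required",   "pam_env.so"),
    ("required",   "pam_faildelay.so"),
    ("sufficient", "pam_fprintd.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),
    ("required",   "pam_deny.so"),
]


def run_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Return the overall result ('success' or 'fail') of one management type.

    results maps a module name to what it returned; a module not in the dict
    is treated as returning PAM_IGNORE, which has no effect on the outcome.
    """
    required_failure = None   # first required/requisite module that failed
    required_success = False  # some required/requisite module succeeded
    for control, module in stack:
        res = results.get(module, IGNORE)
        if res == IGNORE:
            continue
        if control == "required":
            if res == FAIL:
                if required_failure is None:
                    required_failure = module
            else:
                required_success = True
        elif control == "requisite":
            if res == FAIL:
                return FAIL          # stop immediately, rest not consulted
            required_success = True
        elif control == "sufficient":
            # success is decisive only if nothing required has failed so far
            if res == OK and required_failure is None:
                return OK
            # a failing sufficient module is ignored and the stack continues
        elif control == "optional":
            if len(stack) == 1:      # decisive only when it stands alone
                return OK if res == OK else FAIL
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failure is not None:
        return FAIL
    # Nothing required failed; the type succeeds only if something vouched.
    return OK if required_success else FAIL


def demo() -> Dict[str, str]:
    """Three constructed scenarios for a regular (non-system) user."""
    good = {"pam_env.so": OK, "pam_faildelay.so": OK, "pam_fprintd.so": FAIL,
            "pam_unix.so": OK, "pam_succeed_if.so": OK, "pam_deny.so": FAIL}
    bad = dict(good, **{"pam_unix.so": FAIL})
    return {
        "correct password": run_stack(AUTH_STACK, good),
        "wrong password": run_stack(AUTH_STACK, bad),
        # Same wrong password against a stack that forgot pam_deny: required
        # pam_env succeeded and the failing sufficient pam_unix is ignored,
        # so the user would be let in.
        "wrong password, no pam_deny": run_stack(AUTH_STACK[:-1], bad),
    }
```

Call demo() to see the three outcomes; run_stack() can be pointed at any flattened stack to reason about a proposed change before editing /etc/pam.d.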

[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry= authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success= default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@localhost ~]#

*pam_securetty.so

pam_securetty restricts root logins to the terminals listed in /etc/securetty (one device name per line, without the /dev/ prefix). It only checks root; other users pass through untouched, and it only applies to services whose stack contains it. On this page that is login; the sshd stack shown later does not use it, and root over ssh is governed by PermitRootLogin in sshd_config instead.

[root@localhost ~]# cat /etc/securetty
console
vc/
vc/
vc/
vc/
vc/
vc/
vc/
vc/
vc/
vc/
vc/
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0
ttysclp0
sclp_line0
/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0

Remove tty3 from /etc/securetty and try to log in as root on tty3: the login is refused (a regular user on tty3 is unaffected). Because the login stack maps the module's results with [user_unknown=ignore success=ok ignore=ignore default=bad], a non-existent user name still falls through to pam_unix, so to the person at the keyboard the refusal looks like a wrong password.

*pam_env.so sets (or unsets) environment variables at login, driven by /etc/security/pam_env.conf (plain KEY=VALUE lines in /etc/environment are read as well). The stock file documents its own syntax:

[root@localhost ~]# cat /etc/security/pam_env.conf
#
# This is the configuration file for pam_env, a PAM module to load in
# a configurable list of environment variables for a
#
# The original idea for this came from Andrew G. Morgan ...
#<quote>
# Mmm. Perhaps you might like to write a pam_env module that reads a
# default environment from a file? I can see that as REALLY
# useful... Note it would be an "auth" module that returns PAM_IGNORE
# for the auth part and sets the environment returning PAM_SUCCESS in
# the setcred function...
#</quote>
#
# What I wanted was the REMOTEHOST variable set, purely for selfish
# reasons, and AGM didn't want it added to the SimpleApps login
# program (which is where I added the patch). So, my first concern is
# that variable, from there there are numerous others that might/would
# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
#
# Of course, these are a different kind of variable than REMOTEHOST in
# that they are things that are likely to be configured by
# administrators rather than set by logging in, how to treat them both
# in the same config file?
#
# Here is my idea:
#
# Each line starts with the variable name, there are then two possible
# options for each variable DEFAULT and OVERRIDE.
# DEFAULT allows and administrator to set the value of the
# variable to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# to use. OVERRIDE is not used, "" is assumed and no override will be
# done.
#
# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
#
# (Possibly non-existent) environment variables may be used in values
# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
# be used in values using the @{string} syntax. Both the $ and @
# characters can be backslash escaped to be used as literal values
# values can be delimited with "", escaped " not supported.
# Note that many environment variables that you would like to use
# may not be set by the time the module is called.
# For example, HOME is used below several times, but
# many PAM applications don't make it available by the time you need it.
#
#
# First, some special variables
#
# Set the REMOTEHOST variable for any hosts that are remote, default
# to "localhost" rather than not being set at all
#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
#
# Set the DISPLAY variable if it seems reasonable
#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
#
#
# Now some simple variables
#
#PAGER DEFAULT=less
#MANPAGER DEFAULT=less
#LESS DEFAULT="M q e h15 z23 b80"
#NNTPSERVER DEFAULT=localhost
#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
#
# silly examples of escaped variables, just to show how they work.
#
#DOLLAR DEFAULT=\$
#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
#ATSIGN DEFAULT="" OVERRIDE=\@
[root@localhost ~]#
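The rules the stock file documents (DEFAULT versus OVERRIDE, ${VAR} and @{PAM_ITEM} expansion, backslash escapes, line continuation) are easier to believe once run. The following is an added example written for this page, not pam_env's code: a small model that applies those rules to the file's own examples, uncommented. The PAM items (PAM_RHOST) and the starting environment are constructed, and, as a modelling choice, variables set by earlier lines are visible to later ones, which is what the stock examples assume.

```python
"""Model of how pam_env applies /etc/security/pam_env.conf (added example).

Implements: 'VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]', values optionally
in double quotes, '${NAME}' expanding to an environment variable, '@{ITEM}'
expanding to a PAM item, '\\$' and '\\@' as literals, and a trailing backslash
continuing a line. OVERRIDE wins when it expands to a non-empty string,
otherwise DEFAULT is used. Lines starting with '#' are comments.
"""
import re
from typing import Dict, Optional, Tuple

_ASSIGN = re.compile(r'(DEFAULT|OVERRIDE)=(?:"([^"]*)"|(\S*))')
_REF = re.compile(r"\$\{([^}]*)\}|@\{([^}]*)\}")


def expand(value: str, env: Dict[str, str], items: Dict[str, str]) -> str:
    """Expand ${NAME}, @{ITEM} and backslash escapes; unknown names become ''."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])                   # \$ and \@ are literals
            i += 2
            continue
        m = _REF.match(value, i)
        if m:
            if m.group(1) is not None:
                out.append(env.get(m.group(1), ""))    # ${NAME}
            else:
                out.append(items.get(m.group(2), ""))  # @{PAM_ITEM}
            i = m.end()
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_line(line: str) -> Tuple[str, str, str]:
    """Return (name, default, override); absent settings are ''."""
    parts = line.strip().split(None, 1)
    name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    settings = {"DEFAULT": "", "OVERRIDE": ""}
    for m in _ASSIGN.finditer(rest):
        settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return name, settings["DEFAULT"], settings["OVERRIDE"]


def apply_pam_env(conf: str, items: Dict[str, str],
                  env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the environment after every line of conf has been applied."""
    env = dict(env or {})
    pending = ""
    for raw in conf.splitlines():
        if raw.endswith("\\"):                  # continued on the next line
            pending += raw[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        name, default, override = parse_line(line)
        value = expand(override, env, items)
        if value == "":                         # empty OVERRIDE: use DEFAULT
            value = expand(default, env, items)
        env[name] = value
    return env


# The stock file's examples, uncommented (constructed input for this model).
SAMPLE_CONF = r"""REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
PAGER DEFAULT=less
LESS DEFAULT="M q e h15 z23 b80"
PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
# silly examples of escaped variables, as in the stock file
DOLLAR DEFAULT=\$
DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
ATSIGN DEFAULT="" OVERRIDE=\@
"""


def demo_remote() -> Dict[str, str]:
    """A login from 10.0.0.5 (PAM_RHOST set) with HOME already in place."""
    return apply_pam_env(SAMPLE_CONF, {"PAM_RHOST": "10.0.0.5"},
                         {"HOME": "/home/alice"})
```

Compare demo_remote() with apply_pam_env(SAMPLE_CONF, {}, {}): without PAM_RHOST the OVERRIDE expands to the empty string and REMOTEHOST falls back to its DEFAULT of localhost, which DISPLAY then picks up.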

*pam_unix.so is the core PAM module. Its auth part checks the user's password against the hash stored in /etc/passwd or /etc/shadow, its account part enforces the password-aging fields of /etc/shadow (expiry, maximum age, warning period), and its password part writes the new hash (sha512 in the system-auth stack shown earlier). The nullok option accepts accounts with an empty password and is worth removing on hardened systems.


*pam_succeed_if.so uid < 500

pam_succeed_if tests attributes of the user or the request (uid, gid, user name, shell, service name, and so on) and returns success when the condition holds, failure otherwise. What that does depends on the control flag in front of it: as "account sufficient pam_succeed_if.so uid < 500 quiet" it lets system accounts skip the remaining account modules, and as "auth requisite pam_succeed_if.so uid >= 500 quiet_success" it stops the auth stack for system accounts. 500 was the first regular uid on CentOS 6; CentOS 7 uses 1000.

*pam_permit.so always returns success (its counterpart pam_deny.so always returns failure; the two terminate the stacks in system-auth).

*pam_nologin.so

As long as the file /etc/nologin exists, users other than root are refused login; sessions that are already open are not affected. Any text written into the file is displayed to whoever tries to log in, so it is the usual way to announce maintenance (root, who is still let in, sees the message too).

*pam_access.so enforces the login access table in /etc/security/access.conf. Each line has the form permission:users:origins, where permission is + or -, users are login names, (group) names or ALL, origins are tty names, host names or addresses, LOCAL or ALL, and the first matching line decides; a user can for example be kept from logging in on a particular tty. The module belongs in the account phase (account required pam_access.so) and is not part of the default /etc/pam.d/login stack shown earlier; it has to be added.

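An evaluator for the access.conf rules pam_access reads, written as an added example for this page (not pam_access's own code). It implements first-match semantics, the + and - permissions, ALL, LOCAL, (group) names and EXCEPT, and the default of allowing access when no line matches, which is why a production file ends with "- : ALL : ALL". The access table and the group map are constructed; the second line is the "user must not log in on tty3" case from the text above.

```python
"""Evaluator for /etc/security/access.conf (added example, not pam_access)."""
from typing import Callable, Dict, List, Sequence

GROUPS: Dict[str, Sequence[str]] = {"wheel": ("root", "bob")}   # constructed

SAMPLE_ACCESS_CONF = """\
# constructed table: root may use any local console or tty
+ : root : LOCAL
# 'user' must not log in on tty3
- : user : tty3
# tty1 is reserved for members of wheel
- : ALL EXCEPT (wheel) : tty1
# everyone else, from anywhere
+ : ALL : ALL
"""


def _list_match(tokens: List[str], matcher: Callable[[str], bool]) -> bool:
    """pam_access list_match: items before EXCEPT match, items after it veto."""
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        head, tail = tokens[:idx], tokens[idx + 1:]
    else:
        head, tail = tokens, []
    if not any(matcher(t) for t in head):
        return False
    return not (tail and _list_match(tail, matcher))


def _user_matches(token: str, user: str, groups: Dict[str, Sequence[str]]) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):     # (group) membership
        return user in groups.get(token[1:-1], ())
    return token == user


def _origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin          # tty names and unqualified host names
    if token.startswith("."):
        return origin.endswith(token)     # domain suffix such as .example.com
    return token == origin


def access_allowed(conf: str, user: str, origin: str,
                   groups: Dict[str, Sequence[str]] = GROUPS) -> bool:
    """First matching line decides; no match means access is allowed."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {line!r}")
        if (_list_match(users.split(), lambda t: _user_matches(t, user, groups))
                and _list_match(origins.split(), lambda t: _origin_matches(t, origin))):
            return perm == "+"
    return True   # pam_access default when nothing matched
```

Try access_allowed(SAMPLE_ACCESS_CONF, "user", "tty3") against access_allowed(SAMPLE_ACCESS_CONF, "user", "tty2") to see the per-tty denial, and remove the final "+ : ALL : ALL" line to confirm that the default is still to allow: a deny-by-default policy needs an explicit "- : ALL : ALL".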

*pam_echo.so prints the contents of a text file to the user (pam_echo.so file=/path/to/message), for example a login banner. It does not appear in the stock passwd and sshd stacks, which are listed here for comparison with login; note that sshd pulls in password-auth rather than system-auth.

[root@localhost ~]# cat /etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
password substack postlogin
[root@localhost ~]#
[root@localhost ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
[root@localhost ~]#

*pam_time.so restricts the times at which a service may be used, according to /etc/security/time.conf (only the account type is supported: account required pam_time.so). The stock file explains the syntax:

[root@localhost ~]# cat /etc/security/time.conf
# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-).
#
# the syntax of the lines is as follows:
#
# services;ttys;users;times
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). As should be clear from reading these comments,
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users or a netgroup of users to whom this
# rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
# the format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two -hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users 'you' and 'me' are denied service all of the time
#
#blank;tty* & !ttyp*;you|me;!Al0000-
#
# Another silly example, user 'root' is denied xsh access
# from pseudo terminals at the weekend and on mondays.
#
#xsh;ttyp*;root;!WdMo0000-
#
# End of example file.
#
[root@localhost ~]#
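The day-toggling rules and midnight-crossing ranges described in the file are the part of time.conf people get wrong, so here is an evaluator for them as an added example written for this page (not pam_time's own code). It implements services;ttys;users;times, logic lists with !, & and | and a single * wildcard, and day/time-range entries; lists are evaluated left to right without operator precedence, as pam_time's parser does. A rule whose service, tty and user fields all apply but whose time list is not satisfied denies access; if no rule denies, access is allowed. The rules in SAMPLE_TIME_CONF are constructed (the first two restate the file's own examples with the hours filled in).

```python
"""pam_time evaluator for time.conf rules (added example, not pam_time code)."""
import re
from datetime import datetime
from typing import Callable, Dict

DAY_BITS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64}
DAY_BITS.update({"Wk": 0x1F, "Wd": 0x60, "Al": 0x7F})
ENTRY = re.compile(r"([A-Za-z]+)(\d{4})-(\d{4})")


def parse_days(code: str) -> int:
    """Toggle (xor) each two-letter code into a Monday=bit0 .. Sunday=bit6 mask."""
    if len(code) % 2:
        raise ValueError(f"odd-length day code {code!r}")
    mask = 0
    for i in range(0, len(code), 2):
        mask ^= DAY_BITS[code[i:i + 2]]   # KeyError on an unknown code
    return mask


def entry_matches(entry: str, when: datetime) -> bool:
    """Does a 'Wk0800-1800'-style entry cover the instant 'when'?"""
    m = ENTRY.fullmatch(entry)
    if not m:
        raise ValueError(f"bad time entry {entry!r}")
    days = parse_days(m.group(1))
    start, end = int(m.group(2)), int(m.group(3))
    now = when.hour * 100 + when.minute
    today = 1 << when.weekday()                  # Monday == 0, like DAY_BITS
    yesterday = 1 << ((when.weekday() - 1) % 7)
    if start < end:
        return bool(days & today) and start <= now < end
    # end before start: the range runs past midnight into the following day
    return (bool(days & today) and now >= start) or \
           (bool(days & yesterday) and now < end)


def glob_match(pattern: str, item: str) -> bool:
    """The single '*' wildcard of the service/tty/user fields (prefix*suffix)."""
    if "*" not in pattern:
        return pattern == item
    head, _, tail = pattern.partition("*")
    return (len(item) >= len(head) + len(tail)
            and item.startswith(head) and item.endswith(tail))


def logic_match(expr: str, item, match_fn: Callable) -> bool:
    """Evaluate tokens joined by '&'/'|', each optionally negated with '!'."""
    result, op, negate = None, None, False
    for tok in re.findall(r"[&|!]|[^&|!\s]+", expr):
        if tok == "!":
            negate = not negate
        elif tok in "&|":
            op = tok
        else:
            value = match_fn(tok, item) != negate        # xor with '!'
            negate = False
            if result is None:
                result = value
            elif op == "&":
                result = result and value
            else:
                result = result or value
            op = None
    return bool(result)


def pam_time_allowed(conf: str, service: str, tty: str, user: str,
                     when: datetime) -> bool:
    allowed = True
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = (f.strip() for f in line.split(";"))
        if not (logic_match(services, service, glob_match)
                and logic_match(ttys, tty, glob_match)
                and logic_match(users, user, glob_match)):
            continue                          # rule does not apply
        if not logic_match(times, when, entry_matches):
            allowed = False                   # pam_time keeps scanning but denies
    return allowed


SAMPLE_TIME_CONF = """\
login;tty* & !ttyp*;you|me;!Al0000-2400
xsh;ttyp*;root;!WdMo0000-2400
sshd;*;!root;Wk0800-1800
"""


def demo() -> Dict[str, bool]:
    """Constructed scenarios; 2024-01-01 is a Monday."""
    mon_late, tue_early = datetime(2024, 1, 1, 23, 0), datetime(2024, 1, 2, 5, 0)
    tue_am, tue_pm, sat = (datetime(2024, 1, 2, 9, 0), datetime(2024, 1, 2, 19, 0),
                           datetime(2024, 1, 6, 9, 0))
    c = SAMPLE_TIME_CONF
    return {
        "you on tty1": pam_time_allowed(c, "login", "tty1", "you", tue_am),
        "you on ttyp0": pam_time_allowed(c, "login", "ttyp0", "you", tue_am),
        "root xsh saturday": pam_time_allowed(c, "xsh", "ttyp1", "root", sat),
        "root xsh tuesday": pam_time_allowed(c, "xsh", "ttyp1", "root", tue_am),
        "alice ssh office hours": pam_time_allowed(c, "sshd", "pts/0", "alice", tue_am),
        "alice ssh evening": pam_time_allowed(c, "sshd", "pts/0", "alice", tue_pm),
        "alice ssh saturday": pam_time_allowed(c, "sshd", "pts/0", "alice", sat),
        "root ssh saturday": pam_time_allowed(c, "sshd", "pts/0", "root", sat),
        "night window mon 23:00": entry_matches("Al2200-0600", mon_late),
        "night window tue 05:00": entry_matches("Mo2200-0600", tue_early),
        "night window tue 09:00": entry_matches("Mo2200-0600", tue_am),
    }
```

demo() shows the two stock examples in action plus an office-hours rule for sshd, and the last three entries show a range that crosses midnight still counting the early hours of Tuesday as part of Monday's window.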
