Linux Advanced: PAM authentication mechanism

PAM authentication mechanism

PAM: Pluggable Authentication Modules
Authentication back ends: text file, MySQL, NIS, LDAP, etc.
A general authentication framework and mechanism developed by Sun in 1995.
PAM is concerned with the API through which a service verifies a user: by providing a set of dynamic link libraries and a unified API, it separates the authentication service from the service the system provides.
This lets system administrators flexibly assign different authentication methods to different services without having to change the service programs.
PAM is an authentication framework, not an authentication method in itself.
It provides a central authentication mechanism for all services, whether local or remote login, such as telnet, rlogin, fsh, ftp, the point-to-point protocol PPP and su-type applications. The system administrator sets different authentication policies for different applications through PAM configuration files; application developers authenticate by calling the PAM API (pam_xxxx()) from the service program; PAM service module developers write modules against the PAM SPI (the main functions being pam_sm_xxxx()), which the PAM interface library calls, so that different authentication mechanisms can be added to the system; the PAM interface library (libpam) then reads the configuration file and links the application to the corresponding PAM service modules.

PAM architecture


PAM files

  1. Module file directory: /lib64/security/*.so
  2. Environment-related settings: /etc/security/
  3. Main configuration file: /etc/pam.conf (does not exist by default)
  4. A dedicated configuration file for each application module: /etc/pam.d/APP_NAME
    Note: when /etc/pam.d/ exists, /etc/pam.conf is ignored

PAM authentication principle

  1. PAM authentication generally follows this order: Service → PAM configuration file → pam_*.so
  2. PAM authentication must first determine which service is being used, then load the corresponding PAM configuration file (located in /etc/pam.d), and finally call the authentication module file (located under /lib64/security) to perform the authentication

PAM authentication mechanism

  • PAM authentication process:
    1. The user runs the passwd program and enters the password
    2. passwd starts calling the PAM module; PAM searches for the settings file for the passwd program. This file is usually the one in /etc/pam.d/ with the same name as the program, i.e. PAM searches for the settings file /etc/pam.d/pam_unix_passwd.so
    3. Based on the data in the settings file /etc/pam.d/pam_unix_passwd.so, the relevant PAM modules are called to perform the verification
    4. The verification result is returned to the passwd program, and passwd decides the next action according to the result returned by PAM (re-enter the password, or authenticated)

PAM configuration file

  1. Format of the general configuration file /etc/pam.conf
    application type control module-path arguments
  2. Format of the per-application configuration files /etc/pam.d/*
    type control module-path arguments
  3. Field descriptions:
    • Service name (application)
      telnet, login, ftp, etc.; the service name "OTHER" stands for all other services not explicitly configured in the file
    • Module type (module-type) and the remaining fields
      control: how the PAM library handles success or failure of the PAM modules associated with this service
      module-path: the path name of the program file for this module
      arguments: the parameters passed to this module
      auth: authentication and authorization of the account
      account: non-authentication functions related to account management, e.g. restricting/allowing the times at which a user may access a service, the system resources currently available (how many users there may be at most), and restricting the user's location (e.g. root may only log in from the console)
      password: functions used when the user changes the password, such as the password complexity check
      session: additional actions that must be performed before the user obtains the service or after the user has finished using it, e.g. recording open/close information, monitoring directories
      -type: a type prefixed with "-" means that a module which cannot be loaded because it is missing is not logged to the system log; useful for modules that are not always installed on the system
  4. Simple form: a single keyword
    • required: one failing vote denies. This module must return success for the authentication to pass; if it returns failure, the failure is not reported to the user immediately but only after all modules of the same type have finished executing, and the failure is then returned to the application. It is a necessary condition.
    • sufficient: one passing vote is enough. If this module returns success, the authentication requirement is satisfied and the other modules of the same type need not be executed; if it returns failure, the failure can be ignored. It is a sufficient condition.
    • optional: this module is optional; whether it succeeds or not plays no decisive role in the authentication, and its return value is generally ignored.
    • include: use the configuration defined in another configuration file.
  5. Complex, detailed form: one or more "status=action" pairs
    [status1=action1 status2=action2 …]
    • status: the return status of the check
    • action: the action to take: ok, done, die, bad, ignore, reset
      ok: the module passed; continue checking
      done: the module passed; return the final result to the application
      bad: the result is a failure; continue checking
      die: the result is a failure; return the failure to the application
      ignore: ignore the result; it does not affect the final result
      reset: discard the results obtained so far
  • module-path: path of the module
    + relative path:
    modules under the /lib64/security directory can be given by a relative path,
    e.g. pam_shells.so, pam_limits.so
    + absolute path:
  • Modules control the user's use of system resources by reading their configuration files
    /etc/security/*.conf
    Note: changes to PAM configuration files take effect immediately
    Recommendation: when editing PAM rules, keep at least one root session open, to guard against a root authentication error locking you out
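The control-flag semantics described above (required failures are deferred until the whole stack has run, sufficient short-circuits only when no required module has already failed, the bracketed status=action form) are easiest to understand by running them. The following Python script is an added example, not code from the original post or from Linux-PAM: it parses lines in the /etc/pam.d/* format, expands the required/sufficient/optional keywords into their [status=action] form as documented in pam.conf(5), and walks a constructed login auth stack against simulated module results. The sample stack, the outcome assigned to each module and the status strings ("success", "auth_err", "perm_denied") are constructed for the demo; a missing default= is treated as bad, and the include keyword is not handled.

```python
"""Minimal simulator of Linux-PAM stack evaluation for the control flags
required / sufficient / optional and the bracketed [status=action] form.
Added example for illustration; not Linux-PAM code."""
import re

# pam.conf(5) gives these [status=action] expansions for the simple keywords.
KEYWORD_ACTIONS = {
    "required":   {"success": "ok",   "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# type, control (a keyword or a bracketed list that may contain spaces), module, args
_LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(token):
    """Turn 'required' or '[success=done default=ignore]' into a status->action dict."""
    if token.startswith("[") and token.endswith("]"):
        actions = {}
        for pair in token[1:-1].split():
            status, action = pair.split("=", 1)
            actions[status] = action
        return actions
    if token not in KEYWORD_ACTIONS:
        raise ValueError("unknown control flag: " + token)
    return dict(KEYWORD_ACTIONS[token])


def parse_pam_file(text):
    """Parse 'type control module-path arguments' lines (the /etc/pam.d/* format)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed line: " + raw)
        mtype, control, module, args = m.groups()
        entries.append({"type": mtype, "control": parse_control(control),
                        "module": module, "args": (args or "").split()})
    return entries


def evaluate_stack(entries, module_results, mtype="auth"):
    """Walk the modules of one type and return (status, trace).

    module_results maps module name -> simulated status string; a module absent
    from the dict is taken to return "success". The trace lists
    (module, status, action) for every module that was actually consulted."""
    trace = []
    result, failed = None, False
    for e in entries:
        if e["type"] != mtype:
            continue
        status = module_results.get(e["module"], "success")
        # Unlisted statuses fall back to default=; this demo treats a missing default= as bad.
        action = e["control"].get(status, e["control"].get("default", "bad"))
        trace.append((e["module"], status, action))
        if action == "ok":
            if not failed:           # ok never overrides an earlier failure
                result = status
        elif action == "done":
            if not failed:           # sufficient short-circuits only if nothing required failed
                return status, trace
        elif action == "bad":
            if not failed:           # the first failure decides the stack's status ...
                result, failed = status, True
        elif action == "die":        # ... but bad keeps walking the stack, die stops
            if not failed:
                result, failed = status, True
            return result, trace
        elif action == "ignore":
            pass
        elif action == "reset":      # forget everything seen so far
            result, failed = None, False
        else:
            raise ValueError("unknown action: " + action)
    # A stack that leaves no result at all is denied.
    return (result if result is not None else "perm_denied"), trace


# Constructed login auth stack for the demo (not copied from any real system).
SAMPLE_LOGIN = """\
auth    required    pam_securetty.so
auth    required    pam_shells.so
auth    sufficient  pam_unix.so nullok try_first_pass
auth    required    pam_deny.so
"""


def demo():
    """Three constructed scenarios: everything passes, the user's shell is not in
    /etc/shells (pam_shells fails), and a wrong password (pam_unix fails)."""
    stack = parse_pam_file(SAMPLE_LOGIN)
    scenarios = {
        "good":      {"pam_deny.so": "auth_err"},
        "bad_shell": {"pam_shells.so": "auth_err", "pam_deny.so": "auth_err"},
        "wrong_pw":  {"pam_unix.so": "auth_err", "pam_deny.so": "auth_err"},
    }
    return {name: evaluate_stack(stack, results) for name, results in scenarios.items()}


if __name__ == "__main__":
    for name, (status, trace) in demo().items():
        print(name, "->", status, [m for m, _, _ in trace])
```

The trace is the instructive part: in the "good" scenario pam_deny.so is never reached because the sufficient pam_unix.so line ends the stack, while in the "bad_shell" scenario all four modules run and the failure from pam_shells.so is only returned at the end, exactly the deferred behaviour of required that the text describes.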

PAM documentation

/usr/share/doc/pam-*
rpm -qd pam
man <module name> (e.g. man pam_rootok)
Linux-PAM system administrators' guide: "The Linux-PAM System Administrators' Guide"

PAM module examples

Module: pam_shells

  • Function: check for a valid shell
  • man pam_shells
  • Example: do not allow users whose shell is /bin/csh to log in locally
vim /etc/pam.d/login
      add: auth required pam_shells.so
vim /etc/shells
      remove /bin/csh

# add a user whose shell is csh
useradd -s /bin/csh testuser
# testuser will no longer be able to log in
tail /var/log/secure

Module: pam_securetty.so

  • Function: only allow root to log in on the secure terminals listed in /etc/securetty
  • Example: allow root to log in over telnet
vi /etc/pam.d/remote
      # comment out the following line
      #auth required pam_securetty.so
# or add pts/0, pts/1 … pts/n to the /etc/securetty file

Module: pam_nologin.so

  • Function:
    1. If the file /etc/nologin exists, non-root users cannot log in
    2. If the user's shell is /sbin/nologin, the contents of /etc/nologin are displayed when that user logs in and the login is refused

Module: pam_limits.so

  • Function: enforce, at the user level, limits on the resources a user may consume, e.g. the number of files that may be opened, the number of processes that may be run, the amount of memory available
  • Ways to change the limits:
    (1) The ulimit command: takes effect immediately, but cannot be saved
    -n maximum number of open file descriptors per process
    -u maximum number of user processes
    -S use the soft resource limit
    -H use the hard resource limit
    (2) Configuration files: /etc/security/limits.conf, /etc/security/limits.d/*.conf
    Configuration file: one definition per line: <domain> <type> <item> <value>
    1. <domain> which objects the limit applies to
    username  a single user
    @group    all users in the group
    *         all users
    2. <type> the kind of limit
    soft  soft limit; ordinary users may change it themselves
    hard  hard limit; set by root and enforced by the kernel
    -     sets both at the same time
    3. <item> the resource being limited
    nofile  maximum number of files that may be open at the same time, default 1024
    nproc   maximum number of processes that may run at the same time, default 1024
    4. <value> the concrete value
  • Command: ulimit
Option | Meaning | Example | Explanation
-H | Set hard resource limits; once set they cannot be raised | ulimit -Hs 64 | Limit the thread stack size to 64K
-S | Set soft resource limits; they can be raised after being set | ulimit -Sn 32 | Limit the maximum number of file descriptors to 32
-a | Display all current limits | ulimit -a | Display all current limits
-c | Maximum size of core files, in blocks | ulimit -c unlimited | No limit on the size of generated core files
-d | Maximum process data segment size, in K | ulimit -d unlimited | No limit on the process data segment size
-f | Maximum size of files the process may create, in blocks | ulimit -f 2048 | Limit files created by the process to 2048 blocks
-l | Maximum locked memory size, in K | ulimit -l 32 | Limit locked memory to 32K
-m | Maximum memory size, in K | ulimit -m unlimited | No limit on maximum memory
-n | Maximum number of open file descriptors | ulimit -n 128 | Limit the process to 128 file descriptors
-p | Pipe buffer size, in K | ulimit -p 512 | Limit the pipe buffer size to 512K
-s | Thread stack size, in K | ulimit -s 512 | Limit the thread stack size to 512K
-t | Maximum CPU time, in seconds | ulimit -t unlimited | No limit on CPU time
-u | Maximum number of user processes | ulimit -u 64 | Limit the user to at most 64 processes
-v | Maximum virtual memory available to the process, in K | ulimit -v 2000 | Limit available virtual memory to 2000K
  • Example: limit the number of files a user may open and the number of processes a user may run
[root]$ vim /etc/pam.d/system-auth
      session required pam_limits.so
[root]$ vim /etc/security/limits.conf
      apache - nofile 10240 #user apache may open 10240 files
      student hard nproc 20 #user student may not run more than 20 processes
  • Production case
      *  soft  core  unlimited
      *  hard  core  unlimited
      *  soft  nproc  1000000
      *  hard  nproc  1000000
      *  soft  nofile  1000000
      *  hard  nofile  1000000
      *  soft  memlock  32000
      *  hard  memlock  32000
      *  soft  msgqueue  8192000
      *  hard  msgqueue  8192000
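To see what a limits.conf file actually grants a given user, here is an added Python example (not code from the original post or from pam_limits): it parses <domain> <type> <item> <value> lines, including the "-" type that sets soft and hard together and the "unlimited" value, resolves the effective soft/hard pair for a user and their groups with user entries taking precedence over @group entries, which in turn take precedence over "*", and flags a soft limit that exceeds its hard limit. The sample file, the user names and the group are constructed; the page's two example lines and two lines from the production case are included. Treating a later line as overriding an earlier line of equal specificity is this example's own assumption.

```python
"""Resolver for /etc/security/limits.conf entries (<domain> <type> <item> <value>)
as used by pam_limits.so. Added example for illustration; not pam_limits code."""
import math

# More specific domains win: a user line beats a @group line beats the "*" wildcard.
PRIORITY = {"user": 3, "group": 2, "wildcard": 1}


def classify_domain(domain):
    """Return (kind, name) for '*', '@group' or 'username'."""
    if domain == "*":
        return "wildcard", None
    if domain.startswith("@"):
        return "group", domain[1:]
    return "user", domain


def parse_value(text):
    """'unlimited' is modelled as infinity so it compares naturally with numbers."""
    return math.inf if text == "unlimited" else int(text)


def parse_limits(text):
    """Parse limits.conf lines; a '-' type expands to one soft and one hard entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("malformed line: " + raw)
        domain, ltype, item, value = parts
        if ltype not in ("soft", "hard", "-"):
            raise ValueError("unknown limit type: " + ltype)
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            entries.append({"domain": domain, "type": kind,
                            "item": item, "value": parse_value(value)})
    return entries


def resolve_limit(entries, user, groups, item):
    """Effective {'soft': v, 'hard': v} for one item; a key is absent if nothing sets it."""
    best = {}
    for e in entries:
        if e["item"] != item:
            continue
        kind, name = classify_domain(e["domain"])
        if kind == "user" and name != user:
            continue
        if kind == "group" and name not in groups:
            continue
        prio = PRIORITY[kind]
        # Higher specificity overrides; equal specificity: later line wins (this demo's assumption).
        if e["type"] not in best or prio >= best[e["type"]][0]:
            best[e["type"]] = (prio, e["value"])
    return {t: v for t, (_, v) in best.items()}


def effective_limits(entries, user, groups):
    """All items that apply to the user, resolved."""
    items = sorted({e["item"] for e in entries})
    resolved = {item: resolve_limit(entries, user, groups, item) for item in items}
    return {item: lim for item, lim in resolved.items() if lim}


def check_consistency(limits):
    """False when a soft limit exceeds its hard limit: the kernel will not allow that
    soft value, so the line does not do what the administrator intended."""
    if "soft" in limits and "hard" in limits:
        return limits["soft"] <= limits["hard"]
    return True


# Constructed sample: the page's two example lines, two lines from its production
# case, wildcard defaults and a group line (the "devs" group is invented here).
SAMPLE_LIMITS = """\
*        soft  nofile  1024
*        hard  nofile  4096
*        soft  core    unlimited
*        hard  core    unlimited
apache   -     nofile  10240   # user apache may open 10240 files
student  hard  nproc   20      # user student may not run more than 20 processes
@devs    soft  nproc   50
"""


if __name__ == "__main__":
    entries = parse_limits(SAMPLE_LIMITS)
    for user, groups in (("apache", []), ("student", ["devs"]), ("alice", [])):
        limits = effective_limits(entries, user, groups)
        bad = [item for item, lim in limits.items() if not check_consistency(lim)]
        print(user, limits, "inconsistent:" if bad else "", bad or "")
```

Running it shows why the precedence rules matter: "apache - nofile 10240" replaces both wildcard defaults at once, and "student" in the invented "devs" group ends up with a soft nproc of 50 above a hard nproc of 20, which check_consistency reports so the administrator can fix the file rather than discover it at login time.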

Origin blog.csdn.net/weixin_42758707/article/details/94738684