PAM authentication mechanism
PAM: Pluggable Authentication Modules
- Authentication back ends: text files (/etc/passwd, /etc/shadow), MySQL, NIS, LDAP, etc.
- A general authentication framework and mechanism developed by Sun in 1995.
- PAM concentrates on how a service verifies a user's identity: by providing a set of dynamically loaded shared libraries and one unified API, it separates authentication from the service the system provides.
- System administrators can therefore assign different authentication schemes to different services without changing or recompiling the service programs.
- PAM is an authentication framework, not an authentication mechanism of its own.
- It provides one central mechanism for authenticating users to all services, local and remote: login, telnet, rlogin, rsh, ftp, the point-to-point protocol (PPP), su and similar applications. The roles are split as follows:
  - the system administrator defines, in PAM configuration files, a different authentication policy for each application;
  - the application developer calls the PAM API (pam_xxxx() functions) from the service program;
  - the module developer implements the PAM SPI (pam_sm_xxxx() functions, called by the PAM interface library) to add a new authentication mechanism to the system;
  - the PAM interface library (libpam) reads the configuration file and links the application with the corresponding PAM service modules.
PAM architecture
PAM files
- Module directory (RHEL-family 64-bit layout; Debian-family systems use /lib/x86_64-linux-gnu/security):
  /lib64/security/*.so
- Environment-related settings of individual modules:
  /etc/security/
- Main configuration file (does not exist by default):
  /etc/pam.conf
- Dedicated configuration file for each application:
  /etc/pam.d/APP_NAME
Note: if the directory /etc/pam.d/ exists, /etc/pam.conf is ignored.
PAM authentication principle
- PAM authentication generally follows this order: Service → PAM configuration file → pam_*.so module.
- PAM first determines which service is asking, then loads that service's PAM configuration file (under /etc/pam.d), and finally calls the modules named there (under /lib64/security) to perform the actual checks.
PAM authentication mechanism
- PAM authentication process, using passwd as the example:
  1. The user runs the passwd program and enters a password.
  2. passwd calls into PAM. PAM looks for the configuration file belonging to passwd; by convention this is the file of the same name in /etc/pam.d/, so PAM reads /etc/pam.d/passwd.
  3. Following the entries in /etc/pam.d/passwd, PAM loads the modules listed there (for the password type this is typically pam_unix.so) and has them perform the check.
  4. The result is returned to passwd, which decides the next action based on it (ask for the password again, or accept the change).
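The lookup in steps 2 and 3 can be replayed on a constructed pam.d tree. The following script is an added example, not code from the original page or from Linux-PAM: it resolves a service to its file (falling back to other when the service has no file of its own) and expands include/substack lines so the effective module stack becomes visible. All file contents are constructed for the demonstration, and $PAMD stands in for /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the original page or from Linux-PAM: replay the
# service -> /etc/pam.d/<service> -> modules lookup on a constructed pam.d
# tree in a temporary directory ($PAMD stands in for /etc/pam.d).

PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT

# constructed files, shaped like a RHEL system-auth / passwd / other trio
cat >"$PAMD/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
EOF

cat >"$PAMD/passwd" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
EOF

cat >"$PAMD/other" <<'EOF'
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF

# pam_config_file SERVICE: the file libpam reads for SERVICE, or 'other'
# when the service has no file of its own (step 2 of the passwd walk-through)
pam_config_file() {
    if [ -f "$PAMD/$1" ]; then echo "$PAMD/$1"; else echo "$PAMD/other"; fi
}

# pam_stack SERVICE TYPE: print "control module args" for every entry of
# TYPE, recursing into the files named by include/substack lines
pam_stack() {
    _svc=$1
    _type=$2
    while read -r t ctl mod rest; do
        case "$t" in ''|'#'*) continue ;; esac   # blank lines and comments
        [ "${t#-}" = "$_type" ] || continue        # a leading '-' only silences the missing-module log
        if [ "$ctl" = include ] || [ "$ctl" = substack ]; then
            pam_stack "$mod" "$_type"
        else
            echo "$ctl $mod${rest:+ $rest}"
        fi
    done <"$(pam_config_file "$_svc")"
}

echo "passwd reads $(pam_config_file passwd); sshd (no file here) reads $(pam_config_file sshd)"
echo "effective 'password' stack for passwd:"
pam_stack passwd password
```

Pointing PAMD at the real /etc/pam.d shows which modules actually run for a service; the default-deny in other is why a service without its own file cannot authenticate anyone.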
PAM configuration file
- Format of the general configuration file /etc/pam.conf:
  application type control module-path arguments
- Format of the per-service files /etc/pam.d/*:
  type control module-path arguments
- Field descriptions:
  - Service name (application): the program the rule applies to, e.g. telnet, login, ftp. The service name "other" stands for all services not explicitly configured (with /etc/pam.d this is the file /etc/pam.d/other).
  - module-type: which of the four management groups the module belongs to (see below).
  - control: how the PAM library treats success or failure of this module when computing the result for the service.
  - module-path: path of the shared object that implements the module.
  - arguments: parameters passed to the module.
- Module types (type):
  - auth: authentication and authorization of the account, i.e. verifying the user is who they claim to be (usually by password) and granting credentials.
  - account: non-authentication account management, e.g. restricting the times at which a user may access a service, checking currently available system resources (maximum number of users), restricting where a user may log in from (e.g. root may only log in from the console).
  - password: used when a user changes a password, e.g. enforcing password complexity.
  - session: extra actions before the user is given the service or after the service finishes, e.g. logging session open/close events, mounting or monitoring directories.
  - A leading "-" on the type (e.g. -session) means that a module which cannot be loaded because it is missing is not reported to the system log; useful for modules that are not always installed.
- control: how the result of this module affects the result of the stack
  - Simple form: a single keyword
    - required: one veto. The module must succeed for authentication to pass. If it fails, the failure is not reported to the user immediately; the remaining modules of the same type are still executed and the failure is returned to the application afterwards (a necessary condition).
    - requisite: like required, but a failure is returned to the application immediately, without running the rest of the stack.
    - sufficient: one pass. If the module succeeds (and no earlier required module has failed) the requirement for this type is satisfied and the remaining modules of the same type are not executed; a failure of this module is ignored (a sufficient condition).
    - optional: the module is optional; its result is ignored unless it is the only module in the stack for this type.
    - include: pull in the lines of the same type from the named configuration file.
  - Detailed form: one or more "status=action" pairs
    [status1=action1 status2=action2 ...]
    - status: the return code of the module being checked (e.g. success, auth_err, user_unknown, or default for any code not listed)
    - action: what to do: ok, done, die, bad, ignore, reset
      ok      the module passed; continue down the stack (the final result stays success unless a later module fails)
      done    the module passed; return success to the application without running the rest of the stack
      bad     the module failed; continue down the stack, but the final result will be failure
      die     the module failed; return failure to the application immediately
      ignore  the result does not affect the final result
      reset   discard the result accumulated so far and start over with the next module
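The difference between the four simple keywords is easiest to see by walking one stack with different module outcomes. The script below is an added example, not code from the original page and not libpam itself: a deliberately simplified model of how libpam combines results for the auth type. Real modules are replaced by a constructed "module=fail" list (pam_deny.so is modelled as always failing, as it does in reality), and optional is modelled as never deciding the result, which holds whenever other modules are present.

```shell
#!/bin/sh
# Added example, not from the original page and not libpam: simplified model
# of how the simple control keywords combine module results for one type.

# Constructed auth stack in /etc/pam.d style: the usual RHEL shape, a
# 'sufficient' pam_unix followed by a 'required' pam_deny as default-deny.
AUTH_STACK='auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  requisite   pam_succeed_if.so uid >= 1000 quiet_success
auth  optional    pam_gnome_keyring.so
auth  required    pam_deny.so'

# module_result MODULE FAILS: "fail" if MODULE is listed in FAILS (or is
# pam_deny.so, which always fails), otherwise "ok"
module_result() {
    case "$1" in pam_deny.so) echo fail; return ;; esac
    case " $2 " in *" $1=fail "*) echo fail ;; *) echo ok ;; esac
}

# pam_authenticate_sim STACK FAILS: print PAM_SUCCESS or PAM_AUTH_ERR and
# return 0 or 1 accordingly
pam_authenticate_sim() {
    _fails=$2
    _required_failed=0
    _result=PAM_SUCCESS
    while read -r type control module rest; do
        case "$type" in ''|'#'*) continue ;; esac
        [ "${type#-}" = auth ] || continue
        r=$(module_result "$module" "$_fails")
        case "$control" in
            required)
                # one veto: remember the failure but keep running, so the user
                # cannot tell from the prompts which module rejected them
                if [ "$r" = fail ]; then _required_failed=1; _result=PAM_AUTH_ERR; fi ;;
            requisite)
                # one veto that ends the stack immediately
                if [ "$r" = fail ]; then echo PAM_AUTH_ERR; return 1; fi ;;
            sufficient)
                # one pass, unless an earlier required module has already failed
                if [ "$r" = ok ] && [ "$_required_failed" -eq 0 ]; then echo PAM_SUCCESS; return 0; fi ;;
            optional)
                : ;;   # result ignored while other modules are present
        esac
    done <<EOF
$1
EOF
    echo "$_result"
    [ "$_result" = PAM_SUCCESS ]
}

echo "all modules succeed:          $(pam_authenticate_sim "$AUTH_STACK" "")"
echo "pam_unix fails:               $(pam_authenticate_sim "$AUTH_STACK" "pam_unix.so=fail")"
echo "pam_env (required) fails:     $(pam_authenticate_sim "$AUTH_STACK" "pam_env.so=fail")"
echo "pam_succeed_if (requisite):   $(pam_authenticate_sim "$AUTH_STACK" "pam_unix.so=fail pam_succeed_if.so=fail")"
```

Two behaviours worth noting from the runs: a required failure early in the stack (pam_env) prevents the later sufficient pam_unix from short-circuiting, and when pam_unix fails the stack only ends in denial because pam_deny.so sits at the bottom; remove that line and a stack of one failing sufficient module would let everyone in.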
- module-path: path of the module
  - Relative path: modules under /lib64/security can be named by file name only, e.g. pam_shells.so, pam_limits.so
  - Absolute path: for modules anywhere else
  - Modules control how users may use system resources by reading their own configuration files under /etc/security/*.conf
  Note: changes to PAM configuration files take effect immediately; the files are read on every call, so no service restart is needed, and a typo locks users out at once.
  Recommendation: when editing PAM rules, keep at least one root session open and test the change from a second login before closing it, so that a mistake in the root authentication path cannot lock you out.
- arguments: parameters passed to the module
PAM documentation
- /usr/share/doc/pam-*
- rpm -qd pam
- man <module name> (e.g. man pam_rootok)
- The Linux-PAM System Administrators' Guide
PAM module examples
Module: pam_shells
- Function: checks that the user's login shell is listed in /etc/shells (the module also refuses everyone if /etc/shells is not a regular file owned by root and not world-writable)
- man pam_shells
- Example: do not allow users whose shell is /bin/csh to log in locally
  vim /etc/pam.d/login
  add the line: auth required pam_shells.so
  vim /etc/shells
  remove the /bin/csh line
  # create a user whose shell is csh
  useradd -s /bin/csh testuser
  # testuser can no longer log in on the console; the refusal is logged
  tail /var/log/secure
Module: pam_securetty.so
- Function: allows root to log in only on the secure terminals listed in /etc/securetty; other users are not affected
- Example: allow root to log in over telnet
  vi /etc/pam.d/remote
  # comment out the following line
  #auth required pam_securetty.so
  # or add the pseudo-terminals to /etc/securetty: pts/0, pts/1 ... pts/n
  Caveat: either change lets root authenticate over telnet, which carries the root password across the network in clear text. Prefer logging in as an unprivileged user and switching with su or sudo, and leave pam_securetty in place.
Module: pam_nologin.so
- Function:
  1. If the file /etc/nologin exists, non-root users cannot log in; the file's contents are displayed to them as the reason.
  2. Often confused with it, but not part of this module: when a user's shell is /sbin/nologin, the nologin program itself refuses the login and prints the contents of /etc/nologin.txt (if present) instead of its default "This account is currently not available." message.
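The decisions the three modules above make can be reproduced against copies of the files they read, which is a safe way to understand them before touching a real login path. The script below is an added example, not code from the original page or from Linux-PAM: shell re-implementations of the pam_shells, pam_securetty and pam_nologin checks, run against constructed copies of /etc/shells, /etc/passwd, /etc/securetty and /etc/nologin in a temporary directory ($ETC stands in for /etc).

```shell
#!/bin/sh
# Added example, not from the original page or from Linux-PAM: re-implement the
# pam_shells, pam_securetty and pam_nologin decisions over constructed files.

ETC=$(mktemp -d)
trap 'rm -rf "$ETC"' EXIT

# constructed files: /bin/csh is deliberately missing from shells, and
# securetty lists real consoles only (no pts/* pseudo-terminals)
printf '%s\n' /bin/sh /bin/bash >"$ETC/shells"
chmod 644 "$ETC/shells"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'alice:x:1000:1000::/home/alice:/bin/bash' \
              'testuser:x:1001:1001::/home/testuser:/bin/csh' >"$ETC/passwd"
printf '%s\n' tty1 tty2 >"$ETC/securetty"

# login_shell USER: the shell field of USER's passwd entry (empty if unknown)
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$ETC/passwd"
}

# pam_shells_check USER: succeed only if USER's shell is listed in shells.
# Like the real module, refuse everyone if shells is not a regular,
# non-world-writable file (the list would otherwise be attacker-controlled).
# The module also requires root ownership; skipped here because mktemp
# files belong to the current user.
pam_shells_check() {
    [ -f "$ETC/shells" ] || return 1
    [ -z "$(find "$ETC/shells" -perm -002)" ] || return 1
    _sh=$(login_shell "$1")
    [ -n "$_sh" ] || return 1
    grep -qx -- "$_sh" "$ETC/shells"
}

# pam_securetty_check USER TTY: root may log in only on a tty listed in
# securetty; the module does not restrict other users
pam_securetty_check() {
    [ "$1" = root ] || return 0
    grep -qx -- "${2#/dev/}" "$ETC/securetty"
}

# pam_nologin_check USER: while the nologin file exists, only root may log in
pam_nologin_check() {
    [ ! -e "$ETC/nologin" ] || [ "$1" = root ]
}

# login_allowed USER TTY: the three checks stacked as 'required'; prints allow/deny
login_allowed() {
    if pam_shells_check "$1" && pam_securetty_check "$1" "$2" && pam_nologin_check "$1"; then
        echo allow
    else
        echo deny
    fi
}

for u in alice testuser root; do
    echo "$u: tty1 -> $(login_allowed "$u" tty1), pts/0 -> $(login_allowed "$u" pts/0)"
done
```

Adding pts/0 to the constructed securetty, or creating $ETC/nologin, flips the corresponding decisions exactly as the two configuration changes described above would on a real system.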
Module: pam_limits.so
- Function: enforces per-user limits on the resources a login session may use, e.g. the number of open files, the number of processes, the amount of memory
- Ways to set limits:
  (1) The ulimit command: takes effect immediately for the current shell and its children, but is not persistent
      -n maximum number of open file descriptors per process
      -u maximum number of user processes
      -S operate on the soft limit
      -H operate on the hard limit
  (2) Configuration files: /etc/security/limits.conf and /etc/security/limits.d/*.conf, read by pam_limits.so when a session is opened
- Configuration file format: one definition per line: <domain> <type> <item> <value>
  1. <domain>: who the limit applies to
     username   a single user
     @group     all users in the group
     *          all users (the default; more specific entries override it)
  2. <type>: kind of limit
     soft   soft limit, the value in effect; an ordinary user may raise it, but not above the hard limit
     hard   hard limit, the ceiling; set by root and enforced by the kernel, an unprivileged process can only lower it
     -      sets soft and hard limit to the same value
  3. <item>: the resource being limited
     nofile   maximum number of simultaneously open files (default 1024)
     nproc    maximum number of simultaneously running processes (default 1024)
  4. <value>: the numeric limit, or unlimited
- Command: ulimit

Option | Meaning | Example | Explanation
---|---|---|---
-H | operate on the hard limit; a hard limit can be lowered by any user but raised again only by root | ulimit -Hs 64 | hard-limit the stack size to 64 KB
-S | operate on the soft limit; it can be raised again later, up to the hard limit | ulimit -Sn 32 | soft-limit open file descriptors to 32
-a | display all current limits | ulimit -a | display all current limits
-c | maximum core file size, in blocks (1024 bytes in bash) | ulimit -c unlimited | no limit on core file size
-d | maximum process data segment size, in KB | ulimit -d unlimited | no limit on the data segment size
-f | maximum size of files the shell and its children may create, in blocks (1024 bytes in bash) | ulimit -f 2048 | files created may be at most 2048 blocks
-l | maximum amount of memory that may be locked, in KB | ulimit -l 32 | at most 32 KB of locked memory
-m | maximum resident set size, in KB | ulimit -m unlimited | no limit on resident memory
-n | maximum number of open file descriptors | ulimit -n 128 | at most 128 file descriptors per process
-p | pipe buffer size, in 512-byte blocks (reported only; bash cannot change it) | ulimit -p | show the pipe buffer size
-s | stack size, in KB | ulimit -s 512 | limit the stack to 512 KB
-t | maximum CPU time, in seconds | ulimit -t unlimited | no limit on CPU time
-u | maximum number of processes for this user | ulimit -u 64 | at most 64 processes for this user
-v | maximum virtual memory available to the process, in KB | ulimit -v 2000 | at most 2000 KB of virtual memory
- Example: limit the number of open files and the number of running processes for particular users
  [root]$ vim /etc/pam.d/system-auth
  session required pam_limits.so
  [root]$ vim /etc/security/limits.conf
  # user apache may open 10240 files (soft and hard limit)
  apache  -    nofile 10240
  # user student may not run more than 20 processes
  student hard nproc  20
- Production case: an /etc/security/limits.conf fragment applied to all users ("*"). core and memlock are in KB, msgqueue in bytes, nofile and nproc are counts.
  * soft core unlimited
  * hard core unlimited
  * soft nproc 1000000
  * hard nproc 1000000
  * soft nofile 1000000
  * hard nofile 1000000
  * soft memlock 32000
  * hard memlock 32000
  * soft msgqueue 8192000
  * hard msgqueue 8192000
  Caveat: "core unlimited" lets any crashing process write its full memory image, including passwords or keys it held, to disk, and an nproc of one million for "*" removes the fork-bomb protection the default nproc limit gives. Apply such values to the service accounts that need them rather than to "*".
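Because pam_limits reads these files at every session open, a malformed or inconsistent line is only noticed when logins start behaving oddly. The script below is an added example, not code from the original page or from Linux-PAM: a checker for limits.conf fragments such as the production case above. It validates the <domain> <type> <item> <value> format, rejects unknown items and non-numeric values, reports a soft limit set above the matching hard limit, and flags hard "core unlimited" entries. The input file is constructed for the demonstration and deliberately contains three mistakes.

```shell
#!/bin/sh
# Added example, not from the original page or from Linux-PAM: lint a
# limits.conf fragment before installing it under /etc/security/.

LIMITS=$(mktemp)
trap 'rm -f "$LIMITS"' EXIT
cat >"$LIMITS" <<'EOF'
# constructed /etc/security/limits.conf for the demonstration
*        soft core      unlimited
*        hard core      unlimited
*        soft nproc     1000000
*        hard nproc     1000000
*        soft nofile    1000000
*        hard nofile    1000000
*        soft memlock   32000
*        hard memlock   32000
apache   -    nofile    10240
student  hard nproc     20
student  soft nproc     50
@devs    soft nofile    abc
@devs    hard cpu
EOF

# lint_limits FILE: print one problem per line; print nothing if FILE is clean
lint_limits() {
    awk '
    BEGIN {
        # items accepted by pam_limits
        split("core data fsize memlock nofile rss stack cpu nproc as maxlogins maxsyslogins priority locks sigpending msgqueue nice rtprio", a, " ")
        for (i in a) known[a[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        if (NF != 4) { printf "line %d: expected 4 fields, got %d\n", NR, NF; next }
        d = $1; t = $2; it = $3; v = $4
        if (t != "soft" && t != "hard" && t != "-") printf "line %d: unknown type %s\n", NR, t
        if (!(it in known)) printf "line %d: unknown item %s\n", NR, it
        if (v != "unlimited" && v != "infinity" && v !~ /^-?[0-9]+$/) {
            printf "line %d: value %s is not a number or unlimited\n", NR, v; next
        }
        # an unlimited hard core limit lets crash dumps carry secrets to disk
        if (it == "core" && v == "unlimited" && (t == "hard" || t == "-"))
            printf "line %d: %s %s core unlimited allows unlimited core dumps; process memory (credentials, keys) may land on disk\n", NR, d, t
        if (t == "soft" || t == "-") soft[d SUBSEP it] = v
        if (t == "hard" || t == "-") hard[d SUBSEP it] = v
    }
    END {
        # a soft limit above its hard limit can never take effect
        for (k in soft) if (k in hard) {
            s = soft[k]; h = hard[k]
            if (h != "unlimited" && h != "infinity" &&
                (s == "unlimited" || s == "infinity" || s + 0 > h + 0)) {
                split(k, p, SUBSEP)
                printf "%s %s: soft %s exceeds hard %s\n", p[1], p[2], s, h
            }
        }
    }' "$1"
}

lint_limits "$LIMITS"
```

Run it as `lint_limits /etc/security/limits.conf` (and over each file in limits.d) before a change goes live; an empty result means the format is sound, while the core-dump finding is a policy decision the checker only surfaces.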