Pluggable Authentication Modules(可插入验证模块,简称PAM)

Linux-PAM(Pluggable Authentication Modules for Linux,基于Linux的插入式验证模块)是一组共享库,使用这些模块,系统管理者可以自由选择应用程序使用的验证机制。也就是说。勿需重新编译应用程序就可以切换应用程序使用的验证机制。将系统提供的服务和该服务的认证方式分开,使得系统管理员可以灵活地根据需要给不同的服务配置不同的认证方式而无需更改服务程序,同时也便于向系统中添加新的认证手段。应用程序通过libpam函数库来提供服务,应用程序与PAM的结合通过配置文件来完成。

使用ldd命令查看有哪些程序使用pam验证,并非所有的程序都是用PAM

[root@localhost ~]# ldd `which login` | grep pam.so

    libpam.so. => /lib64/libpam.so. (0x00007ff2566cc000)

[root@localhost ~]# ldd `which sshd` | grep pam.so

    libpam.so. => /lib64/libpam.so. (0x00007f83bdf05000)

[root@localhost ~]#

这些功能模块存放在/lib/security/目录里,应用程序通过libpam函数库来动态加载所需要的模块,实现认证方式,每一个认证模块都会返回pass和fail结果,从而决定验证的成功与否。通过配置文件来定制服务使用那些模块,一般来说它们都存放在/etc/pam.d/目录下,

/etc/pam.d/login

/etc/pam.d/sshd

注意:pam产生的日志记录会在/var/log/secure

以字符终端验证程序login为例,来初步了解一下pam的验证过程

[root@localhost ~]# cat /etc/pam.d/login

#%PAM-1.0

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

auth       substack     system-auth

auth       include      postlogin

account    required     pam_nologin.so

account    include      system-auth

password   include      system-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    required     pam_loginuid.so

session    optional     pam_console.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open

session    required     pam_namespace.so

session    optional     pam_keyinit.so force revoke

session    include      system-auth

session    include      postlogin

-session   optional     pam_ck_connector.so

[root@localhost ~]#

PAM验证类型:

*auth验证使用者身份,提示输入账号和密码

*account基于时间或者密码有效期来决定是否允许访问

*password禁止用户反复尝试登陆,在变更密码时进行密码复杂性控制

*session进行日志记录,或者限制用户登录的次数,资源使用

PAM控制类型:

required必要条件,表示本模块必须返回成功才能通过认证;如果返回成功,继续后续验证,最后是否成功由有序验证决定;

但是如果该模块返回失败的话,失败结果也不会立即通知用户,二十要等所有模块全部执行完毕再将失败结果返回给应用程序。

requisite必要条件与required类型,该模块必须返回成功才能通过认证;如果返回成功,继续后续验证,最后是否成功由后续验证决定;

但是一旦该模块返回失败,将不再执行任何模块,而是直接将控制权返回给应用程序。

sufficient:

充分条件,表名本模块返回成功已经足以通过身份认证的请求,不必再执行其他的模块;如果验证成功,就立刻返回成;

但是如果本模块返回失败的话可以忽略。

optional可选条件,表明本模块是可选的,它的成功与否一般不会对身份认证起关键作用,其返回值一般被忽略。

include包含,后边是一个文件

[root@localhost ~]# cat /etc/pam.d/system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        required      pam_faildelay.so delay=

auth        sufficient    pam_fprintd.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >=  quiet_success

auth        required      pam_deny.so

account     required      pam_unix.so

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid <  quiet

account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry= authtok_type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

-session     optional      pam_systemd.so

session     [success= default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

[root@localhost ~]#

*pam_securetty.so

pam_securetty root可以登录的tty

[root@localhost ~]# cat /etc/securetty

console

vc/

vc/

vc/

vc/

vc/

vc/

vc/

vc/

vc/

vc/

vc/

tty1

tty2

tty3

tty4

tty5

tty6

tty7

tty8

tty9

tty10

tty11

ttyS0

ttysclp0

sclp_line0

/tty1

hvc0

hvc1

hvc2

hvc3

hvc4

hvc5

hvc6

hvc7

hvsi0

hvsi1

hvsi2

xvc0

删除tty3看看是否root还能在tty3登录(不能)

*pam_env.so登录时选择是否设置环境变量

[root@localhost ~]# cat /etc/security/pam_env.conf

#

# This is the configuration file for pam_env, a PAM module to load in

# a configurable list of environment variables for a

#

# The original idea for this came from Andrew G. Morgan ...

#<quote>

#   Mmm. Perhaps you might like to write a pam_env module that reads a

#   default environment from a file? I can see that as REALLY

#   useful... Note it would be an "auth" module that returns PAM_IGNORE

#   for the auth part and sets the environment returning PAM_SUCCESS in

#   the setcred function...

#</quote>

#

# What I wanted was the REMOTEHOST variable set, purely for selfish

# reasons, and AGM didn't want it added to the SimpleApps login

# program (which is where I added the patch). So, my first concern is

# that variable, from there there are numerous others that might/would

# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....

#

# Of course, these are a different kind of variable than REMOTEHOST in

# that they are things that are likely to be configured by

# administrators rather than set by logging in, how to treat them both

# in the same config file?

#

# Here is my idea:

#

# Each line starts with the variable name, there are then two possible

# options for each variable DEFAULT and OVERRIDE.

# DEFAULT allows and administrator to set the value of the

# variable  to some default value, if none is supplied then the empty

# string is assumed. The OVERRIDE option tells pam_env that it should

# enter in its value (overriding the default value) if there is one

# to use. OVERRIDE is not used, "" is assumed and no override will be

# done.

#

# VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]

#

# (Possibly non-existent) environment variables may be used in values

# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may

# be used in values using the @{string} syntax. Both the $ and @

# characters can be backslash escaped to be used as literal values

# values can be delimited with "", escaped " not supported.

# Note that many environment variables that you would like to use

# may not be set by the time the module is called.

# For example, HOME is used below several times, but

# many PAM applications don't make it available by the time you need it.

#

#

# First, some special variables

#

# Set the REMOTEHOST variable for any hosts that are remote, default

# to "localhost" rather than not being set at all

#REMOTEHOST    DEFAULT=localhost OVERRIDE=@{PAM_RHOST}

#

# Set the DISPLAY variable if it seems reasonable

#DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

#

#

#  Now some simple variables

#

#PAGER        DEFAULT=less

#MANPAGER    DEFAULT=less

#LESS        DEFAULT="M q e h15 z23 b80"

#NNTPSERVER    DEFAULT=localhost

#PATH        DEFAULT=${HOME}/bin:/usr/local/bin:/bin\

#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11

#

# silly examples of escaped variables, just to show how they work.

#

#DOLLAR        DEFAULT=\$

#DOLLARDOLLAR    DEFAULT=    OVERRIDE=\$${DOLLAR}

#DOLLARPLUS    DEFAULT=\${REMOTEHOST}${REMOTEHOST}

#ATSIGN        DEFAULT=""    OVERRIDE=\@

[root@localhost ~]#

*pam_unix.so系统中核心的一个pam模块,专门研制下面两个文件,验证用户密码/etc/passwd,/etc/shadow

[root@localhost ~]# cat /etc/pam.d/system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        required      pam_faildelay.so delay=

auth        sufficient    pam_fprintd.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >=  quiet_success

auth        required      pam_deny.so

account     required      pam_unix.so

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid <  quiet

account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry= authtok_type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

-session     optional      pam_systemd.so

session     [success= default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

[root@localhost ~]#

*pam_seccesed_if.so uid <500

uid < 500立刻成功

*pam_permit.so 永远返回成功

*pam_nologin.so

/etc/nolog这个文件只要存在,非root用户不能登录系统,但是已经登录的没有影响。在这个文件中还可以随意写一些信息,root用户登录可以看到

*pam_access.so 限制用户user不能通过ttyx登录

[root@localhost ~]# cat /etc/pam.d/login

#%PAM-1.0

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

auth       substack     system-auth

auth       include      postlogin

account    required     pam_nologin.so

account    include      system-auth

password   include      system-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    required     pam_loginuid.so

session    optional     pam_console.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open

session    required     pam_namespace.so

session    optional     pam_keyinit.so force revoke

session    include      system-auth

session    include      postlogin

-session   optional     pam_ck_connector.so

[root@localhost ~]#

*pam_echo.so

[root@localhost ~]# cat /etc/pam.d/passwd

#%PAM-1.0

auth       include    system-auth

account    include    system-auth

password   substack    system-auth

-password   optional    pam_gnome_keyring.so use_authtok

password   substack    postlogin

[root@localhost ~]# 
[root@localhost ~]# cat /etc/pam.d/sshd

#%PAM-1.0

auth       required    pam_sepermit.so

auth       substack     password-auth

auth       include      postlogin

# Used with polkit to reauthorize users in remote sessions

-auth      optional     pam_reauthorize.so prepare

account    required     pam_nologin.so

account    include      password-auth

password   include      password-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    required     pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open env_params

session    required     pam_namespace.so

session    optional     pam_keyinit.so force revoke

session    include      password-auth

session    include      postlogin

# Used with polkit to reauthorize users in remote sessions

-session   optional     pam_reauthorize.so prepare

[root@localhost ~]#

*pam_time.so允许的时间范围(Only the account service is supported)

[root@localhost ~]# cat /etc/security/time.conf

# this is an example configuration file for the pam_time module. Its syntax

# was initially based heavily on that of the shadow package (shadow-).

#

# the syntax of the lines is as follows:

#

#       services;ttys;users;times

#

# white space is ignored and lines maybe extended with '\\n' (escaped

# newlines). As should be clear from reading these comments,

# text following a '#' is ignored to the end of the line.

#

# the combination of individual users/terminals etc is a logic list

# namely individual tokens that are optionally prefixed with '!' (logical

# not) and separated with '&' (logical and) and '|' (logical or).

#

# services

#    is a logic list of PAM service names that the rule applies to.

#

# ttys

#    is a logic list of terminal names that this rule applies to.

#

# users

#    is a logic list of users or a netgroup of users to whom this

#    rule applies.

#

# NB. For these items the simple wildcard '*' may be used only once.

#

# times

#    the format here is a logic list of day/time-range

#    entries the days are specified by a sequence of two character

#    entries, MoTuSa for example is Monday Tuesday and Saturday. Note

#    that repeated days are unset MoMo = no day, and MoWk = all weekdays

#    bar Monday. The two character combinations accepted are

#

#        Mo Tu We Th Fr Sa Su Wk Wd Al

#

#    the last two being week-end days and all  days of the week

#    respectively. As a final example, AlFr means all days except Friday.

#

#    each day/time-range can be prefixed with a '!' to indicate "anything

#    but"

#

#    The time-range part is two -hour times HHMM separated by a hyphen

#    indicating the start and finish time (if the finish time is smaller

#    than the start time it is deemed to apply on the following day).

#

# for a rule to be active, ALL of service+ttys+users must be satisfied

# by the applying process.

#

#

# Here is a simple example: running blank on tty* (any ttyXXX device),

# the users 'you' and 'me' are denied service all of the time

#

#blank;tty* & !ttyp*;you|me;!Al0000-

# Another silly example, user 'root' is denied xsh access

# from pseudo terminals at the weekend and on mondays.

#xsh;ttyp*;root;!WdMo0000-

#

# End of example file.

#

[root@localhost ~]#

系统安全-PAM的更多相关文章

  1. Linux系统运维之路

    九月份开始,半年内搞定运维,博客会慢慢的更新,vim编辑器,Nginx配置文件优化 运维基础 运维基础-Linux发展史.安装.基本操作 运维基础-用户和组管理 运维基础-文件权限管理 运维基础-进程 ...

  2. Linux Pam后门总结拓展

    首发先知社区: https://xz.aliyun.com/t/7902 前言 渐渐发现pam后门在实战中存在种植繁琐.隐蔽性不强等缺点,这里记录下学习pam后门相关知识和pam后门的拓展改进. 0x ...

  3. Linux System Account SSH Weak Password Detection Automatic By System API

    catalog . Linux弱口令攻击向量 . Linux登录验证步骤 . PAM . 弱口令风险基线检查 1. Linux弱口令攻击向量 0x1: SSH密码暴力破解 hydra -l root ...

  4. SELinux深入理解

    ps:今天在远程给服务器配置https的时候,一直乱码,以前做系统的系统第一件事情,就是关闭selinx,今天忘记了,然后就悲剧了... 弄了半天才弄好,镇定思痛,好好的来看下selinux 1. 简 ...

  5. 深入理解SELinux

      目录(?)[+]   1. 简介 SELinux带给Linux的主要价值是:提供了一个灵活的,可配置的MAC机制. Security-Enhanced Linux (SELinux)由以下两部分组 ...

  6. [转]CentO下限制SSH登录次数

    应公司内部网站等级测评的需求,正逐渐加强系统安全防护. 设备默认 3 次验证失败自动退出,并且结束会话:网络登录连接超时自动退出时间 5 分钟: 第一种方法:已验证. 1.ssh超时时间设置 # cd ...

  7. [转]SELinux管理与配置

    原文链接:http://blog.csdn.net/huangbiao86/article/details/6641893 1.1 SElinux概述 SELinux(Security-Enhance ...

  8. ftp实现普通账号和vip账号限速

    ftp工作流程: ftp回话包含了两个通道,控制通道和数据通道,ftp的工作有两种模式,一种是主动模式,一种是被动模式,以ftpserver为参照物,主动模式,服务器主动连接客户端传输,被动模式,等待 ...

  9. Linux禁止普通用户su至root

    linux系统为了限制权限,有时候需要禁止普通用户su到root用户 为禁止普通用户su至root,需要分别修改/etc/pam.d/su和/etc/login.defs两个配置文件. 二.详细配置 ...

随机推荐

  1. 【bzoj1191】[HNOI2006]超级英雄Hero - 二分图匹配

    现在电视台有一种节目叫做超级英雄,大概的流程就是每位选手到台上回答主持人的几个问题,然后根据回答问题的多少获得不同数目的奖品或奖金.主持人问题准备了若干道题目,只有当选手正确回答一道题后,才能进入下一 ...

  2. hdu 6118 度度熊的交易计划

    度度熊的交易计划 Time Limit: 12000/6000 MS (Java/Others)    Memory Limit: 32768/32768 K (Java/Others)Total S ...

  3. es6总结(六)--新数据类型-Symbol

  4. PE+ 1.0 ( Pump Express Plus 1.0 )

    Dialog iW1788 for PE+ 1.0 Dialog iW1680 for PE PE+1.0 for up to 15W battery, improve charging time, ...

  5. iOS开发之手势gesture详解(二)

    与其他用户界面控件交互 UIControl子类会覆盖parentView的gesture.例如当用户点击UIButton时,UIButton会接受触摸事件,它的parentView不会接收到.这仅适用 ...

  6. 利用github搭建个人网站

    1.注册一个github  https://github.com/ 2.新建一个仓库  仓库名 用 Owner.github.io 的格式,然后点击创建 3.源码上传至github 安装github桌 ...

  7. 透明代理Transparent Proxy

    透明代理Transparent Proxy   透明代理Transparent Proxy类似于普通代理,它可以使得处于局域网的主机直接访问外网.但不同之处,它不需要客户端进行任何设置.这样,客户端误 ...

  8. awk数组详解、实战

    1.其它编程语言数组的下标一般从0开始,awk中数组下标默认从1开始,也可以从0开始设置: awk 'BEGIN{huluwa[0]="大娃";huluwa[1]="二娃 ...

  9. Eval is evil ('Eval是魔鬼') --- eval()函数

    Eval is evil ('Eval是魔鬼') eval() 函数可计算某个字符串,并执行其中的的 JavaScript 代码.语法:eval(string): eval的使用场合是什么呢?有时候我 ...

  10. uitableview中文排序问题

    1,uitableview中涉及到排序的问题,查找资料后发现使用UILocalizedIndexedCollation可以很好处理中文和英文系统下中文的排序.而且如果第一个汉字首字母一样那么就会按照第 ...