Linux-PAM认证模块
用户访问服务器的时候,服务器的某一个服务程序把用户的谁请求发送到PAM模块进行认证。对于不同的服务器应用程序所对应的PAM模块也是不同的。如果想查看某个程序是否支持PAM认证,可以用ldd命令进行检查:
例如:查看sshd是不是支持PAM模块认证:
由于在程序模块里链接了libpam.so.0 =< /lib/libpam.so.0 ,说明此程序可以进行PAM认证。
当一个服务器请求PAM模块的时候,PAM本身是不提供服务验证的,它是调用其它的一群模块来进行服务器请求验证,这样的文件全放在了/lib/security中。具体到哪一个服务使用哪一种具体的模块,这是由具体的PAM服务文件定义的(/etc/pam.d/).
[root@localhost root]# ls /etc/pam.d/
authconfig neat redhat-config-network su
chfn other redhat-config-network-cmd sudo
chsh passwd redhat-config-network-druid system-auth
halt poweroff rhn_register up2date
internet-druid ppp setup up2date-config
kbdrate reboot smtp up2date-nox
login redhat-config-mouse sshd
PAM服务文件
1、# more /etc/pam.d/login
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
PAM服务文件的格式(四部分)
Module-type | control-flag | module-path | arguments |
auth | required | pam_securety.so |
auth | required | pam_stack.so service=system_auth |
①、auth required pam_securety.so
②、auth required pam_stack.so service=system-auth
③、auth required pam_nologin.so
[root@localhost root]# cd /etc/pam.d/
[root@localhost pam.d]# more login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
[root@localhost pam.d]# cd /usr/share/doc/pam-0.75/txts/
[root@localhost txts]# ls
pam_appl.txt README.pam_ftp README.pam_shells
pam_modules.txt README.pam_limits README.pam_stack
pam.txt README.pam_listfile README.pam_stress
README README.pam_localuser README.pam_tally
README.pam_access README.pam_mail README.pam_time
README.pam_chroot README.pam_nologin README.pam_timestamp
README.pam_console README.pam_permit README.pam_unix
README.pam_cracklib README.pam_pwdb README.pam_userdb
README.pam_deny README.pam_rhosts README.pam_warn
README.pam_env README.pam_rootok README.pam_wheel
README.pam_filter README.pam_securetty README.pam_xauth
[root@localhost txts]# more README.pam_securetty
pam_securetty:
Allows root logins only if the user is logging in on a
"secure" tty, as defined by the listing in /etc/securetty
Also checks to make sure that /etc/securetty is a plain
file and not world writable.
- Elliot Lee , Red Hat Software.
July 25, 1996.
[root@localhost txts]# more /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
[root@localhost txts]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
[root@localhost txts]# pwd
/usr/share/doc/pam-0.75/txts
[root@localhost txts]# more README.pam_nologin
# $Id: README,v 1.1.1.1 2000/06/20 22:11:46 agmorgan Exp $
#
This module always lets root in; it lets other users in only if the file
/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's
contents are displayed to the user.
module services provided:
auth _authentication and _setcred (blank)
Michael K. Johnson
[root@localhost txts]# touch /etc/nologin
[root@localhost txts]# useradd leekwen
[root@localhost txts]# passwd leekwen
Changing password for user leekwen.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost txts]# ssh leekwen@192.168.0.188
leekwen@192.168.0.188's password:
Permission denied, please try again.
leekwen@192.168.0.188's password:
Permission denied, please try again.
leekwen@192.168.0.188's password:
Permission denied (publickey,password,keyboard-interactive).
[root@localhost txts]# rm /etc/nologin
rm: remove regular empty file `/etc/nologin'? y
[root@localhost txts]# ssh leekwen@192.168.0.188
leekwen@192.168.0.188's password:
[leekwen@localhost leekwen]$ pwd
/home/leekwen
[leekwen@localhost leekwen]$ exit
logout
Connection to 192.168.0.188 closed.
[root@localhost txts]# cd /etc/pam.d/
[root@localhost pam.d]# more login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
[root@localhost pam.d]# tty
/dev/pts/2
[root@localhost pam.d]# ls /dev/tty1
/dev/tty1