When a user accesses a service, the service program hands the request to the PAM library. PAM looks up the configuration file named after the service in the /etc/pam.d directory, and that file determines which PAM modules handle the request and in which order.
Run ldd on the service program to see whether it was linked against libpam.so at compile time; that decides whether the program can use PAM authentication at all.
The PAM modules themselves live in the /lib/security directory; the service configuration files live in /etc/pam.d.
PAM service file format
Each line is: module-type control-flag module-path [module-arguments]
eg:
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
The second line calls the stack of another service file (here system-auth) as a sub-service. On newer Linux-PAM releases pam_stack.so is obsolete and the same thing is written as "auth include system-auth".
Module-type:
auth      verifies the user's identity (normally by checking the password) and can grant credentials such as group memberships
account   checks whether the account may be used: not expired, allowed to log in at this time and from this place
session   tasks performed at the beginning and at the end of the session, after the user has logged in successfully
password  controls the process of changing the user's password
control-flag:
required   must succeed; if it fails the remaining modules of the stack still run, but the final result is failure
requisite  must succeed; if it fails, control returns to the application at once and the rest of the stack is not run
sufficient if it succeeds (and no earlier required module has failed) the rest of the stack is skipped and the result is success; if it fails, the failure is ignored and the stack continues
optional   its result only counts when it is the only module of its type in the stack
PAM service files of commonly used services
login  -------  /etc/pam.d/login
ipop3d -------  /etc/pam.d/pop
vsftpd -------  /etc/pam.d/ftp (compiled from source) or /etc/pam.d/vsftpd (installed from rpm)
sshd   -------  /etc/pam.d/sshd
su     -------  /etc/pam.d/su
imap   -------  /etc/pam.d/imap
The modules are in the /lib/security directory; for what each pam module does, see the help files under /usr/share/doc/pam-0.99.3.0.
All lines of the same module-type in a service file form one stack, evaluated from top to bottom.
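As an added example (not code from the original post), the following shell script resolves such a stack: it reads a service file, keeps the lines of one module-type, follows pam_stack.so service=NAME, include NAME and substack NAME into the referenced file, and prints the modules in the order PAM will run them. Instead of reading /etc/pam.d it builds a constructed sshd and system-auth pair in a scratch directory; set PAMD to the real directory to run it on a system. The names pam_flatten, make_sample_pamd and PAMD are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post. Resolves the module stack of one
# type for a PAM service file, following "pam_stack.so service=NAME" (old Red Hat),
# "include NAME" and "substack NAME" (newer Linux-PAM) into the named file in the
# same directory. Backslash line continuations are not handled.
PAMD="${PAMD:-/etc/pam.d}"          # override to audit a scratch copy

# pam_flatten SERVICE TYPE [DEPTH] -> one "control module [args]" line per module
pam_flatten() {
    set -- "$1" "$2" "${3:-0}"      # positional parameters are private to this call
    if [ "$3" -gt 8 ]; then echo "include nesting too deep at $1" >&2; return 1; fi
    if [ ! -r "$PAMD/$1" ]; then echo "cannot read $PAMD/$1" >&2; return 1; fi
    while read -r _t _ctl _mod _args; do
        [ -n "$_t" ] || continue
        case "$_ctl" in
            \[*)   # a bracketed control like [success=1 default=ignore] was split by read: re-join it
                _rest="$_ctl $_mod $_args"
                _ctl="${_rest%%]*}]"
                _rest="${_rest#*]}"; _rest="${_rest# }"
                _mod="${_rest%% *}"
                _args="${_rest#"$_mod"}"; _args="${_args# }" ;;
        esac
        if [ "$_ctl" = include ] || [ "$_ctl" = substack ]; then
            pam_flatten "$_mod" "$2" $(($3 + 1)) || return 1
        elif [ "$_mod" = pam_stack.so ]; then
            pam_flatten "${_args#service=}" "$2" $(($3 + 1)) || return 1
        else
            echo "$_ctl $_mod${_args:+ $_args}"
        fi
    done <<EOF
$(sed 's/#.*//' "$PAMD/$1" | awk -v t="$2" 'NF && $1 == t')
EOF
}

# Constructed sample: an sshd file that calls system-auth both ways (not a real host's files)
make_sample_pamd() {
    PAMD=$(mktemp -d)
    cat > "$PAMD/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/denyuser onerr=fail
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
account    required     pam_access.so
session    required     pam_limits.so
session    include      system-auth
EOF
    cat > "$PAMD/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=1 default=ignore] pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
session     required      pam_unix.so
EOF
}

demo() {
    make_sample_pamd
    for _type in auth account session; do
        echo "== $_type stack of sshd =="
        pam_flatten sshd "$_type"
    done
    rm -rf "$PAMD"
}
demo
```

On a real system run `PAMD=/etc/pam.d; pam_flatten sshd auth` to see which module a login actually reaches first, which is the question behind the ordering remarks later in this post.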
PAM modules used below
pam_access.so    controls access by the login's origin (host name or address) and by user name
pam_listfile.so  allows or refuses according to a list kept in a file (user names, ttys, groups, ...)
pam_limits.so    sets resource limits for the user's session
pam_rootok.so    lets the administrator (uid=0) through without further checks
pam_userdb.so    authenticates against a separate user database (Berkeley DB)
--- Using pam_access.so to control which hosts and users may use the sshd service
1. Add the module to the service file of the service that should use it, here /etc/pam.d/sshd:
account required pam_access.so
2. Edit the module's configuration file
/etc/security/access.conf
-:redhat:ALL EXCEPT 192.168.0.
(format: permission:users:origins; "-" refuses and "+" permits; rules are tried from top to bottom, the first line whose users and origins fields both match decides, and if no line matches access is permitted)
3. Test
ssh redhat@192.168.0.22    from a host in 192.168.0.: allowed
ssh redhat@127.0.0.1       from the server itself: refused
pam_access.so permits or refuses access according to host name, IP address or user name.
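Added example (not from the original post): a small evaluator that applies access.conf rules the way pam_access.so does, first match wins and no match means permit, to a user and an origin. It handles ALL, ALL EXCEPT, user names, exact addresses and dotted network prefixes such as 192.168.0.; groups, netgroups, LOCAL and domain suffixes are left out. It runs on a constructed access.conf written to a temp file; the function and file names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: evaluate access.conf rules for a
# user and an origin as pam_access.so does (first matching line decides, default
# permit). Only a subset of the syntax is handled, see item_matches.

# item_matches ITEM TOKEN -> true if TOKEN covers ITEM
item_matches() {
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; esac; return 1 ;;   # network prefix, e.g. 192.168.0.
        *)   [ "$1" = "$2" ] ;;                                   # exact user, host or address
    esac
}

# field_matches ITEM "tok tok ..." or "ALL EXCEPT tok ..." -> true if the field covers ITEM
field_matches() {
    case "$2" in
        *EXCEPT*)
            set -- "$1" "${2%%EXCEPT*}" "${2#*EXCEPT}"
            field_matches "$1" "$2" && ! field_matches "$1" "$3" ;;
        *)
            for _tok in $2; do
                item_matches "$1" "$_tok" && return 0
            done
            return 1 ;;
    esac
}

# pam_access_check USER ORIGIN [ACCESS_CONF] -> "+ ..." or "- ..." with the deciding rule
pam_access_check() {
    _conf="${3:-/etc/security/access.conf}"
    _oldifs=$IFS; IFS='
'
    set -f                                                  # no globbing of rule text
    set -- "$1" "$2" $(sed 's/#.*//' "$_conf" | awk 'NF')   # one positional per rule line
    set +f
    IFS=$_oldifs
    _user="$1"; _origin="$2"; shift 2
    for _rule in "$@"; do
        _perm="${_rule%%:*}"; _rest="${_rule#*:}"
        _users="${_rest%%:*}"; _origins="${_rest#*:}"
        if field_matches "$_user" "$_users" && field_matches "$_origin" "$_origins"; then
            case "$_perm" in
                *-*) echo "- rule: $_rule" ;;
                *)   echo "+ rule: $_rule" ;;
            esac
            return 0
        fi
    done
    echo "+ no matching rule (pam_access permits by default)"
}

# Constructed sample access.conf (not a real host's file)
make_sample_access_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# permission:users:origins
-:redhat:ALL EXCEPT 192.168.0.
-:ALL EXCEPT root admin:127.0.0.1
EOF
    echo "$_f"
}

demo() {
    _c=$(make_sample_access_conf)
    for _who in "redhat 192.168.0.22" "redhat 127.0.0.1" "chinaitlab 127.0.0.1" "root 127.0.0.1"; do
        echo "$_who -> $(pam_access_check $_who "$_c")"
    done
    rm -f "$_c"
}
demo
```

The default-permit rule is the part worth remembering: a file that only lists the users you want to refuse lets everyone else in, so a restrictive setup usually ends with a final "-:ALL:ALL" line.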
Using pam_listfile.so (finer-grained control than pam_access.so)
1. First read its help file for the exact format and the meaning of the parameters
# less /usr/share/doc/pam-0.99.3.0/txts/README.pam_listfile
item=user|tty|group|...   what kind of entries the list file contains
sense=allow|deny          whether an entry found in the file means the user is allowed or refused
file=/path                the list file; one entry of the kind given by item per line
onerr=succeed|fail        the value the module returns when the module itself runs into an error, for example when the list file cannot be opened. The post sets succeed; note that with sense=deny this is fail-open: if the file becomes unreadable, nobody is refused any more. onerr=fail is the safer setting for a deny list.
2. Apply the module to the sshd service
Remove the pam_access.so line added above, then add the following as the FIRST line of /etc/pam.d/sshd:
auth required pam_listfile.so item=user sense=deny file=/etc/denyuser onerr=succeed
Pay attention to where the line goes: placed below a module that can end the stack early (a sufficient one), it may never be consulted and you will not see any effect.
3. Create the list file
# echo "redhat" > /etc/denyuser
4. Test
# ssh -l redhat 192.168.0.22       refused
# ssh -l chinaitlab 192.168.0.22   succeeds
# w                                shows who is logged in and what each user is doing
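Added example, not part of the original post: a check for the pam_listfile.so setup above. It reports the three mistakes that make a deny list silently ineffective: the line placed below a sufficient module, sense=deny combined with onerr=succeed (fail-open), and a list file that other users can write to. The sshd.weak and sshd.good service files and the denyuser list are constructed in a temp directory; pam_listfile_audit and make_listfile_samples are this example's own names.

```sh
#!/bin/sh
# Added example, not part of the original post: audit a pam_listfile.so deny-list
# line in a PAM service file. Prints one finding per line, or "OK: file".

# pam_listfile_audit SERVICEFILE
pam_listfile_audit() {
    _f="$1"; _ok=1
    # line numbers of the first pam_listfile.so auth line and the first sufficient auth line
    _lf=$(sed 's/#.*//' "$_f" | awk '$1 == "auth" && $3 == "pam_listfile.so" { print NR; exit }')
    _suf=$(sed 's/#.*//' "$_f" | awk '$1 == "auth" && $2 == "sufficient" { print NR; exit }')
    if [ -z "$_lf" ]; then echo "no 'auth ... pam_listfile.so' line in $_f"; return 0; fi
    # 1. ordering: a sufficient module above it can end the stack before the list is read
    if [ -n "$_suf" ] && [ "$_suf" -lt "$_lf" ]; then
        echo "line $_lf: pam_listfile.so sits below a sufficient module (line $_suf); move it above"
        _ok=0
    fi
    _line=$(sed -n "${_lf}p" "$_f")
    _sense=$(printf '%s\n' "$_line" | sed -n 's/.*sense=\([a-z]*\).*/\1/p')
    _onerr=$(printf '%s\n' "$_line" | sed -n 's/.*onerr=\([a-z]*\).*/\1/p')
    _list=$(printf '%s\n' "$_line" | sed -n 's/.*file=\([^ ]*\).*/\1/p')
    # 2. fail-open: an unreadable deny list would then refuse nobody
    if [ "$_sense" = deny ] && [ "$_onerr" = succeed ]; then
        echo "line $_lf: sense=deny with onerr=succeed is fail-open; use onerr=fail"
        _ok=0
    fi
    # 3. the list file must exist and only its owner may write it
    if [ -z "$_list" ] || [ ! -f "$_list" ]; then
        echo "line $_lf: list file '$_list' does not exist"
        _ok=0
    else
        _mode=$(ls -ld "$_list" | cut -c1-10)     # e.g. -rw-r--r--
        case "$_mode" in
            ?????w????|????????w?)
                echo "$_list is writable by group or others ($_mode)"; _ok=0 ;;
        esac
    fi
    [ "$_ok" = 1 ] && echo "OK: $_f"
    return 0
}

# Constructed samples in a temp directory (not a real host's files); prints the directory
make_listfile_samples() {
    _d=$(mktemp -d)
    printf 'redhat\n' > "$_d/denyuser"
    chmod 644 "$_d/denyuser"
    # weak: the list is consulted only after pam_unix.so may already have succeeded, and is fail-open
    cat > "$_d/sshd.weak" <<EOF
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_listfile.so item=user sense=deny file=$_d/denyuser onerr=succeed
EOF
    # good: the deny list comes first and fails closed
    cat > "$_d/sshd.good" <<EOF
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=$_d/denyuser onerr=fail
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
EOF
    echo "$_d"
}

demo() {
    _d=$(make_listfile_samples)
    for _svc in sshd.weak sshd.good; do
        echo "== $_svc =="
        pam_listfile_audit "$_d/$_svc"
    done
    rm -rf "$_d"
}
demo
```

To audit a live system run `pam_listfile_audit /etc/pam.d/sshd`; the ordering check only looks at the service file itself, so a sufficient module reached through pam_stack.so or include is not seen by it.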
Using pam_limits.so
1. Read the help file to find the location of its configuration file and the parameter format
# less /usr/share/doc/pam-0.99.3.0/txts/README.pam_limits
hard    hard limit (cannot be exceeded; a soft limit, by contrast, may be raised by the user up to the hard limit)
2. Apply the module to the sshd service by editing its service file
# vi /etc/pam.d/sshd   and add:
session required pam_limits.so
The session type is used because the module restricts what the user's session may consume: number of concurrent logins, file size, number of processes and so on.
3. Edit the configuration file of pam_limits.so, /etc/security/limits.conf
redhat hard maxlogins 2
This limits the number of simultaneous logins of user redhat to 2.
4. Test
# ssh -l redhat 192.168.0.22    1st login
# ssh -l redhat 192.168.0.22    2nd login
Result in the post: only one redhat login can be open at a time. pam_limits counts the login being set up together with the user's existing utmp entries, so with a service that writes its utmp entry before the PAM session is opened the limit is reached one login sooner than the number in limits.conf; pam_limits has a utmp_early module argument to compensate for such services.
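Added example (not from the post): a check for the maxlogins setting above. maxlogins_for reads the value that applies to a user from limits.conf (a line naming the user takes precedence over a * line; @group lines are not resolved here), login_count counts the user's sessions in a saved who listing, and maxlogins_check tells whether the next login would be refused, mirroring pam_limits, which counts the login being opened plus the user's existing utmp entries and refuses when that exceeds the limit. The limits.conf and who output are constructed; all function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: compare a user's current logins
# with the maxlogins value pam_limits.so will enforce for that user.

# maxlogins_for USER LIMITS_CONF -> the maxlogins value that applies to USER
# A line naming the user wins over a "*" line (pam_limits precedence); "@group"
# lines would need a group lookup and are ignored here.
maxlogins_for() {
    sed 's/#.*//' "$2" | awk -v u="$1" '
        NF == 4 && $3 == "maxlogins" {
            if ($1 == u)        { user = $4; have_user = 1 }
            else if ($1 == "*") { star = $4; have_star = 1 }
        }
        END {
            if (have_user) print user
            else if (have_star) print star
            else print "unlimited"
        }'
}

# login_count USER WHO_OUTPUT -> number of lines for USER in a saved "who" listing
login_count() {
    awk -v u="$1" '$1 == u' "$2" | wc -l | tr -d ' '
}

# maxlogins_check USER LIMITS_CONF WHO_OUTPUT -> one summary line
# pam_limits counts the login being opened plus the existing utmp entries and
# refuses when that exceeds maxlogins, i.e. once the existing count equals the limit.
maxlogins_check() {
    _lim=$(maxlogins_for "$1" "$2"); _n=$(login_count "$1" "$3")
    if [ "$_lim" = unlimited ]; then
        echo "$1: $_n logins, no maxlogins limit"
    elif [ "$_n" -ge "$_lim" ]; then
        echo "$1: $_n logins, limit $_lim reached: next login refused"
    else
        echo "$1: $_n logins, limit $_lim"
    fi
}

# Constructed sample files (not taken from a real host); prints the directory
make_limits_samples() {
    _d=$(mktemp -d)
    cat > "$_d/limits.conf" <<'EOF'
# domain  type  item       value
*         hard  maxlogins  10
redhat    hard  maxlogins  2
redhat    hard  nproc      100
@staff    -     maxlogins  5
EOF
    cat > "$_d/who.txt" <<'EOF'
redhat     pts/0        2009-03-01 10:01 (192.168.0.22)
redhat     pts/1        2009-03-01 10:02 (192.168.0.22)
chinaitlab pts/2        2009-03-01 10:05 (192.168.0.23)
EOF
    echo "$_d"
}

demo() {
    _d=$(make_limits_samples)
    maxlogins_check redhat "$_d/limits.conf" "$_d/who.txt"
    maxlogins_check chinaitlab "$_d/limits.conf" "$_d/who.txt"
    rm -rf "$_d"
}
demo
```

On a live host feed it the real files: `who > /tmp/who.txt; maxlogins_check redhat /etc/security/limits.conf /tmp/who.txt`.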
Using pam_rootok.so
# chfn    changes the user's finger information
An ordinary user running this command must enter his password before the information can be changed; root does not.
Analysis:
# more /etc/pam.d/chfn
auth sufficient pam_rootok.so    (the first line of the file)
Because the first line of the chfn service file applies pam_rootok.so with the sufficient flag, the auth stack ends there with success whenever the caller is root (uid 0): the modules below it are not run, so root is not asked for a password. For any other user pam_rootok.so fails, the failure of a sufficient module is ignored, and the stack continues down to the password check.
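Added example (not from the post) covering both the control-flag rules given earlier and this chfn case: pam_eval walks a simulated auth stack, one "control module RESULT" line per module where RESULT is what that module would return, applies the required / requisite / sufficient / optional rules, and prints the overall result followed by the modules that were actually consulted. The module results are constructed inputs; no real module is called, and pam_eval is this example's own name.

```sh
#!/bin/sh
# Added example, not part of the original post: simulate how Linux-PAM combines the
# results of a stack under the four control flags. Input: one line per module,
# "control module RESULT" with RESULT = PASS or FAIL (what the module would return).
# Output: overall RESULT followed by the modules that were consulted, in order.

pam_eval() {
    _fail=0; _pass=0; _only_opt=1; _opt=FAIL; _used=""
    _oldifs=$IFS; IFS='
'
    set -- $1                      # one positional parameter per stack line
    IFS=$_oldifs
    for _line in "$@"; do
        set -- $_line              # $1=control $2=module $3=simulated result
        _used="$_used $2"
        case "$1" in
            required)
                _only_opt=0
                if [ "$3" = PASS ]; then _pass=1; else _fail=1; fi ;;    # keep going, but the stack fails
            requisite)
                _only_opt=0
                if [ "$3" = PASS ]; then _pass=1; else _fail=1; break; fi ;;   # stop at once
            sufficient)
                _only_opt=0
                # success ends the stack immediately, unless a required module already failed
                if [ "$3" = PASS ] && [ "$_fail" = 0 ]; then echo "PASS$_used"; return 0; fi ;;
            optional)
                _opt=$3 ;;         # only counts when nothing else is in the stack
            *)
                echo "unknown control flag '$1'" >&2; return 1 ;;
        esac
    done
    if [ "$_fail" = 1 ]; then _r=FAIL
    elif [ "$_only_opt" = 1 ]; then _r=$_opt     # only optional modules: the last result counts
    elif [ "$_pass" = 1 ]; then _r=PASS
    else _r=FAIL                                 # e.g. every sufficient module failed
    fi
    echo "$_r$_used"
}

demo() {
    # the chfn stack from the post, with pam_rootok.so standing in for uid 0 vs. an ordinary user
    echo "root:    $(pam_eval 'sufficient pam_rootok.so PASS
required pam_unix.so PASS')"
    echo "user ok: $(pam_eval 'sufficient pam_rootok.so FAIL
required pam_unix.so PASS')"
    echo "user bad:$(pam_eval 'sufficient pam_rootok.so FAIL
required pam_unix.so FAIL')"
    # the ordering point from the pam_listfile.so section: below a sufficient module the list is never read
    echo "list after sufficient: $(pam_eval 'sufficient pam_unix.so PASS
required pam_listfile.so FAIL')"
    echo "list first:            $(pam_eval 'required pam_listfile.so FAIL
sufficient pam_unix.so PASS')"
}
demo
```

The second pair of demo lines is the pam_listfile.so ordering rule made visible: placed after a sufficient pam_unix.so the deny list is not even consulted, placed first its failure decides the outcome although pam_unix.so succeeds.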
The db module pam_userdb.so needs a database holding the user records; how to use it is described in the earlier vsftpd virtual users section.
When using PAM modules, refer to the README.pam help files.