Linux-PAM认证模块.doc

Linux-PAM认证模块用户访问服务器的时候，服务器的某一个服务程序把用户的谁请求发送到PAM模块进行认证。对于不同的服务器应用程序所对应的PAM模块也是不同的。如果想查看某个程序是否支持PAM认证，可以用ldd命令进行检查：例如：查看sshd是不是支持模块认证：由于在程序模块里链接了libpam.so.0 = /lib/libpam.so.0 ,说明此程序可以进行认证。当一个服务器请求PAM模块的时候，本身是不提供服务验证的，它是调用其它的一群模块来进行服务器请求验证，这样的文件全放在了/lib/security中。具体到哪一个服务使用哪一种具体的模块，这是由具体的服务文件定义的（/etc/pam.d/）.rootlocalhost root# ls /etc/pam.d/authconfig neat redhat-config-network suchfn other redhat-config-network-cmd sudochsh passwd redhat-config-network-druid system-authhalt poweroff rhn_register up2dateinternet-druid ppp setup up2date-configkbdrate reboot smtp up2date-noxlogin redhat-config-mouse sshd PAM服务文件 、# more /etc/pam.d/login auth required pam_securetty.soauth required pam_stack.so service=system-authauth required pam_nologin.soaccount required pam_stack.so service=system-authpassword required pam_stack.so service=system-authsession required pam_stack.so service=system-authsession optional pam_console.so PAM服务文件的格式（四部分） Module-typecontrol-flagmodule-pathargumentsModule-type： auth、account、session、passwordControl-flag：required、requisite、sufficient、optionaleg： auth required pam_securety.soauthrequiredpam_stack.so service=system_authModule-type（属于认证里面的第一部分，主要是分配权限）auth：认证、授权（检查用户的名字、密码正确与否）；account：检查用户的帐户是否到期、禁用等。session：控制会话password：控制用户修改密码过程Control-flag （属于认证里面的第二部分，控制标识位）required：必须通过此认证，否则不再往下认证下去，直接退出；requisite：必须通过认证，但以后还有机会，可以往下认证；sufficient：一经通过，后面的不再认证（只要通过这个条件则直接通过）；optional：可选的，通不通过均可。 常用的PAM服务文件1）、login - /etc/pam.d/login 2）、ipop3d /etc/pam.d/pop3）、ftp - /etc/pam.d/ftp 或 vsftpd /etc/pam.d/vsftpd4）、sshd /etc/pam.d/sshd 5）、su /etc/pam.d/su 6）、imap /etc/pam.d/imcp 认证堆栈、auth required pam_securety.so、auth required pam_stack.so service=system-auth、auth required pam_nologin.so如果号认证结束，则在后面有个结束标志，转到下一个认证即号认证,依次类推，相同类型的认证会放在一起进行。其中pam_stack.so调用一个子模块服务，通过这个服务再调用一个第三方的模块进行认证授权。 常用PAM模块1）、pam_access.so 控制访问者的地址与帐号的名称2）、pam_listfile.so 控制访问者的帐号名称或登陆位置3）、pam_limits.so 控制为用户分配的资源4）、pam_rootok.so 对管理员（uid=0）无条件通过5）、pam_userdb.so 设定独立用户帐号数据库认证如下：rootlocalhost root# cd /etc/pam.d/rootlocalhost pam.d# more login#%PAM-1.0auth required pam_securetty.soauth required pam_stack.so service=system-authauth required pam_nologin.soaccount required pam_stack.so service=system-authpassword required pam_stack.so service=system-authsession required pam_stack.so service=system-authsession optional pam_console.sorootlocalhost pam.d# cd /usr/share/doc/pam-0.75/txts/rootlocalhost txts# lspam_appl.txt README.pam_ftp README.pam_shellspam_modules.txt README.pam_limits README.pam_stackpam.txt README.pam_listfile README.pam_stressREADME README.pam_localuser README.pam_tallyREADME.pam_access README.pam_mail README.pam_timeREADME.pam_chroot README.pam_nologin README.pam_timestampREADME.pam_console README.pam_permit README.pam_unixREADME.pam_cracklib README.pam_pwdb README.pam_userdbREADME.pam_deny README.pam_rhosts README.pam_warnREADME.pam_env README.pam_rootok README.pam_wheelREADME.pam_filter README.pam_securetty README.pam_xauthrootlocalhost txts# more README.pam_securettypam_securetty: Allows root logins only if the user is logging in on a secure tty, as defined by the listing in /etc/securetty Also checks to make sure that /etc/securetty is a plain file and not world writable. Elliot Lee , Red Hat Software. July 25, 1996.rootlocalhost txts# more /etc/securettyconsolevc/1vc/2vc/3vc/4vc/5vc/6vc/7vc/8vc/9vc/10vc/11tty1tty2tty3tty4tty5tty6tty7tty8tty9tty10tty11rootlocalhost txts# more /etc/pam.d/system-auth#%PAM-1.0# This file is auto-generated.# User changes will be destroyed the next time authconfig is run.auth required /lib/security/$ISA/pam_env.soauth sufficient /lib/security/$ISA/pam_unix.so likeauth nullokauth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so password required /lib/security/$ISA/pam_cracklib.so retry=3 type=password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadowpassword required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.sosession required /lib/security/$ISA/pam_unix.sorootlocalhost txts# pwd/usr/share/doc/pam-0.75/txtsrootlocalhost txts# more README.pam_nologin# $Id: README,v 2000/06/20 22:11:46 agmorgan Exp $# This module always lets root in; it lets other users in only if the file/etc/nologin doesnt exist. In any case, if /etc/nologin exists, itscontents are displayed to the user. module services provided: auth _authentication and _setcred (blank) Michael K. Johnsonrootlocalhost txts# touch /etc/nologinrootlocalhost txts# useradd leekwenrootlocalhost txts# passwd leekwenChanging password for user leekwen.New password:Retype new password:passwd: all authentication tokens updated successfully.rootlocalhost txts# ssh leekwen88leekwen88s password:Permission denied, please try again.leekwen88s password:Permission denied, please try again.leekwen88s password:Permission denied (publickey,password,keyboard-interactive).rootlocalhost txts# rm /etc/nologinrm: remove regular empty file /etc/nologin? yrootlocalhost txts# ssh leekwen88leekwen88s password:leekwenlocalhost leekwen$ pwd/home/leekwenleekwenlocalhost leekwen$ exitlogoutConnection to 88 closed.rootlocalhost txts# cd /etc/pam.d/rootlocalhost pam.d# more login#%PAM-1.0auth required pam_securetty.soauth required pam_stack.so service=system-authauth required pa