• PAM


    #Linux-PAM 模块的作用:

      -authentication management;

      -account management;

      -session management;

      -password management;

      +----------------+
      | application: X |
      +----------------+       /  +----------+     +================+
      | authentication-[---->----] Linux-   |--<--| PAM config file|
      |       +        [----<--/--]   PAM    |     |================|
      |[conversation()][--+      |          |     | X auth .. a.so |
      +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
      |                |  |       __|  |           |           _____/
      |  service user  |  A      |     |           |____,-----'
      |                |  |      V     A
      +----------------+  +------|-----|---------+ -----+------+
                             +---u-----u----+    |      |      |
                             |   auth....   |--[ a ]--[ b ]--[ c ]
                             +--------------+
                             |   acct....   |--[ b ]--[ d ]
                             +--------------+
                             |   password   |--[ b ]--[ c ]
                             +--------------+
                             |   session    |--[ e ]--[ c ]
                             +--------------+

    #判断是否适用PAM模块来认证

    [risen@ ~]$ ldd /usr/bin/passwd | grep pam
        libpam.so.0 => /lib64/libpam.so.0 (0x00007f2893598000)
        libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007f2893394000)

    #配置语法

    <module typpe>  <control flag>   <module name>   <module arguments>
    [pam.d]# more system-auth-ac 
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        required      pam_faildelay.so delay=2000000
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=Linux
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session     optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

    #module type

    account : this module type performs non-authentication based account management. [基于非认证的帐号管理]
      Used to restrict/permit access to a service based on:
        -the time of day, 【时间】
        -currently available system resources (maximum number of users) 【最大用户数】
        -the location of the applicant user -- 'root' login only on the console. 【登陆入口】

    auth:
        this module type provides two aspects of authenticating the user. 【用户认证】
        Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. [帐号密码]
        Secondly, the module can grant group membership or other privileges through its credential granting properties.

    password:
        this module type is required for updating the authentication token associated with the user.
        Typically, there is one module for each 'challenge/response' based authentication (auth) type.

    session:
        this module type is associated with doing things that need to be done for the user before/after they can be given service.
        Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

    TypeFunctionDescription
    account pam_acct_mgmt Tests if the user is allowed to access the service, meaning if the password is not expired, if the user is allowed during this time of day, if the load is not too high, etc.
    auth pam_authenticate This is the actual authentication. In the good old fashioned way it means that the password is checked to see if the user is who he or she claims to be.
    pam_setcred Sets UID, GID and limits
    session pam_open_session Things that should be done when the user is authenticated, and thus logs in.
    pam_close_session Things that should be done when the user logs off.
    password pam_chauthtok Used when the user wants to change the authentication credentials (password). Check password length, strength, etc.

    #For the simple (historical) syntax valid control values are:

    required
        failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
    【如果本条目验证失败,那最终本次认证一定失败,但认证过程不因此打断。整个栈运行完毕之后才会返回(已经注定了的)“认证失败”信号。】

    requisite
        like required, however, in the case that such a module returns a failure, control is directly returned to the application or to the superior PAM stack. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
    【此条目验证结果必须成功才能继续认证,如果在此处测试失败,则会立即将失败结果通知给用户。】

    sufficient
        if such a module succeeds and no prior required module has failed the PAM framework returns success to the application or to the superior PAM stack immediately without calling any further modules in the stack. A failure of a sufficient module is ignored and processing of the PAM module stack continues unaffected.
    【如果本条目的条件被满足,且本条目之前没有任何required条目失败,则立即返回“认证成功”信号;如果对本条目的验证失败,不对结果造成影响。】

    optional
        the success or failure of this module is only important if it is the only module in the stack associated with this service+type.
    【该条目返回的通过/失败结果被忽略。当没有其他模块被引用时,标记为optional模块并且成功验证时该模块才是必须的。该模块被调用来执行一些操作,并不影响模块堆栈的结果。】

    include
        include all lines of given type from the configuration file specified as an argument to this control.
    【include与条目结果的处理方式无关。该标志用于直接引用其他PAM模块的配置参数】

    substack
        include all lines of given type from the configuration file specified as an argument to this control. This differs from include in that evaluation of the done and die actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack. The reset action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation.
    【运行其他配置文件中的流程,并将整个运行结果作为该行的结果进行输出。该模式和 include 的不同点在于认证结果的作用域:如果某个流程栈 include 了一个带 requisite 的栈,这个 requisite 失败将直接导致认证失败,同时退出栈;而某个流程栈 substack 有同样的栈时,requisite 的失败只会导致这个子栈返回失败信号,母栈并不会在此退出。】

    #【返回值=行为】的复杂验证模式

    ##Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows:
    required
        [success=ok new_authtok_reqd=ok ignore=ignore default=bad]

    requisite
        [success=ok new_authtok_reqd=ok ignore=ignore default=die]

    sufficient
        [success=done new_authtok_reqd=done default=ignore]

    optional
        [success=ok new_authtok_reqd=ok default=ignore]

     default 代表其他所有没有明确说明的返回值。

    The last of these, default, implies 'all valueN's not mentioned explicitly. Note, the full list of PAM errors is available in /usr/include/security/_pam_types.h. The actionN can take one of the following forms:
    ignore
        The return status will not contribute to the return code.
    bad
        The return status is set to fail.
    die
        The return status is set to fail and the stack is terminated immediately and the return status reported to the application
    ok
        If the modules fails, the total stack state will be fail, if the stack was already fail, the return code of this module will do nothing.
    done
        Some as ok, but with direct termination of the stack
    N (an unsigned integer)
        equivalent to ok with the side effect of jumping over the next N modules in the stack. Note that N equal to 0 is not allowed (and it would be identical to ok in such case).
    reset
        Clear all memory of the state of the module stack and start again with the next module.

    ignore:在一个栈中有多个认证条目的情况下,如果标记 ignore 的返回值被命中,那么这条返回值不会对最终的认证结果产生影响。
    bad:标记 bad 的返回值被命中时,最终的认证结果注定会失败。此外,如果这条 bad 的返回值是整个栈的第一个失败项,那么整个栈的返回值一定是这个返回值,后面的认证无论结果怎样都改变不了现状了。
    die:标记 die 的返回值被命中时,马上退出栈并宣告失败。整个返回值为这个 die 的返回值。
    ok:在一个栈的运行过程中,如果 ok 前面没有返回值,或者前面的返回值为 PAM_SUCCESS,那么这个标记了 ok 的返回值将覆盖前面的返回值。但如果前面执行过的验证中有最终将导致失败的返回值,那 ok 标记的值将不会起作用。
    done:在前面没有 bad 值被命中的情况下,done 值被命中之后将马上被返回,并退出整个栈。
    N(一个自然数):功效和 ok 类似,并且会跳过接下来的 N 个验证步骤。如果 N = 0 则和 ok 完全相同。
    reset:清空之前生效的返回值,并且从下面的验证起重新开始。

    #For system administrators:

    abort
        Critical error (?module fail now request)
    acct_expired
        User account has expired
    auth_err
        Authentication failure
    authinfo_unavail
        Underlying authentication service can not retrieve authentication information
    authtok_err
        Authentication token manipulation error
    authtok_expired
        user's authentication token has expired
    authtok_disable_aging
        Authentication token aging disabled
    authtok_recover_err
        Authentication information cannot be recovered
    cred_err
        Failure setting user credentials
    cred_expired
        User credentials expired
    cred_insufficient
        Can not access authentication data due to insufficient credentials
    cred_unavail
        Underlying authentication service can not retrieve user credentials unavailable
    default
        all not explicitly mentioned values
    ignore
        Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient
    maxtries
        An authentication service has maintained a retry count which has been reached. No further retries should be attempted
    module_unknown
        module is not known
    new_authtok_reqd
        New authentication token required. This is normally returned if the machine security policies require that the password should be changed beccause the password is NULL or it has aged
    perm_denied
        Permission denied
    session_err
        Can not make/remove an entry for the specified session
    success
        Successful function return
    try_again
        Preliminary check by password service
    user_unknown
        User not known to the underlying authenticaiton module

  • 相关阅读:
    洛谷 P1195 口袋的天空
    洛谷 P3144 [USACO16OPEN]关闭农场Closing the Farm_Silver
    Bzoj3277 串
    Bzoj1312 / POJ3155 Neerc2006 Hard Life
    Bzoj2655 calc
    51Nod 1228 序列求和
    洛谷P2901 [USACO08MAR]牛慢跑Cow Jogging
    Bzoj1042 [HAOI2008]硬币购物
    Bzoj3884 上帝与集合的正确用法
    Bzoj4161 Shlw loves matrixI
  • 原文地址:https://www.cnblogs.com/crossworld/p/11531637.html
Copyright © 2020-2023  润新知