
02-PAM

PAM

The Pluggable Authentication Module (PAM) API exposes a set of functions that application programmers can use to implement security-related functionality such as user authentication, data encryption and LDAP lookups. It is a generic framework that provides common implementations for talking to various kinds of credential stores, together with a number of helper facilities.

Authentication store (backend)

Several kinds of store: files, relational database management systems, LDAP, NIX

Components

libraries
pluggable modules
configuration files

How it works

The library implements the PAM API and manages PAM transactions; it calls the SPI that each module implements. The pluggable modules are loaded dynamically by the library according to the service type named in the configuration file, so whether a transaction succeeds depends not only on the modules themselves but also on the service type defined in the configuration file. PAM is therefore best understood as a layer that gives every program the same common "interface".

-

The PAM Project provides a solution by adding an extra layer. Programs that need authentication use a standard library or API (Application Programming Interface), and system administrators can configure what checks will be done by that library separately. (Checks are implemented via independent modules; you even can program your own modules.) This way, you can change your security checks dynamically, and all utilities will follow your new rules automatically. In other words, you can modify the authentication mechanism used by any PAM-aware application, without ever touching the application itself. For programmers, this also is a good thing, because they need not be concerned with the mechanisms that will be used. Simply by using the PAM libraries, whenever the application is run, the appropriate checks will be made

PAM library files

# ldd /bin/login
        linux-vdso.so.1 =>  (0x00007fffe0d4a000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007fa04a101000)
        libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007fa049efd000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fa049cd5000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fa049ab0000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fa0496ef000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fa0494ea000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fa049289000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fa049064000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa04a326000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa048e47000)           

ldd lists the shared libraries that /bin/login depends on; the libpam* entries are PAM's own library files.

# ls /lib64/ | grep pam
libpamc.so.0
libpamc.so.0.82.1
libpam_misc.so.0
libpam_misc.so.0.82.0
libpam.so.0
libpam.so.0.83.1           

PAM modules

/lib64/security/*

/lib/security/*

# ls /lib64/security/
pam_access.so     pam_filter.so         pam_mkhomedir.so         pam_selinux.so     pam_unix_acct.so
pam_cap.so        pam_fprintd.so        pam_motd.so              pam_sepermit.so    pam_unix_auth.so
pam_chroot.so     pam_ftp.so            pam_namespace.so         pam_shells.so      pam_unix_passwd.so
pam_console.so    pam_gnome_keyring.so  pam_nologin.so           pam_smbpass.so     pam_unix_session.so
pam_cracklib.so   pam_group.so          pam_oddjob_mkhomedir.so  pam_sss.so         pam_unix.so
pam_debug.so      pam_issue.so          pam_permit.so            pam_stress.so      pam_userdb.so
pam_deny.so       pam_keyinit.so        pam_postgresok.so        pam_succeed_if.so  pam_warn.so
pam_echo.so       pam_lastlog.so        pam_pwhistory.so         pam_systemd.so     pam_wheel.so
pam_env.so        pam_limits.so         pam_pwquality.so         pam_tally2.so      pam_xauth.so
pam_exec.so       pam_listfile.so       pam_rhosts.so            pam_time.so
pam_faildelay.so  pam_localuser.so      pam_rootok.so            pam_timestamp.so
pam_faillock.so   pam_loginuid.so       pam_securetty.so         pam_tty_audit.so
pam_filter        pam_mail.so           pam_selinux_permit.so    pam_umask.so           

Configuration files

Provide the application-specific configuration for every application that calls PAM.

/etc/pam.conf   # general (single-file) configuration
/etc/pam.d/*    # per-application configuration files

Usually each application uses a separate configuration file.

Configuration file format

General configuration file (/etc/pam.conf)

application type control module-path module-arguments

Per-application configuration file (/etc/pam.d/*)

type control module-path module-arguments

type: the category of check being performed

auth: authenticating and authorizing the account, i.e. comparing the account's password
    this module type provides two aspects of authenticating the user. Firstly, it establishes
    that the user is who they claim to be, by instructing the application to prompt the user
    for a password or other means of identification. Secondly, the module can grant group
    membership or other privileges through its credential granting properties.

account: account-management functions that are not themselves authentication, namely:
    this module type performs non-authentication based account management. It is typically
    used to restrict/permit access to a service based on the time of day, currently available system
    resources (maximum number of users) or perhaps the location of the applicant user -- 'root'
    login only on the console.

password: the password-complexity checks applied when a user changes their password
    this module type is required for updating the authentication token associated with the user.
    Typically, there is one module for each 'challenge/response' based authentication (auth)
    type.

session: additional actions that must be carried out before the user is given the service or after they have finished using it
    this module type is associated with doing things that need to be done for the user before/after
    they can be given service. Such things include the logging of information concerning the
    opening/closing of some data exchange with a user, mounting directories, etc.

control: how multiple checks of the same type are combined

Simple form: a single keyword

    required: the check must pass, otherwise the overall result is failure; whether it succeeds or fails, the remaining modules of the same type are still run
    requisite: one-vote veto; if the check fails, failure is returned immediately; if it succeeds, the remaining modules of the same type are consulted
    sufficient: one-vote pass; if the check succeeds, success is returned immediately; if it fails, the remaining modules of the same type are consulted
    optional: optional; its result is advisory only
    include: pull in the checks of the same type from another configuration file
    substack: like include, but the other file's checks are evaluated as a sub-stack

-

Detailed form: one or more status=action pairs

    [status1=action1 status2=action2 ...]
        status: the return status of the module
        action: what to do with it, e.g. ok (counts toward the result), done (one-vote pass), bad (counts as a failure), die (one-vote veto), ignore (disregard)

module-path: path to the module file

Relative path
    relative to the /lib64/security/ directory

Absolute path
    may be anywhere accessible on the filesystem

module-arguments: module-specific arguments

Arguments differ from module to module; consult each module's own documentation.
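To make the type/control/module-path format and the control semantics concrete, here is an added example (not code from this page or from the Linux-PAM project): it parses a constructed /etc/pam.d style stack and simulates how the simple keywords and the [status=action] form decide the final result. The module names and their return statuses are assumed test inputs.

```python
import re
# Equivalent [status=action] tables for the simple keywords, as documented in pam.d(5).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")  # type control module-path args

def parse_stack(text, mtype):
    """Return [(actions, module, args)] for the lines of one type in a /etc/pam.d style file."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != mtype:
            continue
        ctl = m.group(2)
        actions = (dict(p.split("=", 1) for p in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((actions, m.group(3), m.group(4)))
    return stack

def run_stack(stack, results):
    """Walk the stack with Linux-PAM's dispatch rules; results maps module -> assumed status."""
    status, failed = None, False
    for actions, module, _ in stack:
        ret = results.get(module, "success")
        action = actions.get(ret, actions.get("default", "bad"))
        if action in ("ok", "done", "bad", "die") and not failed:
            status = ret                        # first contribution, or first failure, wins
            failed = action in ("bad", "die") or ret not in ("success", "new_authtok_reqd")
        if action in ("done", "die"):
            break                               # stop walking the stack right away
    return status if status is not None else "perm_denied"   # nothing contributed: deny

# Constructed stack modelled on a typical system-auth file (not taken from this page).
SAMPLE = """
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     requisite   pam_succeed_if.so uid >= 1000 quiet_success
auth     required    pam_deny.so
account  required    pam_unix.so
"""
AUTH = parse_stack(SAMPLE, "auth")
# Same stack with the closing pam_deny.so forgotten: a wrong password is ignored and the
# remaining "ok" results make the whole stack succeed.
WEAK = [entry for entry in AUTH if entry[1] != "pam_deny.so"]
```

The WEAK stack is why a sufficient module is normally followed by a required pam_deny.so: a failure under sufficient maps to ignore, so nothing else denies access.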

Module examples

pam_limits.so: resource limits

Enforces per-user limits on the resources a user may consume, such as the number of open files, the number of running processes and the amount of memory available.

Ways to change the limits

    1. The ulimit command
Modify shell resource limits.

    Provides control over the resources available to the shell and processes
    it creates, on systems that allow such control.

    Options:
      -S        use the `soft' resource limit                           # use the soft limit
      -H        use the `hard' resource limit                           # use the hard limit
      -a        all current limits are reported
      -b        the socket buffer size
      -c        the maximum size of core files created
      -d        the maximum size of a process's data segment
      -e        the maximum scheduling priority (`nice')
      -f        the maximum size of files written by the shell and its children
      -i        the maximum number of pending signals
      -l        the maximum size a process may lock into memory
      -m        the maximum resident set size
      -n        the maximum number of open file descriptors             # maximum number of open file descriptors
      -p        the pipe buffer size
      -q        the maximum number of bytes in POSIX message queues
      -r        the maximum real-time scheduling priority
      -s        the maximum stack size
      -t        the maximum amount of cpu time in seconds
      -u        the maximum number of user processes                    # maximum number of user processes
      -v        the size of virtual memory
      -x        the maximum number of file locks           

-

2. Configuration files

        less /etc/security/limits.conf shows the documentation for each configuration field

        /etc/security/limits.conf, /etc/security/limits.d/*.conf
            one definition per line
                <domain> <type> <item> <value>
                    <domain>: which subjects the line applies to
                        username
                        @group
                        *: all users
                    <type>: the kind of limit
                        soft: soft limit; an ordinary user may change it themselves
                        hard: hard limit; set by root and enforced by the kernel
                        -: the same value for both the soft and the hard limit
                    <item>: the resource being limited
                        nofile: maximum number of files that may be open at once; default 1024
                        nproc: maximum number of processes that may exist at once; default 2014
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
nginx           -           nofile  30000           

The line nginx - nofile 30000 above means that the nginx user may have at most 30000 files open.
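As an added example (not from this page or from pam_limits itself), the following resolves which limits.conf values would actually apply to a user, following the <domain> <type> <item> <value> format above and the precedence rule quoted in the file header (limits.d overrides limits.conf only for the same or a more specific domain). The nginx line is the one from the page; the other lines and the limits.d file are constructed.

```python
def parse_limits(text):
    """Parse limits.conf syntax: one '<domain> <type> <item> <value>' per line, '#' comments."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        domain, ltype, item, value = fields
        rows.append((domain, ltype, item, int(value) if value.isdigit() else value))
    return rows

def effective_limits(files, user, groups):
    """Resolve the limits pam_limits would apply to `user` (a member of `groups`).
    files: config texts in the order pam_limits reads them (limits.conf, then limits.d/*.conf
    alphabetically). A username line beats an @group line, which beats *; later lines of the
    same precedence override earlier ones, even across files. Per limits.conf(5), @group and
    * lines are not applied to root. Simplified: %group and uid/gid ranges are not modelled."""
    lim = {}   # (item, "soft"|"hard") -> (value, precedence of the line that set it)
    for text in files:
        for domain, ltype, item, value in parse_limits(text):
            if domain == user:
                rank = 3
            elif domain.startswith("@") and domain[1:] in groups and user != "root":
                rank = 2
            elif domain == "*" and user != "root":
                rank = 1
            else:
                continue
            for t in (("soft", "hard") if ltype == "-" else (ltype,)):
                if rank >= lim.get((item, t), (None, 0))[1]:
                    lim[(item, t)] = (value, rank)
    out = {}
    for (item, t), (value, _) in lim.items():
        out.setdefault(item, {})[t] = value
    return out

# Constructed configuration modelled on the nginx line above (not the page's real files).
LIMITS_CONF = """
*        soft    nofile   1024
*        hard    nofile   4096
@web     soft    nproc    512
nginx    -       nofile   30000
"""
LIMITS_D_90_NPROC = """
*        soft    nproc    1024
root     soft    nproc    unlimited
"""
FILES = [LIMITS_CONF, LIMITS_D_90_NPROC]
```

Note that the wildcard nproc line in limits.d does not lower the @web value for nginx, because a group line is more specific than *.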

Module or library?

A module is a "finger"; a library is the "hand".

http://stackoverflow.com/questions/4099975/difference-between-a-module-library-and-a-framework

References

http://ps-2.kev009.com/wisclibrary/aix52/usr/share/man/info/en_US/a_doc_lib/aixbman/security/pam_overview.htm

http://www.linuxjournal.com/magazine/pammdashsecuring-linux-boxes-everywhere?page=0,0

Official PAM documentation: http://www.linux-pam.org/Linux-PAM-html/