PAM
#Linux-PAM 模块的作用:
-authentication management;
-account management;
-session management;
-password management;
+----------------+
| application: X |
+----------------+ / +----------+ +================+
| authentication-[---->--\--] Linux- |--<--| PAM config file|
| + [----<--/--] PAM | |================|
|[conversation()][--+ \ | | | X auth .. a.so |
+----------------+ | / +-n--n-----+ | X auth .. b.so |
| | | __| | | _____/
| service user | A | | |____,-----'
| | | V A
+----------------+ +------|-----|---------+ -----+------+
+---u-----u----+ | | |
| auth.... |--[ a ]--[ b ]--[ c ]
+--------------+
| acct.... |--[ b ]--[ d ]
+--------------+
| password |--[ b ]--[ c ]
+--------------+
| session |--[ e ]--[ c ]
+--------------+
#判断是否适用PAM模块来认证
[risen@ ~]$ ldd /usr/bin/passwd | grep pam libpam.so.0 => /lib64/libpam.so.0 (0x00007f2893598000) libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007f2893394000)
#配置语法
<module typpe> <control flag> <module name> <module arguments>
[pam.d]# more system-auth-ac #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=Linux password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
#module type
account : this module type performs non-authentication based account management. [基于非认证的帐号管理]
Used to restrict/permit access to a service based on:
-the time of day, 【时间】
-currently available system resources (maximum number of users) 【最大用户数】
-the location of the applicant user -- 'root' login only on the console. 【登陆入口】
auth:
this module type provides two aspects of authenticating the user. 【用户认证】
Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. [帐号密码]
Secondly, the module can grant group membership or other privileges through its credential granting properties.
password:
this module type is required for updating the authentication token associated with the user.
Typically, there is one module for each 'challenge/response' based authentication (auth) type.
session:
this module type is associated with doing things that need to be done for the user before/after they can be given service.
Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.
Type | Function | Description |
---|---|---|
account | pam_acct_mgmt | Tests if the user is allowed to access the service, meaning if the password is not expired, if the user is allowed during this time of day, if the load is not too high, etc. |
auth | pam_authenticate | This is the actual authentication. In the good old fashioned way it means that the password is checked to see if the user is who he or she claims to be. |
pam_setcred | Sets UID, GID and limits | |
session | pam_open_session | Things that should be done when the user is authenticated, and thus logs in. |
pam_close_session | Things that should be done when the user logs off. | |
password | pam_chauthtok | Used when the user wants to change the authentication credentials (password). Check password length, strength, etc. |
#For the simple (historical) syntax valid control values are:
required
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
【如果本条目验证失败,那最终本次认证一定失败,但认证过程不因此打断。整个栈运行完毕之后才会返回(已经注定了的)“认证失败”信号。】
requisite
like required, however, in the case that such a module returns a failure, control is directly returned to the application or to the superior PAM stack. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
【此条目验证结果必须成功才能继续认证,如果在此处测试失败,则会立即将失败结果通知给用户。】
sufficient
if such a module succeeds and no prior required module has failed the PAM framework returns success to the application or to the superior PAM stack immediately without calling any further modules in the stack. A failure of a sufficient module is ignored and processing of the PAM module stack continues unaffected.
【如果本条目的条件被满足,且本条目之前没有任何required条目失败,则立即返回“认证成功”信号;如果对本条目的验证失败,不对结果造成影响。】
optional
the success or failure of this module is only important if it is the only module in the stack associated with this service+type.
【该条目返回的通过/失败结果被忽略。当没有其他模块被引用时,标记为optional模块并且成功验证时该模块才是必须的。该模块被调用来执行一些操作,并不影响模块堆栈的结果。】
include
include all lines of given type from the configuration file specified as an argument to this control.
【include与条目结果的处理方式无关。该标志用于直接引用其他PAM模块的配置参数】
substack
include all lines of given type from the configuration file specified as an argument to this control. This differs from include in that evaluation of the done and die actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack. The reset action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation.
【运行其他配置文件中的流程,并将整个运行结果作为该行的结果进行输出。该模式和 include 的不同点在于认证结果的作用域:如果某个流程栈 include 了一个带 requisite 的栈,这个 requisite 失败将直接导致认证失败,同时退出栈;而某个流程栈 substack 有同样的栈时,requisite 的失败只会导致这个子栈返回失败信号,母栈并不会在此退出。】
#【返回值=行为】的复杂验证模式
##Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows:
required
[success=ok new_authtok_reqd=ok ignore=ignore default=bad]
requisite
[success=ok new_authtok_reqd=ok ignore=ignore default=die]
sufficient
[success=done new_authtok_reqd=done default=ignore]
optional
[success=ok new_authtok_reqd=ok default=ignore]
default 代表其他所有没有明确说明的返回值。
The last of these, default, implies 'all valueN's not mentioned explicitly. Note, the full list of PAM errors is available in /usr/include/security/_pam_types.h. The actionN can take one of the following forms:
ignore
The return status will not contribute to the return code.
bad
The return status is set to fail.
die
The return status is set to fail and the stack is terminated immediately and the return status reported to the application
ok
If the modules fails, the total stack state will be fail, if the stack was already fail, the return code of this module will do nothing.
done
Some as ok, but with direct termination of the stack
N (an unsigned integer)
equivalent to ok with the side effect of jumping over the next N modules in the stack. Note that N equal to 0 is not allowed (and it would be identical to ok in such case).
reset
Clear all memory of the state of the module stack and start again with the next module.
ignore:在一个栈中有多个认证条目的情况下,如果标记 ignore 的返回值被命中,那么这条返回值不会对最终的认证结果产生影响。
bad:标记 bad 的返回值被命中时,最终的认证结果注定会失败。此外,如果这条 bad 的返回值是整个栈的第一个失败项,那么整个栈的返回值一定是这个返回值,后面的认证无论结果怎样都改变不了现状了。
die:标记 die 的返回值被命中时,马上退出栈并宣告失败。整个返回值为这个 die 的返回值。
ok:在一个栈的运行过程中,如果 ok 前面没有返回值,或者前面的返回值为 PAM_SUCCESS,那么这个标记了 ok 的返回值将覆盖前面的返回值。但如果前面执行过的验证中有最终将导致失败的返回值,那 ok 标记的值将不会起作用。
done:在前面没有 bad 值被命中的情况下,done 值被命中之后将马上被返回,并退出整个栈。
N(一个自然数):功效和 ok 类似,并且会跳过接下来的 N 个验证步骤。如果 N = 0 则和 ok 完全相同。
reset:清空之前生效的返回值,并且从下面的验证起重新开始。
#For system administrators:
abort
Critical error (?module fail now request)
acct_expired
User account has expired
auth_err
Authentication failure
authinfo_unavail
Underlying authentication service can not retrieve authentication information
authtok_err
Authentication token manipulation error
authtok_expired
user's authentication token has expired
authtok_disable_aging
Authentication token aging disabled
authtok_recover_err
Authentication information cannot be recovered
cred_err
Failure setting user credentials
cred_expired
User credentials expired
cred_insufficient
Can not access authentication data due to insufficient credentials
cred_unavail
Underlying authentication service can not retrieve user credentials unavailable
default
all not explicitly mentioned values
ignore
Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient
maxtries
An authentication service has maintained a retry count which has been reached. No further retries should be attempted
module_unknown
module is not known
new_authtok_reqd
New authentication token required. This is normally returned if the machine security policies require that the password should be changed beccause the password is NULL or it has aged
perm_denied
Permission denied
session_err
Can not make/remove an entry for the specified session
success
Successful function return
try_again
Preliminary check by password service
user_unknown
User not known to the underlying authenticaiton module