02-PAM

pam

The Pluggable Authentication Module (PAM) API exposes a set of functions that application programmers can use to implement security-related features such as user authentication, data encryption, LDAP lookups and so on. It is a generic framework that provides a common implementation for talking to the various kinds of authentication store, plus a number of helper facilities.

Authentication stores (backends)

Several kinds of store are supported: flat files, relational database management systems, LDAP, NIS

Components

libraries
pluggable modules
configuration files

How it works

The library implements the PAM API and manages PAM transactions; it calls the SPI that each module implements. The pluggable modules are loaded dynamically by the library according to the service type defined in the configuration file, so whether a transaction succeeds depends not only on the modules themselves but also on how the configuration file combines them. PAM can thus be seen as a layer that gives every program one common "interface" for authentication.

-

The PAM Project provides a solution by adding an extra layer. Programs that need authentication use a standard library or API (Application Programming Interface), and system administrators can configure what checks will be done by that library separately. (Checks are implemented via independent modules; you even can program your own modules.) This way, you can change your security checks dynamically, and all utilities will follow your new rules automatically. In other words, you can modify the authentication mechanism used by any PAM-aware application, without ever touching the application itself. For programmers, this also is a good thing, because they need not be concerned with the mechanisms that will be used. Simply by using the PAM libraries, whenever the application is run, the appropriate checks will be made 

PAM library files

[root@husa ~]# ldd /bin/login
        linux-vdso.so.1 =>  (0x00007fffe0d4a000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007fa04a101000)
        libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007fa049efd000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fa049cd5000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fa049ab0000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fa0496ef000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fa0494ea000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fa049289000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fa049064000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa04a326000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa048e47000)

The ldd command lists the shared libraries that /bin/login depends on; the libpam* entries are the PAM library files.

[root@husa ~]# ls /lib64/ | grep pam
libpamc.so.0
libpamc.so.0.82.1
libpam_misc.so.0
libpam_misc.so.0.82.0
libpam.so.0
libpam.so.0.83.1

PAM modules

/lib64/security/*
/lib/security/*

[root@husa ~]# ls /lib64/security/
pam_access.so     pam_filter.so         pam_mkhomedir.so         pam_selinux.so     pam_unix_acct.so
pam_cap.so        pam_fprintd.so        pam_motd.so              pam_sepermit.so    pam_unix_auth.so
pam_chroot.so     pam_ftp.so            pam_namespace.so         pam_shells.so      pam_unix_passwd.so
pam_console.so    pam_gnome_keyring.so  pam_nologin.so           pam_smbpass.so     pam_unix_session.so
pam_cracklib.so   pam_group.so          pam_oddjob_mkhomedir.so  pam_sss.so         pam_unix.so
pam_debug.so      pam_issue.so          pam_permit.so            pam_stress.so      pam_userdb.so
pam_deny.so       pam_keyinit.so        pam_postgresok.so        pam_succeed_if.so  pam_warn.so
pam_echo.so       pam_lastlog.so        pam_pwhistory.so         pam_systemd.so     pam_wheel.so
pam_env.so        pam_limits.so         pam_pwquality.so         pam_tally2.so      pam_xauth.so
pam_exec.so       pam_listfile.so       pam_rhosts.so            pam_time.so
pam_faildelay.so  pam_localuser.so      pam_rootok.so            pam_timestamp.so
pam_faillock.so   pam_loginuid.so       pam_securetty.so         pam_tty_audit.so
pam_filter        pam_mail.so           pam_selinux_permit.so    pam_umask.so

Configuration files

Each application that calls PAM gets its own dedicated configuration

/etc/pam.conf   # generic configuration file
/etc/pam.d/*    # per-application configuration files

Normally every application uses a separate configuration file

Configuration file format

Generic configuration file

application type control module-path module-arguments

Per-application configuration file

type control module-path module-arguments

type: the category of check being performed

auth: account authentication and authorization, i.e. checking the account's password
    this module type provides two aspects of authenticating the user. Firstly, it establishes
    that the user is who they claim to be, by instructing the application to prompt the user
    for a password or other means of identification. Secondly, the module can grant group
    membership or other privileges through its credential granting properties.

account: non-authentication functions related to account management, namely:
    this module type performs non-authentication based account management. It is typically
    used to restrict/permit access to a service based on the time of day, currently available system
    resources (maximum number of users) or perhaps the location of the applicant user -- 'root'
    login only on the console.

password: the password-complexity checks applied when a user changes their password
    this module type is required for updating the authentication token associated with the user.
    Typically, there is one module for each 'challenge/response' based authentication (auth)
    type.

session: additional work that has to be done before the user is given the service or after they have finished using it
    this module type is associated with doing things that need to be done for the user before/after
    they can be given service. Such things include the logging of information concerning the
    opening/closing of some data exchange with a user, mounting directories, etc.

control: how several checks of the same type are combined

Simple form: a single keyword

    required: the check must pass, otherwise the overall result is failure; whether it succeeds or fails, the remaining modules of the same type are still checked
    requisite: one-vote veto: if the check fails, failure is returned immediately; if it succeeds, the remaining modules of the same type are checked
    sufficient: one-vote pass: if the check succeeds, success is returned immediately; if it fails, the remaining modules of the same type are checked
    optional: optional; its result is only advisory
    include: pull in the checks of the same type from another configuration file
    substack: invoke the checks of another configuration file, run as a sub-stack

-

Detailed form: one or more status=action pairs

    [status1=action1,status2=action2,...]
        status: the status the module returned
        action: what to do with it, e.g. ok (pass), done (one-vote pass), die (fail), bad (one-vote veto), ignore (disregard the result)
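To make the keyword and [status=action] forms above concrete, here is an added example (not code from the post or from Linux-PAM) that parses a small pam.d-style stack and walks it the way the library does, tracking whether the result so far is positive or negative. It uses the action meanings from pam.conf(5), where bad records a failure but keeps going while die records a failure and stops the stack; the skip and reset actions and include/substack are not modelled, and the module names and return values in SYSTEM_AUTH are constructed.

```python
import re
# pam.conf(5) keyword controls expanded to their [status=action ...] equivalents
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type, control, module-path

def parse_control(control):
    """Turn a keyword or a bracketed control into a status -> action map."""
    control = KEYWORDS.get(control, control)  # include/substack are not modelled
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def parse_stack(config_text, wanted_type):
    """Parse per-application lines: type control module-path [module-arguments]."""
    stack = []
    for line in config_text.splitlines():
        m = LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == wanted_type:
            stack.append((parse_control(m.group(2)), m.group(3)))
    return stack

def decide(config_text, mtype, results):
    """Walk one type's stack; results maps module file -> the status it returned.
    Returns (final status, list of modules actually consulted)."""
    impression, status, consulted = "undef", None, []
    for actions, module in parse_stack(config_text, mtype):
        retval = results[module]; consulted.append(module)
        action = actions.get(retval, actions.get("default", "ignore"))
        if action in ("ok", "done"):
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break  # 'sufficient' succeeded and nothing failed before it: decided
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # the first failure is what gets reported
            if action == "die":
                break  # 'requisite' failed: stop immediately
        # 'ignore': this module's verdict does not count toward the result
    return (status if impression != "undef" else "perm_denied"), consulted  # fail closed

# Constructed auth stack in the style of a RHEL system-auth file (not from the page)
SYSTEM_AUTH = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth required   pam_deny.so
"""
```

Feeding decide() different per-module results shows, for instance, that a required module failing early does not stop the stack but does fix the final answer, and that a requisite failure ends it at once.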

module-path: path to the module file

Relative path
    relative to the /lib64/security/ directory

Absolute path
    may point anywhere that is accessible

module-arguments: the module's own arguments

Each module takes different arguments; consult the module's official documentation

Module example

pam_limits.so: resource limits

Enforces per-user limits on the resources a user may consume, for example the number of open files, the number of running processes, or the amount of memory

Ways to change the limits

    1. the ulimit command
    Modify shell resource limits.

    Provides control over the resources available to the shell and processes
    it creates, on systems that allow such control.

    Options:
      -S        use the `soft' resource limit                           # use the soft resource limit
      -H        use the `hard' resource limit                           # use the hard resource limit
      -a        all current limits are reported
      -b        the socket buffer size
      -c        the maximum size of core files created
      -d        the maximum size of a process's data segment
      -e        the maximum scheduling priority (`nice')
      -f        the maximum size of files written by the shell and its children
      -i        the maximum number of pending signals
      -l        the maximum size a process may lock into memory
      -m        the maximum resident set size
      -n        the maximum number of open file descriptors             # maximum number of open file descriptors
      -p        the pipe buffer size
      -q        the maximum number of bytes in POSIX message queues
      -r        the maximum real-time scheduling priority
      -s        the maximum stack size
      -t        the maximum amount of cpu time in seconds
      -u        the maximum number of user processes                    # maximum number of user processes
      -v        the size of virtual memory
      -x        the maximum number of file locks

-

    2. configuration files

        less /etc/security/limits.conf shows the description of every configuration field

        /etc/security/limits.conf, /etc/security/limits.d/*.conf
            one definition per line
                <domain> <type> <item> <value>
                    <domain>: which objects the line applies to
                        username
                        @group
                        *: all users
                    <type>: the kind of limit
                        soft: soft limit, which an ordinary user may change themselves
                        hard: hard limit, set by root and enforced by the kernel
                        -: the same value for both soft and hard
                    <item>: the resource being limited
                        nofile: maximum number of files open at the same time; default 1024
                        nproc: maximum number of processes that may exist at the same time; default 2014
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
nginx           -           nofile  30000

The line nginx - nofile 30000 above means the nginx user may open at most 30000 files.
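An added example (not from the post and not the pam_limits.so implementation) that resolves the effective limit for one user across limits.conf and limits.d, applying the override rule stated in the file header above: a later setting wins only when its domain is the same as or more specific than the one already matched. The file contents, user names and group names are constructed.

```python
# Resolves the effective pam_limits value for one user from limits.conf plus
# limits.d/*.conf: a later setting replaces an earlier one only when its domain
# is the same or more specific. Constructed example, not pam_limits.so itself.

RANK = {"user": 0, "group": 1, "wildcard": 2}  # lower = more specific

def domain_rank(domain, user, groups):
    """Specificity rank of a domain that applies to the user, or None if it does not."""
    if domain == user:
        return RANK["user"]
    if domain.startswith("@") and domain[1:] in groups:
        return RANK["group"]
    if domain == "*":
        return RANK["wildcard"]
    return None

def parse_limits(text):
    """Yield [domain, type, item, value] for each non-comment limits.conf line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            yield fields

def effective_limits(files, user, groups):
    """files: (name, text) pairs in processing order (limits.conf, then limits.d/*.conf
    alphabetically). Returns {(item, 'soft'|'hard'): (value, 'file:domain')}."""
    limits, ranks = {}, {}
    for name, text in files:
        for domain, ltype, item, value in parse_limits(text):
            rank = domain_rank(domain, user, groups)
            if rank is None:
                continue
            for t in (("soft", "hard") if ltype == "-" else (ltype,)):  # '-' sets both
                if rank <= ranks.get((item, t), RANK["wildcard"]):  # same or more specific wins
                    limits[(item, t)] = (value, f"{name}:{domain}")
                    ranks[(item, t)] = rank
    return limits

# Constructed configuration files (not the page's own system)
LIMITS_CONF = """\
#<domain>  <type>  <item>  <value>
*          soft    nofile  1024
nginx      -       nofile  30000
@web       hard    nproc   4096
"""
LIMITS_D = [("limits.d/90-nproc.conf", "*     soft  nproc   1024\n"),
            ("limits.d/99-web.conf", "*     -     nofile  65536\n@web  soft  nproc   2048\n")]

def resolve(user, groups):
    """Effective limits for user with the constructed files, limits.d files sorted by name."""
    return effective_limits([("limits.conf", LIMITS_CONF)] + sorted(LIMITS_D), user, groups)
```

For nginx the user-specific nofile 30000 in limits.conf survives the later wildcard in limits.d, while for an unrelated user the wildcard in limits.d replaces the wildcard in limits.conf, which is exactly the behaviour the header comment describes.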


Module? Library?

A module is a "finger"; a library is a "hand"

[http://stackoverflow.com/questions/4099975/difference-between-a-module-library-and-a-framework](http://stackoverflow.com/questions/4099975/difference-between-a-module-library-and-a-framework)

References

http://ps-2.kev009.com/wisclibrary/aix52/usr/share/man/info/en_US/a_doc_lib/aixbman/security/pam_overview.htm

http://www.linuxjournal.com/magazine/pammdashsecuring-linux-boxes-everywhere?page=0,0

Official PAM documentation: http://www.linux-pam.org/Linux-PAM-html/
