System Security: PAM

Pluggable Authentication Modules (PAM)

Linux-PAM (Pluggable Authentication Modules for Linux) is a set of shared libraries that let the system administrator choose which authentication mechanism an application uses. In other words, the mechanism can be switched without recompiling the application. Separating the service a system provides from the way that service authenticates lets the administrator give different services different authentication methods as needed, without changing the service programs, and makes it easy to add new authentication methods to the system. Applications obtain these services through the libpam library, and the binding between an application and PAM is done through configuration files.

Use the ldd command to see which programs use PAM for authentication; not every program does:

[root@localhost ~]# ldd `which login` | grep pam.so
    libpam.so.0 => /lib64/libpam.so.0 (0x00007ff2566cc000)
[root@localhost ~]# ldd `which sshd` | grep pam.so
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f83bdf05000)
[root@localhost ~]# 

The modules themselves live in /lib/security/ (/lib64/security/ on 64-bit systems). An application loads the modules it needs dynamically through the libpam library to carry out its authentication. Each module returns pass or fail, and those results together decide whether authentication succeeds. Which modules a service uses is set in a configuration file; these files are normally kept under /etc/pam.d/, one per service:

/etc/pam.d/login
/etc/pam.d/sshd

Note: the log records PAM produces are written to /var/log/secure.

Take login, the program that authenticates users on a character terminal, as an example to get a first look at the PAM authentication process:

[root@localhost ~]# cat /etc/pam.d/login 
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
[root@localhost ~]# 

PAM module types (the first field of each line):

*auth: verifies the identity of the user, for example by prompting for an account name and password
*account: decides whether access is permitted on grounds other than the credential itself, such as the time of day, account or password expiry, or where the login comes from
*password: handles changing the authentication token (the password); this is where complexity rules and retry limits for the new password are enforced
*session: runs when a session starts and ends, for logging, limiting the number of logins, applying resource limits, and similar tasks

PAM control flags (the second field):

required: the module must return success for the stack to pass. If it returns success, evaluation continues and the final outcome is decided by the modules that follow.

If it returns failure, the failure is not reported to the user at once: the remaining modules are still executed, and the failure is handed to the application only after the whole stack has run, so the user cannot tell which module rejected them.

requisite: like required, the module must return success for the stack to pass, and on success evaluation continues with the following modules.

But as soon as it returns failure, no further modules are executed and control goes straight back to the application with that failure.

sufficient:

Success from this module is enough to satisfy the request: as long as no earlier required module has failed, the remaining modules are skipped and success is returned immediately.

If the module fails, the failure is ignored and evaluation simply continues.

optional: the module's result is ignored unless it is the only module in the stack for that type; it is meant for modules whose success or failure should not decide the outcome.

include: pulls in all lines of the same type from the named file. The listings below also use substack, which does the same but evaluates the included lines as a sub-stack, so a die or done inside it ends only the sub-stack rather than the whole stack; and a leading - on a line tells libpam not to log an error if that module is missing from the system.

[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@localhost ~]# 
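To make the control flags concrete, here is an added example (not code from this page and not part of Linux-PAM) that simulates stack evaluation according to pam.conf(5) and runs it over the auth section of the system-auth listing above. No real module is loaded: the return code of each module is supplied by hand, the BASE and SCENARIOS tables and the scenario names are constructed for the demonstration, and the behaviour of a missing module is modelled only as far as the man page describes it.

```python
"""Simulate Linux-PAM stack evaluation for one management group (e.g. auth).
Added example, not code from the page or from Linux-PAM. It follows pam.conf(5):
shorthand flags expand to [value=action] tables and the ok/bad/die/done/ignore/N
actions decide the result. No module is loaded; callers supply the return codes."""
import re

SHORTHAND = {  # the four shorthand control flags as [value=action] tables
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
PERM_DENIED = "perm_denied"  # returned when no module contributed a decision
# optional "-", type, control word or [bracket table], module, arguments
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_control(token):
    """'required' or '[success=ok default=bad]' -> {return_code: action}."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token[1:-1].split())
    return dict(SHORTHAND[token])

def parse_stack(text, group):
    """Keep, in order, the lines of one management group (auth, account, ...)."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable pam.d line: " + raw)
        dash, grp, control, module, args = m.groups()
        if grp == group:
            stack.append({"control": parse_control(control), "module": module,
                          "args": args.split(), "missing_ok": dash == "-"})
    return stack

def evaluate(stack, outcomes, trace=None):
    """Return the stack result; 'trace', if given, collects (module, retval, action)."""
    impression, status, i = None, PERM_DENIED, 0  # None = undecided, True = ok so far, False = failed
    while i < len(stack):
        entry = stack[i]
        i += 1
        if entry["module"] not in outcomes and entry["missing_ok"]:
            continue                                     # "-" prefix: missing module skipped quietly
        retval = outcomes.get(entry["module"], "module_unknown")  # otherwise it returns a failure code
        # A return code not listed in the table falls under "default" (bad if absent).
        action = entry["control"].get(retval, entry["control"].get("default", "bad"))
        if trace is not None:
            trace.append((entry["module"], retval, action))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression is not False:                  # the first failure is the one remembered
                impression, status = False, retval
            if action == "die":                          # requisite: stop immediately
                break
        elif action in ("ok", "done") or action.isdigit():
            if impression is None or (impression and status == "success"):
                if retval != "ignore":                   # ok/done/N update the result only while nothing failed
                    impression, status = True, retval
            if action == "done" and impression:          # sufficient: stop only if nothing failed before
                break
            if action.isdigit():                         # N: skip the next N modules
                i += int(action)
        else:
            raise ValueError("unknown action: " + action)
    return PERM_DENIED if impression is None else status

# The auth section of the /etc/pam.d/system-auth listing above.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
"""
# Constructed module behaviour: no fingerprint reader, and pam_deny always rejects.
BASE = {"pam_env.so": "success", "pam_faildelay.so": "success",
        "pam_fprintd.so": "authinfo_unavail", "pam_deny.so": "auth_err"}
SCENARIOS = {  # what pam_unix / pam_succeed_if / pam_fprintd would return
    "good_password":       {"pam_unix.so": "success", "pam_succeed_if.so": "success"},
    "wrong_password_user": {"pam_unix.so": "auth_err", "pam_succeed_if.so": "success"},   # uid >= 1000
    "wrong_password_sys":  {"pam_unix.so": "auth_err", "pam_succeed_if.so": "auth_err"},  # uid < 1000
    "fingerprint_ok":      {"pam_fprintd.so": "success", "pam_unix.so": "auth_err", "pam_succeed_if.so": "success"},
}

def scenario(name, config=SYSTEM_AUTH):
    """Evaluate the auth group; return (result, modules consulted in order)."""
    trace = []
    result = evaluate(parse_stack(config, "auth"), {**BASE, **SCENARIOS[name]}, trace)
    return result, [module for module, _, _ in trace]

def without_pam_deny():
    """Misconfiguration: drop the final pam_deny line, then retry the wrong password."""
    broken = "\n".join(line for line in SYSTEM_AUTH.splitlines() if "pam_deny" not in line)
    return scenario("wrong_password_user", broken)
```

Calling scenario("good_password") stops at pam_unix (sufficient, success), scenario("wrong_password_sys") stops at the requisite pam_succeed_if, and scenario("wrong_password_user") runs all six modules and is rejected by pam_deny. The instructive case is without_pam_deny(): with pam_unix marked sufficient its failure is ignored, the requisite pam_succeed_if then records a positive result, and with no trailing required pam_deny the stack falls through to success for a wrong password. That is why a correctly written auth stack always ends in pam_deny, and why auditing a PAM configuration means reading the control flags rather than just the module names.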

*pam_securetty.so

pam_securetty: root may only log in on the terminals listed in /etc/securetty

[root@localhost ~]# cat /etc/securetty 
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0
ttysclp0
sclp_line0
3270/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0

Delete tty3 from the file and test whether root can still log in on tty3 (it cannot).

*pam_env.so: sets or unsets environment variables at login, as configured in /etc/security/pam_env.conf

[root@localhost ~]# cat /etc/security/pam_env.conf 
#
# This is the configuration file for pam_env, a PAM module to load in
# a configurable list of environment variables for a
#
# The original idea for this came from Andrew G. Morgan ...
#<quote>
#   Mmm. Perhaps you might like to write a pam_env module that reads a
#   default environment from a file? I can see that as REALLY
#   useful... Note it would be an "auth" module that returns PAM_IGNORE
#   for the auth part and sets the environment returning PAM_SUCCESS in
#   the setcred function...
#</quote>
#
# What I wanted was the REMOTEHOST variable set, purely for selfish
# reasons, and AGM didn't want it added to the SimpleApps login
# program (which is where I added the patch). So, my first concern is
# that variable, from there there are numerous others that might/would
# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
#
# Of course, these are a different kind of variable than REMOTEHOST in
# that they are things that are likely to be configured by
# administrators rather than set by logging in, how to treat them both
# in the same config file?
#
# Here is my idea:
#
# Each line starts with the variable name, there are then two possible
# options for each variable DEFAULT and OVERRIDE.
# DEFAULT allows and administrator to set the value of the
# variable  to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# to use. OVERRIDE is not used, "" is assumed and no override will be
# done.
#
# VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]
#
# (Possibly non-existent) environment variables may be used in values
# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
# be used in values using the @{string} syntax. Both the $ and @
# characters can be backslash escaped to be used as literal values
# values can be delimited with "", escaped " not supported.
# Note that many environment variables that you would like to use
# may not be set by the time the module is called.
# For example, HOME is used below several times, but
# many PAM applications don't make it available by the time you need it.
#
#
# First, some special variables
#
# Set the REMOTEHOST variable for any hosts that are remote, default
# to "localhost" rather than not being set at all
#REMOTEHOST    DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
#
# Set the DISPLAY variable if it seems reasonable
#DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
#
#
#  Now some simple variables
#
#PAGER        DEFAULT=less
#MANPAGER    DEFAULT=less
#LESS        DEFAULT="M q e h15 z23 b80"
#NNTPSERVER    DEFAULT=localhost
#PATH        DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
#
# silly examples of escaped variables, just to show how they work.
#
#DOLLAR        DEFAULT=\$
#DOLLARDOLLAR    DEFAULT=    OVERRIDE=\$${DOLLAR}
#DOLLARPLUS    DEFAULT=\${REMOTEHOST}${REMOTEHOST}
#ATSIGN        DEFAULT=""    OVERRIDE=\@
[root@localhost ~]# 
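The comments in that file describe the DEFAULT/OVERRIDE rules, the ${VAR} and @{PAM_ITEM} expansions and the backslash escapes, but it is easy to misjudge which value wins. The following is an added example, not code from the page or from the pam_env module: it applies those rules to the file's own example lines (uncommented, so the input is constructed) for a remote login and a console login. The process environment (HOME=/home/alice), the PAM item PAM_RHOST=203.0.113.7 and the function names are assumptions made for the demonstration.

```python
"""Resolve the environment pam_env would build from a pam_env.conf file.

Added example, not code from the page or from the pam_env module. It implements
the rules stated in the file's own comments: DEFAULT and OVERRIDE values, ${VAR}
expansion from the environment, @{ITEM} expansion from PAM items, backslash
escapes for $ and @, double-quoted values and backslash line continuation.
Values set by earlier lines are visible to later ones. The input below is the
file's example lines with the leading '#' removed; the PAM items are made up.
"""
import re

ASSIGN_RE = re.compile(r'(DEFAULT|OVERRIDE)=(?:"([^"]*)"|(\S*))')

def expand(value, env, items):
    """Expand ${VAR} from env and @{ITEM} from items; \\$ and \\@ are literals."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "$@":
            out.append(value[i + 1])
            i += 2
        elif c in "$@" and value.startswith("{", i + 1):
            end = value.find("}", i)
            if end < 0:
                raise ValueError("unterminated reference in: " + value)
            source = env if c == "$" else items
            out.append(source.get(value[i + 2:end], ""))  # unset names expand to ""
            i = end + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)

def logical_lines(text):
    """Join lines that end in a backslash, then drop blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    return [line for line in lines if line and not line.startswith("#")]

def login_environment(conf, process_env, pam_items):
    """Return the environment after applying every line of conf in order."""
    env = dict(process_env)
    for line in logical_lines(conf):
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        values = {"DEFAULT": "", "OVERRIDE": ""}
        for m in ASSIGN_RE.finditer(rest):
            values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        # a non-empty OVERRIDE wins; otherwise DEFAULT (possibly "") is used
        env[name] = expand(values["OVERRIDE"], env, pam_items) or expand(values["DEFAULT"], env, pam_items)
    return env

# Constructed input: the example lines from pam_env.conf above, uncommented.
PAM_ENV_CONF = """\
REMOTEHOST    DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY       DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
PAGER         DEFAULT=less
LESS          DEFAULT="M q e h15 z23 b80"
PATH          DEFAULT=${HOME}/bin:/usr/local/bin:/bin\\
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
DOLLAR        DEFAULT=\\$
DOLLARDOLLAR  DEFAULT=    OVERRIDE=\\$${DOLLAR}
DOLLARPLUS    DEFAULT=\\${REMOTEHOST}${REMOTEHOST}
ATSIGN        DEFAULT=""    OVERRIDE=\\@
"""

def remote_login():   # sshd-style login: the application has set PAM_RHOST (assumed value)
    return login_environment(PAM_ENV_CONF, {"HOME": "/home/alice"}, {"PAM_RHOST": "203.0.113.7"})

def console_login():  # local login: no PAM_RHOST, so the DEFAULT values apply
    return login_environment(PAM_ENV_CONF, {"HOME": "/home/alice"}, {})

if __name__ == "__main__":
    for name, value in sorted(remote_login().items()):
        print(f"{name}={value}")
```

For the remote login REMOTEHOST becomes the PAM_RHOST value and DISPLAY is built from it, while for the console login both fall back to their DEFAULT values; the DOLLAR and ATSIGN lines show that an escaped $ or @ is literal and that a later line can reference a variable set by an earlier one. Note that with OVERRIDE=@{PAM_RHOST} the value is whatever the calling application set as the remote host, so anything that later trusts REMOTEHOST is trusting peer-supplied data.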

*pam_unix.so: the core PAM module. It performs traditional Unix password authentication against /etc/passwd and /etc/shadow, and also serves the account, password and session types, as the /etc/pam.d/system-auth file shown above does.


*pam_succeed_if.so uid < 500

Returns success immediately if the condition holds and failure otherwise. The listing above uses 1000 rather than 500 because that is the first regular-user UID on current distributions (older ones started at 500). In the auth stack, uid >= 1000 only decides which module delivers the rejection of a wrong password (pam_deny for regular users, the requisite failure itself for system accounts); in the account stack, uid < 1000 lets a system account through without further checks.

*pam_permit.so: always returns success

*pam_nologin.so

If the file /etc/nologin exists, non-root users cannot log in; sessions that are already open are unaffected. Any text written in the file is displayed to the users who are turned away, while root can still log in normally.

*pam_access.so: login access control by user and by origin (tty or remote host), configured in /etc/security/access.conf; for example, forbidding a given user from logging in on a particular tty


*pam_echo.so: prints the contents of a text file to the user (not used in the stock configurations). For comparison, here are the service files for passwd (password changes) and sshd:

[root@localhost ~]# cat /etc/pam.d/passwd
#%PAM-1.0
auth       include    system-auth
account    include    system-auth
password   substack    system-auth
-password   optional    pam_gnome_keyring.so use_authtok
password   substack    postlogin
[root@localhost ~]# 
[root@localhost ~]# cat /etc/pam.d/sshd 
#%PAM-1.0
auth       required    pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
[root@localhost ~]# 

*pam_time.so: restricts access to configured time ranges, via /etc/security/time.conf (only the account type is supported)

[root@localhost ~]# cat /etc/security/time.conf 
# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-960129).
#
# the syntax of the lines is as follows:
#
#       services;ttys;users;times
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). As should be clear from reading these comments,
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
#    is a logic list of PAM service names that the rule applies to.
#
# ttys
#    is a logic list of terminal names that this rule applies to.
#
# users
#    is a logic list of users or a netgroup of users to whom this
#    rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
#    the format here is a logic list of day/time-range
#    entries the days are specified by a sequence of two character
#    entries, MoTuSa for example is Monday Tuesday and Saturday. Note
#    that repeated days are unset MoMo = no day, and MoWk = all weekdays
#    bar Monday. The two character combinations accepted are
#
#        Mo Tu We Th Fr Sa Su Wk Wd Al
#
#    the last two being week-end days and all 7 days of the week
#    respectively. As a final example, AlFr means all days except Friday.
#
#    each day/time-range can be prefixed with a '!' to indicate "anything
#    but"
#
#    The time-range part is two 24-hour times HHMM separated by a hyphen
#    indicating the start and finish time (if the finish time is smaller
#    than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#

#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users 'you' and 'me' are denied service all of the time
#

#blank;tty* & !ttyp*;you|me;!Al0000-2400

# Another silly example, user 'root' is denied xsh access
# from pseudo terminals at the weekend and on mondays.

#xsh;ttyp*;root;!WdMo0000-2400

#
# End of example file.
#
[root@localhost ~]# 
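The comment block spells out the rule syntax but gives no way to check a rule before deploying it. Below is an added example, not code from the page or from the pam_time module, written from that description: it parses services;ttys;users;times lines, evaluates the ! & | logic lists left to right, handles the single * wildcard, the toggling two-letter day codes and HHMM-HHMM ranges that wrap past midnight, and answers whether a login would be allowed at a given moment. The rule set is constructed from the file's two example lines plus an assumed sshd rule for a user named contractor; netgroups (@group) are not handled, and the function names are mine.

```python
"""Evaluate /etc/security/time.conf rules as the file's comments describe them.

Added example, not code from the page or from the pam_time module: it is
written from the syntax description in the file (services;ttys;users;times,
logic lists with ! & |, a single * wildcard, two-letter day codes that toggle,
HHMM-HHMM ranges that wrap past midnight when the end precedes the start).
Netgroups (@group) are not handled. The rule set below is built from the
file's two examples plus an assumed sshd rule for the user "contractor".
"""
import re
from datetime import datetime

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
             "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6}}
ENTRY_RE = re.compile(r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")

def parse_time_entry(entry):
    """'!WdMo0000-2400' -> (negated, weekdays 0=Mon..6=Sun, start, end).
    Each day code toggles its days: MoMo is no day, MoWk is weekdays except Monday."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError("bad day/time entry: " + entry)
    neg, codes, start, end = m.groups()
    days = set()
    for i in range(0, len(codes), 2):
        days ^= DAY_CODES[codes[i:i + 2]]
    return neg == "!", days, int(start), int(end)

def time_entry_matches(entry, when):
    """True if 'when' (a datetime) falls inside the entry's days and time range."""
    neg, days, start, end = parse_time_entry(entry)
    now = when.hour * 100 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    if start < end:
        hit = today in days and start <= now < end
    else:  # wraps past midnight: after start today, or before the end of a range begun yesterday
        hit = (today in days and now >= start) or (yesterday in days and now < end)
    return hit != neg

def glob(pattern, value):
    """The single '*' wildcard: 'tty*' matches tty3, '*' matches anything."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return value.startswith(head) and value.endswith(tail) and len(value) >= len(head) + len(tail)

def logic_list(field, match):
    """Evaluate 'a & !b | c' strictly left to right (no operator precedence)."""
    result, op, neg = None, None, False
    for tok in re.findall(r"[&|!]|[^&|!]+", re.sub(r"\s+", "", field)):
        if tok == "!":
            neg = not neg
        elif tok in ("&", "|"):
            op = tok
        else:
            val = match(tok) != neg
            neg = False
            result = val if result is None else (result and val if op == "&" else result or val)
    return bool(result)

def parse_rules(text):
    """Return (services, ttys, users, times) tuples, ignoring comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = [p.strip() for p in line.split(";")]
            if len(parts) != 4:
                raise ValueError("bad time.conf line: " + raw)
            rules.append(tuple(parts))
    return rules

def allowed(rules, service, tty, user, when):
    """Deny if any rule whose services, ttys and users all match has a false time list."""
    for services, ttys, users, times in rules:
        applies = (logic_list(services, lambda t: glob(t, service))
                   and logic_list(ttys, lambda t: glob(t, tty))
                   and logic_list(users, lambda t: glob(t, user)))
        if applies and not logic_list(times, lambda t: time_entry_matches(t, when)):
            return False
    return True

# Constructed rule set: the two examples from the file, plus an assumed rule.
TIME_CONF = """\
blank;tty* & !ttyp*;you|me;!Al0000-2400
xsh;ttyp*;root;!WdMo0000-2400
# assumed: contractors use sshd on weekdays 08:00-18:00 or the Friday night shift
sshd;*;contractor;Wk0800-1800|Fr2200-0600
"""

def check(service, tty, user, when, conf=TIME_CONF):
    """Convenience wrapper; 'when' is 'YYYY-MM-DD HH:MM' in local time."""
    return allowed(parse_rules(conf), service, tty, user, datetime.strptime(when, "%Y-%m-%d %H:%M"))

if __name__ == "__main__":
    for args in [("blank", "tty3", "you", "2024-01-10 12:00"),
                 ("xsh", "ttyp0", "root", "2024-01-08 10:00"),          # a Monday
                 ("sshd", "pts/0", "contractor", "2024-01-13 03:00")]:  # Saturday 03:00
        print(*args, "->", "allow" if check(*args) else "deny")
```

Two details are worth noticing when writing real rules. First, a rule only ever denies: a login that no rule covers is allowed, so a whitelist must be written as a rule whose time list is false outside the permitted hours (as the contractor rule does). Second, a range such as Fr2200-0600 is honoured on Saturday before 06:00 because the range began on Friday, which is why the check above passes at Saturday 03:00 but fails at 07:00.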