PAM was originally integrated into Solaris and has since been ported to other systems, such as Linux, SunOS, HP-UX 9.0, etc.
I. The structure of PAM
The overall framework of PAM is as follows:
The system administrator formulates the authentication policy through the PAM configuration file, that is, decides which authentication methods are used; application developers call those authentication methods by using the PAM API in the service program; PAM service module developers use the PAM SPI (Service Module API) to write authentication modules (mainly by exporting the functions pam_sm_xxxx() for libpam to call), so that different authentication mechanisms (such as traditional UNIX authentication, Kerberos, etc.) can be added to the system; and the PAM core library (libpam) reads the configuration file and, in accordance with it, links the program with the corresponding authentication method.
II. The four management interfaces supported by PAM
1. Authentication management
Mainly accepts the username and password, authenticates the user's password, and is responsible for setting the user's credentials (secret information).
2. Account management
Mainly checks whether the account is allowed to log in to the system, whether the account has expired, whether the account's logins are restricted to certain time periods, etc.
3. Password management
Mainly used to change the user's password.
4. Session management
Mainly provides management and accounting of the session.
III. PAM files
/usr/lib/libpam.so.*           PAM core library
/etc/pam.conf or /etc/pam.d/   PAM configuration file(s)
/usr/lib/security/pam_*.so     dynamically loaded PAM service modules
On Red Hat, the directory is not /usr/lib but /lib.
IV. PAM configuration
PAM is configured through the single configuration file /etc/pam.conf. Red Hat also supports another configuration method, the directory /etc/pam.d/, and this directory takes priority over the single configuration file.
1. Using the configuration file /etc/pam.conf
This file consists of lines of the following form:
service-name module-type control-flag module-path arguments
service-name is the name of the service, such as telnet, login, ftp, etc.; the service name "other" stands for all services that are not otherwise configured in this file.
module-type has four values: auth, account, session and password, corresponding to the four management interfaces supported by PAM. The same service can call several PAM modules for authentication, which together form a stack.
control-flag tells the PAM library how to handle the success or failure of the PAM module associated with the service. It has four possible values: required, requisite, sufficient and optional.
required means that this module must return success for authentication to pass; if the module returns failure, the failure is not reported to the user immediately but only after all modules in the same stack have been executed, and failure is then returned to the application. It can be regarded as a necessary condition.
requisite is similar to required: the module must return success for authentication to pass, but as soon as the module returns failure, no further modules in the same stack are executed and control is returned directly to the application. It too is a necessary condition. Note: only Red Hat supports this; Solaris does not.
sufficient means that success from this module is enough to satisfy the authentication requirement, and the other modules in the same stack need not be executed; if the module returns failure, the failure can be ignored. It can be regarded as a sufficient condition.
optional means that this module is optional; its success generally plays no decisive role in authentication, and its return value is generally ignored.
Starting with Linux-PAM-0.63, control-flag supports a new syntax; see the Linux-PAM documentation for details.
module-path is the path name of the program file of this module, generally an absolute path; if no absolute path is given, the file is assumed by default to be in the directory /usr/lib/security.
arguments are the parameters passed to the module. The parameters of each module are generally different and can be defined by the developer of the module, but the following common parameters also exist:
debug            the module should write debugging information to the system log via syslog().
no_warn          the module should not send warning information to the application.
use_first_pass   the module may not prompt the user for a password, but must use the password that the previous module obtained from the user.
try_first_pass   the module should first try the password that the previous module obtained from the user; if that password fails verification, it then prompts the user to enter a new password.
use_mapped_pass  the module may not prompt the user for a password, but must use the mapped password.
expose_account   allows the module to display information such as the user's account name; usually used only in a secure environment, because leaking usernames poses a certain threat to security.
2. Using the configuration directory /etc/pam.d/ (Red Hat Linux only)
The name of each file in this directory corresponds to a service name; for example, the file for the ftp service is /etc/pam.d/ftp. If the configuration file /etc/pam.d/xxxx for service xxxx does not exist, the service uses the default configuration file /etc/pam.d/other. Each file consists of text lines of the following form:
module-type control-flag module-path arguments
The meaning of each field is the same as in /etc/pam.conf.
3. Configuration examples
Example 1: configuring the default authentication method in /etc/pam.conf.
The following example rejects all services that are not configured in /etc/pam.conf. "other" stands for all services not configured elsewhere, and the pam_deny module simply refuses to pass authentication.
other auth     required /usr/lib/security/pam_deny.so
other account  required /usr/lib/security/pam_deny.so
other password required /usr/lib/security/pam_deny.so
other session  required /usr/lib/security/pam_deny.so
Example 2: configuring the authentication method of the rsh service through the file /etc/pam.d/rsh.
The rsh service authenticates the user first with the /etc/hosts.equiv and .rhosts method, then decides from the presence or absence of /etc/nologin whether the user is allowed to use rsh, and finally authenticates the user with the Password Database.
auth    required /lib/security/pam_rhosts_auth.so
auth    required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
Example 3: configuring the authentication method of ftpd through /etc/pam.conf.
Below are the three steps in which the ftpd service uses PAM modules to authenticate a user. First the pam_ftp module checks whether the current user is an anonymous user; if so, the sufficient control flag indicates that the later authentication steps are unnecessary and authentication passes directly. Otherwise the pam_unix_auth module performs standard UNIX authentication, i.e. authentication against /etc/passwd and /etc/shadow; after the pam_unix_auth module has passed, the pam_listfile module checks whether the user appears in the file /etc/ftpusers, and if so the user is denied.
ftpd auth sufficient /usr/lib/security/pam_ftp.so
ftpd auth required   /usr/lib/security/pam_unix_auth.so use_first_pass
ftpd auth required   /usr/lib/security/pam_listfile.so \
     onerr=succeed item=user sense=deny file=/etc/ftpusers
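To make the control-flag rules and the examples above concrete, here is an added example (not part of the original article) that parses pam.conf-style lines and walks a stack the way libpam does under the four classic flags. The configuration text is constructed from Examples 1 and 3 plus a login stack that uses requisite, and module results are supplied by the caller in place of real modules.

```python
# Constructed /etc/pam.conf fragment: the "other" and ftpd entries from this
# page's examples, plus a login stack that uses the requisite flag.
SAMPLE_CONF = """
# deny every service that has no entry of its own (Example 1)
other auth     required   /usr/lib/security/pam_deny.so
other account  required   /usr/lib/security/pam_deny.so
ftpd  auth     sufficient /usr/lib/security/pam_ftp.so
ftpd  auth     required   /usr/lib/security/pam_unix_auth.so use_first_pass
ftpd  auth     required   /usr/lib/security/pam_listfile.so \\
      onerr=succeed item=user sense=deny file=/etc/ftpusers
login auth     requisite  /usr/lib/security/pam_securetty.so
login auth     required   /usr/lib/security/pam_unix_auth.so
"""


def parse_pam_conf(text):
    """Parse pam.conf lines into (service, type, flag, module, args).
    '#' comments are dropped and a trailing backslash joins the next line."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):               # continuation line
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        service, mtype, flag, module, *args = line.split()
        entries.append((service, mtype, flag.lower(), module, args))
    return entries


def run_stack(entries, service, mtype, results):
    """Walk the stack for (service, type) as the four control flags prescribe.
    `results` maps module path -> True/False and stands in for the real
    modules; a module with no entry is treated as failing.
    Returns (passed, list of modules actually executed)."""
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    if not stack:                             # fall back to the "other" service
        stack = [e for e in entries if e[0] == "other" and e[1] == mtype]
    failed, executed = False, []
    for _, _, flag, module, _ in stack:
        ok = results.get(module, False)
        executed.append(module)
        if flag == "required" and not ok:
            failed = True                     # remembered, but keep going
        elif flag == "requisite" and not ok:
            return False, executed            # abort the stack immediately
        elif flag == "sufficient" and ok and not failed:
            return True, executed             # enough, skip the rest
        # optional: result ignored
    return not failed, executed
```

Running the ftpd stack with pam_listfile failing shows why required matters: the user is still denied, but only after every module has run, so nothing reveals which step rejected them.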
V. Password mapping
Password mapping allows a user to use different passwords under different authentication mechanisms. There is one primary password, and the other passwords are secondary passwords (there may be several). The primary password is used for the first authentication. After the primary password has passed authentication, the authentication module uses the primary password to decrypt the encrypted secondary password (also called the mapped password) and authenticates with the secondary password.
Note: if a one-time password is used, password mapping is not used.
All service modules must support the following four mapping options (already explained briefly in Part IV):
1. use_first_pass
This option indicates that this module may not prompt the user for a password but must use the existing password, that is, the password obtained from the user by the first module that prompted for one, and authenticate with that password.
2. try_first_pass
This option indicates that this module first tries the existing password, that is, the password obtained from the user by the first module that prompted for one, and authenticates with it. If that password fails, the user is prompted to enter a password.
3. use_mapped_pass
This option indicates that this module may not prompt the user for a password but must use the mapped password, that is, decrypt the encrypted secondary password with the primary password and authenticate with it.
4. try_mapped_pass
This option indicates that this module first tries the mapped password, that is, uses the primary password to decrypt the encrypted secondary password and authenticates with it. If that authentication fails, the user is prompted to enter a password.
Example of password mapping:
Below is the configuration of the login service in /etc/pam.conf. Here login has three authentication mechanisms: Kerberos, UNIX and RSA authentication. The two required control flags indicate that a user of the login service must pass Kerberos authentication and UNIX authentication, and the optional flag indicates that RSA authentication is optional. First the user enters the primary password for Kerberos authentication; the use_mapped_pass option indicates that the UNIX authentication module uses the primary password to decrypt the secondary password used for UNIX authentication and authenticates with it; the try_first_pass option indicates that the RSA authentication module first uses the password of the first module (i.e. the Kerberos module) as its password for authentication, and when that password fails, the user enters the secondary password used for RSA authentication.
login auth required pam_kerb_auth.so debug
login auth required pam_unix_auth.so use_mapped_pass
login auth optional pam_rsa_auth.so  try_first_pass
VI. PAM API
1. Framework API:
Any service program that supports PAM must begin authentication with pam_start() for initialization, and finally call pam_end() to clean up.
2. Authentication management API:
pam_authenticate()   authenticates the username/password.
pam_setcred()        used to modify the user's credentials (secret information).
3. Account management API:
pam_acct_mgmt()      checks whether the account itself has the right to log in to the system, whether the account has expired, whether the account has login time restrictions, etc.
4. Password management API:
pam_chauthtok()      changes the user's password.
5. Session management API:
A session starts with pam_open_session() and finally ends with pam_close_session().
6. Others:
pam_get_item(), pam_set_item()                  read and write the status information of the PAM transaction.
pam_get_data(), pam_set_data()                  obtain and set information about the PAM module and session.
pam_putenv(), pam_getenv(), pam_getenvlist()    read and write environment variables.
pam_strerror()                                  returns the related error message.
Example program (taken from Sun's white paper):
The following example uses the PAM API to write a simple login service program (note: this is not a complete program, so the call to pam_close_session() is omitted).
#include <security/pam_appl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>

#define MAX_RETRIES 3    /* retry limit; the white paper does not show its value */

/* Variables the real login program obtains elsewhere (not shown in the white paper) */
static char *user_name, *ttyn, *remote_host;
static struct passwd *pwd;

/* Conversation callback used by PAM modules to talk to the user */
static int login_conv(int num_msg, struct pam_message **msg,
                      struct pam_response **response, void *appdata_ptr);
static void login_exit(int exit_code);

struct pam_conv pam_conv = { login_conv, NULL };
pam_handle_t *pamh;      /* PAM handle for the authentication transaction */

int main(int argc, char *argv[], char **renvp)
{
    int status, authenticated = 0, retry = 0;

    /* Initialization; supply the conversation callback */
    if (pam_start("login", user_name, &pam_conv, &pamh) != PAM_SUCCESS)
        login_exit(1);
    /* Set some items */
    pam_set_item(pamh, PAM_TTY, ttyn);
    pam_set_item(pamh, PAM_RHOST, remote_host);
    while (!authenticated && retry++ < MAX_RETRIES) {
        /* Authentication management: check whether the password the user entered is correct */
        status = pam_authenticate(pamh, 0);
        authenticated = (status == PAM_SUCCESS);
    }
    if (status != PAM_SUCCESS) {
        /* Show the reason for the error */
        fprintf(stderr, "error: %s\n", pam_strerror(pamh, status));
        login_exit(1);
    }
    /* After password authentication, call the account management API to check whether the account has expired */
    if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
        if (status == PAM_AUTHTOK_EXPIRED) {
            /* The user is required to change the password */
            status = pam_chauthtok(pamh, 0);
            if (status != PAM_SUCCESS)
                login_exit(1);
        } else {
            /* Any other account management failure (expired or locked account, time restriction) must also end the login */
            login_exit(1);
        }
    }
    /* Open the session after the account management check */
    if ((status = pam_open_session(pamh, 0)) != PAM_SUCCESS)
        login_exit(status);
    /* Set the user's group */
    setgid(pwd->pw_gid);
    /*
     * Initialize the supplementary group access list before
     * pam_setcred because PAM modules might add groups
     * during the pam_setcred call
     */
    initgroups(user_name, pwd->pw_gid);
    status = pam_setcred(pamh, PAM_ESTABLISH_CRED);
    if (status != PAM_SUCCESS)
        login_exit(status);
    /* Set the real user ID (and effective user ID) */
    setuid(pwd->pw_uid);
    pam_end(pamh, PAM_SUCCESS);    /* end of the PAM transaction */
    /* Other login-related work can be done here */
    return 0;
}

/* On error, clean up and exit */
static void login_exit(int exit_code)
{
    if (pamh)
        pam_end(pamh, PAM_ABORT);
    exit(exit_code);
}

/*
 * This callback is called by the PAM modules to display an error message or
 * to obtain user input. A service program with a graphical interface should
 * use that interface to obtain user input or display prompts.
 * Note: this is the Solaris signature, where *msg is an array of messages;
 * Linux-PAM declares msg as const struct pam_message ** (an array of pointers).
 */
static int login_conv(int num_msg, struct pam_message **msg,
                      struct pam_response **response, void *appdata_ptr)
{
    struct pam_message *m = *msg;
    struct pam_response *r;

    /* One response slot per message; libpam frees the array after use */
    r = *response = calloc(num_msg, sizeof(struct pam_response));
    if (r == NULL)
        return PAM_CONV_ERR;
    while (num_msg--) {
        switch (m->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
            r->resp = strdup(getpass(m->msg));
            break;
        case PAM_PROMPT_ECHO_ON:
            (void) fputs(m->msg, stdout);
            r->resp = malloc(PAM_MAX_RESP_SIZE);
            fgets(r->resp, PAM_MAX_RESP_SIZE, stdin);
            /* add code here to remove the trailing \n left by fgets */
            break;
        case PAM_ERROR_MSG:
            (void) fputs(m->msg, stderr);
            break;
        case PAM_TEXT_INFO:
            (void) fputs(m->msg, stdout);
            break;
        default:
            log_error();    /* the login program's own logging routine (not shown) */
            break;
        }
        m++;
        r++;
    }
    return (PAM_SUCCESS);
}

VII. PAM SPI
When a service program (ftpd, telnetd, etc.) calls a PAM API function pam_xxx(), the PAM framework (libpam) looks up the service in /etc/pam.conf and calls the corresponding SPI function pam_sm_xxx() in the PAM module that the entry points to. The naming rule is as follows: for an API function named pam_xxx(), the corresponding SPI function is named pam_sm_xxx(); that is, each service module must implement the corresponding function for libpam to call. For convenience, they are listed below.
Management type             API function          Corresponding SPI function
Account management          pam_acct_mgmt()       pam_sm_acct_mgmt()
Authentication management   pam_authenticate()    pam_sm_authenticate()
Password management         pam_chauthtok()       pam_sm_chauthtok()
Session management          pam_open_session()    pam_sm_open_session()
Session management          pam_close_session()   pam_sm_close_session()
Authentication management   pam_setcred()         pam_sm_setcred()
VIII. Commonly used PAM service modules
Below is a (partial) list of the PAM modules provided with Linux:
Module file       Function                                                                              Related configuration file
pam_access        provides login access control                                                         /etc/security/access.conf
pam_chroot        provides functionality similar to the chroot command
pam_cracklib      performs certain checks on passwords                                                  library libcrack and dictionary file /usr/lib/cracklib_dict
pam_deny          always fails unconditionally
pam_env           sets or unsets environment variables                                                  /etc/security/pam_env.conf
pam_filter        provides filters for the input and output streams
pam_ftp           authenticates anonymous FTP users
pam_group         grants the corresponding group permissions when a user requests the specified         /etc/security/group.conf
                  service on the specified terminal
pam_issue         displays the contents of /etc/issue before prompting the user for a username           /etc/issue
pam_krb4          performs Kerberos authentication of the user's password                               the corresponding Kerberos library files
pam_lastlog       after login, displays the user's last login information and maintains                 /var/log/lastlog
                  the /var/log/lastlog file
pam_limits        limits the system resources a user session may use                                    /etc/security/limits.conf
pam_listfile      allows or denies the service according to whether an item is listed in a given        e.g. /etc/ftpusers
                  file
pam_mail          checks whether there is new mail in the user's mailbox                                /var/spool/mail/xxxx
pam_mkhomedir     creates the user's home directory                                                     /etc/skel/
pam_motd          displays the contents of /etc/motd                                                    /etc/motd
pam_nologin       decides whether user authentication succeeds from the presence or absence             /etc/nologin
                  of /etc/nologin
pam_permit        always succeeds unconditionally
pam_pwdb          an alternative to the pam_unix_xxxx modules; authenticates through the                /etc/pwdb.conf
                  Password Database generic interface
pam_radius        provides Remote Authentication Dial-In User Service (RADIUS) authentication
pam_rhosts_auth   authenticates the user using ~/.rhosts and /etc/hosts.equiv                           ~/.rhosts, /etc/hosts.equiv
pam_rootok        checks whether the user is the superuser; if so, passes authentication unconditionally
pam_securetty     provides the standard UNIX securetty check                                            /etc/securetty
pam_time          provides time-based control, e.g. allowing users to log in only during certain        /etc/security/time.conf
                  periods
pam_unix          provides standard UNIX authentication                                                 /etc/passwd and /etc/shadow
pam_userdb        checks user passwords against a Berkeley DB database                                  Berkeley DB
pam_warn          records a warning message via syslog()
pam_wheel         only allows users in the wheel group to obtain superuser access