The Linux-PAM System Administrators' Guide
Andrew G. Morgan <morgan@kernel.org>
Thorsten Kukuk <kukuk@thkukuk.de>
Version 0.99.7.0, 16. January 2007
Abstract
This manual documents what a system administrator needs to know about the Linux-PAM library. It covers the correct
syntax of the PAM configuration file and discusses strategies for maintaining a secure system.
1. Introduction
2. Some comments on the text
3. Overview
4. The Linux-PAM configuration file
    4.1. Configuration file syntax
    4.2. Directory based configuration
    4.3. Example configuration file entries
5. Security issues
    5.1. If something goes wrong
    5.2. Avoid having a weak 'other' configuration
6. A reference guide for available modules
    6.1. pam_access - logdaemon style login access control
    6.2. pam_cracklib - checks the password against dictionary words
    6.3. pam_debug - debug the PAM stack
    6.4. pam_deny - locking-out PAM module
    6.5. pam_echo - print text messages
    6.6. pam_env - set/unset environment variables
    6.7. pam_exec - call an external command
    6.8. pam_faildelay - change the delay on failure per-application
    6.9. pam_filter - filter module
    6.10. pam_ftp - module for anonymous access
    6.11. pam_group - module to modify group access
    6.12. pam_issue - add issue file to user prompt
    6.13. pam_keyinit - display the keyinit file
    6.14. pam_lastlog - display date of last login
    6.15. pam_limits - limit resources
    6.16. pam_listfile - deny or allow services based on an arbitrary file
    6.17. pam_localuser - require users to be listed in /etc/passwd
    6.18. pam_loginuid - record user's login uid to the process attribute
    6.19. pam_mail - inform about available mail
    6.20. pam_mkhomedir - create users home directory
    6.21. pam_motd - display the motd file
    6.22. pam_namespace - setup a private namespace
    6.23. pam_nologin - prevent non-root users from login
    6.24. pam_permit - the promiscuous module
    6.25. pam_rhosts - grant access using .rhosts file
    6.26. pam_rootok - gain only root access
    6.27. pam_securetty - limit root login to special devices
    6.28. pam_selinux - set the default security context
    6.29. pam_shells - check for valid login shell
    6.30. pam_succeed_if - test account characteristics
    6.31. pam_tally - login counter (tallying) module
    6.32. pam_time - time controlled access
    6.33. pam_umask - set the file mode creation mask
    6.34. pam_unix - traditional password authentication
    6.35. pam_userdb - authenticate against a db database
    6.36. pam_warn - logs all PAM items
    6.37. pam_wheel - only permit root access to members of group wheel
    6.38. pam_xauth - forward xauth keys between users
7. See also
8. Author/acknowledgments
9. Copyright information for this document
Chapter 1. Introduction
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the
local system administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch
between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication
system without touching the applications themselves.
Historically, an application that required a given user to be authenticated had to be compiled to use
a specific authentication mechanism. For example, in the case of traditional UN*X systems, the identity
of the user is verified by the user entering a correct password. This password, after being prefixed by a
two-character "salt", is encrypted (with crypt(3)). The user is then authenticated if this encrypted password
is identical to the second field of the user's entry in the system password database (the /etc/passwd
file). On such systems, most if not all forms of privileges are granted based on this single authentication
scheme. Privilege comes in the form of a personal user-identifier (UID) and membership of various groups.
Services and applications are available based on the personal and group identity of the user. Traditionally,
group membership has been assigned based on entries in the /etc/group file.
It is the purpose of the Linux-PAM project to separate the development of privilege granting software from
the development of secure and appropriate authentication schemes. This is accomplished by providing a
library of functions that an application may use to request that a user be authenticated. This PAM library
is configured locally with a system file, /etc/pam.conf (or a series of configuration files located
in /etc/pam.d/) to authenticate a user request via the locally available authentication modules. The
modules themselves will usually be located in the directory /lib/security or /lib64/security
and take the form of dynamically loadable object files (see dlopen(3)).
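Because every rule in the configuration names a module that the library loads with dlopen(3), an administrator can check that each referenced module resolves to a file in the module directory and is not writable by group or others. The audit below is an added example, not code from the guide or from Linux-PAM; it assumes the pam.d rule layout (type, control, module path) from the guide's configuration chapter, and `pam_gone.so`, `system-auth` and the temporary tree are constructed sample data.

```python
import os
import tempfile

MODULE_DIRS = ("/lib/security", "/lib64/security")  # defaults named in the guide
TYPES = {"auth", "account", "password", "session"}

def rules(conf_dir):
    """Yield (service, module) for each rule in a pam.d-style directory."""
    for service in sorted(os.listdir(conf_dir)):
        with open(os.path.join(conf_dir, service)) as fh:
            for line in fh:
                f = line.split("#", 1)[0].split()
                if len(f) < 3 or f[0].lstrip("-") not in TYPES:
                    continue  # blank line, comment, or not a rule
                if f[1] in ("include", "substack"):
                    continue  # names another service file, not a module
                i = 1
                while f[1].startswith("[") and i < len(f) and not f[i].endswith("]"):
                    i += 1  # a bracketed control field may contain spaces
                if i + 1 < len(f):
                    yield service, f[i + 1]

def audit(conf_dir, module_dirs=MODULE_DIRS):
    """Return sorted (service, module, problem) findings."""
    findings = set()
    for service, module in rules(conf_dir):
        # os.path.join keeps an absolute module path unchanged
        paths = [os.path.join(d, module) for d in module_dirs]
        found = [p for p in paths if os.path.isfile(p)]
        if not found:
            findings.add((service, module, "missing"))
        elif os.stat(found[0]).st_mode & 0o022:
            findings.add((service, module, "group/world-writable"))
    return sorted(findings)

def demo():
    """Audit a constructed tree (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as root:
        conf, mods = os.path.join(root, "pam.d"), os.path.join(root, "security")
        os.mkdir(conf)
        os.mkdir(mods)
        for name, mode in (("pam_unix.so", 0o644), ("pam_env.so", 0o666)):
            path = os.path.join(mods, name)
            open(path, "w").close()
            os.chmod(path, mode)
        with open(os.path.join(conf, "login"), "w") as fh:
            fh.write("auth required pam_unix.so nullok\n"
                     "auth [success=1 default=ignore] pam_gone.so\n"
                     "session optional pam_env.so  # writable module\n"
                     "account include system-auth\n")
        return audit(conf, (mods,))
```

On a real host, call `audit("/etc/pam.d")` with the default module directories.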