<HTML>
<HEAD>
<TITLE>Using Linux:Managing Users and Groups</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
-->
<!--ISBN=0789716232//-->
<!--TITLE=Using Linux//-->
<!--AUTHOR=William Ball//-->
<!--PUBLISHER=Macmillan Computer Publishing//-->
<!--IMPRINT=Que//-->
<!--CHAPTER=25//-->
<!--PAGES=425-427//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="422-424.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="../ch26/429-431.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P>One special feature of PAM is its “stackable” nature. That is, every line in the configuration file is evaluated during the authentication process (with the exceptions shown later). Each line specifies a module that performs some authentication task and returns either a success or failure flag. A summary of the results is returned to the application program calling PAM.
</P>
<P>Let’s examine a sample PAM configuration file, <TT>/etc/pam.d/login</TT>.</P>
<!-- CODE //-->
<PRE>
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
</PRE>
<!-- END CODE //-->
<P>You can see that the first line begins with a hash symbol and is therefore a comment. You can ignore it.
</P>
<P>Now go through the rest of the file line by line:</P>
<!-- CODE SNIP //-->
<PRE>
auth required /lib/security/pam_securetty.so
</PRE>
<!-- END CODE SNIP //-->
<P>specifies that the <TT>module_type</TT> is <TT>auth</TT>, which means it will want a password. The <TT>control_flag</TT> is set to <TT>required</TT>, so this module must return a success or the login will fail. The module itself is the <TT>pam_securetty.so</TT> module, which verifies that logins on the root account can only happen on the terminals mentioned in the <TT>/etc/securetty</TT> file.</P>
<!-- CODE SNIP //-->
<PRE>
auth required /lib/security/pam_pwdb.so shadow nullok
</PRE>
<!-- END CODE SNIP //-->
<P>Similar to the previous line, this line wants to use a password for authentication, and if the password fails, the authentication process will return a failure flag to the calling application. The <TT>pam_pwdb.so</TT> module behavior is based on the <TT>module_type</TT>. In this case, the <TT>auth</TT> type allows <TT>pam_pwdb.so</TT> to do basic password checking against the <TT>/etc/passwd</TT> file. The <TT>shadow</TT> parameter tells it to check the <TT>/etc/shadow</TT> file if it is there, and the <TT>nullok</TT> parameter tells the module to allow users to change their password from an empty one to something. (Normally, it treats empty passwords as an account locking mechanism.)</P>
<!-- CODE SNIP //-->
<PRE>
auth required /lib/security/pam_nologin.so
</PRE>
<!-- END CODE SNIP //-->
<P>The <TT>pam_nologin.so</TT> module checks for the <TT>/etc/nologin</TT> file. If it is present, only root is allowed to log in, and others are turned away with an error message. If the file does not exist, it always returns a success.</P>
<!-- CODE SNIP //-->
<PRE>
account required /lib/security/pam_pwdb.so
</PRE>
<!-- END CODE SNIP //-->
<P>Because the <TT>module_type</TT> is <TT>account</TT>, the <TT>pam_pwdb.so</TT> module will silently check that the user is even allowed to log in (for example, has his password expired?). If all the parameters check out okay, it will return a success.</P>
<!-- CODE SNIP //-->
<PRE>
password required /lib/security/pam_cracklib.so
</PRE>
<!-- END CODE SNIP //-->
<P>The <TT>password</TT> <TT>module_type</TT> means that we will be using the <TT>pam_cracklib.so</TT> module during a password change. The <TT>pam_cracklib.so</TT> module performs a variety of checks to see whether a password is “too easy” to crack by potential intruders.</P>
<!-- CODE SNIP //-->
<PRE>
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
</PRE>
<!-- END CODE SNIP //-->
<P>This is another example of the versatility of the <TT>pam_pwdb.so</TT> module. With the <TT>module_type</TT> set to <TT>password</TT>, it will perform the actual updating of the <TT>/etc/passwd</TT> file. The <TT>shadow</TT> parameter tells it to check for the existence of the <TT>/etc/shadow</TT> file and update that file if it does exist. <TT>nullok</TT> allows users to change their passwords from empty entries to real passwords. The last option, <TT>use_authtok</TT>, forces <TT>pam_pwdb.so</TT> to use the password retrieved from a previous <TT>module_type</TT> entry of <TT>password</TT> (here, the one already checked by <TT>pam_cracklib.so</TT>).</P>
<!-- CODE SNIP //-->
<PRE>
session required /lib/security/pam_pwdb.so
</PRE>
<!-- END CODE SNIP //-->
<P>This is the fourth and final usage of the <TT>pam_pwdb.so</TT> module. This time it sends login successes and failures to the system logs because the <TT>module_type</TT> is set to <TT>session</TT>.</P>
<P><FONT SIZE="+1"><B>The <I>other</I> File</B></FONT></P>
<P>What happens when you need to authenticate someone for a service, but you don’t have a PAM configuration file for him? Simple. Use the <TT>/etc/pam.d/other</TT> configuration file—a sort of catch-all type of setup.</P>
<P>In this situation, if a user tries to authenticate himself using a PAM-aware application (for example, the FTP server) but the configuration file for it is not there (in the case of the FTP server, the <TT>/etc/pam.d/ftp</TT> file got accidentally removed), PAM will default to using the configuration file <TT>/etc/pam.d/other</TT>.</P>
<P>By default, the <TT>other</TT> configuration file is set to a paranoid setting so that all authentication attempts are logged and then promptly denied. It is recommended that you keep it that way.</P>
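<P>The following is an added example, not code from the book, that shows the “stackable” evaluation described at the top of this section and the log-then-deny behavior of the <TT>other</TT> file. It parses the four-column line format of <TT>/etc/pam.d/login</TT> (<TT>module_type</TT>, <TT>control_flag</TT>, module path, arguments) and walks one <TT>module_type</TT> group the way PAM does: every <TT>required</TT> line runs, and a single failure makes the summary a failure. Module outcomes come from a constructed table rather than real PAM modules, and the contents of <TT>OTHER_CONF</TT> are an assumed stand-in for a distribution’s paranoid default (<TT>pam_warn.so</TT> and <TT>pam_deny.so</TT> are real Linux-PAM modules; the exact default file is not on this page).</P>

```python
"""Evaluate a PAM stack the way the chapter describes it.

Added example, not code from the book. Module outcomes come from a
constructed table, so no real PAM module is loaded.
"""
from dataclasses import dataclass

# The login file from the chapter.
LOGIN_CONF = """\
#%PAM-1.0
auth     required /lib/security/pam_securetty.so
auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so
"""

# Constructed stand-in for a paranoid /etc/pam.d/other: log, then deny.
# pam_warn.so and pam_deny.so exist in Linux-PAM; the exact default file
# shipped by a distribution is an assumption here.
OTHER_CONF = """\
#%PAM-1.0
auth     required /lib/security/pam_warn.so
auth     required /lib/security/pam_deny.so
account  required /lib/security/pam_warn.so
account  required /lib/security/pam_deny.so
password required /lib/security/pam_warn.so
password required /lib/security/pam_deny.so
session  required /lib/security/pam_warn.so
session  required /lib/security/pam_deny.so
"""


@dataclass
class Entry:
    module_type: str   # auth / account / password / session
    control_flag: str  # required, requisite or optional are modelled here
    module: str        # basename of the .so file
    args: tuple        # remaining words, e.g. ("shadow", "nullok")


def parse_pam_file(text):
    """Turn the text of a /etc/pam.d file into Entry objects, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#%PAM-1.0" and blank lines carry no rules
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        module = parts[2].rsplit("/", 1)[-1]
        entries.append(Entry(parts[0], parts[1], module, tuple(parts[3:])))
    return entries


def module_result(module, scenario):
    """Constructed outcome for one module call: pam_deny always fails,
    pam_warn only logs and so always succeeds, anything else is looked up
    in the scenario table and defaults to success."""
    if module == "pam_deny.so":
        return False
    if module == "pam_warn.so":
        return True
    return scenario.get(module, True)


def run_stack(entries, module_type, scenario):
    """Walk every line of one module_type and return (summary, trace).

    A failed 'required' line is remembered but later lines still run, so the
    caller learns only that the stack failed, not which line rejected it.
    A failed 'requisite' line stops the walk at once; 'optional' never
    changes the summary.
    """
    ok = True
    trace = []
    for e in entries:
        if e.module_type != module_type:
            continue
        passed = module_result(e.module, scenario)
        trace.append((e.module, passed))
        if e.control_flag == "required" and not passed:
            ok = False
        elif e.control_flag == "requisite" and not passed:
            ok = False
            break
    return ok, trace


def login_auth(scenario):
    return run_stack(parse_pam_file(LOGIN_CONF), "auth", scenario)


def other_auth():
    return run_stack(parse_pam_file(OTHER_CONF), "auth", {})


if __name__ == "__main__":
    # root on a terminal not listed in /etc/securetty: pam_securetty fails,
    # yet pam_pwdb and pam_nologin still run before the summary is returned
    print(login_auth({"pam_securetty.so": False}))
    # ordinary user with the correct password: every line succeeds
    print(login_auth({}))
    # service without its own file: the "other" stack warns, then denies
    print(other_auth())
```

<P>Running it shows why a <TT>required</TT> failure does not short-circuit the stack: the trace for the root-on-insecure-tty case still lists all three <TT>auth</TT> modules, while the <TT>other</TT> stack always ends in a denial no matter what the scenario table says.</P>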
<P><FONT SIZE="+1"><B>Oh No! I Can’t Log In!</B></FONT></P>
<P>In the immortal words of Douglas Adams, “don’t panic.” Like many other configuration errors that can occur under Linux, this one can be fixed by either booting into single user mode or booting off a floppy. (See Chapter 24, “Using LILO and LOADLIN,” for details on booting into single user mode.)
</P>
<P>After you are back into the system in single user mode, simply edit the <TT>/etc/pam.d/login</TT> file so that it contains only the following lines:</P>
<!-- CODE SNIP //-->
<PRE>
auth required /lib/security/pam_unix_auth.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_unix_passwd.so
session required /lib/security/pam_unix_session.so
</PRE>
<!-- END CODE SNIP //-->
<P>This simplified login configuration will stick to the original UNIX authentication method, which should hopefully work well enough to get you back into the system in multiuser mode.
</P>
<P>After you are back in multiuser mode, be sure to go back and fix the login configuration file to reflect what you really wanted to do instead of what it did—lock you out!</P>
<P><FONT SIZE="+1"><B>Debugging/Auditing</B></FONT></P>
<P>While you are debugging the PAM configuration files, be sure to keep an eye on the system log files (usually in <TT>/var/log</TT>), because most of the error logging will occur there.</P>
<P>When you have things working the way you like, be sure to check those files for auditing information from PAM. It reports not only authentication successes but failures as well. Multiple failures for a particular person or for a range of people in a short time could indicate trouble.</P><P><BR></P>
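<P>As an added example (not from the book), the script below does the kind of audit the paragraph above suggests: it reads syslog-style lines, keeps the authentication failures, and flags a user with several failures inside a short window as well as a burst of failures spread across many different users. The log lines are constructed for the example and their wording is an assumption; the regular expression in <TT>FAIL_RE</TT> would need adjusting to the exact message your <TT>login</TT> and PAM modules write.</P>

```python
"""Flag bursts of authentication failures in syslog-style log lines.

Added example, not code from the book. The log format is constructed for
the example; real messages differ between systems.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Syslog lines carry no year, so one is supplied
# when parsing.
SAMPLE_LOG = """\
Jan 14 10:02:11 host login[1201]: session opened for user alice
Jan 14 10:03:40 host login[1207]: authentication failure for user bob
Jan 14 10:03:52 host login[1207]: authentication failure for user bob
Jan 14 10:04:05 host login[1207]: authentication failure for user bob
Jan 14 10:04:20 host login[1207]: authentication failure for user bob
Jan 14 10:09:00 host login[1220]: session opened for user bob
Jan 14 11:30:00 host login[1301]: authentication failure for user carol
Jan 14 12:45:00 host login[1355]: authentication failure for user carol
Jan 14 13:00:01 host login[1402]: authentication failure for user dave
Jan 14 13:00:05 host login[1403]: authentication failure for user erin
Jan 14 13:00:09 host login[1404]: authentication failure for user frank
Jan 14 13:00:12 host login[1405]: authentication failure for user grace
Jan 14 13:00:15 host login[1406]: authentication failure for user heidi
Jan 14 13:00:19 host login[1407]: authentication failure for user ivan
"""

# Assumed message shape: "<timestamp> <host> <prog>[pid]: authentication failure for user <name>"
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: "
    r"authentication failure for user (?P<user>\S+)"
)


def parse_failures(log_text, year=2000):
    """Return a time-sorted list of (timestamp, user) for every failure line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successes and unrelated lines are not counted
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("user")))
    return sorted(events)


def find_burst(timestamps, threshold, window):
    """Sliding window: return (first, last) of the first run of at least
    `threshold` events that fit inside `window`, or None."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return ts[start], ts[end]
    return None


def audit(log_text, per_user=3, overall=6, window=timedelta(minutes=5)):
    """Return ({user: (first, last)}, overall_burst).

    The dictionary lists users with `per_user` or more failures inside
    `window`; overall_burst covers the "range of people" case, a window
    with `overall` failures regardless of which accounts were tried.
    """
    events = parse_failures(log_text)
    per_user_times = defaultdict(list)
    for ts, user in events:
        per_user_times[user].append(ts)
    flagged = {}
    for user, times in per_user_times.items():
        burst = find_burst(times, per_user, window)
        if burst:
            flagged[user] = burst
    overall_burst = find_burst([ts for ts, _ in events], overall, window)
    return flagged, overall_burst


if __name__ == "__main__":
    flagged, overall_burst = audit(SAMPLE_LOG)
    for user, (first, last) in flagged.items():
        print("user %s: repeated failures between %s and %s" % (user, first, last))
    if overall_burst:
        print("failures across many accounts between %s and %s" % overall_burst)
```

<P>With the sample above, <TT>bob</TT> is flagged for four failures within a minute, <TT>carol</TT> is not (two failures, hours apart), and the six single failures at 13:00 are caught only by the overall threshold, which is the pattern the text calls out as failures “for a range of people in a short time.”</P>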
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="422-424.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="../ch26/429-431.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>