doc073.htm

来自「Reh Hat user manual. really goooood」· HTM 代码 · 共 218 行

<html><body>
<a href="doc074.html"><img src=../icons/next.gif alt="Next"></a>
<a href="doc000.html"><img src=../icons/up.gif alt="Up"></a>
<a href="doc072.html"><img src=../icons/previous.gif alt="Previous"></a>
<a href="doc000.html"><img src=../icons/contents.gif alt="Contents"></a>
<a href="doc123.html"><img src=../icons/index.gif alt="Index"></a>
<hr>
<h2><a name="s10.4">10.4 User Authentication with PAM</a></h2>
<title>User Authentication with PAM</title>

<a name="i236">

<p>Programs which give users access to privileges of any sort need to
be able to authenticate the users.  When you log into a system, you
provide your name and password, and the login process uses those
to authenticate the login---to verify that you are who you say you
are.  Other forms of authentication than passwords are possible, and
it is possible for the passwords to be stored in different ways.

<p>PAM, which stands for ``Pluggable Authentication Modules'', is a way of
allowing the system administrator to set authentication policy without
having to recompile programs which do authentication.  With PAM, you
control how the modules are plugged into the programs by editing a
configuration file.

<p>Most Red Hat Linux users will never need to touch this configuration file.
When you use RPM to install programs that need to do authentication,
they automatically make the changes that are needed to do normal password
authentication.  However, you may want to customize your configuration,
in which case you need to understand the configuration file.

<p><h3><a name="s10.4.1">10.4.1 Modules</a></h3>
<title>Modules</title>

<a name="i237">

<p>There are four types of modules defined by the PAM standard.
<tt>auth</tt> modules provide the actual authentication, perhaps
asking for and checking a password, and set ``credentials'' such as
group membership or kerberos ``tickets''. <tt>account</tt> modules check
to make sure that the authentication is allowed (the account has not
expired, the user is allowed to log in at this time of day, etc.).
<tt>password</tt> modules are used to set passwords.
<tt>session</tt> modules are used once a user has been authenticated
to make it possible for them to use their account, perhaps mounting
the user's home directory or making their mailbox available.

<p>These modules may be <em>stacked</em>, so that multiple modules are used.
For instance, rlogin normally makes use of at least two authentication
methods: if ``rhosts'' authentication succeeds, it is sufficient to allow
the connection; if it fails, then standard password authentication
is done.

<p>New modules can be added at any time, and PAM-aware applications can
then be made to use them.  For instance, if you have a one-time-password
calculator system, and you can write a module to support it (documentation
on writing modules is included with the system), PAM-aware programs can
use the new module and work with the new one-time-password calculators
without being recompiled or otherwise modified in any way.

<p><h3><a name="s10.4.2">10.4.2 Services</a></h3>
<title>Services</title>

<a name="i238">

<p>Each program which uses PAM defines its own ``service'' name.  The login
program defines the service type <tt>login</tt>, ftpd defines the service
type <tt>ftp</tt>, etc.  In general, the service type is the name of the
program used to <b>access</b> the service, not (if there is a difference)
the program used to <b>provide</b> the service.

<p><h3><a name="s10.4.3">10.4.3 The Configuration Files</a></h3>
<title>The Configuration Files</title>

<a name="i239">
<a name="i240">

<p>The directory <tt>/etc/pam.d</tt> is used to configure all PAM applications.
(This used to be <tt>/etc/pam.conf</tt> in earlier PAM versions; while the
<tt>pam.conf</tt> file is still read if no <tt>/etc/pam.d/</tt> entry is found,
its use is deprecated.)
Each application (really, each <b>service</b>) has its own file.
A file looks like this:

<p><blockquote><font size=-1><tt>
<pre>
#%PAM-1.0
auth      required  /lib/security/pam_securetty.so
auth      required  /lib/security/pam_pwdb.so shadow nullok
auth      required  /lib/security/pam_nologin.so
account   required  /lib/security/pam_pwdb.so
password  required  /lib/security/pam_cracklib.so
password  required  /lib/security/pam_pwdb.so shadow nullok use_authtok
session   required  /lib/security/pam_pwdb.so
</pre>
</tt></font></blockquote>

<p>The first line is a comment.  Any line that starts with a <tt>#</tt>
character is a comment.  The next three lines stack up three modules
to use for login authorization.  The first line makes sure that <em>if</em>
the user is trying to log in as root, the tty on which they are
logging in is listed in the <tt>/etc/securetty</tt> file <em>if</em>
that file exists.  The second line causes the user to be asked for
a password and the password checked.  The third line checks to see if the file
<tt>/etc/nologin</tt> exists, and if it does, displays the contents
of the file, and if the user is not root, does not let him or her log
in.

<p>Note that all three modules are checked, <em>even if the first
module fails</em>.  This is a security decision---it is designed to
not let the user know why their authentication was disallowed,
because knowing why it was disallowed might allow them to break
the authentication more easily.  You can change this behavior
by changing <tt>required</tt> to <tt>requisite</tt>; if any <tt>
requisite</tt> module returns failure, PAM fails immediately without
calling any other modules.

<p>The fifth line causes any necessary accounting to be done.  For
example, if shadow passwords have been enabled, the <tt>pam_pwdb.so</tt>
module will check to see if the account has expired, or if the
user has not changed his or her password and the grace period for
changing the password has expired.

<p>The sixth line specifies that if the login program changes the user's
password, it should use the <tt>pam_pwdb.so</tt> module to
do so.  (It will do so only if an <tt>auth</tt> module has determined
that the password needs to be changed---for example, if a shadow
password has expired.)

<p>The final line specifies that the <tt>pam_pwdb.so</tt> module
should be used to manage the session.  Currently, that module doesn't
do anything; it could be replaced (or supplemented by stacking)
by any necessary module.

<p>Note that the order of the lines within each file matters.
While it doesn't really matter much in which order <tt>required</tt>
modules are called, there are other <em>control flags</em> available.
While <tt>optional</tt> is rarely used, and never used by default on
a Red Hat Linux system, <tt>sufficient</tt> and <tt>requisite</tt> cause
order to become important.

<p>Let's look at the <tt>auth</tt> configuration for <tt>rlogin</tt>:

<p><blockquote><font size=-1><tt>
<pre>
auth  required    /lib/security/pam_securetty.so
auth  sufficient  /lib/security/pam_rhosts_auth.so
auth  required    /lib/security/pam_pwdb.so shadow nullok
auth  required    /lib/security/pam_nologin.so
</pre>
</tt></font></blockquote>

<p>That looks <em>almost</em> like the <tt>login</tt> entry, but there's an
extra line specifying an extra module, and the modules are
specified in a different order.

<p>First, <tt>pam_securetty.so</tt> keeps root logins from happening
on insecure terminals.  This effectively disallows all root rlogin
attempts.  If you wish to allow them (in which case we recommend
that you either not be internet-connected or be behind a good
firewall), you can simply remove that line.

<p>Second, <tt>pam_nologin.so</tt> checks <tt>/etc/nologin</tt>, as specified above.

<p>Third, if <tt>pam_rhosts_auth.so</tt> authenticates the user, PAM
immediately returns success to rlogin without any password checking
being done.  If <tt>pam_rhosts_auth.so</tt> fails to authenticate
the user, that failed authentication is ignored.

<p>Finally (if <tt>pam_rhosts_auth.so</tt> has failed to authenticate
the user), the <tt>pam_pwdb.so</tt> module performs normal password
authentication.

<p>Note that if you do not want to prompt for a password if the securetty
check fails, you can change the <tt>pam_securetty.so</tt> module from
<tt>required</tt> to <tt>requisite</tt>

<p><h3><a name="s10.4.4">10.4.4 Shadow Passwords</a></h3>
<title>Shadow Passwords</title>

<a name="i241">
<a name="i242">

<p>The default <tt>pam_pwdb.so</tt> module can support shadow passwords.
In order to convert your system to shadow passwords, use these
commands:

<p><blockquote><font size=-1><tt>
<pre>
cd /etc
pwconv5
chmod 600 passwd- shadow-
</pre>
</tt></font></blockquote>

<p>The <tt>pam_pwdb.so</tt> module will automatically detect that
you are using shadow passwords and make all necessary adjustments.

<p><h3><a name="s10.4.5">10.4.5 More Information</a></h3>
<title>More Information</title>


<p>This is just an introduction to PAM.  More information is included
with the system in <tt>/usr/doc/pam*</tt>,
including a <em>System Administrators' Guide</em>, a <em>Module Writers'
Manual</em>, an <em>Application Developers' Manual</em>, and the PAM
standard, DCE-RFC 86.0.  In addition, documentation is available
from the Red Hat web site, at <tt>http://www.redhat.com/linux-info/pam/</tt>.

<p><p><hr>
<a href="doc074.html"><img src=../icons/next.gif alt="Next"></a>
<a href="doc000.html"><img src=../icons/up.gif alt="Up"></a>
<a href="doc072.html"><img src=../icons/previous.gif alt="Previous"></a>
<a href="doc000.html"><img src=../icons/contents.gif alt="Contents"></a>
<a href="doc123.html"><img src=../icons/index.gif alt="Index"></a>
<hr>
</body></html>