This post was last edited by ty8080 on 2009-9-10 13:46
Some notes I put together while studying PAM modules.
PAM's layered architecture
Application layer ------- Application interface layer (PAM API, configuration files) ---------- Authentication modules
The middle layer, the application interface layer, exposes two kinds of API:
(1) interfaces the application calls to invoke specific modules in the layer below
(2) interfaces through which those modules talk back to the application (the conversation function)
Authentication interface: pam_authenticate() is the call an application makes to authenticate a user.
To check whether a program supports PAM at all, look at whether it links libpam. For example, vsftpd:
[root@mail ~]# ldd /usr/sbin/vsftpd |grep 'pam'
libpam.so.0 => /lib/libpam.so.0 (0x00b9f000)
You can see that vsftpd loads the PAM library. A program that does not link libpam is not affected by anything in /etc/pam.d.
Where PAM modules are stored
[root@mail ~]# ls /lib/security/
View a service's PAM configuration, for example the one for login
[root@mail ~]# vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
The above is the PAM configuration for the login program. Each line is: module type, control flag, module, module arguments.
Module types (the first column):
auth: modules that authenticate the user, i.e. check the username and password (or another credential)
account: checks that are not about the password itself, such as time of day or source network; once both auth and account succeed the user may log in
session: modules run around the login session to set up and restrict the resources it may use
password: modules used when the user changes (updates) their password
Control flags (the second column):
required: mandatory; if it fails, PAM does not report the failure immediately but keeps running the remaining modules of the stack, and the overall result is nevertheless failure (so the caller cannot tell which module rejected it).
include: pull in the lines of another file (system-auth here)
optional: does not affect the result, unless it is the only module in the stack
sufficient: if it succeeds, return success immediately (unless a required module earlier in the stack has already failed); if it fails, just continue with the next line
requisite: if it succeeds, continue with the next line; if it fails, return failure immediately
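To make the difference between the four flags concrete, here is an added example, written for this note and not part of the original post or of Linux-PAM, that simulates how one stack combines the results of its modules. The pam_stack function and its FLAG:RESULT notation are invented for the illustration, and the sample stacks at the bottom are constructed.

```shell
#!/bin/sh
# pam_stack: simulate how Linux-PAM combines the results of the modules in
# one management group (auth, account, ...) under the control flags.
# Each argument is FLAG:RESULT in stack order, RESULT being "ok" or "fail".
# Prints "<verdict> at <n>", where n is the module at which the stack
# stopped, and returns 0 for ok, 1 for fail.
pam_stack() {
  failed=0        # set once a required module has failed
  decisive=0      # set once a non-optional module has been seen
  last=ok         # result of the last optional module (used only if all are optional)
  n=0
  for entry in "$@"; do
    n=$((n + 1))
    flag=${entry%%:*}
    res=${entry#*:}
    case "$flag" in
      required)
        decisive=1
        # a failure is remembered, but the remaining modules still run
        # (the caller cannot tell which module rejected it)
        [ "$res" = fail ] && failed=1
        ;;
      requisite)
        decisive=1
        # a failure stops the stack immediately
        if [ "$res" = fail ]; then echo "fail at $n"; return 1; fi
        ;;
      sufficient)
        decisive=1
        # success ends the stack with ok, unless a required module above
        # already failed; a failure is simply ignored
        if [ "$res" = ok ] && [ "$failed" -eq 0 ]; then echo "ok at $n"; return 0; fi
        ;;
      optional)
        last=$res
        ;;
      *)
        echo "unknown control flag: $flag" >&2
        return 2
        ;;
    esac
  done
  if [ "$decisive" -eq 0 ]; then
    # a stack made only of optional modules takes the optional result
    echo "$last at $n"
    if [ "$last" = ok ]; then return 0; else return 1; fi
  fi
  if [ "$failed" -eq 1 ]; then echo "fail at $n"; return 1; fi
  echo "ok at $n"
  return 0
}

# Constructed sample stacks: the same two modules in both orders, plus a
# requisite failure that cuts the stack short.
for stack in "required:fail sufficient:ok" "sufficient:ok required:fail" "requisite:fail required:ok"; do
  printf '%-32s -> ' "$stack"
  pam_stack $stack || :
done
```

The ordering matters: with `required` above `sufficient` a failed required check is never bypassed, whereas `sufficient` placed first returns success before the required module is even consulted. `requisite` is the only flag that stops the stack on failure.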
pam_securetty.so provides the standard Unix secure-tty check: unless the value of PAM_TTY is listed in /etc/securetty, authentication for root fails. For all other users it succeeds.
The list of secure ttys can be edited:
vim /etc/securetty
PAM worked examples
PAM documentation (the directory name carries the installed pam version)
cd /usr/share/doc/pam-0.99.6.2/html/
firefox Linux-PAM_SAG.html
I. Restrict all users to logging in only from tty3
1. vim /etc/pam.d/login
Above the line account required pam_nologin.so add a line:
account required pam_access.so
2. Then write the configuration for the pam_access.so module
vim /etc/security/access.conf
-:ALL:ALL EXCEPT tty3
What the above configuration means
-: deny; ALL: all users; ALL: all origins (ttys or hosts); EXCEPT: except for. pam_access reads the file top to bottom and applies the first rule whose user field and origin field both match; if no rule matches, access is allowed. Note that this rule applies to root as well, so afterwards only tty3 lets root in.
Example: -:ty:ALL EXCEPT 192.168.0. .ty.com
The example above restricts the user ty to logging in only from 192.168.0.0/24 or from hosts under .ty.com (a trailing dot is a network prefix, a leading dot a domain suffix). It says nothing about other users.
II. When several applications need the same module for their checks but want different rules, each can be given its own configuration file:
1. vim /etc/pam.d/sshd
Above the line account required pam_nologin.so add a line:
account required pam_access.so accessfile=/etc/sshdaccess.conf
accessfile= tells the module where its configuration file lives
2. vim /etc/sshdaccess.conf
-:ty:ALL EXCEPT 192.168.1.
Restricts ty to ssh logins only from the 192.168.1.0/24 network. For sshd the origin pam_access sees is the client's address or host name (PAM_RHOST), not a tty, so the rules in this file should name networks or hosts rather than ttys.
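For both sections above, here is an added pam_access rule evaluator, code written for this note rather than the module's own source, covering the subset of access.conf syntax used on this page: +/- permissions, ALL, user names, EXCEPT, network prefixes with a trailing dot and domain suffixes with a leading dot. The function names (pam_access_check and its helpers) and the sample rule sets are my own; groups, LOCAL, CIDR masks and netgroups are deliberately not handled.

```shell
#!/bin/sh
# pam_access_check USER ORIGIN RULES: walk access.conf-style rules in order and
# print the verdict of the FIRST rule whose users and origins fields both match
# (allow / deny), or "allow" when no rule matches, which is what pam_access does.

# Does one origin pattern match the origin?
origin_matches() {
  pat=$1; o=$2
  case "$pat" in
    ALL) return 0 ;;
    *.)  case "$o" in "$pat"*) return 0 ;; esac ;;   # 192.168.0. is a network prefix
    .*)  case "$o" in *"$pat") return 0 ;; esac ;;   # .ty.com is a domain suffix
    *)   [ "$pat" = "$o" ] && return 0 ;;            # a tty or host name
  esac
  return 1
}

# Does one user pattern match the user? (ALL or an exact name)
user_matches() {
  [ "$1" = ALL ] || [ "$1" = "$2" ]
}

# list_matches "A B EXCEPT C D" VALUE MATCHER: true when VALUE matches one of
# the items before EXCEPT and none of the items after it.
list_matches() {
  list=$1; value=$2; matcher=$3
  include=$list; exclude=
  case "$list" in
    *" EXCEPT "*) include=${list%% EXCEPT *}; exclude=${list#* EXCEPT } ;;
  esac
  for item in $exclude; do
    $matcher "$item" "$value" && return 1
  done
  for item in $include; do
    $matcher "$item" "$value" && return 0
  done
  return 1
}

pam_access_check() {
  user=$1; origin=$2; rules=$3
  verdict=
  # normalise "perm : users : origins" to "perm:users:origins"
  normalised=$(printf '%s\n' "$rules" | sed 's/[[:space:]]*:[[:space:]]*/:/g')
  while IFS=: read -r perm users origins; do
    case "$perm" in ''|'#'*) continue ;; esac
    if list_matches "$users" "$user" user_matches &&
       list_matches "$origins" "$origin" origin_matches; then
      case "$perm" in +) verdict=allow ;; -) verdict=deny ;; esac
      break        # first matching rule decides
    fi
  done <<EOF
$normalised
EOF
  echo "${verdict:-allow}"
}

# Constructed sample: the catch-all rule from section I, with an allow line
# for root on the console placed FIRST so the deny cannot lock root out.
RULES='+:root:tty1
-:ALL:ALL EXCEPT tty3'
echo "root@tty1: $(pam_access_check root tty1 "$RULES")"
echo "root@tty2: $(pam_access_check root tty2 "$RULES")"
echo "ty@tty3:   $(pam_access_check ty tty3 "$RULES")"
# The per-user rule from section II restricts ty only; other users are untouched.
RULES2='-:ty:ALL EXCEPT 192.168.1.'
echo "ty@10.0.0.9:  $(pam_access_check ty 10.0.0.9 "$RULES2")"
echo "bob@10.0.0.9: $(pam_access_check bob 10.0.0.9 "$RULES2")"
```

Because the first matching line wins, any allow exception (root on a console, an admin network) has to sit above the broad deny, and a rule that names one user leaves everyone else allowed unless a later line covers them.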
III. Set up an sshd blacklist (pam_listfile.so). The module is a standard part of Linux-PAM, not something only RHEL ships.
1. vim /etc/pam.d/sshd
Insert before the first line:
auth required pam_listfile.so file=/etc/sshdusers item=user sense=deny
Explanation: file= names the list file; item= says what kind of entry the list holds (tty, user, rhost, ruser, group or shell, so a remote host or address is matched with item=rhost, not with item=user);
sense=deny makes the file a blacklist, sense=allow a whitelist. The list file must be a plain file that is not world-writable, otherwise the module refuses to use it, and onerr= (succeed or fail) decides what a missing or unreadable list yields, so a deny list should carry onerr=fail.
2. Write the blacklist, in the file named by file= above:
vim /etc/sshdusers
ty
haha
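pam_listfile is unforgiving about its list file, and the file name in the pam.d line and the file you actually edit are easy to get out of step, so here is an added check script, not part of the original post, that lints a pam_listfile.so line before it goes into /etc/pam.d. listfile_check is an invented name, and the temporary files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# listfile_check "PAM LINE": lint one pam_listfile.so line before it goes
# into /etc/pam.d. pam_listfile only uses a list that is a plain file and not
# world-writable; a list that cannot be read is handled according to onerr=.
# Prints findings and returns 0 only when the line looks usable.
listfile_check() {
  line=$1
  file=; item=; sense=; onerr=
  for tok in $line; do
    case "$tok" in
      file=*)  file=${tok#file=} ;;
      item=*)  item=${tok#item=} ;;
      sense=*) sense=${tok#sense=} ;;
      onerr=*) onerr=${tok#onerr=} ;;
    esac
  done
  rc=0
  case "$item" in
    tty|user|rhost|ruser|group|shell) ;;
    *) echo "item=$item: must be tty, user, rhost, ruser, group or shell"; rc=1 ;;
  esac
  case "$sense" in
    allow|deny) ;;
    *) echo "sense=$sense: must be allow or deny"; rc=1 ;;
  esac
  if [ -z "$file" ] || [ ! -f "$file" ]; then
    echo "list file '$file' is missing or not a plain file; names written to another file are never read"
    rc=1
  else
    # ls -ld prints the mode string first; character 9 is the other-write bit
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
      ????????w?) echo "$file is world-writable; pam_listfile will refuse it"; rc=1 ;;
    esac
  fi
  if [ "$sense" = deny ] && [ "$onerr" != fail ]; then
    echo "warning: deny list without onerr=fail; an unreadable list falls back to the onerr default"
  fi
  if [ "$rc" -eq 0 ]; then echo "ok: $sense entries of type $item from $file"; fi
  return "$rc"
}

# Constructed demonstration in a temporary directory: the line from this
# section against a list with the right name, then against a list written
# under a different name, which leaves the blacklist ineffective.
tmp=$(mktemp -d)
printf 'ty\nhaha\n' > "$tmp/sshdusers"
chmod 644 "$tmp/sshdusers"
listfile_check "auth required pam_listfile.so file=$tmp/sshdusers item=user sense=deny onerr=fail"
listfile_check "auth required pam_listfile.so file=$tmp/sshdaccess.conf item=user sense=deny onerr=fail" || :
rm -rf "$tmp"
```

Run it with the exact line you intend to install; the world-writable check matters because a list that any user can append to turns a blacklist into a self-service whitelist, and pam_listfile refuses such a file outright.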
IV. Put a time restriction on sshd (pam_time.so)
1. vim /etc/pam.d/sshd
Above the line account required pam_nologin.so insert a line:
account required pam_time.so
2. Edit the configuration file of the pam_time.so module
vim /etc/security/time.conf
*;*;*;MoTuWeThFr0900-1800
Explanation: the fields are services;ttys;users;times, so this line allows access for every service, tty and user only on weekdays from 09:00 to 18:00. Because pam_time.so was added to the sshd stack alone, only ssh logins are affected, but the rule covers root too, so keep a console login path that does not pass through this check.
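Added example, not from the original post: an evaluator for the times field of time.conf, so a rule can be probed for a given weekday and clock time before it locks somebody out. time_allowed, term_allows and to_int are invented names; the sample probes are constructed, and treating the end of a range as exclusive is an assumption.

```shell
#!/bin/sh
# time_allowed SPEC DAY HHMM: evaluate the times field of a pam_time.conf line
# for a weekday (Mo Tu We Th Fr Sa Su) and a clock time. Supported: day codes
# Mo..Su, Wk (Mon-Fri), Wd (Sat/Sun) and Al, where a repeated code toggles a
# day off again (MoWk = Tue-Fri); one HHMM-HHMM range, wrapping past midnight
# when end < start; a leading "!" negating a term; and "|" between alternative
# terms. "&" between terms is not handled. The end of a range is treated as
# exclusive here (assumption).

# Strip leading zeros so "0900" and "0005" can be compared with -le/-ge.
to_int() {
  v=$1
  while [ "${#v}" -gt 1 ] && [ "${v#0}" != "$v" ]; do v=${v#0}; done
  echo "$v"
}

# One term, e.g. "!MoWk0900-1800". Returns 0 when it allows DAY/NOW.
term_allows() {
  term=$1; day=$2; now=$3
  negate=0
  case "$term" in '!'*) negate=1; term=${term#!} ;; esac
  days=${term%%[0-9]*}          # day codes before the first digit
  range=${term#"$days"}         # HHMM-HHMM
  start=${range%-*}; end=${range#*-}
  [ "${#start}" -eq 4 ] && [ "${#end}" -eq 4 ] || return 2

  # Count how many codes cover DAY: an odd count means the day is selected.
  hits=0; rest=$days
  while [ -n "$rest" ]; do
    code=${rest%"${rest#??}"}; rest=${rest#??}
    case "$code" in
      Al) hits=$((hits + 1)) ;;
      Wk) case "$day" in Mo|Tu|We|Th|Fr) hits=$((hits + 1)) ;; esac ;;
      Wd) case "$day" in Sa|Su) hits=$((hits + 1)) ;; esac ;;
      "$day") hits=$((hits + 1)) ;;
      Mo|Tu|We|Th|Fr|Sa|Su) ;;
      *) return 2 ;;              # malformed day code
    esac
  done
  dayok=$((hits % 2))

  s=$(to_int "$start"); e=$(to_int "$end"); n=$(to_int "$now")
  timeok=0
  if [ "$s" -le "$e" ]; then
    [ "$n" -ge "$s" ] && [ "$n" -lt "$e" ] && timeok=1
  else
    { [ "$n" -ge "$s" ] || [ "$n" -lt "$e" ]; } && timeok=1   # wraps midnight
  fi

  ok=$((dayok && timeok))
  [ "$negate" -eq 1 ] && ok=$((!ok))
  [ "$ok" -eq 1 ]
}

# Whole field: terms separated by "|" are alternatives.
time_allowed() {
  spec=$1; day=$2; now=$3
  saved_ifs=$IFS; IFS='|'
  set -- $spec
  IFS=$saved_ifs
  for term in "$@"; do
    if term_allows "$term" "$day" "$now"; then return 0; fi
  done
  return 1
}

# Constructed probes of the rule from this section around its boundaries.
for probe in "Mo 0859" "Mo 0900" "Fr 1759" "Fr 1800" "Sa 1200"; do
  set -- $probe
  if time_allowed MoTuWeThFr0900-1800 "$1" "$2"; then v=allowed; else v=denied; fi
  echo "$1 $2: $v"
done
```

Probing the boundaries this way is the cheapest check before editing time.conf, since pam_time gives no feedback other than a refused login.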
V. Use the pam_limits.so module to restrict system resources
1. vim /etc/security/limits.conf
apache hard nproc 3
Explanation: a hard limit of 3 processes for the apache user (the item is spelled nproc). pam_limits applies these limits in the session phase, so they take effect for processes started through a PAM session (login, ssh, su), not for a daemon started directly from an init script.
我爱小企鹅 posted on 2009-09-17 22:03:18:
What is all this? I can't understand any of it.
My fundamentals are too weak.
h_h posted on 2009-09-11 10:21:49:
Weak fundamentals, can't follow it. Haha. Have to catch up quickly.
ty8080 posted on 2009-09-10 16:02:15:
If you can settle down and study it, it isn't hard.
Relief posted on 2009-09-10 15:14:27:
A bit difficult.
l460618498 posted on 2009-09-10 14:15:09:
Good stuff!
满脸胡子 posted on 2009-09-10 13:54:03:
Not bad, practical. Kudos.