Mastering Red Hat Linux 9 [Electronic resources] (text version)

Michael Jang

Using Pluggable Authentication Modules



Another level of security is based on Pluggable Authentication Modules (PAM). These modules are typically used to limit access to specific applications, such as halt or redhat-config-network, to the root user. Different modules let you regulate access by user, password, or access location. Control flags determine whether passing a PAM command line is enough to qualify the user to access the subject application.






Note


The definitions associated with PAM often overlap. For the purpose of this chapter, the commands that call PAM modules are “applications,” and commands in PAM module files are “command lines.”





Basic Configuration



PAM includes a series of dynamically loadable modules that can be customized for specific applications. PAM configuration files are stored in the /etc/pam.d directory. Individual modules are stored in the /lib/security directory and are documented in the /usr/share/doc/pam-version/txts directory.


PAM command lines are all organized in the following format:


module_type  control_flag  module_location  arguments


In the sections that follow, we examine modules and control flags. The module location is simply the location of the file, normally in /lib/security. Arguments are associated with each module.





Module Types



There are four different types of PAM modules, each related to user authentication:


Password: Linux login consoles don’t allow users to try to log in again and again, at least not easily. This is because of a PAM password module that sets limits for the number of attempted logins and password length.


Session: This type of module creates settings for an application. For example, PAM session modules can limit the number of times any specific user can log into a Linux server.


Account: This type of module manages access based on policies. For example, PAM account modules can allow or deny access based on a user list, time, or password expiration.


Auth: Short for authentication, an auth module checks the identity of a user. For example, PAM authentication modules can prompt for a username and password.


A common argument for each module is service=system-auth, which calls the system-auth PAM module for username and password requirements.





Control Flags



There are four possible control flags for each PAM command line. These flags, shown in Table 22.1, determine the action of the application when the module command succeeds or fails.

Table 22.1: Control Flags in PAM

Control Flag   Description
------------   -----------
optional       The module doesn’t really matter, unless all other modules also have the optional control flag.
required       If the module fails, the application associated with this file also fails.
requisite      If the module fails, immediately stop the authentication process and don’t allow use of the command; later commands in the PAM file are ignored.
sufficient     If the module succeeds, immediately stop the authentication process, and OK the use of the command; later commands in the PAM file are ignored.



A PAM Example



Chapter 15. Let’s take this file, line by line:


auth  sufficient  pam_rootok.so


The auth module type tells you that this command line is going to check the identity of a user. The sufficient control flag lets the application run if this command line succeeds. The pam_rootok.so module in the /lib/security directory returns PAM_SUCCESS if the user is root. In other words, if the root user runs redhat-config-xfree86, no other command lines in this file are run, and the application starts.


auth  sufficient  pam_timestamp.so


This command also uses the auth module type with a sufficient control flag. The pam_timestamp.so module normally returns PAM_SUCCESS for regular users who have run sudo in the past 5 minutes.


auth   required   pam_stack.so service=system-auth


This command uses the auth module type with a required control flag. The pam_stack.so module returns PAM_SUCCESS if the service=system-auth argument is satisfied. The system-auth module requires the user to enter the root password.


session  required  pam_permit.so


This command uses the session module type with a required control flag. The pam_permit.so module always returns PAM_SUCCESS, so PAM proceeds to the next line.


session  optional  pam_xauth.so


This command uses the session module type with an optional control flag. The pam_xauth.so module does not return success or failure. The optional flag makes this command line trivial with respect to this file. However, you can add a debug argument to log access requests in /var/log/messages.


session  optional  pam_timestamp.so


This command also uses the session module type with an optional control flag. The pam_timestamp.so module updates any available timestamp file, normally located in the /var/run/sudo directory. There’s one more command in this file:


account  required  pam_permit.so


This command uses the account module type with a required control flag. The pam_permit.so module always returns PAM_SUCCESS.
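The following Python script is an added illustration written for this page; it is not code from the book or from Linux-PAM. It parses the four-field command-line format given under Basic Configuration, applies the control-flag rules of Table 22.1 to one module type's stack, and replays them against the command lines walked through above, reassembled into one file. Module outcomes are supplied as a dictionary instead of being loaded from /lib/security, so the stack logic runs anywhere. One refinement beyond the table's wording: a sufficient module that succeeds does not grant access if an earlier required module has already failed, which is how Linux-PAM actually behaves. The module names pam_first.so and pam_second.so in the requisite-versus-required comparison are made up.

```python
"""Toy evaluator for the PAM control-flag semantics described on this page.

Illustration written for this page; it is not Linux-PAM code. Module
outcomes come from a dictionary instead of shared objects in /lib/security,
so the stack logic can be exercised anywhere.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class PamLine:
    module_type: str
    control_flag: str
    module: str                      # module file name, e.g. pam_rootok.so
    args: List[str] = field(default_factory=list)


def parse_pam_file(text: str) -> List[PamLine]:
    """Parse lines of the form: module_type control_flag module_location arguments."""
    parsed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, flag, module, *args = parts
        if mtype not in MODULE_TYPES or flag not in CONTROL_FLAGS:
            raise ValueError(f"unknown module type or control flag: {raw!r}")
        parsed.append(PamLine(mtype, flag, module, args))
    return parsed


def evaluate_stack(stack: List[PamLine], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Apply Table 22.1 to one module type's stack.

    `results` maps a module file name to the outcome it would return
    (True = PAM_SUCCESS); modules not listed are treated as failing.
    Returns (access allowed, modules consulted in order) so that the
    short-circuit behaviour of requisite and sufficient is visible.
    """
    consulted: List[str] = []
    required_failed = False
    optional_ok = False
    for entry in stack:
        consulted.append(entry.module)
        ok = results.get(entry.module, False)
        if entry.control_flag == "requisite" and not ok:
            return False, consulted          # stop at once; later lines ignored
        if entry.control_flag == "required" and not ok:
            required_failed = True           # remembered, but later lines still run
        if entry.control_flag == "sufficient" and ok and not required_failed:
            return True, consulted           # stop at once and allow access
        if entry.control_flag == "optional" and ok:
            optional_ok = True
    if all(e.control_flag == "optional" for e in stack):
        return optional_ok, consulted        # optional results count only here
    return not required_failed, consulted


def decide(config_text: str, module_type: str, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate the stack for one module type from a PAM configuration file."""
    stack = [e for e in parse_pam_file(config_text) if e.module_type == module_type]
    return evaluate_stack(stack, results)


# The command lines walked through in "A PAM Example", reassembled into one file.
REDHAT_CONFIG_XFREE86 = """
auth     sufficient  pam_rootok.so
auth     sufficient  pam_timestamp.so
auth     required    pam_stack.so service=system-auth
session  required    pam_permit.so
session  optional    pam_xauth.so
session  optional    pam_timestamp.so
account  required    pam_permit.so
"""

# Constructed stacks (pam_first.so / pam_second.so are made-up names) that differ
# only in the first control flag, to contrast requisite with required.
REQUISITE_FIRST = "auth  requisite  pam_first.so\nauth  required  pam_second.so\n"
REQUIRED_FIRST = "auth  required   pam_first.so\nauth  required  pam_second.so\n"

if __name__ == "__main__":
    cases = {
        "root user": {"pam_rootok.so": True},
        "user with fresh sudo timestamp": {"pam_timestamp.so": True},
        "user who fails system-auth": {},
        "user who passes system-auth": {"pam_stack.so": True},
    }
    for label, outcome in cases.items():
        print(f"{label:32} ->", decide(REDHAT_CONFIG_XFREE86, "auth", outcome))
    print("requisite first, both fail ->", decide(REQUISITE_FIRST, "auth", {}))
    print("required first,  both fail ->", decide(REQUIRED_FIRST, "auth", {}))
```

Running it shows the root user consulting only pam_rootok.so, a user with a fresh timestamp stopping at pam_timestamp.so, and everyone else reaching pam_stack.so, exactly as the walkthrough describes. The requisite-versus-required pair shows the one difference Table 22.1 draws between those two flags: requisite stops at the first failure, while required keeps consulting the remaining lines before denying access.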





