Warning: the original file contains invisible whitespace; do not edit it casually. Required filetype: Markdown, syntax: Markdown, editor: Sublime Text.
MANUAL SECTIONS:
The standard sections of the manual include:
1 User Commands
2 System Calls
3 C Library Functions
4 Devices and Special Files
5 File Formats and Conventions
6 Games et al.
7 Miscellanea
8 System Administration tools and Daemons
How to search for specific information about a command
Run man man for the details; the common forms are:
man number command
man -f command = whatis command
man -k command = apropos command
info command
Related commands:
crypt(3)
dlopen(3)
syslog(3)
Related files (directories):
/etc/passwd
/usr/lib/security
/lib/security
/lib64/security
/usr/include/security/ | grep types.h
/etc/security/access.conf
If /etc/pam.d exists, PAM will ignore /etc/pam.conf.
Linux-PAM deals with four separate types of management:
authentication management
account management
session management
password management
Each rule in /etc/pam.conf is a space-separated collection of tokens, the first three being case-insensitive:
service type control module-path module-arguments
The syntax of each file in /etc/pam.d/ is similar to that of the /etc/pam.conf file and is made up of lines of the following form:
type control module-path module-arguments
The service is typically the familiar name of the corresponding application: login and su are good examples. The service-name, other, is reserved for giving default rules. Only lines that mention the current service (or in the absence of such, the other entries) will be associated with the given service-application.
The type is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are:
account
this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console.
auth
this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties.
password
this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.
session
this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.
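
A parser for the two rule layouts described above, as an added example (not Linux-PAM code and not part of the original notes). The function names and sample rules are constructed; it also accepts the bracketed control form and a leading `-` on the type, which are Linux-PAM syntax not covered on this page, and it assumes the fallback to `other` is applied per management type.

```python
VALID_TYPES = {"account", "auth", "password", "session"}

def parse_rule(line, service=None):
    """Parse one rule into a dict; return None for blank or comment lines.
    service=None means /etc/pam.conf layout (service is the first token);
    otherwise the line comes from /etc/pam.d/<service> and has no service token."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    if service is None:
        service, tokens = tokens[0], tokens[1:]
    if len(tokens) < 3:
        raise ValueError(f"expected type, control and module-path: {line!r}")
    rtype = tokens[0].lower().lstrip("-")   # leading '-' is Linux-PAM syntax, not on this page
    if rtype not in VALID_TYPES:
        raise ValueError(f"unknown type {tokens[0]!r}")
    end = 1
    if tokens[1].startswith("["):           # bracketed control: [value=action ...]
        while end < len(tokens) and not tokens[end].endswith("]"):
            end += 1
    if end + 1 >= len(tokens):
        raise ValueError(f"missing module-path: {line!r}")
    return {"service": service.lower(), "type": rtype,
            "control": " ".join(tokens[1:end + 1]).lower(),
            "module": tokens[end + 1], "args": tokens[end + 2:]}

def load_rules(pam_conf="", pam_d=None):
    """pam_d maps file names under /etc/pam.d to their text; None means no such directory."""
    if pam_d is not None:                   # /etc/pam.d exists, so pam.conf is ignored
        pairs = [(l, name) for name, text in pam_d.items() for l in text.splitlines()]
    else:
        pairs = [(l, None) for l in pam_conf.splitlines()]
    return [r for r in (parse_rule(l, s) for l, s in pairs) if r]

def stack_for(rules, service, rtype):
    """Rules for one service and type; with none of its own, the 'other' entries
    apply (assumption: the fallback is decided per management type)."""
    own = [r for r in rules if r["service"] == service.lower() and r["type"] == rtype]
    return own or [r for r in rules if r["service"] == "other" and r["type"] == rtype]

# Constructed sample input, not taken from a real system.
SAMPLE_PAM_CONF = """\
login  AUTH     Required  pam_securetty.so
login  auth     required  pam_unix.so nullok
other  auth     required  pam_deny.so
other  session  required  pam_deny.so
"""
SAMPLE_PAM_D = {"su": "auth [success=ok default=bad] pam_unix.so\n-session optional pam_limits.so\n"}

if __name__ == "__main__":
    rules = load_rules(SAMPLE_PAM_CONF)
    for svc in ("login", "sshd"):
        print(svc, [(r["control"], r["module"]) for r in stack_for(rules, svc, "auth")])
```

Listing the stack a service falls back to shows whether an unconfigured service ends up on restrictive `other` rules or on something more permissive.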
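Introduction to common PAM modules

| PAM module | Management type | Description |
| --- | --- | --- |
| pam_unix.so | auth | Prompts the user for a password and compares it against the /etc/shadow file. Returns 0 on a match. |
| pam_unix.so | account | Checks the user's account information (including whether it has expired). Returns 0 when the account is usable. |
| pam_unix.so | password | Changes the user's password: the password the user enters is written to the shadow file as the new password. |
| pam_shells.so | auth, account | A user who wants to log in must have a shell that is listed in /etc/shells. |
| pam_deny.so | account, auth, password, session | This module can be used to deny access. |
| pam_permit.so | account, auth, password, session | This module returns success at all times. |
| pam_securetty.so | auth | When a user logs in as root, the login tty must be listed in /etc/securetty. |
| pam_listfile.so | account, auth, password, session | A switch for controlling access to an application. |
| pam_cracklib.so | password | This module can be inserted into a program's password stack to check password strength. |
| pam_limits.so | session | Sets upper limits on the use of system resources; the root user is subject to these limits as well. Configured through /etc/security/limits.conf or /etc/security/limits.d/*.conf. |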
Related topic:
Filesystem Hierarchy Standard (FHS)