Saturday, September 26, 2009

Understanding Linux-PAM

Preface

This is a post in which I have gathered information in order to understand PAM (Pluggable Authentication Modules) myself.





Introduction

Anyone who regularly works with Linux distributions should, on hearing the word "PAM", recognise it as a technical term related to Linux. But how many of them really understand it accurately? I, at least, did not. What I understood amounted to

something that provides functions you can use for authentication

and little more. Recently I have been working with OpenLDAP a lot, and I was handling PAM and NSS in order to let users log in to Linux hosts based on the user information kept in the OpenLDAP backend database. Along the way I felt there was far too much I did not understand, so I decided this was a good opportunity to sort it out.

In brief: rather than each application providing its own authentication logic, everyone is better off if applications use the PAM that the system provides. To begin, I checked the man page by running

% man pam



and found that it says:

This manual is intended to offer a quick introduction to Linux-PAM. For more information the reader is directed to the Linux-PAM system administrators' guide.





Configuration

Configuring via pam.conf appears to be out of date.

/etc/pam.conf

On this machine, Ubuntu 9.04 Server 32-bit, the default pam.conf contains the following.

# ---------------------------------------------------------------------------#
# /etc/pam.conf                                                              #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#

# Format:
# serv.   module   ctrl     module      [path]   ...[args..] #
# name    type     flag                                      #


Since "#" marks a comment, every line is commented out. As stated under NOTE, this file, pam.conf, is used only when the /etc/pam.d directory does not exist.

Directory based configuration - /etc/pam.d

These, again from Ubuntu 9.04 Server 32-bit, are the files stored in the default /etc/pam.d directory.

% ls -l /etc/pam.d
total 60
-rw-r--r-- 1 root root 182 2009-04-17 16:53 atd
-rw-r--r-- 1 root root 384 2009-04-04 14:42 chfn
-rw-r--r-- 1 root root 581 2009-04-04 14:42 chsh
-rw-r--r-- 1 root root 1208 2009-09-26 14:36 common-account
-rw-r--r-- 1 root root 1221 2009-09-26 14:36 common-auth
-rw-r--r-- 1 root root 1440 2009-09-26 14:36 common-password
-rw-r--r-- 1 root root 1201 2009-09-26 14:36 common-session
-rw-r--r-- 1 root root 289 2008-11-13 00:47 cron
-rw-r--r-- 1 root root 3592 2009-04-04 14:42 login
-rw-r--r-- 1 root root 520 2009-03-21 18:28 other
-rw-r--r-- 1 root root 92 2009-04-04 14:42 passwd
-rw-r--r-- 1 root root 168 2009-02-21 02:24 ppp
-rw-r--r-- 1 root root 1272 2009-01-29 05:58 sshd
-rw-r--r-- 1 root root 2305 2009-04-04 14:42 su
-rw-r--r-- 1 root root 119 2009-02-17 12:22 sudo
%


Let's check how the "login" file is written.

% cat /etc/pam.d/login 
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain. (When SELinux
# is disabled, this returns success.)
session required pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this. (When
# SELinux is disabled, this returns success.)
session required pam_selinux.so open
%


That is rather a lot, so let's extract only the lines that remain after removing comments and blank lines.

% grep -v '\(^#\)\|\(^[   ]*$\)' /etc/pam.d/login 
auth optional pam_faildelay.so delay=3000000
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
auth requisite pam_nologin.so
session required pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session required pam_selinux.so open
%


Each file in the /etc/pam.d directory is written in the following format.

type control module-path module-arguments


type



The type is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are:

account


this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console.

auth


this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties.

password


this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.

session


this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

control



required


failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

requisite


like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.

sufficient


success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.

optional


the success or failure of this module is only important if it is the only module in the stack associated with this service+type.

module-path



module-path is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location: /lib/security/ or /lib64/security/, depending on the architecture.

module-arguments



module-arguments are a space separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets.
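The control flags are easiest to understand by walking a stack. The Python below is an added example (not code from this post or from Linux-PAM): it parses rules in the /etc/pam.d line format and evaluates one management group following the man-page semantics quoted above, with constructed sample stacks (the login auth stack with common-auth expanded into pam_unix, and a su-style rootok stack) and module outcomes supplied as a dict.

```python
"""Walk one Linux-PAM management-group stack under the four control
flags, following the man-page semantics quoted above (added example,
not libpam's own dispatch code)."""

# Constructed samples: LOGIN_AUTH is the login auth stack above with the
# common-auth @include expanded into one pam_unix rule; SU_AUTH is the
# classic sufficient-then-required pattern used by su.
LOGIN_AUTH = """
auth optional  pam_faildelay.so delay=3000000
auth requisite pam_nologin.so
auth required  pam_unix.so nullok_secure
auth optional  pam_group.so
"""
SU_AUTH = """
auth sufficient pam_rootok.so
auth required   pam_unix.so
"""

def parse_rules(text, group):
    """Return [(control, module, args)] for each rule of the given type."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] == "@include":
            continue                        # comments and includes skipped
        if fields[0] == group:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules

def evaluate(rules, outcome):
    """outcome maps module name -> True (PAM_SUCCESS) or False; unlisted
    modules succeed. Returns (stack_ok, modules_invoked_in_order)."""
    invoked, required_failed, positive = [], False, False
    for control, module, _args in rules:
        ok = outcome.get(module, True)
        invoked.append(module)
        if not ok:
            if control == "requisite":
                return False, invoked       # die: straight back to the app
            if control == "required":
                required_failed = True      # bad: keep walking, fail at end
            continue                        # sufficient/optional: ignored
        positive = True                     # any success counts as "ok"
        if control == "sufficient" and not required_failed:
            return True, invoked            # done: rest of stack skipped
    return positive and not required_failed, invoked
```

With `{"pam_nologin.so": False}` the login stack stops with failure right after pam_nologin.so, before pam_unix.so ever asks for a password; with `{"pam_unix.so": False}` all four modules still run and the stack fails only at the end.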





Available modules



The modules PAM can use are stored in the /lib/security directory. On a 64-bit installation they are stored in the /lib64/security directory. On Ubuntu 9.04 Server 32-bit, the /lib64 directory appears to be a symbolic link to /lib.

Example on Ubuntu 8.10 Desktop 64-bit



% ls -dl /lib64
lrwxrwxrwx 1 root root 4 2009-07-25 00:36 /lib64 -> /lib
%


Example on Ubuntu 9.04 Server 32-bit



% ls -l /lib/security/*
-rw-r--r-- 1 root root 13916 2009-03-21 18:33 /lib/security/pam_access.so
-rw-r--r-- 1 root root 9496 2009-03-27 17:28 /lib/security/pam_ck_connector.so
-rw-r--r-- 1 root root 5392 2009-03-21 18:33 /lib/security/pam_debug.so
-rw-r--r-- 1 root root 5264 2009-03-21 18:33 /lib/security/pam_deny.so
-rw-r--r-- 1 root root 9456 2009-03-21 18:33 /lib/security/pam_echo.so
-rw-r--r-- 1 root root 13596 2009-03-21 18:33 /lib/security/pam_env.so
-rw-r--r-- 1 root root 9572 2009-03-21 18:33 /lib/security/pam_exec.so
-rw-r--r-- 1 root root 5380 2009-03-21 18:33 /lib/security/pam_faildelay.so
-rw-r--r-- 1 root root 13612 2009-03-21 18:33 /lib/security/pam_filter.so
-rw-r--r-- 1 root root 5340 2009-03-21 18:33 /lib/security/pam_ftp.so
-rw-r--r-- 1 root root 13656 2009-03-21 18:33 /lib/security/pam_group.so
-rw-r--r-- 1 root root 9516 2009-03-21 18:33 /lib/security/pam_issue.so
-rw-r--r-- 1 root root 9456 2009-03-21 18:33 /lib/security/pam_keyinit.so
-rw-r--r-- 1 root root 9496 2009-03-21 18:33 /lib/security/pam_lastlog.so
-rw-r--r-- 1 root root 17808 2009-03-21 18:33 /lib/security/pam_limits.so
-rw-r--r-- 1 root root 9500 2009-03-21 18:33 /lib/security/pam_listfile.so
-rw-r--r-- 1 root root 5352 2009-03-21 18:33 /lib/security/pam_localuser.so
-rw-r--r-- 1 root root 5352 2009-03-21 18:33 /lib/security/pam_loginuid.so
-rw-r--r-- 1 root root 9464 2009-03-21 18:33 /lib/security/pam_mail.so
-rw-r--r-- 1 root root 17792 2009-03-21 18:33 /lib/security/pam_mkhomedir.so
-rw-r--r-- 1 root root 5356 2009-03-21 18:33 /lib/security/pam_motd.so
-rw-r--r-- 1 root root 34388 2009-03-21 18:33 /lib/security/pam_namespace.so
-rw-r--r-- 1 root root 5356 2009-03-21 18:33 /lib/security/pam_nologin.so
-rw-r--r-- 1 root root 5324 2009-03-21 18:33 /lib/security/pam_permit.so
lrwxrwxrwx 1 root root 13 2009-09-26 14:27 /lib/security/pam_rhosts_auth.so -> pam_rhosts.so
-rw-r--r-- 1 root root 5340 2009-03-21 18:33 /lib/security/pam_rhosts.so
-rw-r--r-- 1 root root 5332 2009-03-21 18:33 /lib/security/pam_rootok.so
-rw-r--r-- 1 root root 9464 2009-03-21 18:33 /lib/security/pam_securetty.so
-rw-r--r-- 1 root root 17752 2009-03-21 18:33 /lib/security/pam_selinux.so
-rw-r--r-- 1 root root 9536 2009-03-21 18:33 /lib/security/pam_sepermit.so
-rw-r--r-- 1 root root 5352 2009-03-21 18:33 /lib/security/pam_shells.so
-rw-r--r-- 1 root root 13564 2009-03-21 18:33 /lib/security/pam_stress.so
-rw-r--r-- 1 root root 9496 2009-03-21 18:33 /lib/security/pam_succeed_if.so
-rw-r--r-- 1 root root 13600 2009-03-21 18:33 /lib/security/pam_tally.so
-rw-r--r-- 1 root root 9532 2009-03-21 18:33 /lib/security/pam_time.so
-rw-r--r-- 1 root root 9504 2009-03-21 18:33 /lib/security/pam_umask.so
lrwxrwxrwx 1 root root 11 2009-09-26 14:27 /lib/security/pam_unix_acct.so -> pam_unix.so
lrwxrwxrwx 1 root root 11 2009-09-26 14:27 /lib/security/pam_unix_auth.so -> pam_unix.so
lrwxrwxrwx 1 root root 11 2009-09-26 14:27 /lib/security/pam_unix_passwd.so -> pam_unix.so
lrwxrwxrwx 1 root root 11 2009-09-26 14:27 /lib/security/pam_unix_session.so -> pam_unix.so
-rw-r--r-- 1 root root 50848 2009-03-21 18:33 /lib/security/pam_unix.so
-rw-r--r-- 1 root root 9492 2009-03-21 18:33 /lib/security/pam_userdb.so
-rw-r--r-- 1 root root 5320 2009-03-21 18:33 /lib/security/pam_warn.so
-rw-r--r-- 1 root root 5360 2009-03-21 18:33 /lib/security/pam_wheel.so
-rw-r--r-- 1 root root 13716 2009-03-21 18:33 /lib/security/pam_xauth.so
%


// TODO: pick out a few of the modules and describe them.



Examples



// TODO





Resources



The Linux-PAM System Administrators' Guide

Linux.com :: Let PAM take care of GNU/Linux security for you
