Name Resolution and Security Authentication Inside Linux (original)

We all know that computers prefer numbers while humans prefer words, so the processes we run on a computer, the users we define, port numbers, protocols, IP addresses and so on all have to be converted into numeric form before the computer can understand them. The framework that implements this on Linux is nsswitch.

The Name Service Switch (NSS) is a facility in Unix-like operating systems that provides a variety of sources for common configuration databases and name resolution mechanisms. These sources include local operating system files (such as /etc/passwd, /etc/group, and /etc/hosts), the Domain Name System (DNS), the Network Information Service (NIS), and LDAP.

A system administrator usually configures the operating system's name services using the file /etc/nsswitch.conf. This lists databases (such as passwd, shadow and group) and one or more sources for obtaining that information. Examples for sources are files for local files, ldap for the Lightweight Directory Access Protocol, nis for the Network Information Service, nisplus for NIS+, and wins for Windows Internet Name Service.

The nsswitch.conf file has line entries for each service consisting of a database name in the first field, terminated by a colon, and a list of possible source databases mechanisms in the second field. A typical file might look like:

passwd: files ldap
shadow: files
group: files ldap
hosts: dns nis files
ethers: files nis
netmasks: files nis
networks: files nis
protocols: files nis
rpc: files nis
services: files nis
automount: files
aliases: files

The order of the services listed determines in which order NSS will attempt to use those services to resolve queries on the specified database.

The English above should not be too hard; look up a few words and you can follow it. Let me explain briefly: nsswitch acts like a filter interface, or a dispatching device. When we need name resolution, nsswitch picks, according to the entries defined in /etc/nsswitch.conf, which resolution method the name is handed to, for example local files, a NIS server, a DNS server, or an LDAP database (poor write performance, but high read performance).

In the library directories /lib64/libnss* and /usr/lib64/libnss* you can see the libraries nsswitch calls to carry out each kind of resolution. Among them, libnss3.so is the driver for the corresponding database interface.

Our configuration file also states which services each of these modules calls.

This is how entries are defined, and it is really simple. One entry is: database name: resolver library type (there can be several; priority decreases from left to right).

Database names:

aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services, shadow

Resolver library types:

files, dns, compat, dbm, hesiod, winbind, wins, nis, nisplus

Status values returned by a resolver library query:

SUCCESS: service ok, found name
NOTFOUND: service ok, name not found
UNAVAIL: service not available
TRYAGAIN: temporary service failure

Default action: on the first SUCCESS status, return; otherwise, continue on to the next resolver library.

To change this behaviour, define [NOTFOUND=return], which returns immediately without consulting the later resolver libraries.

One pass of resolving the system's passwd database:

libnss3.so --> (/etc/nsswitch.conf) --> libnss_files.so --> /etc/passwd

getent is the command for resolving and verifying names through the nsswitch framework:
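On a real system, `getent passwd root` or `getent hosts printer` walks exactly the source order and status/action rules described above. The Python block below is an added example, not code from the article or from glibc: it parses a constructed nsswitch.conf fragment (including a `[NOTFOUND=return]` override), simulates the libnss_*.so modules with in-memory tables, and records which sources were consulted for each query. The configuration text, the sample users and hosts, and the "down server" backend are all constructed for illustration.

```python
"""Simulate the NSS lookup order and the [STATUS=action] overrides described
above.  Constructed example: the nsswitch.conf text and the in-memory
"backends" below are fakes standing in for /etc/nsswitch.conf and the
libnss_*.so modules; nothing here is the article's or glibc's own code."""
import re

# What glibc does with each status when the entry carries no [..] override.
DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "NOTFOUND": "continue",
    "UNAVAIL": "continue",
    "TRYAGAIN": "continue",
}

# Constructed configuration fragment (not copied from any real system).
NSSWITCH_CONF = """
# database:  source [STATUS=action] source ...
passwd: files ldap
shadow: files
hosts:  dns [NOTFOUND=return] files
"""


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]} in file order."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        entries = []
        for tok in rest.split():
            m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
            if m is None:
                entries.append((tok, {}))          # a source such as files/ldap
            elif entries:
                entries[-1][1][m.group(1).upper()] = m.group(2).lower()
            else:
                raise ValueError(f"{db}: action {tok} precedes any source")
        conf[db.strip()] = entries
    return conf


def static_backend(tables, unavailable=()):
    """Fake libnss_* module backed by {db: {key: value}}.  Databases named in
    `unavailable` answer UNAVAIL, like an unreachable LDAP or DNS server."""
    def lookup(db, key):
        if db in unavailable or db not in tables:
            return "UNAVAIL", None
        value = tables[db].get(key)
        return ("SUCCESS", value) if value is not None else ("NOTFOUND", None)
    return lookup


def nss_lookup(conf, backends, db, key):
    """Walk the sources configured for `db`; return (status, value, trace),
    where trace records (source, status) for every source actually consulted."""
    trace = []
    status, value = "UNAVAIL", None       # result when no source is configured
    for source, actions in conf.get(db, []):
        backend = backends.get(source)
        status, value = backend(db, key) if backend else ("UNAVAIL", None)
        trace.append((source, status))
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            break                          # e.g. SUCCESS, or [NOTFOUND=return]
    return status, value, trace


# Constructed sample data for the three sources used in NSSWITCH_CONF.
DEMO_BACKENDS = {
    "files": static_backend({
        "passwd": {"root": "root:x:0:0:root:/root:/bin/bash"},
        "shadow": {"root": "root:!locked:19000:0:99999:7:::"},
        "hosts": {"printer": "10.0.0.5 printer"},
    }),
    "ldap": static_backend({
        "passwd": {"alice": "alice:x:1001:1001:Alice:/home/alice:/bin/bash"},
    }),
    "dns": static_backend({"hosts": {"www.example.test": "192.0.2.10 www.example.test"}}),
}

if __name__ == "__main__":
    conf = parse_nsswitch(NSSWITCH_CONF)
    for db, key in (("passwd", "root"), ("passwd", "alice"), ("hosts", "printer")):
        print(db, key, nss_lookup(conf, DEMO_BACKENDS, db, key))
```

The `hosts` line is the interesting one: with `dns [NOTFOUND=return] files`, a host that DNS authoritatively does not know is never looked up in /etc/hosts, but if the DNS backend is unavailable the default `continue` action still falls through to the local file.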

That wraps up nsswitch. Next we discuss PAM, the authentication framework on Linux. You have probably heard of "3A" authentication servers, that is, AAA: Authentication, Authorization and Accounting. When many applications all need an authentication mechanism, the authentication function can be provided by a shared library, and that shared library is implemented through PAM.

Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and services in a Linux system. Linux PAM is evolved from the Unix Pluggable Authentication Modules architecture.

Linux-PAM separates the tasks of authentication into four independent management groups:

account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service.

authentication modules verify the user's identity, for example by requesting and checking a password or other secret. They may also pass authentication information on to other systems like a keyring.

password modules are responsible for updating passwords, and are generally coupled to modules employed in the authentication step. They may also be used to enforce strong passwords.

session modules define actions that are performed at the beginning and end of sessions. A session starts after the user has successfully authenticated.

A brief explanation:

Account module: checks whether the entered account and password are correct, whether the current time is within the validity period, and so on.

Authentication module: verifies that the user really is who they claim to be, by a password, another kind of secret, authentication against another server, and so on.

Password module: updates passwords and sets the required password strength.

Session module: sets the permissions and other contents of the session; it runs after the user has authenticated successfully, before the session is established, and again when it ends.

Modules PAM calls:

How PAM works:

PAM configuration files:

/etc/pam.conf: the main configuration file

Service type control module-path module-arguments

/etc/pam.d/*: the configuration split into a separate file fragment for each application

type control module-path module-arguments

Type:

Control: how the four verification types under type are coordinated to reach the final authentication decision

A brief explanation:

required: this check must pass; it holds a veto, but whether it passes or fails, the later checks are still run.

requisite: if this check fails it is an immediate veto and no later checks are run; if it passes, the later checks continue.

sufficient: one pass is enough; if this check passes, no later checks are run; if it fails, the later checks continue.

optional: when other authentication methods are present, whether this one passes does not matter, unless it is the only one.

include: pulls in the authentication rules defined in another file.

substack: also includes a file, but unlike include it forms a sub-stack.

module-path: the path to the module, relative or absolute.

module-arguments: the arguments passed to the module.

Authentication flow when logging in to the system:

For what each module does and how to use it, see:

Modules:

pam_unix.so: for compatibility with the authentication method used by Unix-like systems before PAM existed, the pam_unix.so module implements that traditional authentication.

nullok: allow empty passwords

try_first_pass: before prompting the user for a password, first try a password already obtained earlier in the stack;

pam_env.so: sets or unsets environment variables for the user according to a configuration file

/etc/security/pam_env.conf

pam_shells.so: checks whether the shell the user is using is a legitimate one

/etc/shells

Here is an example:

To restrict remote logins, the PAM configuration file for sshd has to be set accordingly.

pam_limits.so: resource limits

/etc/security/limits.conf

/etc/security/limits.d/*

Syntax:

#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority

pam_securetty.so: sets which consoles count as secure for logging in; it can be used to remove all of root's remote logins so that only sudo remains, which is safer

Configuration file: /etc/securetty

pam_time.so: sets the time windows during which logins are allowed

Syntax:

# services;ttys;users;times
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). As should be clear from reading these comments,
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users or a netgroup of users to whom this
# rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
# the format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).

Example:

#xsh;ttyp*;root;!WdMo0000-2400
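The rule grammar above has enough subtle corners (toggling day codes, `!` negation, ranges that wrap past midnight) that it is worth evaluating it in code. The block below is an added example and not pam_time's source: it implements the logic-list syntax and day/time-range semantics as the comment block describes them, then checks the article's own `xsh;ttyp*;root;!WdMo0000-2400` rule plus two constructed rules against sample login attempts. Weekdays are numbered like Python's `datetime.weekday()` (Monday = 0) and times are passed as HHMM integers; the `login` and `sshd` rules, and the user names, are made up.

```python
"""Evaluate pam_time rules in the services;ttys;users;times form documented
above.  Constructed example, not pam_time's source code: it implements the
logic-list syntax ('!', '&', '|', one '*' wildcard per field), the toggling
two-letter day codes (MoWk = weekdays except Monday) and HHMM-HHMM ranges
that wrap past midnight; the sample rules besides the article's own xsh line
are made up."""
from fnmatch import fnmatchcase
import re

DAY_CODES = {               # weekday numbers as datetime.weekday(): Mon=0 .. Sun=6
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}
_ENTRY = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def _logic_list(field, match_one):
    """Evaluate 'a|!b&c' left to right; match_one(token) tests one bare token."""
    result, op = None, "|"
    for tok in re.split(r"([&|])", field.replace(" ", "")):
        if tok in ("&", "|"):
            op = tok
            continue
        hit = match_one(tok.lstrip("!")) != tok.startswith("!")   # '!' negates
        if result is None:
            result = hit
        elif op == "&":
            result = result and hit
        else:
            result = result or hit
    return bool(result)


def _day_time_matches(entry, weekday, hhmm):
    """True if (weekday, hhmm) falls inside one day/time-range entry."""
    m = _ENTRY.match(entry)
    if m is None:
        raise ValueError(f"bad day/time entry {entry!r}")
    days = set()
    for code in re.findall(r"..", m.group(1)):
        days ^= DAY_CODES[code]          # repeating a day toggles it off again
    start, end = int(m.group(2)), int(m.group(3))
    if end >= start:
        return weekday in days and start <= hhmm < end
    # finish earlier than start: the range runs on into the following day
    return (weekday in days and hhmm >= start) or \
           ((weekday - 1) % 7 in days and hhmm < end)


def rule_verdict(rule, service, tty, user, weekday, hhmm):
    """None if the rule does not cover (service, tty, user); otherwise the
    True/False outcome of its times field."""
    fields = [f.strip() for f in rule.split(";")]
    if len(fields) != 4:
        raise ValueError(f"rule needs 4 ';'-separated fields: {rule!r}")
    for pattern, value in zip(fields[:3], (service, tty, user)):
        if not _logic_list(pattern, lambda t, v=value: fnmatchcase(v, t)):
            return None
    return _logic_list(fields[3], lambda e: _day_time_matches(e, weekday, hhmm))


def access_allowed(rules, service, tty, user, weekday, hhmm):
    """pam_time denies as soon as one applicable rule evaluates false."""
    for raw in rules:
        rule = raw.split("#", 1)[0].strip()
        if rule and rule_verdict(rule, service, tty, user, weekday, hhmm) is False:
            return False
    return True


RULES = [
    "# services;ttys;users;times",
    "xsh;ttyp*;root;!WdMo0000-2400",     # the article's example: root on xsh Tue-Fri only
    "login;tty*;!root;Wk0800-1800",      # constructed: console logins in office hours
    "sshd;*;alice|bob;Al2200-0600",      # constructed: night-shift window, wraps midnight
]

if __name__ == "__main__":
    print(access_allowed(RULES, "xsh", "ttyp0", "root", 1, 1000))   # Tuesday 10:00
    print(access_allowed(RULES, "xsh", "ttyp0", "root", 0, 1000))   # Monday 10:00
```

Reading the article's rule through the code: `WdMo` toggles Saturday, Sunday and Monday on, `0000-2400` covers the whole day, and the leading `!` inverts it, so root may use the xsh service on a ttyp* terminal only from Tuesday to Friday.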

Original work statement: this article was published on Cloud+ Community with the author's authorization; it may not be reproduced without permission.
