Linux系统内部的名称解析与安全认证（原创）

我们都知道计算机最喜欢的是数字，而人类喜欢的是语言，所以我们在计算机上运行的进程、定义的用户、端口号、协议、ip地址等都需要转换成数字的形式让计算机明白，在Linux上实现这种功能的框架就是nsswitch。

The Name Service Switch (NSS) is a facility in Unix-like operating systems that provides a variety of sources for common configuration databases and name resolution mechanisms. These sources include local operating system files (such as /etc/passwd, /etc/group, and /etc/hosts), the Domain Name System (DNS), the Network Information Service (NIS), and LDAP.

A system administrator usually configures the operating system's name services using the file /etc/nsswitch.conf. This lists databases (such as passwd, shadow and group) and one or more sources for obtaining that information. Examples for sources are files for local files, ldap for the Lightweight Directory Access Protocol, nis for the Network Information Service, nisplus for NIS+, and wins for Windows Internet Name Service.

The nsswitch.conf file has line entries for each service consisting of a database name in the first field, terminated by a colon, and a list of possible source databases mechanisms in the second field. A typical file might look like:

passwd: files ldap

shadow: files

group: files ldap

hosts: dns nis files

ethers: files nis

netmasks: files nis

networks: files nis

protocols: files nis

rpc: files nis

services: files nis

automount: files

aliases: files

The order of the services listed determines in which order NSS will attempt to use those services to resolve queries on the specified database.

哈哈，以上的英语应该不是很难，大家查查单词可以看个明白。我稍微解释一下，nsswitch就像一个过滤器接口或者说是分类处理装置，我们需要用到名称解析功能时，nsswitch会根据/etc/nsswitch.conf文件中定义的条目，选择这个名称通过对应的解析方式进行解析，如：文件、nis服务器、dns服务器、ldap数据库（写性能不好，但读性能高）等。

大家看到在我们的库文件目录中/lib64/libnss* /usr/lib64/libnss*，nsswitch就是调用这些库来完成不同功能的解析工作的。其中libnss3.so,是对应数据库接口的驱动。

我们的配置文件中也说明了这些模块的作用是调用哪些服务。

这就是定义的方式，其实很简单的。一个条目：功能名称：解析库类型（可以有多个，自左而右优先级依次降低）。

功能名称：

aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpm, services, shadow

解析库类型：

files, dns, compat, dbm, hesiod, winbind, wins, nis, nisplus

在解析库查询的返回值：

SUCCESS: service ok, found name

NOTFOUND: service ok, name not found

UNAVAIL: service not avaliable

TRYAGAIN: temporary service failure

默认动作：在第一次遇到SUCCESS状态之后，即return，否则，则continue找后面的解析库。

如果要更改这种动作那么定义[NOTFOUND=return]就直接返回不再找后面的解析库

系统passwd功能名称解析的一次过程：

libnss3.so --> (/etc/nsswitch.conf) --> libnss_files.so --> /etc/passwd

Getent用于通过nsswitch框架解析验证的命令：

好了，nsswitch我们告一段落，接下来我们来说PAM，即Linux上的认证框架。大家应该都听说过“3A”认证服务器，即AAA：分别为Authentication（认证）、Authorization（授权）、Accounting（审计）。当众多应用程序都需要用到认证机制时，认证功能可以由共享库来实现，这个共享库就是通过PAM来实现的。

Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and services in a Linux system. Linux PAM is evolved from the Unix Pluggable Authentication Modules architecture.

Linux-PAM separates the tasks of authentication into four independent management groups:

account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service.

authentication modules(认证模块) verify the user's identity, for example by requesting and checking a password or other secret. They may also pass authentication information on to other systems like a keyring.

password modules(密码模块) are responsible for updating passwords, and are generally coupled to modules employed in the authentication step. They may also be used to enforce strong passwords.

session modules(会话模块) define actions that are performed at the beginning and end of sessions. A session starts after the user has successfully authenticated.

稍微解释一下：

账户模块：用于验证输入的账号密码是否正确，时间是否在有效期等。

认证模块：用于验证用户的身份是否是他声称的，通过密码或者其他密钥的方式、其他服务器的认证等。

密码模块：用于更新密码和设定密码的使用强度等。

会话模块：用于设定会话建立的权限内容等，在会话建立之前用户认证成功之后和结束时进行。

PAM调用的模块：

PAM的工作流程：

PAM的配置文件：

/etc/pam.conf：主配置文件

Service type control module-path module-arguments

/etc/pam.d/*：拆分成每个应用专用的配置文件片断

type control module-path module-arguments

Type：

Control：在type中的四中验证方式直接进行如何协调共同完成最终的认证

稍微解释一下：

Require：此项认证必须通过，具有一票否决权，不管通过不通过都会检查后续认证。

Requisite：此项不通过，直接一票否决，不会在检查其他认证。通过了检查后续认证。

Sufficient：一票通过全，此项通过不再检查其他认证，不通过检查后续认证。

Optional：可选项，当有其它认证方式时此项通过不通过无关紧要，除非只有此项。

Include：在文件中定义认证方式，包含此文件。

Substack：也是包含文件，和include不同的是它表示一个子认证。

Module-path：模块路径，可以是相对路径也可以是绝对路径。

Module-arguments：模块使用的参数。

登录系统的认证方式：

至于每个模块的作用和使用方法可以参考：

模块：

pam_unix.so：在认证时为了兼容在PAM机制实现之前的类UNIX系统的认证方式，使用pam_unix.so模块来实现。

nullok：允许使用空密码

try_first_pass: 提示用户输入密码之前，首先检查此前栈中已经得到的密码；

pam_env.so：通过配置文件来为用户设定或撤消环境变量

/etc/security/pam_env.conf

pam_shells.so：检查用户使用的是否为合法shell

/etc/shells

下面是个例子：

如果限制远程登录则需要设定pam_sshd配置文件

pam_limits.so：资源限制

/etc/security/limits.conf

/etc/security/limits.d/*

语法格式：

#<domain> <type> <item> <value>

#

#Where:

#<domain> can be:

# - a user name

# - a group name, with @group syntax

# - the wildcard *, for default entry

# - the wildcard %, can be also used with %group syntax,

# for maxlogin limit

#

#<type> can have the two values:

# - "soft" for enforcing the soft limits

# - "hard" for enforcing hard limits

#

#<item> can be one of the following:

# - core - limits the core file size (KB)

# - data - max data size (KB)

# - fsize - maximum filesize (KB)

# - memlock - max locked-in-memory address space (KB)

# - nofile - max number of open file descriptors

# - rss - max resident set size (KB)

# - stack - max stack size (KB)

# - cpu - max CPU time (MIN)

# - nproc - max number of processes

# - as - address space limit (KB)

# - maxlogins - max number of logins for this user

# - maxsyslogins - max number of logins on the system

# - priority - the priority to run user process with

# - locks - max number of file locks the user can hold

# - sigpending - max number of pending signals

# - msgqueue - max memory used by POSIX message queues (bytes)

# - nice - max nice priority allowed to raise to values: [-20, 19]

# - rtprio - max realtime priority

Pam_securetty.so：设置安全的登录控制台，可以把root用户的所有远程登录都给去掉，就只能使用sudo了，这样可以更安全

配置文件：/etc/securetty

Pam_time.so：设置可登录的时间段

语法格式：

# services;ttys;users;times

#

# white space is ignored and lines maybe extended with '\\n' (escaped

# newlines). As should be clear from reading these comments,

# text following a '#' is ignored to the end of the line.

#

# the combination of individual users/terminals etc is a logic list

# namely individual tokens that are optionally prefixed with '!' (logical

# not) and separated with '&' (logical and) and '|' (logical or).

#

# services

# is a logic list of PAM service names that the rule applies to.

#

# ttys

# is a logic list of terminal names that this rule applies to.

#

# users

# is a logic list of users or a netgroup of users to whom this

# rule applies.

#

# NB. For these items the simple wildcard '*' may be used only once.

#

# times

# the format here is a logic list of day/time-range

# entries the days are specified by a sequence of two character

# entries, MoTuSa for example is Monday Tuesday and Saturday. Note

# that repeated days are unset MoMo = no day, and MoWk = all weekdays

# bar Monday. The two character combinations accepted are

#

# Mo Tu We Th Fr Sa Su Wk Wd Al

#

# the last two being week-end days and all 7 days of the week

# respectively. As a final example, AlFr means all days except Friday.

#

# each day/time-range can be prefixed with a '!' to indicate "anything

# but"

#

# The time-range part is two 24-hour times HHMM separated by a hyphen

# indicating the start and finish time (if the finish time is smaller

# than the start time it is deemed to apply on the following day).

Example：

#xsh;ttyp*;root;!WdMo0000-2400