通过pam.d限制linux登入

想设置一下Linux下系统登录用户密码输错次数的限制。由于知道是/etc/pam.d/system-auth文件来进行控制的,所以就查看了一下这个文件。   system-auth是由以下几个部分组成的 auth,account,password,session。每个部分又都有不同的方法,针对方法的使用也有不同的控制选项,一般有这些控制选项:required,requisite,sufficient,optional,include 这5种   具体内容man pam.d就都能看到,而很明显的,验证登录是通过auth这个部分来的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
account
this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service
based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant
user -- ’root’ login only on the console.

auth
this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by
instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant
group membership or other privileges through its credential granting properties.

password
this module type is required for updating the authentication token associated with the user. Typically, there is one module for
each ’challenge/response’ based authentication (auth) type.

session
this module type is associated with doing things that need to be done for the user before/after they can be given service. Such
things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories,
etc.

The third field, control, indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. There
are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a
square-bracketed selection of value=action pairs.

For the simple (historical) syntax valid control values are:

required
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this
service and type) have been invoked.

requisite
like required, however, in the case that such a module returns a failure, control is directly returned to the application. The
return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against
the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior
might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns
of exposing a sensitive password in a hostile environment.

sufficient
success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module
has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that
this type has succeeded.

optional
the success or failure of this module is only important if it is the only module in the stack associated with this service+type.

include
include all lines of given type from the configuration file specified as an argument to this control.

而所有的pam的方法都在/lib64/security/ 目录下,查询到登录验证是通过pam_tally2这个来进行的。通过man pam_tally2找到了很多对应的方法。因为之前查了很多网上的方法都是只针对普通用户的,不针对root用户的。root的方法跟普通的是不一样的。从这个来看以后还是得多看man帮助。   下面这个就是修改的system-auth,这是修改了auth部分的第2行而已。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail no_magic_root even_deny_root unlock_time=120 root_unlock_time=120
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so