/etc/pam.d/system-authでの設定 (2009/10/15)
カテゴリー: OSについて
投稿者: shinichi
RHEL4からRHEL5にバージョンアップを考えているので設定を確認しています。
ログインに三回失敗するとアカウントロックされる設定で少し悩みました。というのは、RHEL4のpamモジュールとRHEL5のモジュールでバージョンが異なり、使い方が変更されているのです。
ログインの失敗回数を数えるにはpam_tally.soモジュールを使用します。
RHEL4では失敗の許容回数を指定する"deny="オプションをaccountで指定していたのですが、RHEL5になってからはauthで指定するように変更になっています（"deny="だけでなく、ほとんどがauthに移動されています）。
また、今まであまり気にしなかった各行の順番でも動作が変わるのです（ここは勉強しないといけないですね。モジュール間で値をやりとりしているのでしょう）。
何気なくpam_tally.soの行をauthの最後に付け加えていたのですが、ここでは何度ログインに失敗しようとも、正しいパスワードを入力すればログインできてしまいます(失敗カウントは増えていきます)。
正しくはpam_unix.soの前に記述する必要があります。（pam_unix.soの行はsufficientなので、正しいパスワードで成功した時点でauthスタックの評価が終わり、その後ろに書いた行は実行されないためです。）
"
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (RHEL5 stack from the post): pam_tally is placed BEFORE the
# "sufficient" pam_unix.so line on purpose. A "sufficient" module that
# succeeds ends the auth stack immediately, so anything listed after it
# (including a lockout check) never runs when the password is correct.
auth required pam_env.so
# deny=3: the user is refused once the per-user failure count exceeds 3.
# onerr=fail: if the tally file cannot be read or updated, authentication
# fails (fail-closed) for everyone using this stack.
# "required" rather than "requisite" keeps the stack running, so a locked-out
# user is still asked for a password and only gets a plain failure at the end;
# the lockout state is not signalled early to the caller.
# No unlock_time is set, so the counter stays until it is cleared -- a locked
# account remains locked until an administrator resets it. Whether a
# successful login clears the count depends on this pam_tally version (the
# RHEL4 stack below needed an explicit "reset" in account) -- confirm on the
# target system.
auth required pam_tally.so onerr=fail deny=3
# nullok: accounts whose password field is empty are allowed in; remove it if
# that is not intended.
auth sufficient pam_unix.so nullok try_first_pass
# Reached only when pam_unix.so failed; "requisite" aborts the stack at once
# for system accounts (uid < 500) instead of falling through to later lines.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
# Only retry=3 is set. The RHEL4 stack below also enforced difok/minlen/
# dcredit/lcredit; those limits are absent here and must be re-added when
# migrating if the password policy is to be kept.
password requisite pam_cracklib.so try_first_pass retry=3
# md5: password hashes use MD5, and there is no remember= (RHEL4 had
# remember=12). Newer pam_unix builds accept sha512 -- check what this
# system's pam_unix supports before changing the hash.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"
RHEL5で確認
ちなみにRHEL3/4での設定では下記の通りになります。"deny="オプションの行はpam_unix.soの前に記述されていなくても有効になります（こっちではaccountで設定）。
とはいえ、RHEL5ではpam_unix.soの前でしか有効にならなかったし、Securing and Hardening Red Hat Linux Production Systemsというドキュメント内のLocking User Accounts After Too Many Login Failuresセクションで示されている例でもpam_unix.soの前に記述されているのでそのように設定しています。
RHEL3(LDAPが入っているのでちょっと異なる)
"
]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (RHEL3 stack with LDAP): this older pam_tally splits the work.
# The auth line counts attempts; the account line enforces deny= and resets
# the counter on success. Because the check happens in the account phase,
# which runs only after auth succeeded, ordering relative to pam_unix.so does
# not matter here -- unlike the RHEL5 stack above.
auth required /lib/security/$ISA/pam_env.so
# Counts every attempt; no_magic_root means root is counted as well.
# onerr=fail: trouble with the tally file is treated as an auth failure.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
# nullok: empty passwords are accepted. "sufficient": a local success ends
# the stack and pam_ldap is not consulted.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
# service_err/system_err=ignore: an unreachable LDAP server does not block
# local accounts; user_unknown=ignore lets local-only users pass this line.
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
# deny=2 here versus deny=3 in the RHEL4 stack below -- confirm which limit
# is the intended policy. reset: a successful login clears the counter.
account required /lib/security/$ISA/pam_tally.so deny=2 no_magic_root reset
# Only retry=3 and an empty type= are set: no minimum length or
# character-class requirements (compare the RHEL4 stack, which adds minlen=8).
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
# md5: MD5 password hashes; no remember= history.
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
"
RHEL4
"
]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (RHEL4 stack): same split as RHEL3 -- the auth line counts,
# the account line enforces deny=3 and resets on success -- and the strictest
# password policy of the three listings on this page.
auth required /lib/security/$ISA/pam_env.so
# Counts every attempt, root included (no_magic_root). onerr=fail is
# fail-closed if the tally file is unusable.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
# nullok: empty passwords are accepted.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
# deny=3 is enforced in the account phase, so it applies even after a
# correct password; reset clears the counter on a successful login.
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
# minlen=8; difok=3 (characters that must differ from the old password);
# dcredit=-1 and lcredit=-1 (at least one digit and one lowercase letter).
# None of these survive in the RHEL5 listing above -- carry them over when
# migrating.
password required /lib/security/$ISA/pam_cracklib.so retry=3 type= difok=3 minlen=8 dcredit=-1 lcredit=-1
# remember=12: the last 12 hashes are kept to block reuse; also absent from
# the RHEL5 listing. md5: MD5 hashes.
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
"
RHEL3/4/5で確認
P.S.
複数スペースが入る場合の書き方が難しいです。スペースが複数個あるとNucleusが自動的に一つに集約してくれてしまいます・・・
ログインに三回失敗するとアカウントロックされる設定で少し悩みました。というのは、RHEL4のpamモジュールとRHEL5のモジュールでバージョンが異なり、使い方が変更されているのです。
ログインの失敗回数を数えるにはpam_tally.soモジュールを使用します。
RHEL4では失敗の許容回数を指定する"deny="オプションをaccountで指定していたのですが、RHEL5になってからはauthで指定するように変更になっています（"deny="だけでなく、ほとんどがauthに移動されています）。
また、今まであまり気にしなかった各行の順番でも動作が変わるのです（ここは勉強しないといけないですね。モジュール間で値をやりとりしているのでしょう）。
何気なくpam_tally.soの行をauthの最後に付け加えていたのですが、ここでは何度ログインに失敗しようとも、正しいパスワードを入力すればログインできてしまいます(失敗カウントは増えていきます)。
正しくはpam_unix.soの前に記述する必要があります。（pam_unix.soの行はsufficientなので、正しいパスワードで成功した時点でauthスタックの評価が終わり、その後ろに書いた行は実行されないためです。）
"
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (RHEL5 stack from the post): pam_tally is placed BEFORE the
# "sufficient" pam_unix.so line on purpose. A "sufficient" module that
# succeeds ends the auth stack immediately, so anything listed after it
# (including a lockout check) never runs when the password is correct.
auth required pam_env.so
# deny=3: the user is refused once the per-user failure count exceeds 3.
# onerr=fail: if the tally file cannot be read or updated, authentication
# fails (fail-closed) for everyone using this stack.
# "required" rather than "requisite" keeps the stack running, so a locked-out
# user is still asked for a password and only gets a plain failure at the end;
# the lockout state is not signalled early to the caller.
# No unlock_time is set, so the counter stays until it is cleared -- a locked
# account remains locked until an administrator resets it. Whether a
# successful login clears the count depends on this pam_tally version (the
# RHEL4 stack below needed an explicit "reset" in account) -- confirm on the
# target system.
auth required pam_tally.so onerr=fail deny=3
# nullok: accounts whose password field is empty are allowed in; remove it if
# that is not intended.
auth sufficient pam_unix.so nullok try_first_pass
# Reached only when pam_unix.so failed; "requisite" aborts the stack at once
# for system accounts (uid < 500) instead of falling through to later lines.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
# Only retry=3 is set. The RHEL4 stack below also enforced difok/minlen/
# dcredit/lcredit; those limits are absent here and must be re-added when
# migrating if the password policy is to be kept.
password requisite pam_cracklib.so try_first_pass retry=3
# md5: password hashes use MD5, and there is no remember= (RHEL4 had
# remember=12). Newer pam_unix builds accept sha512 -- check what this
# system's pam_unix supports before changing the hash.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"
RHEL5で確認
ちなみにRHEL3/4での設定では下記の通りになります。"deny="オプションの行はpam_unix.soの前に記述されていなくても有効になります（こっちではaccountで設定）。
とはいえ、RHEL5ではpam_unix.soの前でしか有効にならなかったし、Securing and Hardening Red Hat Linux Production Systemsというドキュメント内のLocking User Accounts After Too Many Login Failuresセクションで示されている例でもpam_unix.soの前に記述されているのでそのように設定しています。
RHEL3(LDAPが入っているのでちょっと異なる)
"
]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (RHEL3 stack with LDAP): this older pam_tally splits the work.
# The auth line counts attempts; the account line enforces deny= and resets
# the counter on success. Because the check happens in the account phase,
# which runs only after auth succeeded, ordering relative to pam_unix.so does
# not matter here -- unlike the RHEL5 stack above.
auth required /lib/security/$ISA/pam_env.so
# Counts every attempt; no_magic_root means root is counted as well.
# onerr=fail: trouble with the tally file is treated as an auth failure.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
# nullok: empty passwords are accepted. "sufficient": a local success ends
# the stack and pam_ldap is not consulted.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
# service_err/system_err=ignore: an unreachable LDAP server does not block
# local accounts; user_unknown=ignore lets local-only users pass this line.
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
# deny=2 here versus deny=3 in the RHEL4 stack below -- confirm which limit
# is the intended policy. reset: a successful login clears the counter.
account required /lib/security/$ISA/pam_tally.so deny=2 no_magic_root reset
# Only retry=3 and an empty type= are set: no minimum length or
# character-class requirements (compare the RHEL4 stack, which adds minlen=8).
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
# md5: MD5 password hashes; no remember= history.
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
"
RHEL4
"
]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Review notes (RHEL4 stack): same split as RHEL3 -- the auth line counts,
# the account line enforces deny=3 and resets on success -- and the strictest
# password policy of the three listings on this page.
auth required /lib/security/$ISA/pam_env.so
# Counts every attempt, root included (no_magic_root). onerr=fail is
# fail-closed if the tally file is unusable.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
# nullok: empty passwords are accepted.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
# deny=3 is enforced in the account phase, so it applies even after a
# correct password; reset clears the counter on a successful login.
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
# minlen=8; difok=3 (characters that must differ from the old password);
# dcredit=-1 and lcredit=-1 (at least one digit and one lowercase letter).
# None of these survive in the RHEL5 listing above -- carry them over when
# migrating.
password required /lib/security/$ISA/pam_cracklib.so retry=3 type= difok=3 minlen=8 dcredit=-1 lcredit=-1
# remember=12: the last 12 hashes are kept to block reuse; also absent from
# the RHEL5 listing. md5: MD5 hashes.
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
"
RHEL3/4/5で確認
P.S.
複数スペースが入る場合の書き方が難しいです。スペースが複数個あるとNucleusが自動的に一つに集約してくれてしまいます・・・