fsu web design certificate
the topics i will discuss are what is pam configuration for pam documentation prepared what is needed to use pam pem configuration files types of authentication module interfaces verse modules and control flags
first it will discuss what ten years to understand you need to know that programs that grant access to a systemuse authentication to verify each other's agony so what this means as those programs inapplications within an operating system that need to get authentication and theyhave to go somewhere to find that authentication what pam does is its use as acentralized authentication mechanism so that the applications
can go to one mechanism ie pam and use it and its easier to program using this one utility and provides a flexible method forsetting authentication methods there's lots of versatility in the types of authentication that youcan use and
you can actually have developers to design their ownimplementations that use pam pam is used for authentication in unix and links distributions for this presentation i'm going to focuson politics' distribution and that is redhat operating system the configuration for pam within redhat enterprise limits useswhat's called clinics dash pam
the configuration files are found withinat /etc pam.d and this is a directory that containsconfiguration files you came get debug output if there's errors or messages that arelogged and that will be in var log messages it could also be in var log securedepending on the type of message
and libraries are stored in security the documentation for pam can be viewed within the operatingsystem by using the command also there's a location user share
pam dash in the version append that you haveinstalled also you can use users shared doc pam the version number then go into the html directory bring up one of the files and theirinnate actually presents and webpage that you can navigate the has veryvaluable documentation another
additional website location that i found when searching was kernel dot org and they have some in debt maintenance in tracking of the pammodule lot of the documentation relates to thered operating system to give you an idea let me bring you up i have virtual box installed
and this is a red hat virtualized system so we can do is we can change directory into the pan dot dean into an ls to list you can see all the configuration files inthere so these are all different files areused by pam
and we have different applications thatwall address different ones for example wehave a login one is used for system login i can open up and them and view the file you'll see the firstlines comment it out then we have under information here which i'll discuss in a later slide and this is an actual pam file
a put out of this then we can go to the user share directory them and and docs ham and tab complete the final version change and then
and here we can see additional use a docinformation that stored within the operating system and this comes default we can change to the html directory in list based in our files here i can open a web browser to lead us insummary teaser as fox can actually open this issue no this is a really good documentation where you can review
module information an additional pen configuration that's we want to know what is hand needed for pma uses rpms as other packages usethem and pam also needs pam aware applications so as you can see there's a displayright here in that shows rpm q a and
that i grep for pam in this shows the pam files and i can dothat right here we close out there rpm -qa piped to grep and then this will showed up and filesthat are installed on this redhat six operating system and these are hereby default haven't done anything uh... i
i may have run a yum update so i may have newer files for example you can see thisone's pam underscore krb and that's for kerberos here's the main pam file and what we can do is rpm she line clear information and then you have to
copy the full package name too easy to do it that way and then paste we can get information and this tells you that this packages rpm assistant security toolthat allows system administrators to set offindication
policy without having to recompile programsthat handoff indication and we can see other version information listed here another valuable information that's watching go into the templatefiguration switch i showed amenity down and that is back here /etc list all those files selasa new login
there is also password so if you do passwd if you wanna run password change it's going to reference that file and you can see what's inside of thatfile and here's another example just showingthe redid file that's used and rushing to get into what this faultis and what this dot as so is
in just a minute here there's different types ofauthentication you can have a password sequence which is just ifyou're setting the you know password your password and their it will takethat pass for files and showed him you can have a retinal scanner which doesn't come before mostsystems that would be an additional application i would be installed
you can have boys authentication you canalso fingerprint scanners which are becoming somewhat comment on laptops and these can all use depend on your so we're talk about now is the actualfiles that we're looking at the module interfaces verses the modules so here's the interface examples when wesee alter
is this requesting verifies the validityof the password the accounts interface verifies that axis is allowed the password interface is used for changing passwords the session configures manages usersessions so that is back here we open up
login as an example we see auth includes and then system off let's go to this one and we have account required and then here's the module name down here
the modules end with .so and we can actually do a man page foreach module for example manner pam on the square units and essentially what does module boils down to is it will not permit blank user passwords so
if you have aligning that says pam unix .so and it's required that you cannot have a blank userpassword for example if this is the login file what fordshutdown file what for the password change file and we can actually take a look quit out of here and do man pam
underscore unix and then here's the file the man page file and we can find more information aboutit and we can see the options that areavailable that can be used with this module anders even examples are listed in here now control fat flags
which i've just mentioned a little bitabout required means the module result must be successfulend-user is not notified if you have something that is required then it doesn't matter what order thatcomes in in the file if i bring back up the login is listed here is required so this is the login file so wehave pam no login that means if in the /etc/passwdfile
if you have something called no loginsetup that means that user does not have a long n so if you trying to access the pam file then it doesn't make sense if you have anew login defined for that user that it should be able to login so what we say here is the account required is required
and it matches this pam module then we're saying that if there's no log in to find then automatically denied this request and it can be anywhere in the sequenceit doesn't matter on the order for a required requisite this module result must besuccessful
and user is notified sufficient the module result is ignored if it fails and no previous requestedflags failed than the users granted access optional and only becomes necessary it when noother module flags reference to your face include
the flag poles all lines in theconfiguration file which match the given parameter and attends them as an argument to the module now actually implementing these can get a bit more in-depth so i covered the most obvious one which isrequired sufficient you can kind of understand where that one's going inoptional of course
it's not required so those of the control flags that areused in that better listed right here and those are in it each and that's just an overview and thatconcludes my presentation for the basis of help and functions andhow it works and there's several different occasions that developers can design too easily use pam as opposed to someorder methods that were used that were
not centralized like pam is and pam uses well known module syntaxes so they're easy to designmodules ford if if you understand the program behind it and it's fully supported within theredhead operating system and it's compatible in a unix and linux
although i think there may be somedifferences between the units proprietary versions and the linksversions and gives different distributions mayhave certain modifications within their but overall pam does function pretty much the same within all linux andunix distributions
Tidak ada komentar:
Posting Komentar