The Pluggable Authentication Module (PAM) API exposes a set of functions that application programmers can use to implement security-related features such as user authentication, data encryption, LDAP lookups and so on.

The behaviour of PAM is determined mainly by the settings in the files under the /etc/pam.d directory. The PAM modules available on the system can be found in /lib/security/.

pam_succeed_if can place restrictions on user logins: if the conditions defined for pam_succeed_if are met, the login is accepted. The module has no configuration file of its own; you simply edit the PAM configuration file of the service that needs the restriction.

The module is used as follows:

pam_succeed_if.so [flag...] [condition...]

Here flag can be debug, use_uid, quiet, quiet_fail or quiet_success. A condition has the following form:

field (where field can be user, uid, gid, shell, home or service), for example uid. Below is a detailed example:

auth        required      pam_succeed_if.so uid 

After adding the line above to /etc/pam.d/system-auth and /etc/pam.d/kde, logging in as the user work (uid 500 or greater) is refused by the system, while root can still log in. The following can be seen in the log /var/log/secure:

Jul 6 17:26:18 DC5 kdm: :0[5382]: pam_succeed_if: requirement “uid

If the following line is added only to /etc/pam.d/system-auth, then only the root user is refused, and this applies alike to ssh logins, local logins and su:

auth        required      pam_succeed_if.so user != root

The following can be seen in the log /var/log/secure:

Jul  6 17:59:14 DC5 su: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 17:59:35 DC5 sshd[5869]: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 18:02:15 DC5 login: pam_succeed_if: requirement "user != root" not met by user "root"
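These "requirement ... not met" entries are a useful detection signal: every login attempt blocked by pam_succeed_if leaves one line naming the service, the failed condition and the user. The script below is an added example (not part of the original post) that parses such lines and counts denials per user and per service; the log text it runs on is constructed to match the entries shown above, plus one unrelated sshd line to show that non-matching records are ignored. Note that configuring the quiet or quiet_fail flag removes exactly these lines, so a monitoring rule like this one only works when the module is left logging.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the /var/log/secure entries shown above.
# The fourth line is an unrelated sshd record, included to show it is skipped.
SAMPLE_LOG = """\
Jul  6 17:59:14 DC5 su: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 17:59:35 DC5 sshd[5869]: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 18:02:15 DC5 login: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 18:05:02 DC5 sshd[5901]: Accepted publickey for work from 192.0.2.10 port 50212 ssh2
"""

# syslog timestamp, host, service (optionally with "[pid]"), then the module message.
# The service part is matched non-greedily so forms like "kdm: :0[5382]" also parse.
DENIAL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<service>.+?)(?:\[(?P<pid>\d+)\])?: pam_succeed_if: '
    r'requirement "(?P<requirement>[^"]+)" not met by user "(?P<user>[^"]+)"$'
)


def parse_denials(log_text):
    """Return one dict per pam_succeed_if denial found in log_text."""
    events = []
    for line in log_text.splitlines():
        match = DENIAL_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Count denials by user and by PAM service for a quick triage view."""
    return {
        "by_user": dict(Counter(e["user"] for e in events)),
        "by_service": dict(Counter(e["service"] for e in events)),
        "requirements": sorted({e["requirement"] for e in events}),
    }


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for event in denials:
        print(f'{event["ts"]} {event["service"]:<6} user={event["user"]} '
              f'failed "{event["requirement"]}"')
    print(summarize(denials))
```

Pointing the script at the real file (for example reading /var/log/secure instead of SAMPLE_LOG) gives a per-service breakdown of which accounts are being stopped by the policy, which is also a quick way to confirm that a newly added condition is matching the accounts you intended and no others.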

The quiet flag can be used here so that nothing is logged to secure. For the remaining parameters see the man page:

NAME
       pam_succeed_if - test account characteristics
SYNOPSIS
       pam_succeed_if.so [flag...] [condition...]
DESCRIPTION
       pam_succeed_if.so is designed to succeed or fail authentication based on
       characteristics of the account belonging to the user being authenticated. One
       use is to select whether to load other modules based on this test.
       The module should be given one or more conditions as module arguments, and
       authentication will succeed only if all of the conditions are met.
OPTIONS
       The following flags are supported:
       debug
           Turns on debugging messages sent to syslog.
       use_uid
           Evaluate conditions using the account of the user whose UID the
           application is running under instead of the user being authenticated.
       quiet
           Don't log failure or success to the system log.
       quiet_fail
           Don't log failure to the system log.
       quiet_success
           Don't log success to the system log.
       Conditions are three words: a field, a test, and a value to test for.
       Available fields are user, uid, gid, shell, home and service:
       field >= number
              Field has a value numerically greater than or equal to number.
       field > number
              Field has a value numerically greater than number.
       field ne number
              Field has a value numerically different from number.
       field = string
              Field exactly matches the given string.
       field != string
              Field does not match the given string.
       field =~ glob
              Field matches the given glob.
       field !~ glob
              Field does not match the given glob.
       field in item:item:...
              Field is contained in the list of items separated by colons.
       field notin item:item:...
              Field is not contained in the list of items separated by colons.
       user ingroup group
              User is in given group.
       user notingroup group
              User is not in given group.
       user innetgr netgroup
              (user,host) is in given netgroup.
       user notinnetgr group
              (user,host) is not in given netgroup.
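To make the condition semantics concrete, the following is an added model of how the module evaluates its arguments; it is example code written for this page, not the module's own source. It implements the tests listed in the excerpt above (>=, >, ne, =, !=, =~, !~, in, notin, ingroup, notingroup; the netgroup tests are omitted), requires every condition to hold, and produces log lines in the same format as the /var/log/secure entries shown earlier, suppressing them according to the quiet, quiet_fail and quiet_success flags. The account records (root, work, svc) and their ids are constructed for the example, standing in for what the real module obtains from the passwd and group databases; use_uid is accepted but not modelled.

```python
import fnmatch

# Constructed account records standing in for passwd/group lookups.
# User names, ids, shells and group memberships are invented for this example.
ACCOUNTS = {
    "root": {"user": "root", "uid": 0,   "gid": 0,   "shell": "/bin/bash",
             "home": "/root",        "groups": {"root"}},
    "work": {"user": "work", "uid": 500, "gid": 500, "shell": "/bin/bash",
             "home": "/home/work",   "groups": {"work", "users"}},
    "svc":  {"user": "svc",  "uid": 501, "gid": 501, "shell": "/sbin/nologin",
             "home": "/var/lib/svc", "groups": {"svc"}},
}

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success"}
NUMERIC_TESTS = {">", ">=", "ne"}


def check_condition(account, service, field, test, value):
    """Evaluate one 'field test value' condition against an account record."""
    if field == "service":
        actual = service
    elif field in ("user", "uid", "gid", "shell", "home"):
        actual = account[field]
    else:
        raise ValueError(f"unknown field {field!r}")

    if test in NUMERIC_TESTS:
        # In this model the numeric tests are applied to uid and gid only.
        if field not in ("uid", "gid"):
            raise ValueError(f"{test!r} needs a numeric field, got {field!r}")
        n = int(value)
        return {">": actual > n, ">=": actual >= n, "ne": actual != n}[test]

    s = str(actual)
    if test == "=":
        return s == value
    if test == "!=":
        return s != value
    if test == "=~":            # shell-style glob, case-sensitive
        return fnmatch.fnmatchcase(s, value)
    if test == "!~":
        return not fnmatch.fnmatchcase(s, value)
    if test == "in":            # colon-separated list of items
        return s in value.split(":")
    if test == "notin":
        return s not in value.split(":")
    if test in ("ingroup", "notingroup"):
        if field != "user":
            raise ValueError("ingroup/notingroup apply to the user field")
        member = value in account["groups"]
        return member if test == "ingroup" else not member
    raise ValueError(f"unknown test {test!r}")


def pam_succeed_if(module_args, user, service="login"):
    """Model the module's decision for one login: returns (success, log_lines).

    module_args is the argument string from the pam.d line, e.g. "quiet user != root".
    All conditions must be met; evaluation stops at the first failure. Log lines
    follow the /var/log/secure format and honour the quiet* flags.
    """
    tokens = module_args.split()
    flags = {t for t in tokens if t in FLAGS}
    conds = [t for t in tokens if t not in FLAGS]
    if len(conds) % 3:
        raise ValueError("each condition is three words: field test value")

    account = ACCOUNTS[user]
    logs = []
    for i in range(0, len(conds), 3):
        field, test, value = conds[i:i + 3]
        requirement = f"{field} {test} {value}"
        if not check_condition(account, service, field, test, value):
            if not flags & {"quiet", "quiet_fail"}:
                logs.append(f'pam_succeed_if: requirement "{requirement}" '
                            f'not met by user "{user}"')
            return False, logs
        if not flags & {"quiet", "quiet_success"}:
            logs.append(f'pam_succeed_if: requirement "{requirement}" '
                        f'was met by user "{user}"')
    return True, logs


if __name__ == "__main__":
    # The policy from the post: refuse root, for any service.
    for svc in ("su", "sshd", "login"):
        ok, lines = pam_succeed_if("user != root", "root", svc)
        print(svc, "allowed" if ok else "denied", lines)
    # A stricter policy: ordinary uid range and an interactive shell.
    print(pam_succeed_if("uid >= 500 shell !~ */nologin", "svc"))
```

Running the model with "user != root" for root reproduces the three denial lines from the post, one per service, and with quiet in front of the condition the same decision is made but the log list is empty, which is exactly what is lost when that flag is used.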