I gave a talk on PAM at the Kyushu Infrastructure Exchange Study Group (Kixs) Vol.004 "Spring Authentication Festival". The slides, decoded and translated, follow.
Title slide: PAMthing Else (~ May rain, May blues, Ninjari Bang Bang edition ~). @pyama, GMO Pepabo, Inc. Kyushu Infrastructure Exchange Study Group Kixs Vol.004.
Speaker: Yamashita (@pyama), Chief Technical Lead, Hosting Division. Blog: https://ten-snapon.com

https://stns.jp

PAM = Pluggable Authentication Module

Agenda: KPP is the best! / I got married! / PAM overview / A pluggable interface / Freedom, and what lies beyond
PAM

    $ cat /etc/pam.d/system-auth
    auth     required   pam_env.so
    auth     sufficient pam_unix.so nullok try_first_pass
    account  required   pam_unix.so
    account  sufficient pam_localuser.so
    password requisite  pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session  optional   pam_keyinit.so revoke
    session  required   pam_limits.so

Authentication as seen from the application: applications such as ssh, sudo and login call PAM, and PAM talks to backends such as LDAP, STNS or /etc/shadow. PAM is the abstraction between application and backend.

Each line of a PAM configuration is composed of four parts: type, control flag, module and module arguments.
Type (the first column)

Type | Use case
auth: used when authenticating the user, e.g. against LDAP or STNS.
account: managing account validity periods, password change intervals and the like.
password: used when a password is changed; enforces policies such as password length and upper/lower case mix.
session: after login: creating directories, starting terminal logging, etc.
Control flag (the second column). Control flags are evaluated from top to bottom in the order they are defined.

Flag | Meaning
required: must succeed, but processing continues even when it fails. When the stack fails, the return value of the first module that failed is the one reported.
requisite: must succeed; unlike required, a failure stops processing at that point.
sufficient: when no required module has failed so far, a success here counts as overall success and processing stops.
optional: its result is normally ignored, but if there are no other flags in the stack, the optional module's result is used.

Flag | after failure | after success | success condition | failure condition
required | continue | continue | all succeed | any one fails
requisite | abort | continue | all succeed | any one fails
sufficient | continue | abort | any one succeeds | all fail
optional | continue | continue | succeeds only when no required/requisite is present | none

Control flag example:

    $ cat /etc/pam.d/system-auth
    auth required   pam_env.so
    auth sufficient pam_fprintd.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite  pam_succeed_if.so uid >= 500 quiet
    auth required   pam_deny.so

pam_env.so: loading the environment variables must succeed.
pam_fprintd.so: if fingerprint authentication succeeds, authentication succeeds immediately.
pam_unix.so: if password authentication against /etc/shadow succeeds, authentication succeeds immediately.
pam_succeed_if.so: the uid must be 500 or greater.
pam_deny.so: everything that reaches this line is denied.
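To make the flag tables concrete, here is a small simulator of the stack walk for the four flags, written for this transcript (it is not code from the talk). Module outcomes are faked with a dict, since no real PAM module is loaded, and the simulator is run over the fingerprint auth stack shown above.

```python
"""Simulate how Linux-PAM walks one management group of a pam.d stack under the
four simple control flags.  Added example for this talk, not code from the slides:
no real module is loaded, each module's outcome comes from a dict of fakes."""

def parse_stack(pamd_text, group):
    """Return (control, module) pairs for every line of `group`, top to bottom."""
    return [(f[1], f[2]) for f in (line.split() for line in pamd_text.splitlines())
            if len(f) >= 3 and f[0] == group]

def evaluate(stack, outcomes):
    """Return (verdict, modules_consulted) for `stack` given fake module results.
    required:   failure is remembered (the first one wins) but the walk continues
    requisite:  failure aborts the walk at once
    sufficient: success ends the walk with success unless a required already failed
    optional:   success counts only if no required/requisite produced a verdict"""
    consulted, failed_required, saw_verdict, optional_ok = [], False, False, False
    for control, module in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)  # an unknown module is treated as failing
        if control == "required":
            saw_verdict = True
            failed_required = failed_required or not ok
        elif control == "requisite":
            saw_verdict = True
            if not ok:
                return False, consulted
        elif control == "sufficient":
            if ok and not failed_required:
                return True, consulted
        elif control == "optional":
            optional_ok = optional_ok or ok
    return ((not failed_required) if saw_verdict else optional_ok), consulted

# The auth stack from the fingerprint slide; pam_succeed_if checks uid >= 500.
FPRINTD_AUTH = """
auth required   pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth required   pam_deny.so
"""

def run(fprintd_ok, unix_ok, uid_ok, env_ok=True):
    """One fake login attempt; pam_deny.so always fails, as its name says."""
    outcomes = {"pam_env.so": env_ok, "pam_fprintd.so": fprintd_ok, "pam_unix.so": unix_ok,
                "pam_succeed_if.so": uid_ok, "pam_deny.so": False}
    return evaluate(parse_stack(FPRINTD_AUTH, "auth"), outcomes)
```

The consulted list shows the short-circuits: a fingerprint success never reaches pam_unix.so, and a uid below 500 stops the walk before pam_deny.so is even loaded.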
Module (the third column) and arguments (the fourth column)

    auth sufficient pam_unix.so nullok try_first_pass

Here pam_unix.so is the module and nullok try_first_pass are its arguments. The .so suffix means Shared Object.
Shared Object: a shared object such as hay.so, built from C code like

    #include <stdio.h>
    void hay() { printf("Hello, Takada!"); }

can be bound and called from many languages (Ruby, PHP, Golang, C).

In Ruby's case, with the ffi gem:

    require "ffi"
    module Fib
      extend FFI::Library
      ffi_lib "./hay.so"               # the shared object built from the C code above
      attach_function :hay, [], :void  # bind void hay(void): no arguments, no return value
    end
    Fib.hay
    # => Hello, Takada!
Digression: ldd. The ldd command shows which shared objects a binary is linked against. A common use is relinking from an .so installed by the package manager to one installed from source.

Further digression: the ELF header. Looking at the header of an ELF file, the standard binary format on Linux, shows which methods (exported symbols) are available.
    auth sufficient pam_unix.so nullok try_first_pass

Given the module and its arguments, which method gets called? It differs by type:

Type | Method
auth: pam_sm_authenticate
account: pam_sm_acct_mgmt
password: pam_sm_chauthtok
session: pam_sm_open_session, pam_sm_close_session

    #include <string.h>
    #include <security/pam_modules.h>

    PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]) {
        const char *user = NULL;
        if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL) return PAM_AUTH_ERR;
        if (strcmp(user, "k_nishida") == 0) return PAM_AUTH_ERR;  /* the slide's joke; strcmp, not ==, compares strings */
        return PAM_SUCCESS;
    }

Arguments such as nullok and try_first_pass are available through argc/argv.

In system-auth, pam_env.so implements pam_sm_authenticate and pam_localuser.so implements pam_sm_acct_mgmt.
The STNS case: pam_stns.so. login and sudo use the auth type, and pam_stns.so implements password authentication over HTTPS: pam_sm_authenticate sends a GET to the STNS server and checks the response, a user record with id, group_id, directory (e.g. /home/example), password hash and so on.
"In this world there are people who are used by PAM and people who use PAM." by Arsène Pyama

To be on the side that uses PAM:
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html (the Linux-PAM Application Developers' Guide)
/etc/pam.d/<service name> is consulted based on the service name the application defines:

    pam_start("service name", user, &store_conv, &sshpam_handle);
    ...
    pam_authenticate(sshpam_handle, flags);
    ...
    pam_end(sshpam_handle, sshpam_err);

How SSH uses it:

Type | Method | Purpose
auth: pam_authenticate; used for sshd's password authentication. Not used for public-key authentication and the like.
account: pam_acct_mgmt; used after sshd has authenticated the user.
password: pam_chauthtok; used when ssh opens a pty and the account stage found, for example, that the password had expired.
session: pam_open_session / pam_close_session; used when an sshd session is opened and closed.
But if you can't write C, you can't use any of this, right? Well, I do write it, but still...

Golang

go build -buildmode=c-shared: from Go 1.5 on, cgo can be used to build a shared library.

    package main

    /*
    // the two header names were lost in extraction; the standard Linux-PAM headers are assumed
    #include <security/pam_appl.h>
    #include <security/pam_modules.h>
    */
    import "C"

    //export pam_sm_authenticate
    func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
    	return C.PAM_SUCCESS
    }

    // a main package (and a main function) is required for -buildmode=c-shared, even though it never runs
    func main() {}
mruby

mruby is a lightweight Ruby. It can build standalone binary tools, or be embedded into Apache and nginx modules. The difference in philosophy from Ruby: Ruby extends itself with Gems loaded as libraries at call time, whereas mruby extends the binary itself through a mechanism called mgems (Ruby: http and openssl gems; mruby: http and openssl mgems compiled in).

Reference: http://qiita.com/udzura/items/... (article id lost in extraction)

libpam-mruby: libpam-mruby.so runs a Ruby script for the auth type:

    # auth script run by libpam-mruby.so; the comparison operators were lost in
    # extraction and are restored here
    def authenticate(username, password)
      username == 'pyama' && password == 'p@ssword'
    end

Because arbitrary Ruby can be executed, you can extend freely within what Ruby can do: authenticate against external services such as GitHub or Facebook, two-factor authentication, and so on.
Summary

/etc/pam.d/XXX is not hard.

PAM still has lots of potential: LDAP, STNS, Yubikey...

Wouldn't this kind of authentication be interesting?

After login, wouldn't it be handy to be able to do things like this?

Write the code, Change the world

Want to work at Pepabo? Check the latest recruiting info → @pb_recruit