Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PAM_thing_Else

Kazuhiko Yamashita
May 13, 2017
Programming
2
2k

 PAM_thing_Else

九州インフラ交流勉強会(Kixs) Vol.004 春の認証祭りにてPAMについてトークしました。

Kazuhiko Yamashita

May 13, 2017
Tweet

More Decks by Kazuhiko Yamashita

See All by Kazuhiko Yamashita
Goで実装された高速な
仮想待合室サーバの実装と詳解
pyama86
13
5.6k
CNDF2023前夜祭 - 玄界灘のクラウドネイティブなデータ基盤運用の実践
pyama86
0
350
若者とGPTのすべて
pyama86
0
330
Dynamic VM Scheduling
 in OpenStack
pyama86
1
880
GMOペパボにおける大規模インフラのセキュリティ管理
pyama86
1
110
Is Kubernetes On-premises Hardway?
pyama86
2
430
突然のグループ一斉在宅勤務開始!!1に
おける働き方を変革する技術や仕組み
pyama86
4
1.1k
企業に必要とされている インフラ技術とこれから
pyama86
12
8.4k
「ペパボっぽい」
エンジニアカルチャーを創る
言葉と仕組み
pyama86
20
5.2k

Other Decks in Programming

See All in Programming
祝 Ver.3リリース Fluent UI Blazorのすすめ
tomokusaba
0
110
第3回 AWSとGitHub勉強会 - GitHub Actionsを使ったCI環境の構築 -
ogiwarat
0
130
理解して導入するWebフレームワーク ~解決すべき課題に着目する~ / Understanding and implementing web frameworks ~focusing on the problems to be solved~
seike460
PRO
3
490
外部APIとズブズブな開発どうしてますか?
kin29
1
330
Google Cloud Next '23 Recap AI 時代のデータベース関連のイケてるアップデートをお届け
maroon1st
0
410
EbitengineでGUIツール作ってみた
aethiopicuschan
0
250
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
360
どうするLeSS - スクラムフェス三河2023.9.16
stanby_inc
1
120
Construindo APIs resilientes: práticas de versionamento e documentação
monicaribeiro
0
110
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
410
タイミーiOSアプリへの Swift Concurrency 導入までの軌跡
_tanako
4
690
マイクロサービス環境におけるToilを削減するTerraformの活用 in DMMプラットフォーム
pospome
1
210

Featured

See All Featured
YesSQL, Process and Tooling at Scale
rocio
159
13k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
Building Flexible Design Systems
yeseniaperezcruz
317
36k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
112
17k
Infographics Made Easy
chrislema
236
17k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
11
880
[RailsConf 2023] Rails as a piece of cake
palkan
15
2.7k
GitHub's CSS Performance
jonrohan
1021
440k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Agile that works and the tools we love
rasmusluckow
323
20k
Typedesign – Prime Four
hannesfritz
35
1.8k

Transcript

  1. ʙޒ݄Ӎɺޒ݄පɺʹΜ͡ΌΓ͹Μ͹Μ൛ʙ
    !QZBNB(.01FQBCP *OD
    ۝भΠϯϑϥަྲྀษڧձ ,JYT
    7PM
    1".UIJOH&MTF

    View Slide

  2. IUUQTUFOTOBQPODPN
    νʔϑςΫχΧϧϦʔυ
    ࢁԼ࿨඙!QZBNB
    ϗεςΟϯάࣄۀ෦

    View Slide

  3. IUUQTUOTKQ

    View Slide

  4. 1MVHHBCMF
    "VUIFOUJDBUJPO
    .PEVMF

    View Slide

  5. ,11࠷ߴʂ͍݁ࠗͨ͠ʂ
    1".֓ཁ
    ϓϥΨϒϧͳΠϯλʔϑΣʔε
    ࣗ༝ɺͦͯ͠ɺͦͷઌʹ

    View Slide

  6. 1".
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so

    View Slide

  7. 1".
    TTI
    1".
    -%"1 45/4 FUDTIBEPX
    TVEP MPHJO
    ΞϓϦέʔγϣϯ͔Βݟͨೝূͷந৅Խ
    "QQMJDBUJPO
    #BDLFOE

    View Slide

  8. 1".
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    1".ͷઃఆ͸ύʔτͰߏ੒͞ΕΔ

    View Slide

  9. λΠϓ
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so

    View Slide

  10. λΠϓ
    λΠϓ ར༻έʔε
    BVUI Ϣʔβʔೝূ࣌ʹར༻ɻ-%"1΍45/4ͷར༻ͳͲ
    BDDPVOU ΞΧ΢ϯτͷ༗ޮظؒͱ͔ɺύεϫʔυͷมߋظؒͷϚωδϝϯτͳͲ
    QBTTXE
    ύεϫʔυͷมߋ࣌ͳͲʹɺύεϫʔυͷจࣈ਺΍ɺେจࣈখจࣈͷ
    ϙϦγʔΛ؅ཧͨ͠Γ͢Δ
    TFTTJPO ϩάΠϯޙʹσΟϨΫτϦΛ࡞੒΍5FSNJOBMϩάͷ։࢝ͳͲ

    View Slide

  11. ੍ޚϑϥά
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    ੍ޚϑϥά͸ఆٛॱʹ্͔ΒԼ΁ධՁ͞ΕΔ

    View Slide

  12. ੍ޚϑϥά
    ϑϥά ಺༰
    SFRVJSFE
    ඞͣ੒ޭ͢Δඞཁ͕͋Δ͕ɺࣦഊͯ͠΋ॲཧ͸ܧଓ͞ΕΔɻ
    ࣦഊͨ͠৔߹ͷ໭Γ஋͸ɺ࠷ॳʹࣦഊͨ͠Ϟδϡʔϧͷ໭Γ஋͕࠾༻͞ΕΔ
    SFRVJTJUF ඞͣ੒ޭ͢Δඞཁ͕͋ΔɻSFRVSFEͱҟͳΓɺࣦഊ͢Δͱॲཧ͸ͦͷ࣌఺Ͱɺதஅ͢Δ
    TV⒏DJFOU SFRVJSFE͕ࣦഊ͍ͯ͠ͳ͍৔߹ʹɺ੒ޭ͢Δͱͦͷ࣌఺Ͱ੒ޭͱΈͳ͠ɺॲཧΛதஅ͢Δ
    PQUJPOBM ௨ৗ͸੒൱Λແࢹ͢Δ͕ɺଞͷϑϥά͕ͳ͍৔߹ɺPQUJPOBMͷ݁Ռ͕ར༻͞ΕΔ

    View Slide

  13. ੍ޚϑϥά
    ϑϥά
    ࣦഊͨ͠৔߹ͷ
    ޙଓॲཧ
    ੒ޭͨ͠৔߹ͷ
    ޙଓॲཧ
    ੒ޭ৚݅ ࣦഊ৚݅
    SFRVJSFE ܧଓ ܧଓ શͯ੒ޭ ҰͭͰ΋ࣦഊ
    SFRVJTJUF தஅ ܧଓ શͯ੒ޭ ҰͭͰ΋ࣦഊ
    TV⒏DJFOU ܧଓ தஅ ҰͭͰ΋੒ޭ શࣦͯഊ
    PQUJPOBM ܧଓ ܧଓ
    SFRVJSF SFRVJTJUF͕ଘ
    ࡏ͠ͳ͍৔߹Ͱ੒ޭ
    ͳ͠

    View Slide

  14. ੍ޚϑϥά
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_fprintd.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    QBN@FOWTPͷ؀ڥม਺ಡΈࠐΈ͸੒ޭ͢Δඞཁ͕͋Δ
    QBN@GQSJOUETPʹΑΔࢦ໲ೝূʹ੒ޭͨ͠Βɺଈ࣌ೝূ͸੒ޭ
    QBN@VOJYTPʹΑΔFUDTIBEPXͷύεϫʔυೝূʹ੒ޭͨ͠Βɺଈ࣌ೝূ͸੒ޭ
    QBN@TVDDFFE@JGTPʹΑΓɺVJE͕Ҏ্Ͱ͋Δඞཁ͕͋Δ
    QBN@EFOZTPʹΑΓશͯͷೝূ͕ڋ൱͞ΕΔ

    View Slide

  15. Ϟδϡʔϧ
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so

    View Slide

  16. Ϟδϡʔϧ

    View Slide

  17. QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT

    View Slide

  18. QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT
    Ϟδϡʔϧ Ҿ਺

    View Slide

  19. TP4IBSFE0CKFDU

    View Slide

  20. 4IBSFE0CKFDU
    IBZTP
    3VCZIFZ
    1)1IFZ

    (PMBOHIFZ

    $MBOHIFZ

    JODMVEFTUEJPI
    WPJEIBZ
    \
    QSJOUG )FMMP 5BLBEBz

    ^
    4IBSFE0CKFDU͸৭ʑͳݴޠ͔Β#JOEJOHͯ͠ɺ$BMM͢Δ͜ͱ͕ग़དྷΔ

    View Slide

  21. 3VCZͷ৔߹
    [
    require "ffi"
    module Fib
    extend FFI::Library
    ffi_lib "hey.so"
    attach_function :hey
    end
    puts Fib.hay
    # => Hello, Takada!

    View Slide

  22. ୤ઢMEE
    MEEίϚϯυͰର৅ͷόΠφϦ͕ϦϯΫ͍ͯ͠Δ
    4IBSFE0CKFDUΛ֬ೝ͢Δ͜ͱ͕ग़དྷ·͢ɻ
    Α͘࢖͏έʔε͸ɺύοέʔδϚωʔδϟʔͰೖΕͨ
    TP͔ΒιʔεΠϯετʔϧ͞ΕͨTPʹ࠶ϦϯΫ͢Δ
    ৔߹ͳͲʹར༻͢Δ

    View Slide

  23. ͞Βʹ୤ઢ&-'ϔομ
    -JOVYͷඪ४όΠφϦϑΥʔϚοτͰ͋Δ&-'ͷϔομΛݟΔͱɺ
    Ͳͷϝιου͕ར༻ՄೳͰ͋Δ͔ΛݟΔ͜ͱ͕ग़དྷΔ

    View Slide

  24. QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT
    Ϟδϡʔϧ Ҿ਺
    ݺͼग़͞ΕΔϝιου͸ʁ

    View Slide

  25. ݺͼग़͞ΕΔϝιου͸λΠϓ͝ͱʹҟͳΔ
    λΠϓ ϝιου
    BVUI QBN@TN@BVUIFOUJDBUF
    BDDPVOU QBN@TN@BDDU@NHNU
    QBTTXPSE QBN@TN@DIBVUIUPL
    TFTTJPO
    QBN@TN@PQFO@TFTTJPO
    QBN@TN@DMPTF@TFTTJPO
    1".@&95&3/JOU
    QBN@TN@BVUIFOUJDBUF QBN@IBOEMF@UQBNI
    JOUqBHT JOUBSHD DPOTUDIBSBSHW<>

    \
    QBN@HFU@VTFS QBNI VTFS /6--


    JG VTFSL@OJTIJEB

    SFUVSO 1".@"65)@&33

    ^
    OVMMPL USZ@pSTU@QBTTͷΑ͏ͳ
    Ҿ਺͸ BSHW͔ΒऔಘՄೳ

    View Slide

  26. 1".
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    QBN@FOWTP͸QBN@TN@BVUIFOUJDBUF͕࣮૷͞Ε͓ͯΓɺ
    QBN@MPDBMVTFSTPʹ͸QBN@TN@BDDU@NHNU͕࣮૷͞Ε͍ͯΔ

    View Slide

  27. 45/4ͷ৔߹
    QBN@TUOTTP
    45/4
    MPHJOTVEPFUD

    JE
    HSPVQ@JE
    EJSFDUPSZIPNFFYBNQMF
    QBTTXPSE;CD&6XR-8.D7
    45/4Ͱ͸MPHJO΍TVEP͔ΒBVUIλΠϓΛར༻ͯ͠ɺ
    ύεϫʔυೝূΛ)5514ͷ௨৴Ͱ࣮ݱ͍ͯ͠Δ
    HFU SFTQPOTF
    QBN@TN@BVUIFOUJDBUF

    View Slide

  28. ͜ͷੈʹ͸1".ʹ࢖ΘΕΔଆͷਓؒͱ
    1".Λ࢖͏ଆͷਓ͕͍ؒΔ
    CZΞϧηʔψɾϐϠϚ

    View Slide

  29. ࢖͏ଆʹͳΔʹ͸
    wIUUQXXXMJOVYQBNPSH-JOVY1".IUNM-JOVY1".@"%(IUNM
    wఆٛ͞ΕͨαʔϏε໊ʹج͖ͮɺFUDQBNEαʔϏε໊͕ࢀর͞ΕΔ
    QBN@TUBSU lαʔϏε໊z VTFS TUPSF@DPOW TTIQBN@IBOEMF

    ʜ
    QBN@BVUIFOUJDBUF TTIQBN@IBOEMF qBHT

    ʜ
    QBN@FOE TTIQBN@IBOEMF TTIQBN@FSS

    View Slide

  30. 44)ͷ৔߹ɺͲͷΑ͏ʹར༻͞Ε͍ͯΔ͔
    λΠϓ ϝιου ༻్
    BVUI QBN@BVUIFOUJDBUF
    TTIEͷύεϫʔυೝূʹར༻ɻެ։伴ೝূͳͲͰ͸ར༻͍ͯ͠ͳ
    ͍ɻ
    BDDPVOU QBN@BDDU@NHNU TTIEͷೝূޙʹར༻
    QBTTXPSE QBN@DIBVUIUPL
    TTIͰQUZΛ։͘ࡍʹɺBDDPVOUͰύεϫʔυͷ༗ޮظݶ͕੾Ε͍ͯ
    ͨ৔߹ͳͲʹར༻
    TFTTJPO
    QBN@PQFO@TFTTJPO
    QBN@DMPTF@TFTTJPO
    TTIEͷηογϣϯ։ด࣌ʹར༻

    View Slide

  31. ͨͩɺ$ݴޠͱ͔ॻ͚ͳ͍ͱɺ
    ࢖͑ͳ͍͡Όͳ͍Ͱ͔͢ʁ
    ·͋๻͸ॻ͖·͚͢Ͳɺ๻͸Ͷ

    View Slide

  32. (PMBOH

    View Slide

  33. HPCVJMECVJMENPEFDTIBSFE
    Go 1.5Ҏ߱ͳΒ͹CGOΛར༻͠ڞ༗ϥΠϒϥϦΛ࡞੒Մೳ
    package main
    /*
    #include
    #include
    */
    import "C"
    //export pam_sm_authenticate
    func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
    return C.PAM_SUCCESS
    }

    View Slide

  34. NSVCZ

    View Slide

  35. NSVCZ
    wܰྔ3VCZ
    wόΠφϦπʔϧΛ࡞੒Ͱ͖ͨΓɺ"QBDIFɺOHJOYͷϞδϡʔϧʹ૊ΈࠐΜͩΓ
    ͢Δ͜ͱ͕ग़དྷΔ
    w3VCZͱͷߟ͑ํͷҧ͍ͱͯ͠ɺ3VCZ͸(FNΛར༻ͯ͠ɺݺͼग़͠ઌͷϥΠϒ
    ϥϦͱ֦ͯ͠ு͍͕ͯ͘͠ɺNSVCZ͸NHFNͱ͍͏࢓૊ΈͰόΠφϦͦͷ΋ͷ
    Λ֦ு͢Δ
    3VCZ
    IUUQ
    PQFOTTM NSVCZ
    IUUQ
    PQFOTTM

    View Slide

  36. IUUQRJJUBDPNVE[VSBJUFNTBDDEBBDB

    View Slide

  37. MJCQBNNSVCZ
    MJCQBNNSVCZTP
    BVUI
    EFGBVUIFOUJDBUF VTFSOBNF QBTTXPSE

    VTFSOBNFbQZBNB`
    QBTTXPSEQ!TTXPSE
    FOE
    ೚ҙͷ3VCZεΫϦϓτΛ࣮ߦ͢Δࣄ͕Ͱ͖ΔͷͰɺ3VCZͰ࣮ݱग़དྷΔൣ
    ғͰࣗ༝ʹ֦ு͢Δ͜ͱ͕ग़དྷΔ
    (JU)VCɺ'BDF#PPLͷΑ͏ͳ֎෦αʔϏεͰೝূɺཁૉೝূFUDʜ

    View Slide

  38. ·ͱΊ

    View Slide

  39. FUDQBNE999͸೉͘͠ͳ͍

    View Slide

  40. 1".ʹ͸·ͩ·ͩՄೳੑ͕ͨ͘͞Μ

    View Slide

  41. -%"1
    45/4
    :VCJLFZ

    View Slide

  42. ͜͏͍͏ೝূ໘ന͍͔΋ʁ

    View Slide

  43. ϩάΠϯͨ͠ޙɺ
    ͜͏͍͏ࣄͰ͖ͨΒศར͔΋ʁ

    View Slide

  44. 8SJUFUIFDPEF$IBOHFUIFXPSME

    View Slide

  45. ܅΋ϖύϘͰಇ͔ͳ͍͔ʁ
    ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU

    View Slide