PAM_thing_Else

 PAM_thing_Else

九州インフラ交流勉強会(Kixs) Vol.004 春の認証祭りにてPAMについてトークしました。

1b838da2065660793d5b26f2cdc32de7?s=128

Kazuhiko Yamashita

May 13, 2017
Tweet

Transcript

  1. 6.

    1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so

    nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
  2. 8.

    1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so

    nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so 1".ͷઃఆ͸ύʔτͰߏ੒͞ΕΔ
  3. 9.

    λΠϓ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so

    nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
  4. 11.

    ੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so

    nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so ੍ޚϑϥά͸ఆٛॱʹ্͔ΒԼ΁ධՁ͞ΕΔ
  5. 13.

    ੍ޚϑϥά ϑϥά ࣦഊͨ͠৔߹ͷ ޙଓॲཧ ੒ޭͨ͠৔߹ͷ ޙଓॲཧ ੒ޭ৚݅ ࣦഊ৚݅ SFRVJSFE ܧଓ

    ܧଓ શͯ੒ޭ ҰͭͰ΋ࣦഊ SFRVJTJUF தஅ ܧଓ શͯ੒ޭ ҰͭͰ΋ࣦഊ TV⒏DJFOU ܧଓ தஅ ҰͭͰ΋੒ޭ શࣦͯഊ PQUJPOBM ܧଓ ܧଓ SFRVJSF SFRVJTJUF͕ଘ ࡏ͠ͳ͍৔߹Ͱ੒ޭ ͳ͠
  6. 14.

    ੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_fprintd.so

    auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so QBN@FOWTPͷ؀ڥม਺ಡΈࠐΈ͸੒ޭ͢Δඞཁ͕͋Δ QBN@GQSJOUETPʹΑΔࢦ໲ೝূʹ੒ޭͨ͠Βɺଈ࣌ೝূ͸੒ޭ QBN@VOJYTPʹΑΔFUDTIBEPXͷύεϫʔυೝূʹ੒ޭͨ͠Βɺଈ࣌ೝূ͸੒ޭ QBN@TVDDFFE@JGTPʹΑΓɺVJE͕Ҏ্Ͱ͋Δඞཁ͕͋Δ QBN@EFOZTPʹΑΓશͯͷೝূ͕ڋ൱͞ΕΔ
  7. 15.

    Ϟδϡʔϧ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so

    nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
  8. 20.

    4IBSFE0CKFDU IBZTP 3VCZIFZ 1)1IFZ  (PMBOHIFZ $MBOHIFZ  JODMVEFTUEJPI WPJEIBZ

    \ QSJOUG )FMMP 5BLBEBz  ^ 4IBSFE0CKFDU͸৭ʑͳݴޠ͔Β#JOEJOHͯ͠ɺ$BMM͢Δ͜ͱ͕ग़དྷΔ
  9. 21.

    3VCZͷ৔߹ [ require "ffi" module Fib extend FFI::Library ffi_lib "hey.so"

    attach_function :hey end puts Fib.hay # => Hello, Takada!
  10. 25.

    ݺͼग़͞ΕΔϝιου͸λΠϓ͝ͱʹҟͳΔ λΠϓ ϝιου BVUI QBN@TN@BVUIFOUJDBUF BDDPVOU QBN@TN@BDDU@NHNU QBTTXPSE QBN@TN@DIBVUIUPL TFTTJPO

    QBN@TN@PQFO@TFTTJPO QBN@TN@DMPTF@TFTTJPO 1".@&95&3/JOU QBN@TN@BVUIFOUJDBUF QBN@IBOEMF@U QBNI  JOUqBHT JOUBSHD DPOTUDIBS BSHW<>  \ QBN@HFU@VTFS QBNI VTFS /6--  JG VTFSL@OJTIJEB  SFUVSO 1".@"65)@&33  ^ OVMMPL USZ@pSTU@QBTTͷΑ͏ͳ Ҿ਺͸ BSHW͔ΒऔಘՄೳ
  11. 26.

    1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so

    nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so QBN@FOWTP͸QBN@TN@BVUIFOUJDBUF͕࣮૷͞Ε͓ͯΓɺ QBN@MPDBMVTFSTPʹ͸QBN@TN@BDDU@NHNU͕࣮૷͞Ε͍ͯΔ
  12. 30.

    44)ͷ৔߹ɺͲͷΑ͏ʹར༻͞Ε͍ͯΔ͔ λΠϓ ϝιου ༻్ BVUI QBN@BVUIFOUJDBUF TTIEͷύεϫʔυೝূʹར༻ɻެ։伴ೝূͳͲͰ͸ར༻͍ͯ͠ͳ ͍ɻ BDDPVOU QBN@BDDU@NHNU

    TTIEͷೝূޙʹར༻ QBTTXPSE QBN@DIBVUIUPL TTIͰQUZΛ։͘ࡍʹɺBDDPVOUͰύεϫʔυͷ༗ޮظݶ͕੾Ε͍ͯ ͨ৔߹ͳͲʹར༻ TFTTJPO QBN@PQFO@TFTTJPO QBN@DMPTF@TFTTJPO TTIEͷηογϣϯ։ด࣌ʹར༻
  13. 32.
  14. 33.

    HPCVJMECVJMENPEFDTIBSFE Go 1.5Ҏ߱ͳΒ͹CGOΛར༻͠ڞ༗ϥΠϒϥϦΛ࡞੒Մೳ package main /* #include <pwd.h> #include <sys/types.h>

    */ import "C" //export pam_sm_authenticate func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int { return C.PAM_SUCCESS }
  15. 34.
  16. 37.

    MJCQBNNSVCZ MJCQBNNSVCZTP BVUI EFGBVUIFOUJDBUF VTFSOBNF QBTTXPSE  VTFSOBNFbQZBNB` QBTTXPSEQ!TTXPSE FOE

    ೚ҙͷ3VCZεΫϦϓτΛ࣮ߦ͢Δࣄ͕Ͱ͖ΔͷͰɺ3VCZͰ࣮ݱग़དྷΔൣ ғͰࣗ༝ʹ֦ு͢Δ͜ͱ͕ग़དྷΔ (JU)VCɺ'BDF#PPLͷΑ͏ͳ֎෦αʔϏεͰೝূɺཁૉೝূFUDʜ
  17. 38.