PAM_thing_Else

I gave a talk about PAM at the Kyushu Infrastructure Exchange Study Group (九州インフラ交流勉強会, Kixs) Vol.004, the "Spring Authentication Festival".

Kazuhiko Yamashita

May 13, 2017

Transcript

  1. PAM_thing_Else
    (Samidare, May blues, Ninjari Bang Bang edition)
    @pyama, GMO Pepabo, Inc.
    Kyushu Infrastructure Exchange Study Group (Kixs) Vol.004

  2. https://ten-snapon.com
    Chief Technical Lead
    Kazuhiko Yamashita (@pyama)
    Hosting Business Division

  3. https://stns.jp

  4. Pluggable Authentication Module

  5. KPP is the best! Got married!
    PAM overview
    A pluggable interface
    Freedom, and what lies beyond

  6. PAM
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    account required pam_unix.so
    account sufficient pam_localuser.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    session optional pam_keyinit.so revoke
    session required pam_limits.so

  7. PAM
    Abstraction of authentication as seen from the application.
    Application: ssh, sudo, login
    PAM
    Backend: LDAP, STNS, /etc/shadow

  8. PAM
    (same /etc/pam.d/system-auth listing as slide 6)
    A PAM configuration is made up of parts.

  9. Type
    (same /etc/pam.d/system-auth listing as slide 6; the first column is the type)

  10. Type
    Type      Use case
    auth      Used when authenticating the user, e.g. with LDAP or STNS.
    account   Management of things like account validity periods and password change periods.
    password  When a password is changed, enforces policy such as password length and upper/lower-case requirements.
    session   After login: creating directories, starting terminal logging, and so on.

  11. Control flags
    (same /etc/pam.d/system-auth listing as slide 6; the second column is the control flag)
    Control flags are evaluated from top to bottom, in the order they are defined.

  12. Control flags
    Flag        Meaning
    required    Must succeed, but processing continues even on failure. When it fails, the return value of the first module that failed is the one adopted.
    requisite   Must succeed. Unlike required, a failure aborts processing at that point.
    sufficient  If no required module has failed, a success here counts as overall success and processing stops.
    optional    Success or failure is normally ignored, but when there are no other flags, the optional result is used.

  13. Control flags
    Flag        On failure   On success              Succeeds when                                   Fails when
    required    continue     continue                all succeed                                     any one fails
    requisite   abort        continue                all succeed                                     any one fails
    sufficient  continue     stop (stack succeeds)   any one succeeds                                all fail
    optional    continue     continue                no required/requisite present and it succeeds   none

  14. Control flags
    $ cat /etc/pam.d/system-auth
    auth required pam_env.so
    auth sufficient pam_fprintd.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    Loading environment variables with pam_env.so must succeed.
    If fingerprint authentication by pam_fprintd.so succeeds, authentication succeeds immediately.
    If password authentication against /etc/shadow by pam_unix.so succeeds, authentication succeeds immediately.
    pam_succeed_if.so requires the uid to be 500 or higher.
    pam_deny.so rejects all authentication.
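
The control-flag rules of slides 12 to 14, worked as an added example that is not part of the deck: a small Python simulator that parses a pam.d-style stack and evaluates it against constructed module outcomes, so you can see which modules are consulted and why the slide-14 stack either stops early or ends in pam_deny.so. The module outcomes in `results` are assumptions fed in by hand, not real module calls.

```python
# Added example (not from the deck): simulate how Linux-PAM walks one type's
# stack top to bottom and combines required / requisite / sufficient /
# optional, following the control-flag tables above. Module outcomes come
# from a constructed dict, so this runs offline; arguments such as "nullok"
# are parsed but not interpreted.

# The auth stack from the control-flag example slide (copied as a constant).
SYSTEM_AUTH = """\
auth required   pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth required   pam_deny.so
"""


def parse_stack(config_text, wanted_type):
    """Return [(control, module, args)] for the lines of one type, in order."""
    stack = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == wanted_type:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def evaluate(stack, results):
    """Return (authenticated, modules_consulted); results maps module -> bool."""
    consulted, first_failure, saw_required = [], None, False
    saw_sufficient, optional_results = False, []
    for control, module, _args in stack:
        ok = results.get(module, False)       # unknown module counts as failure
        consulted.append(module)
        if control in ("required", "requisite"):
            saw_required = True
            if not ok:
                first_failure = first_failure or module   # first failure wins
                if control == "requisite":
                    break                     # requisite: abort right here
        elif control == "sufficient":
            saw_sufficient = True
            if ok and first_failure is None:
                return True, consulted        # success ends the stack now
        elif control == "optional":
            optional_results.append(ok)
    if first_failure is not None:
        return False, consulted               # a required/requisite failed
    if saw_required:
        return True, consulted                # every required/requisite passed
    if saw_sufficient:
        return False, consulted               # every sufficient module failed
    return bool(optional_results) and all(optional_results), consulted
```

Running `evaluate` with only pam_env.so and pam_succeed_if.so succeeding shows why the trailing `required pam_deny.so` matters: without it, a stack in which no factor matched would still pass, because the only required module (pam_env.so) succeeded.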

  15. Module
    (same /etc/pam.d/system-auth listing as slide 6; the third column is the module)

  16. Module

  17. pam_unix.so nullok try_first_pass

  18. pam_unix.so nullok try_first_pass
    Module: pam_unix.so. Arguments: nullok try_first_pass.

  19. .so = Shared Object

  20. Shared Object
    hay.so, called (hey) from Ruby, PHP, Golang and C:
    #include <stdio.h>
    void hay()
    {
        printf("Hello, Takada!\n");
    }
    A shared object can be bound to and called from many different languages.

  21. The Ruby case
    require "ffi"
    module Fib
      extend FFI::Library
      ffi_lib "hay.so"
      attach_function :hay, [], :void
    end
    Fib.hay
    # prints: Hello, Takada!

  22. Digression: ldd
    The ldd command lets you check which shared objects a given binary is linked against.
    A common case is re-linking from a .so installed by the package manager to a .so installed from source.

  23. Further digression: the ELF header
    Looking at the header of ELF, the standard binary format on Linux, shows which methods (exported symbols) are available.

  24. pam_unix.so nullok try_first_pass
    Module: pam_unix.so. Arguments: nullok try_first_pass.
    Which method gets called?

  25. The method called differs per type
    Type      Method
    auth      pam_sm_authenticate
    account   pam_sm_acct_mgmt
    password  pam_sm_chauthtok
    session   pam_sm_open_session, pam_sm_close_session

    #include <string.h>
    #include <security/pam_modules.h>

    PAM_EXTERN int
    pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[])
    {
        const char *user;
        if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
            return PAM_USER_UNKNOWN;   /* could not obtain the user name */
        }
        if (strcmp(user, "k_nishida") == 0) {
            return PAM_AUTH_ERR;       /* reject this particular user */
        }
        return PAM_SUCCESS;
    }
    Arguments such as nullok and try_first_pass can be read from argv.

  26. PAM
    (same /etc/pam.d/system-auth listing as slide 6)
    pam_env.so implements pam_sm_authenticate, and pam_localuser.so implements pam_sm_acct_mgmt.

  27. The STNS case
    login, sudo, etc. -> pam_stns.so -> (get / response over HTTPS) -> STNS
    STNS user record:
      id
      group_id
      directory: /home/example
      password: <hash omitted>
    In STNS, login and sudo use the auth type (pam_sm_authenticate), and password authentication is implemented over HTTPS.

  28. In this world there are people who are used by PAM, and people who use PAM.
    by Arsène Piyama

  29. To be on the side that uses it
    • http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html
    • Based on the service name passed in, /etc/pam.d/<service name> is consulted.
    pam_start("service name", user, &store_conv, &sshpam_handle);
    …
    pam_authenticate(sshpam_handle, flags);
    …
    pam_end(sshpam_handle, sshpam_err);

  30. How SSH uses it
    Type      Method                                 Purpose
    auth      pam_authenticate                       Used for sshd password authentication; not used for public-key authentication and the like.
    account   pam_acct_mgmt                          Used after sshd has authenticated.
    password  pam_chauthtok                          Used when ssh opens a pty, e.g. when the account stage found the password expired.
    session   pam_open_session, pam_close_session    Used when sshd opens and closes a session.

  31. But unless you can write C or something, you can't use it, right?
    Well, I do write it. But that's me.

  32. Golang

  33. go build -buildmode=c-shared
    With Go 1.5 or later, cgo can be used to build a shared library.
    package main

    /*
    #include <security/pam_appl.h>
    #include <security/pam_modules.h>
    */
    import "C"

    //export pam_sm_authenticate
    func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
    	return C.PAM_SUCCESS
    }

    // -buildmode=c-shared requires package main to have a main function; it is never called.
    func main() {}

  34. mruby

  35. mruby
    • Lightweight Ruby.
    • Can be used to build binary tools, or embedded into Apache and nginx modules.
    • The mindset differs from Ruby: Ruby extends itself with gems, libraries that are called into, whereas mruby extends the binary itself through a mechanism called mgem.
    Ruby: http, openssl (gems)    mruby: http, openssl (built into the binary)

  36. http://qiita.com/udzura/items/…

  37. libpam-mruby
    libpam-mruby.so, auth:
    def authenticate(username, password)
      username == 'pyama' && password == 'p@ssword'
    end
    Because it can run arbitrary Ruby scripts, it can be extended freely within what Ruby can do:
    authentication with external services such as GitHub or Facebook, multi-factor authentication, etc.

  38. Summary

  39. /etc/pam.d/XXX is not hard

  40. PAM still has lots of untapped possibilities

  41. LDAP
    STNS
    Yubikey

  42. Wouldn't this kind of authentication be interesting?

  43. After logging in, wouldn't it be handy to be able to do this kind of thing?

  44. Write the code. Change the world.

  45. Why not work at Pepabo too?
    Check the latest hiring information → @pb_recruit