
PAM_thing_Else

At Kyushu Infrastructure Exchange Study Group (Kixs) Vol.004, the Spring Authentication Festival, I gave a talk about PAM.

Kazuhiko Yamashita

May 13, 2017

Transcript

  1. ~ Samidare (May rain), May blues, Ninjari Bang Bang edition ~ / @pyama, GMO Pepabo Inc. / Kyushu Infrastructure Exchange Study Group (Kixs) Vol.004 / PAM_thing_Else

  2. https://ten-snapon.com / Chief Technical Lead / Kazuhiko Yamashita (@pyama), Hosting Business Division

  3. https://stns.jp

  4. Pluggable Authentication Module

  5. KPP is the best! I want to marry her! Agenda: PAM overview / a pluggable interface / freedom, and what lies beyond it

  6. PAM
      $ cat /etc/pam.d/system-auth
      auth required pam_env.so
      auth sufficient pam_unix.so nullok try_first_pass
      account required pam_unix.so
      account sufficient pam_localuser.so
      password requisite pam_cracklib.so try_first_pass retry=3 type=
      password sufficient pam_unix.so sha512 shadow nullok try_first_pass
      session optional pam_keyinit.so revoke
      session required pam_limits.so
  7. PAM: authentication abstracted away from the application's point of view. Diagram: applications (ssh, sudo, login) on one side, backends (LDAP, STNS, /etc/shadow) on the other, with PAM in between.
  8. PAM (same /etc/pam.d/system-auth listing as slide 6): a PAM configuration line is made up of distinct parts.
  9. Type (same /etc/pam.d/system-auth listing as slide 6)
  10. Type / use case:
      auth      Used when authenticating the user, e.g. via LDAP or STNS.
      account   Manages things like the account's validity period and the password change interval.
      passwd    On password changes and the like, enforces policy such as password length and upper/lower-case requirements.
      session   After login: creating a directory, starting a terminal log, and so on.
  11. Control flag (same /etc/pam.d/system-auth listing as slide 6): control flags are evaluated in the order they are defined, top to bottom.
  12. Control flag / meaning:
      required    Must succeed, but processing continues even if it fails. On failure, the return value is that of the first module that failed.
      requisite   Must succeed. Unlike required, processing stops at that point on failure.
      sufficient  If no required module has failed, success here counts as overall success and processing stops.
      optional    Normally its success or failure is ignored, but when no other flag is present, the optional result is used.
  13. Control flag summary:
      Flag        After failure   After success   Success condition                                Failure condition
      required    continue        continue        all succeed                                      any one fails
      requisite   abort           continue        all succeed                                      any one fails
      sufficient  continue        abort           any one succeeds                                 all fail
      optional    continue        continue        succeeds when no required/requisite is present   none
  14. Control flag
      $ cat /etc/pam.d/system-auth
      auth required pam_env.so
      auth sufficient pam_fprintd.so
      auth sufficient pam_unix.so nullok try_first_pass
      auth requisite pam_succeed_if.so uid >= 500 quiet
      auth required pam_deny.so
      Reading this stack: loading environment variables via pam_env.so must succeed; if fingerprint authentication via pam_fprintd.so succeeds, authentication succeeds immediately; if password authentication against /etc/shadow via pam_unix.so succeeds, authentication succeeds immediately; pam_succeed_if.so requires the uid to be 500 or higher; pam_deny.so rejects all authentication.
  15. Module (same /etc/pam.d/system-auth listing as slide 6)
  16. Module

  17. pam_unix.so nullok try_first_pass

  18. pam_unix.so nullok try_first_pass: the module, followed by its arguments

  19. .so = Shared Object

  20. Shared Object: hay.so, called from Ruby, PHP, Golang and C.
      #include <stdio.h>
      void hay() { printf("Hello, Takada"); }
      A shared object can be bound to from many languages and called.
  21. In Ruby:
      require "ffi"
      module Fib
        extend FFI::Library
        ffi_lib "./hay.so"               # the shared object from slide 20
        attach_function :hay, [], :void  # ffi needs the argument and return types
      end
      Fib.hay # prints Hello, Takada!
  22. Digression: ldd. The ldd command shows which shared objects a given binary links against. A typical use is when relinking from a .so installed by the package manager to one installed from source.

  23. Further digression: the ELF header. Looking at the header of an ELF binary (Linux's standard binary format) shows which functions are available.

  24. pam_unix.so nullok try_first_pass: module, arguments. Which function gets called?

  25. The function invoked differs per type:
      auth      pam_sm_authenticate
      account   pam_sm_acct_mgmt
      password  pam_sm_chauthtok
      session   pam_sm_open_session / pam_sm_close_session

      #include <security/pam_modules.h>   /* added: declares the pam_sm_* API and status codes */

      PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                                         int argc, const char **argv)
      {
          const char *user = NULL;
          pam_get_user(pamh, &user, NULL);
          if (/* the check on user shown on the slide did not survive extraction */)
              return PAM_AUTH_ERR;
          return PAM_SUCCESS;   /* added so that every path returns a status */
      }
      Arguments such as nullok and try_first_pass are available from argv.
  26. PAM (same /etc/pam.d/system-auth listing as slide 6): pam_….so implements pam_sm_authenticate, and pam_….so implements pam_sm_acct_mgmt.
  27. The STNS case: the STNS PAM module (pam_….so) sits between login/sudo/etc. and STNS. A user definition on the STNS side looks like:
      [users.example]
      id = …
      directory = "/home/example"
      password = "…"
      In STNS, login and sudo use the auth type, and password authentication is carried out over HTTPS: get → response → pam_sm_authenticate.
  28. In this world there are people who are used by PAM and people who use PAM. (by Arsène Piyama)

  29. To become the side that uses PAM:
      - http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html
      - Based on the service name given, /etc/pam.d/<service name> is consulted.
      pam_start("<service name>", user, &pam_conv, &pamh);
      …
      pam_authenticate(pamh, flags);
      …
      pam_end(pamh, pam_status);
  30. How SSH uses PAM:
      Type      Function                               Use
      auth      pam_authenticate                       sshd password authentication; not used for public-key authentication and the like
      account   pam_acct_mgmt                          used after sshd has authenticated the user
      password  pam_chauthtok                          used when ssh opens a pty and the account stage found the password expired, etc.
      session   pam_open_session / pam_close_session   used when sshd opens and closes a session
  31. But if you can't write C or the like, you can't use it, right? Well, I can write it, but that's me.

  32. Golang

  33. go build -buildmode=c-shared: from Go 1.5 onward, cgo can be used to produce a shared library.
      package main

      /*
      #include <pwd.h>
      #include <sys/types.h>
      #include <security/pam_modules.h> // added: declares pam_handle_t and PAM_SUCCESS
      */
      import "C"

      //export pam_sm_authenticate
      func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
          return C.PAM_SUCCESS
      }

      // added: a c-shared build of package main still needs a main function, even an empty one
      func main() {}
  34. mruby

  35. mruby
      - lightweight Ruby
      - can be built into binary tools, or embedded in Apache and nginx modules
      - a difference in mindset from Ruby: Ruby extends by pulling in Gems as libraries called from code, whereas mruby extends the binary itself through a mechanism called mgem
      Ruby → http, openssl (gems); mruby → http, openssl (mgems)
  36. http://qiita.com/udzura/items/…

  37. libpam-mruby (libpam-mruby.so), auth:
      def authenticate(username, password)
        username == 'pyama' && password == 'p@ssword'
      end
      Since any Ruby script can be executed, you can extend it freely within what Ruby can do: authenticating against external services like GitHub or Facebook, multi-factor authentication, etc.
  38. Summary

  39. /etc/pam.d/XXX is not hard

  40. PAM still has plenty of potential

  41. LDAP, STNS, Yubikey

  42. Maybe this kind of authentication would be interesting?

  43. After logging in, wouldn't it be handy to be able to do things like this?

  44. Write the code. Change the world.

  45. Why not work at Pepabo too? Check the latest recruiting information → …