Kazuhiko Yamashita
May 13, 2017
PAM_thing_Else
I gave a talk on PAM at 九州インフラ交流勉強会 (Kixs) Vol.004, "春の認証祭り" (Spring Authentication Festival).
Transcript
PAM thing Else
May rain, May blues, "Ninja Re Bang Bang" edition
@pyama86, GMO Pepabo, Inc.
九州インフラ交流勉強会 (Kixs) Vol.004

https://ten-snapon.com
Chief Technical Lead, Yamashita (@pyama86), Hosting Division

http://stns.jp

Pluggable Authentication Module

- KPP is the best! I want to marry her!
- PAM overview
- A pluggable interface
- Freedom, and what lies beyond

PAM

    $ cat /etc/pam.d/system-auth
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so

PAM: an abstraction of authentication as seen from the application

- Application: ssh, sudo, login
- PAM
- Backend: LDAP, STNS, /etc/shadow

Each entry in the PAM configuration above is made up of several parts.
Type (the first field of each entry)

| Type | Use case |
| --- | --- |
| auth | Used when authenticating a user, for example with LDAP or STNS |
| account | Management of things like the account validity period and the password change interval |
| password | Used when a password is changed, for example to manage policy on the password's characters and upper/lower case |
| session | After login: creating directories, starting terminal logging, and so on |
Control flag (the second field of each entry)

Control flags are evaluated from top to bottom, in the order they are defined.

| Flag | Meaning |
| --- | --- |
| required | The module must succeed, but processing continues even if it fails. On failure, the return value of the first module that failed is used. |
| requisite | The module must succeed. Unlike required, a failure stops processing at that point. |
| sufficient | If no required module has failed, a success is treated as overall success at that point and processing stops. |
| optional | Success or failure is normally ignored, but when there are no other flags the result of optional is used. |

| Flag | After a failure | After a success | Success condition | Failure condition |
| --- | --- | --- | --- | --- |
| required | continue | continue | all succeed | any one fails |
| requisite | stop | continue | all succeed | any one fails |
| sufficient | continue | stop | any one succeeds | all fail |
| optional | continue | continue | succeeds when no required or requisite exists | none |
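Control flag

    $ cat /etc/pam.d/system-auth
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

- pam_env.so: loading the environment variables must succeed.
- pam_fprintd.so: if fingerprint authentication succeeds, authentication succeeds immediately.
- pam_unix.so: if password authentication against /etc/shadow succeeds, authentication succeeds immediately.
- pam_succeed_if.so: the uid must be 500 or greater.
- pam_deny.so: all authentication is denied.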
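The evaluation order described for this stack can be checked with a small model. This is an added example, not code from the slides: it walks the slide's auth stack with a simplified version of the four control flags (real Linux-PAM tracks return codes rather than True/False), using constructed module outcomes, and shows that without the trailing pam_deny.so the same failed login would be granted.

```python
# Added example: simplified model of the control flags; STACK copies the slide's auth stack.
STACK = """\
auth required   pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth required   pam_deny.so
"""

def parse(text, pam_type="auth"):
    """Return [(control, module)] for one type; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == pam_type:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, results):
    """Walk the stack top to bottom; return (granted, modules that were called)."""
    required_failed = False  # sticky: some required module has failed
    any_ok = False           # some result has counted as a success
    called = []
    for control, module in entries:
        passed = results[module]          # results maps module name -> True/False
        called.append(module)
        if control == "requisite" and not passed:
            return False, called          # stop at once, denied
        if control == "sufficient":
            if passed and not required_failed:
                return True, called       # stop at once, granted
            continue                      # otherwise the result is ignored
        if passed:
            any_ok = True                 # required / requisite / optional success
        elif control == "required":
            required_failed = True        # remembered, but the walk continues
    return any_ok and not required_failed, called

# Constructed outcomes: fingerprint and password both fail, the uid check passes.
BAD_CREDS = {"pam_env.so": True, "pam_fprintd.so": False, "pam_unix.so": False,
             "pam_succeed_if.so": True, "pam_deny.so": False}

def demo():
    full = parse(STACK)
    no_deny = [e for e in full if e[1] != "pam_deny.so"]
    return evaluate(full, BAD_CREDS)[0], evaluate(no_deny, BAD_CREDS)[0]

if __name__ == "__main__":
    print(demo())  # (False, True): without pam_deny.so the stack fails open
```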
Module (the third field of each entry)

    pam_unix.so nullok try_first_pass

Here pam_unix.so is the module, and nullok and try_first_pass are its arguments.

.so: Shared Object
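Shared Object

hay.so (called from Ruby, PHP, Golang and Clang):

    #include <stdio.h>

    void hay(void)
    {
        printf("Hello, Takada!");
    }

A Shared Object can be bound to and called from many different languages.

In the case of Ruby:

    require "ffi"

    module Fib
      extend FFI::Library
      ffi_lib "./hay.so"                # the shared object built from the C code above
      attach_function :hay, [], :void   # name, argument types, return type
    end

    Fib.hay # prints "Hello, Takada!"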
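Digression: ldd

The ldd command shows which Shared Objects a given binary is linked against. A common use is when relinking from a .so installed by the package manager to a .so installed from source.

Further digression: the ELF header

Looking at the headers of ELF, the standard binary format on Linux, shows which methods are available.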
    pam_unix.so nullok try_first_pass

Module and arguments: which method gets called?

The method that is called differs by type.

| Type | Method |
| --- | --- |
| auth | pam_sm_authenticate |
| account | pam_sm_acct_mgmt |
| password | pam_sm_chauthtok |
| session | pam_sm_open_session, pam_sm_close_session |

    #include <string.h>
    #include <security/pam_modules.h>

    PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[])
    {
        const char *user = NULL;
        if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS)
            return PAM_AUTH_ERR;
        if (strcmp(user, "k_nishida") == 0) /* deny this one user */
            return PAM_AUTH_ERR;
        return PAM_SUCCESS;
    }

Arguments such as nullok and try_first_pass can be read from argv.

In the /etc/pam.d/system-auth listing, pam_env.so implements pam_sm_authenticate, and pam_localuser.so implements pam_sm_acct_mgmt.
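The STNS case

Diagram: login/sudo/etc. call pam_sm_authenticate in pam_stns.so, which sends a get to STNS and receives a response.

    [users.example]
    id = …
    group_id = …
    directory = "/home/example"
    password = "…"

With STNS, login and sudo use the auth type, and password authentication is carried out over HTTPS.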
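"In this world there are people who are used by PAM and people who use PAM." (by Arsène Piyama)

Becoming one of the people who use it

- http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html
- /etc/pam.d/(service name) is looked up based on the service name that was defined.

    pam_start("service name", user, &store_conv, &sshpam_handle);
    …
    pam_authenticate(sshpam_handle, flags);
    …
    pam_end(sshpam_handle, sshpam_err);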
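How PAM is used in the case of SSH

| Type | Method | Purpose |
| --- | --- | --- |
| auth | pam_authenticate | Used for sshd password authentication. Not used for public key authentication and the like. |
| account | pam_acct_mgmt | Used after sshd authentication |
| password | pam_chauthtok | Used when opening a pty over ssh, for example when account found that the password had expired |
| session | pam_open_session, pam_close_session | Used when an sshd session is opened and closed |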
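But you can't use it unless you can write C or something, can you?
Well, I do write it, though.

Golang

    go build -buildmode=c-shared

With Go 1.5 or later, a shared library can be built using cgo.

    package main

    /*
    #include <pwd.h>
    #include <sys/types.h>
    #include <security/pam_appl.h> // provides pam_handle_t and PAM_SUCCESS
    */
    import "C"

    //export pam_sm_authenticate
    func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int {
        return C.PAM_SUCCESS
    }

    // -buildmode=c-shared requires a main function; it is never called.
    func main() {}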
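mruby

- Lightweight Ruby
- Can be used to build binary tools, or embedded into Apache and nginx modules
- A difference in philosophy from Ruby: Ruby uses gems to extend itself with libraries that it calls, whereas mruby extends the binary itself through a mechanism called mgem

Diagram: Ruby with http and openssl; mruby with http and openssl.

http://qiita.com/udzura/items/…

libpam-mruby

libpam-mruby.so, auth:

    def authenticate(username, password)
      username == 'pyama' && password == 'p@ssword'
    end

Because it can run arbitrary Ruby scripts, PAM can be extended freely within whatever Ruby can do: authentication against external services such as GitHub or Facebook, multi-factor authentication, etc.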
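Summary

- /etc/pam.d/XXX is not difficult
- PAM still has plenty of potential

LDAP, STNS, Yubikey

Wouldn't this kind of authentication be interesting?

After logging in, wouldn't it be handy to be able to do this kind of thing?

Write the code, Change the world

Why not come and work at Pepabo? Check the latest hiring information → @pb_recruit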