Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
PAM_thing_Else
Search
Kazuhiko Yamashita
May 13, 2017
Programming
2
2.4k
PAM_thing_Else
九州インフラ交流勉強会(Kixs) Vol.004 春の認証祭りにてPAMについてトークしました。
Kazuhiko Yamashita
May 13, 2017
Tweet
Share
More Decks by Kazuhiko Yamashita
See All by Kazuhiko Yamashita
Re:Define 可用性を支える モニタリング、パフォーマンス最適化、そしてセキュリティ
pyama86
9
6.7k
AI時代におけるSRE、 あるいはエンジニアの生存戦略
pyama86
6
1.5k
Tuning GraphQL on Rails
pyama86
2
1.7k
ttlcacheのここがスゴい
pyama86
1
120
クラウドサービスの 利用コストを削減する技術 - 円安の真南風を感じて -
pyama86
3
570
実践ARMアーキテクチャ移行
pyama86
2
2.4k
リモートワーク時代の守護神 PHP開発者のためのセキュリティ強化術
pyama86
3
1.1k
実践DevSecOps~クラウドネイティブとオンプレミスの間から~
pyama86
1
100
ペパボOpenTelemetry革命
pyama86
2
2.1k
Other Decks in Programming
See All in Programming
Datadog DBMでなにができる? JDDUG Meetup#7
nealle
0
140
kintone開発を効率化するためにチームで試した施策とその結果を大放出!
oguemon
0
120
Formの複雑さに立ち向かう
bmthd
1
930
15分で学ぶDuckDBの可愛い使い方 DuckDBの最近の更新
notrogue
3
490
Djangoアプリケーション 運用のリアル 〜問題発生から可視化、最適化への道〜 #pyconshizu
kashewnuts
1
260
ファインディLT_ポケモン対戦の定量的分析
fufufukakaka
0
920
.NET Frameworkでも汎用ホストが使いたい!
tomokusaba
0
200
苦しいTiDBへの移行を乗り越えて快適な運用を目指す
leveragestech
0
1k
PHPのバージョンアップ時にも役立ったAST
matsuo_atsushi
0
220
sappoRo.R #12 初心者セッション
kosugitti
0
270
Honoをフロントエンドで使う 3つのやり方
yusukebe
7
3.5k
データの整合性を保つ非同期処理アーキテクチャパターン / Async Architecture Patterns
mokuo
54
19k
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Writing Fast Ruby
sferik
628
61k
Into the Great Unknown - MozCon
thekraken
35
1.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
A better future with KSS
kneath
238
17k
Docker and Python
trallard
44
3.3k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
Transcript
ʙޒ݄Ӎɺޒ݄පɺʹΜ͡ΌΓΜΜ൛ʙ !QZBNB(.01FQBCP *OD भΠϯϑϥަྲྀษڧձ ,JYT 7PM 1".UIJOH&MTF
IUUQTUFOTOBQPODPN νʔϑςΫχΧϧϦʔυ ࢁԼ!QZBNB ϗεςΟϯάࣄۀ෦
IUUQTUOTKQ
1MVHHBCMF "VUIFOUJDBUJPO .PEVMF
,11࠷ߴʂ͍݁ࠗͨ͠ʂ 1".֓ཁ ϓϥΨϒϧͳΠϯλʔϑΣʔε ࣗ༝ɺͦͯ͠ɺͦͷઌʹ
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
1". TTI 1". -%"1 45/4 FUDTIBEPX TVEP MPHJO ΞϓϦέʔγϣϯ͔ΒݟͨೝূͷநԽ "QQMJDBUJPO
#BDLFOE
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so 1".ͷઃఆύʔτͰߏ͞ΕΔ
λΠϓ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
λΠϓ λΠϓ ར༻έʔε BVUI Ϣʔβʔೝূ࣌ʹར༻ɻ-%"145/4ͷར༻ͳͲ BDDPVOU ΞΧϯτͷ༗ޮظؒͱ͔ɺύεϫʔυͷมߋظؒͷϚωδϝϯτͳͲ QBTTXE ύεϫʔυͷมߋ࣌ͳͲʹɺύεϫʔυͷจࣈɺେจࣈখจࣈͷ ϙϦγʔΛཧͨ͠Γ͢Δ
TFTTJPO ϩάΠϯޙʹσΟϨΫτϦΛ࡞5FSNJOBMϩάͷ։࢝ͳͲ
੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so ੍ޚϑϥάఆٛॱʹ্͔ΒԼධՁ͞ΕΔ
੍ޚϑϥά ϑϥά ༰ SFRVJSFE ඞͣޭ͢Δඞཁ͕͋Δ͕ɺࣦഊͯ͠ॲཧܧଓ͞ΕΔɻ ࣦഊͨ͠߹ͷΓɺ࠷ॳʹࣦഊͨ͠ϞδϡʔϧͷΓ͕࠾༻͞ΕΔ SFRVJTJUF ඞͣޭ͢Δඞཁ͕͋ΔɻSFRVSFEͱҟͳΓɺࣦഊ͢Δͱॲཧͦͷ࣌Ͱɺதஅ͢Δ TV⒏DJFOU SFRVJSFE͕ࣦഊ͍ͯ͠ͳ͍߹ʹɺޭ͢Δͱͦͷ࣌ͰޭͱΈͳ͠ɺॲཧΛதஅ͢Δ
PQUJPOBM ௨ৗ൱Λແࢹ͢Δ͕ɺଞͷϑϥά͕ͳ͍߹ɺPQUJPOBMͷ݁Ռ͕ར༻͞ΕΔ
੍ޚϑϥά ϑϥά ࣦഊͨ͠߹ͷ ޙଓॲཧ ޭͨ͠߹ͷ ޙଓॲཧ ޭ݅ ࣦഊ݅ SFRVJSFE ܧଓ
ܧଓ શͯޭ ҰͭͰࣦഊ SFRVJTJUF தஅ ܧଓ શͯޭ ҰͭͰࣦഊ TV⒏DJFOU ܧଓ தஅ ҰͭͰޭ શࣦͯഊ PQUJPOBM ܧଓ ܧଓ SFRVJSF SFRVJTJUF͕ଘ ࡏ͠ͳ͍߹Ͱޭ ͳ͠
੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so QBN@FOWTPͷڥมಡΈࠐΈޭ͢Δඞཁ͕͋Δ QBN@GQSJOUETPʹΑΔࢦೝূʹޭͨ͠Βɺଈ࣌ೝূޭ QBN@VOJYTPʹΑΔFUDTIBEPXͷύεϫʔυೝূʹޭͨ͠Βɺଈ࣌ೝূޭ QBN@TVDDFFE@JGTPʹΑΓɺVJE͕Ҏ্Ͱ͋Δඞཁ͕͋Δ QBN@EFOZTPʹΑΓશͯͷೝূ͕ڋ൱͞ΕΔ
Ϟδϡʔϧ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
Ϟδϡʔϧ
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT Ϟδϡʔϧ Ҿ
TP4IBSFE0CKFDU
4IBSFE0CKFDU IBZTP 3VCZIFZ 1)1IFZ (PMBOHIFZ $MBOHIFZ JODMVEFTUEJPI WPJEIBZ
\ QSJOUG )FMMP 5BLBEBz ^ 4IBSFE0CKFDU৭ʑͳݴޠ͔Β#JOEJOHͯ͠ɺ$BMM͢Δ͜ͱ͕ग़དྷΔ
3VCZͷ߹ [ require "ffi" module Fib extend FFI::Library ffi_lib "hey.so"
attach_function :hey end puts Fib.hay # => Hello, Takada!
ઢMEE MEEίϚϯυͰରͷόΠφϦ͕ϦϯΫ͍ͯ͠Δ 4IBSFE0CKFDUΛ֬ೝ͢Δ͜ͱ͕ग़དྷ·͢ɻ Α͘͏έʔεɺύοέʔδϚωʔδϟʔͰೖΕͨ TP͔ΒιʔεΠϯετʔϧ͞ΕͨTPʹ࠶ϦϯΫ͢Δ ߹ͳͲʹར༻͢Δ
͞Βʹઢ&-'ϔομ -JOVYͷඪ४όΠφϦϑΥʔϚοτͰ͋Δ&-'ͷϔομΛݟΔͱɺ Ͳͷϝιου͕ར༻ՄೳͰ͋Δ͔ΛݟΔ͜ͱ͕ग़དྷΔ
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT Ϟδϡʔϧ Ҿ ݺͼग़͞ΕΔϝιουʁ
ݺͼग़͞ΕΔϝιουλΠϓ͝ͱʹҟͳΔ λΠϓ ϝιου BVUI QBN@TN@BVUIFOUJDBUF BDDPVOU QBN@TN@BDDU@NHNU QBTTXPSE QBN@TN@DIBVUIUPL TFTTJPO
QBN@TN@PQFO@TFTTJPO QBN@TN@DMPTF@TFTTJPO 1".@&95&3/JOU QBN@TN@BVUIFOUJDBUF QBN@IBOEMF@U QBNI JOUqBHT JOUBSHD DPOTUDIBS BSHW<> \ QBN@HFU@VTFS QBNI VTFS /6-- JG VTFSL@OJTIJEB SFUVSO 1".@"65)@&33 ^ OVMMPL USZ@pSTU@QBTTͷΑ͏ͳ Ҿ BSHW͔ΒऔಘՄೳ
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so QBN@FOWTPQBN@TN@BVUIFOUJDBUF͕࣮͞Ε͓ͯΓɺ QBN@MPDBMVTFSTPʹQBN@TN@BDDU@NHNU͕࣮͞Ε͍ͯΔ
45/4ͷ߹ QBN@TUOTTP 45/4 MPHJOTVEPFUD <VTFSTFYBNQMF> JE HSPVQ@JE EJSFDUPSZIPNFFYBNQMF QBTTXPSE;CD&6XR-8.D7 45/4ͰMPHJOTVEP͔ΒBVUIλΠϓΛར༻ͯ͠ɺ
ύεϫʔυೝূΛ)5514ͷ௨৴Ͱ࣮ݱ͍ͯ͠Δ HFU SFTQPOTF QBN@TN@BVUIFOUJDBUF
͜ͷੈʹ1".ʹΘΕΔଆͷਓؒͱ 1".Λ͏ଆͷਓ͕͍ؒΔ CZΞϧηʔψɾϐϠϚ
͏ଆʹͳΔʹ wIUUQXXXMJOVYQBNPSH-JOVY1".IUNM-JOVY1".@"%(IUNM wఆٛ͞ΕͨαʔϏε໊ʹج͖ͮɺFUDQBNEαʔϏε໊͕ࢀর͞ΕΔ QBN@TUBSU lαʔϏε໊z VTFS TUPSF@DPOW TTIQBN@IBOEMF ʜ
QBN@BVUIFOUJDBUF TTIQBN@IBOEMF qBHT ʜ QBN@FOE TTIQBN@IBOEMF TTIQBN@FSS
44)ͷ߹ɺͲͷΑ͏ʹར༻͞Ε͍ͯΔ͔ λΠϓ ϝιου ༻్ BVUI QBN@BVUIFOUJDBUF TTIEͷύεϫʔυೝূʹར༻ɻެ։伴ೝূͳͲͰར༻͍ͯ͠ͳ ͍ɻ BDDPVOU QBN@BDDU@NHNU
TTIEͷೝূޙʹར༻ QBTTXPSE QBN@DIBVUIUPL TTIͰQUZΛ։͘ࡍʹɺBDDPVOUͰύεϫʔυͷ༗ޮظݶ͕Ε͍ͯ ͨ߹ͳͲʹར༻ TFTTJPO QBN@PQFO@TFTTJPO QBN@DMPTF@TFTTJPO TTIEͷηογϣϯ։ด࣌ʹར༻
ͨͩɺ$ݴޠͱ͔ॻ͚ͳ͍ͱɺ ͑ͳ͍͡Όͳ͍Ͱ͔͢ʁ ·͋ॻ͖·͚͢ͲɺͶ
(PMBOH
HPCVJMECVJMENPEFDTIBSFE Go 1.5Ҏ߱ͳΒCGOΛར༻͠ڞ༗ϥΠϒϥϦΛ࡞Մೳ package main /* #include <pwd.h> #include <sys/types.h>
*/ import "C" //export pam_sm_authenticate func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int { return C.PAM_SUCCESS }
NSVCZ
NSVCZ wܰྔ3VCZ wόΠφϦπʔϧΛ࡞Ͱ͖ͨΓɺ"QBDIFɺOHJOYͷϞδϡʔϧʹΈࠐΜͩΓ ͢Δ͜ͱ͕ग़དྷΔ w3VCZͱͷߟ͑ํͷҧ͍ͱͯ͠ɺ3VCZ(FNΛར༻ͯ͠ɺݺͼग़͠ઌͷϥΠϒ ϥϦͱ֦ͯ͠ு͍͕ͯ͘͠ɺNSVCZNHFNͱ͍͏ΈͰόΠφϦͦͷͷ Λ֦ு͢Δ 3VCZ IUUQ PQFOTTM
NSVCZ IUUQ PQFOTTM
IUUQRJJUBDPNVE[VSBJUFNTBDDEBBDB
MJCQBNNSVCZ MJCQBNNSVCZTP BVUI EFGBVUIFOUJDBUF VTFSOBNF QBTTXPSE VTFSOBNFbQZBNB` QBTTXPSEQ!TTXPSE FOE
ҙͷ3VCZεΫϦϓτΛ࣮ߦ͢Δࣄ͕Ͱ͖ΔͷͰɺ3VCZͰ࣮ݱग़དྷΔൣ ғͰࣗ༝ʹ֦ு͢Δ͜ͱ͕ग़དྷΔ (JU)VCɺ'BDF#PPLͷΑ͏ͳ֎෦αʔϏεͰೝূɺཁૉೝূFUDʜ
·ͱΊ
FUDQBNE999͘͠ͳ͍
1".ʹ·ͩ·ͩՄೳੑ͕ͨ͘͞Μ
-%"1 45/4 :VCJLFZ
͜͏͍͏ೝূ໘ന͍͔ʁ
ϩάΠϯͨ͠ޙɺ ͜͏͍͏ࣄͰ͖ͨΒศར͔ʁ
8SJUFUIFDPEF$IBOHFUIFXPSME
܅ϖύϘͰಇ͔ͳ͍͔ʁ ࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU