Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
PAM_thing_Else
Kazuhiko Yamashita
May 13, 2017
Programming
2
1.6k
PAM_thing_Else
九州インフラ交流勉強会(Kixs) Vol.004 春の認証祭りにてPAMについてトークしました。
Kazuhiko Yamashita
May 13, 2017
Tweet
Share
More Decks by Kazuhiko Yamashita
See All by Kazuhiko Yamashita
pyama86
4
420
pyama86
11
7.5k
pyama86
18
4.1k
pyama86
9
10k
pyama86
2
1.9k
pyama86
3
1.2k
pyama86
1
1.9k
pyama86
0
130
pyama86
0
150
Other Decks in Programming
See All in Programming
aftiopk
0
110
larsrh
0
110
legalforce
PRO
0
640
rarous
0
170
ryosukes
0
1.4k
alperhankendi
1
150
mizotake
2
310
grapecity_dev
0
180
watilde
5
1.4k
williln
0
220
manfredsteyer
PRO
0
150
doyaaaaaken
0
820
Featured
See All Featured
brianwarren
82
4.7k
rocio
155
11k
vanstee
117
4.9k
chriscoyier
145
20k
shpigford
165
19k
holman
288
130k
lara
172
9.6k
geeforr
332
29k
jakevdp
775
200k
nonsquared
81
3.4k
ammeep
655
54k
kneath
219
15k
Transcript
ʙޒ݄Ӎɺޒ݄පɺʹΜ͡ΌΓΜΜ൛ʙ !QZBNB(.01FQBCP *OD भΠϯϑϥަྲྀษڧձ ,JYT 7PM 1".UIJOH&MTF
IUUQTUFOTOBQPODPN νʔϑςΫχΧϧϦʔυ ࢁԼ!QZBNB ϗεςΟϯάࣄۀ෦
IUUQTUOTKQ
1MVHHBCMF "VUIFOUJDBUJPO .PEVMF
,11࠷ߴʂ͍݁ࠗͨ͠ʂ 1".֓ཁ ϓϥΨϒϧͳΠϯλʔϑΣʔε ࣗ༝ɺͦͯ͠ɺͦͷઌʹ
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
1". TTI 1". -%"1 45/4 FUDTIBEPX TVEP MPHJO ΞϓϦέʔγϣϯ͔ΒݟͨೝূͷநԽ "QQMJDBUJPO
#BDLFOE
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so 1".ͷઃఆύʔτͰߏ͞ΕΔ
λΠϓ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
λΠϓ λΠϓ ར༻έʔε BVUI Ϣʔβʔೝূ࣌ʹར༻ɻ-%"145/4ͷར༻ͳͲ BDDPVOU ΞΧϯτͷ༗ޮظؒͱ͔ɺύεϫʔυͷมߋظؒͷϚωδϝϯτͳͲ QBTTXE ύεϫʔυͷมߋ࣌ͳͲʹɺύεϫʔυͷจࣈɺେจࣈখจࣈͷ ϙϦγʔΛཧͨ͠Γ͢Δ
TFTTJPO ϩάΠϯޙʹσΟϨΫτϦΛ࡞5FSNJOBMϩάͷ։࢝ͳͲ
੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so ੍ޚϑϥάఆٛॱʹ্͔ΒԼධՁ͞ΕΔ
੍ޚϑϥά ϑϥά ༰ SFRVJSFE ඞͣޭ͢Δඞཁ͕͋Δ͕ɺࣦഊͯ͠ॲཧܧଓ͞ΕΔɻ ࣦഊͨ͠߹ͷΓɺ࠷ॳʹࣦഊͨ͠ϞδϡʔϧͷΓ͕࠾༻͞ΕΔ SFRVJTJUF ඞͣޭ͢Δඞཁ͕͋ΔɻSFRVSFEͱҟͳΓɺࣦഊ͢Δͱॲཧͦͷ࣌Ͱɺதஅ͢Δ TV⒏DJFOU SFRVJSFE͕ࣦഊ͍ͯ͠ͳ͍߹ʹɺޭ͢Δͱͦͷ࣌ͰޭͱΈͳ͠ɺॲཧΛதஅ͢Δ
PQUJPOBM ௨ৗ൱Λແࢹ͢Δ͕ɺଞͷϑϥά͕ͳ͍߹ɺPQUJPOBMͷ݁Ռ͕ར༻͞ΕΔ
੍ޚϑϥά ϑϥά ࣦഊͨ͠߹ͷ ޙଓॲཧ ޭͨ͠߹ͷ ޙଓॲཧ ޭ݅ ࣦഊ݅ SFRVJSFE ܧଓ
ܧଓ શͯޭ ҰͭͰࣦഊ SFRVJTJUF தஅ ܧଓ શͯޭ ҰͭͰࣦഊ TV⒏DJFOU ܧଓ தஅ ҰͭͰޭ શࣦͯഊ PQUJPOBM ܧଓ ܧଓ SFRVJSF SFRVJTJUF͕ଘ ࡏ͠ͳ͍߹Ͱޭ ͳ͠
੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so QBN@FOWTPͷڥมಡΈࠐΈޭ͢Δඞཁ͕͋Δ QBN@GQSJOUETPʹΑΔࢦೝূʹޭͨ͠Βɺଈ࣌ೝূޭ QBN@VOJYTPʹΑΔFUDTIBEPXͷύεϫʔυೝূʹޭͨ͠Βɺଈ࣌ೝূޭ QBN@TVDDFFE@JGTPʹΑΓɺVJE͕Ҏ্Ͱ͋Δඞཁ͕͋Δ QBN@EFOZTPʹΑΓશͯͷೝূ͕ڋ൱͞ΕΔ
Ϟδϡʔϧ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
Ϟδϡʔϧ
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT Ϟδϡʔϧ Ҿ
TP4IBSFE0CKFDU
4IBSFE0CKFDU IBZTP 3VCZIFZ 1)1IFZ (PMBOHIFZ $MBOHIFZ JODMVEFTUEJPI WPJEIBZ
\ QSJOUG )FMMP 5BLBEBz ^ 4IBSFE0CKFDU৭ʑͳݴޠ͔Β#JOEJOHͯ͠ɺ$BMM͢Δ͜ͱ͕ग़དྷΔ
3VCZͷ߹ [ require "ffi" module Fib extend FFI::Library ffi_lib "hey.so"
attach_function :hey end puts Fib.hay # => Hello, Takada!
ઢMEE MEEίϚϯυͰରͷόΠφϦ͕ϦϯΫ͍ͯ͠Δ 4IBSFE0CKFDUΛ֬ೝ͢Δ͜ͱ͕ग़དྷ·͢ɻ Α͘͏έʔεɺύοέʔδϚωʔδϟʔͰೖΕͨ TP͔ΒιʔεΠϯετʔϧ͞ΕͨTPʹ࠶ϦϯΫ͢Δ ߹ͳͲʹར༻͢Δ
͞Βʹઢ&-'ϔομ -JOVYͷඪ४όΠφϦϑΥʔϚοτͰ͋Δ&-'ͷϔομΛݟΔͱɺ Ͳͷϝιου͕ར༻ՄೳͰ͋Δ͔ΛݟΔ͜ͱ͕ग़དྷΔ
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT Ϟδϡʔϧ Ҿ ݺͼग़͞ΕΔϝιουʁ
ݺͼग़͞ΕΔϝιουλΠϓ͝ͱʹҟͳΔ λΠϓ ϝιου BVUI QBN@TN@BVUIFOUJDBUF BDDPVOU QBN@TN@BDDU@NHNU QBTTXPSE QBN@TN@DIBVUIUPL TFTTJPO
QBN@TN@PQFO@TFTTJPO QBN@TN@DMPTF@TFTTJPO 1".@&95&3/JOU QBN@TN@BVUIFOUJDBUF QBN@IBOEMF@U QBNI JOUqBHT JOUBSHD DPOTUDIBS BSHW<> \ QBN@HFU@VTFS QBNI VTFS /6-- JG VTFSL@OJTIJEB SFUVSO 1".@"65)@&33 ^ OVMMPL USZ@pSTU@QBTTͷΑ͏ͳ Ҿ BSHW͔ΒऔಘՄೳ
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so QBN@FOWTPQBN@TN@BVUIFOUJDBUF͕࣮͞Ε͓ͯΓɺ QBN@MPDBMVTFSTPʹQBN@TN@BDDU@NHNU͕࣮͞Ε͍ͯΔ
45/4ͷ߹ QBN@TUOTTP 45/4 MPHJOTVEPFUD <VTFSTFYBNQMF> JE HSPVQ@JE EJSFDUPSZIPNFFYBNQMF QBTTXPSE;CD&6XR-8.D7 45/4ͰMPHJOTVEP͔ΒBVUIλΠϓΛར༻ͯ͠ɺ
ύεϫʔυೝূΛ)5514ͷ௨৴Ͱ࣮ݱ͍ͯ͠Δ HFU SFTQPOTF QBN@TN@BVUIFOUJDBUF
͜ͷੈʹ1".ʹΘΕΔଆͷਓؒͱ 1".Λ͏ଆͷਓ͕͍ؒΔ CZΞϧηʔψɾϐϠϚ
͏ଆʹͳΔʹ wIUUQXXXMJOVYQBNPSH-JOVY1".IUNM-JOVY1".@"%(IUNM wఆٛ͞ΕͨαʔϏε໊ʹج͖ͮɺFUDQBNEαʔϏε໊͕ࢀর͞ΕΔ QBN@TUBSU lαʔϏε໊z VTFS TUPSF@DPOW TTIQBN@IBOEMF ʜ
QBN@BVUIFOUJDBUF TTIQBN@IBOEMF qBHT ʜ QBN@FOE TTIQBN@IBOEMF TTIQBN@FSS
44)ͷ߹ɺͲͷΑ͏ʹར༻͞Ε͍ͯΔ͔ λΠϓ ϝιου ༻్ BVUI QBN@BVUIFOUJDBUF TTIEͷύεϫʔυೝূʹར༻ɻެ։伴ೝূͳͲͰར༻͍ͯ͠ͳ ͍ɻ BDDPVOU QBN@BDDU@NHNU
TTIEͷೝূޙʹར༻ QBTTXPSE QBN@DIBVUIUPL TTIͰQUZΛ։͘ࡍʹɺBDDPVOUͰύεϫʔυͷ༗ޮظݶ͕Ε͍ͯ ͨ߹ͳͲʹར༻ TFTTJPO QBN@PQFO@TFTTJPO QBN@DMPTF@TFTTJPO TTIEͷηογϣϯ։ด࣌ʹར༻
ͨͩɺ$ݴޠͱ͔ॻ͚ͳ͍ͱɺ ͑ͳ͍͡Όͳ͍Ͱ͔͢ʁ ·͋ॻ͖·͚͢ͲɺͶ
(PMBOH
HPCVJMECVJMENPEFDTIBSFE Go 1.5Ҏ߱ͳΒCGOΛར༻͠ڞ༗ϥΠϒϥϦΛ࡞Մೳ package main /* #include <pwd.h> #include <sys/types.h>
*/ import "C" //export pam_sm_authenticate func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int { return C.PAM_SUCCESS }
NSVCZ
NSVCZ wܰྔ3VCZ wόΠφϦπʔϧΛ࡞Ͱ͖ͨΓɺ"QBDIFɺOHJOYͷϞδϡʔϧʹΈࠐΜͩΓ ͢Δ͜ͱ͕ग़དྷΔ w3VCZͱͷߟ͑ํͷҧ͍ͱͯ͠ɺ3VCZ(FNΛར༻ͯ͠ɺݺͼग़͠ઌͷϥΠϒ ϥϦͱ֦ͯ͠ு͍͕ͯ͘͠ɺNSVCZNHFNͱ͍͏ΈͰόΠφϦͦͷͷ Λ֦ு͢Δ 3VCZ IUUQ PQFOTTM
NSVCZ IUUQ PQFOTTM
IUUQRJJUBDPNVE[VSBJUFNTBDDEBBDB
MJCQBNNSVCZ MJCQBNNSVCZTP BVUI EFGBVUIFOUJDBUF VTFSOBNF QBTTXPSE VTFSOBNFbQZBNB` QBTTXPSEQ!TTXPSE FOE
ҙͷ3VCZεΫϦϓτΛ࣮ߦ͢Δࣄ͕Ͱ͖ΔͷͰɺ3VCZͰ࣮ݱग़དྷΔൣ ғͰࣗ༝ʹ֦ு͢Δ͜ͱ͕ग़དྷΔ (JU)VCɺ'BDF#PPLͷΑ͏ͳ֎෦αʔϏεͰೝূɺཁૉೝূFUDʜ
·ͱΊ
FUDQBNE999͘͠ͳ͍
1".ʹ·ͩ·ͩՄೳੑ͕ͨ͘͞Μ
-%"1 45/4 :VCJLFZ
͜͏͍͏ೝূ໘ന͍͔ʁ
ϩάΠϯͨ͠ޙɺ ͜͏͍͏ࣄͰ͖ͨΒศར͔ʁ
8SJUFUIFDPEF$IBOHFUIFXPSME
܅ϖύϘͰಇ͔ͳ͍͔ʁ ࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU