Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
PAM_thing_Else
Search
Kazuhiko Yamashita
May 13, 2017
Programming
2
2.5k
PAM_thing_Else
九州インフラ交流勉強会(Kixs) Vol.004 春の認証祭りにてPAMについてトークしました。
Kazuhiko Yamashita
May 13, 2017
Tweet
Share
More Decks by Kazuhiko Yamashita
See All by Kazuhiko Yamashita
新しい職場の CI が 20 分かかっていたらあなたならどうする?
pyama86
1
1.3k
事業を差別化する技術を生み出す技術
pyama86
4
1.7k
Re:Define 可用性を支える モニタリング、パフォーマンス最適化、そしてセキュリティ
pyama86
9
8.7k
AI時代におけるSRE、 あるいはエンジニアの生存戦略
pyama86
6
1.8k
Tuning GraphQL on Rails
pyama86
2
2.1k
ttlcacheのここがスゴい
pyama86
1
180
クラウドサービスの 利用コストを削減する技術 - 円安の真南風を感じて -
pyama86
3
650
実践ARMアーキテクチャ移行
pyama86
2
2.5k
リモートワーク時代の守護神 PHP開発者のためのセキュリティ強化術
pyama86
3
1.3k
Other Decks in Programming
See All in Programming
サイトを作ったらNFCタグキーホルダーを爆速で作れ!
yuukis
0
660
TDD 実践ミニトーク
contour_gara
1
220
コーディングエージェント時代のNeovim
key60228
1
110
20250808_AIAgent勉強会_ClaudeCodeデータ分析の実運用〜競馬を題材に回収率100%の先を目指すメソッドとは〜
kkakeru
0
210
MCPで実現するAIエージェント駆動のNext.jsアプリデバッグ手法
nyatinte
7
950
STUNMESH-go: Wireguard NAT穿隧工具的源起與介紹
tjjh89017
0
390
ゲームの物理
fadis
5
1.5k
WebAssemblyインタプリタを書く ~Component Modelを添えて~
ruccho
1
920
私の後悔をAWS DMSで解決した話
hiramax
4
160
SOCI Index Manifest v2が出たので調べてみた / Introduction to SOCI Index Manifest v2
tkikuc
1
110
詳解!defer panic recover のしくみ / Understanding defer, panic, and recover
convto
0
150
Constant integer division faster than compiler-generated code
herumi
2
700
Featured
See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Statistics for Hackers
jakevdp
799
220k
We Have a Design System, Now What?
morganepeng
53
7.8k
Thoughts on Productivity
jonyablonski
69
4.8k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
570
4 Signs Your Business is Dying
shpigford
184
22k
Speed Design
sergeychernyshev
32
1.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
236
140k
The Art of Programming - Codeland 2020
erikaheidi
55
13k
Transcript
ʙޒ݄Ӎɺޒ݄පɺʹΜ͡ΌΓΜΜ൛ʙ !QZBNB(.01FQBCP *OD भΠϯϑϥަྲྀษڧձ ,JYT 7PM 1".UIJOH&MTF
IUUQTUFOTOBQPODPN νʔϑςΫχΧϧϦʔυ ࢁԼ!QZBNB ϗεςΟϯάࣄۀ෦
IUUQTUOTKQ
1MVHHBCMF "VUIFOUJDBUJPO .PEVMF
,11࠷ߴʂ͍݁ࠗͨ͠ʂ 1".֓ཁ ϓϥΨϒϧͳΠϯλʔϑΣʔε ࣗ༝ɺͦͯ͠ɺͦͷઌʹ
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
1". TTI 1". -%"1 45/4 FUDTIBEPX TVEP MPHJO ΞϓϦέʔγϣϯ͔ΒݟͨೝূͷநԽ "QQMJDBUJPO
#BDLFOE
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so 1".ͷઃఆύʔτͰߏ͞ΕΔ
λΠϓ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
λΠϓ λΠϓ ར༻έʔε BVUI Ϣʔβʔೝূ࣌ʹར༻ɻ-%"145/4ͷར༻ͳͲ BDDPVOU ΞΧϯτͷ༗ޮظؒͱ͔ɺύεϫʔυͷมߋظؒͷϚωδϝϯτͳͲ QBTTXE ύεϫʔυͷมߋ࣌ͳͲʹɺύεϫʔυͷจࣈɺେจࣈখจࣈͷ ϙϦγʔΛཧͨ͠Γ͢Δ
TFTTJPO ϩάΠϯޙʹσΟϨΫτϦΛ࡞5FSNJOBMϩάͷ։࢝ͳͲ
੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so ੍ޚϑϥάఆٛॱʹ্͔ΒԼධՁ͞ΕΔ
੍ޚϑϥά ϑϥά ༰ SFRVJSFE ඞͣޭ͢Δඞཁ͕͋Δ͕ɺࣦഊͯ͠ॲཧܧଓ͞ΕΔɻ ࣦഊͨ͠߹ͷΓɺ࠷ॳʹࣦഊͨ͠ϞδϡʔϧͷΓ͕࠾༻͞ΕΔ SFRVJTJUF ඞͣޭ͢Δඞཁ͕͋ΔɻSFRVSFEͱҟͳΓɺࣦഊ͢Δͱॲཧͦͷ࣌Ͱɺதஅ͢Δ TV⒏DJFOU SFRVJSFE͕ࣦഊ͍ͯ͠ͳ͍߹ʹɺޭ͢Δͱͦͷ࣌ͰޭͱΈͳ͠ɺॲཧΛதஅ͢Δ
PQUJPOBM ௨ৗ൱Λແࢹ͢Δ͕ɺଞͷϑϥά͕ͳ͍߹ɺPQUJPOBMͷ݁Ռ͕ར༻͞ΕΔ
੍ޚϑϥά ϑϥά ࣦഊͨ͠߹ͷ ޙଓॲཧ ޭͨ͠߹ͷ ޙଓॲཧ ޭ݅ ࣦഊ݅ SFRVJSFE ܧଓ
ܧଓ શͯޭ ҰͭͰࣦഊ SFRVJTJUF தஅ ܧଓ શͯޭ ҰͭͰࣦഊ TV⒏DJFOU ܧଓ தஅ ҰͭͰޭ શࣦͯഊ PQUJPOBM ܧଓ ܧଓ SFRVJSF SFRVJTJUF͕ଘ ࡏ͠ͳ͍߹Ͱޭ ͳ͠
੍ޚϑϥά $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so QBN@FOWTPͷڥมಡΈࠐΈޭ͢Δඞཁ͕͋Δ QBN@GQSJOUETPʹΑΔࢦೝূʹޭͨ͠Βɺଈ࣌ೝূޭ QBN@VOJYTPʹΑΔFUDTIBEPXͷύεϫʔυೝূʹޭͨ͠Βɺଈ࣌ೝূޭ QBN@TVDDFFE@JGTPʹΑΓɺVJE͕Ҏ্Ͱ͋Δඞཁ͕͋Δ QBN@EFOZTPʹΑΓશͯͷೝূ͕ڋ൱͞ΕΔ
Ϟδϡʔϧ $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so
Ϟδϡʔϧ
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT Ϟδϡʔϧ Ҿ
TP4IBSFE0CKFDU
4IBSFE0CKFDU IBZTP 3VCZIFZ 1)1IFZ (PMBOHIFZ $MBOHIFZ JODMVEFTUEJPI WPJEIBZ
\ QSJOUG )FMMP 5BLBEBz ^ 4IBSFE0CKFDU৭ʑͳݴޠ͔Β#JOEJOHͯ͠ɺ$BMM͢Δ͜ͱ͕ग़དྷΔ
3VCZͷ߹ [ require "ffi" module Fib extend FFI::Library ffi_lib "hey.so"
attach_function :hey end puts Fib.hay # => Hello, Takada!
ઢMEE MEEίϚϯυͰରͷόΠφϦ͕ϦϯΫ͍ͯ͠Δ 4IBSFE0CKFDUΛ֬ೝ͢Δ͜ͱ͕ग़དྷ·͢ɻ Α͘͏έʔεɺύοέʔδϚωʔδϟʔͰೖΕͨ TP͔ΒιʔεΠϯετʔϧ͞ΕͨTPʹ࠶ϦϯΫ͢Δ ߹ͳͲʹར༻͢Δ
͞Βʹઢ&-'ϔομ -JOVYͷඪ४όΠφϦϑΥʔϚοτͰ͋Δ&-'ͷϔομΛݟΔͱɺ Ͳͷϝιου͕ར༻ՄೳͰ͋Δ͔ΛݟΔ͜ͱ͕ग़དྷΔ
QBN@VOJYTPOVMMPLUSZ@pSTU@QBTT Ϟδϡʔϧ Ҿ ݺͼग़͞ΕΔϝιουʁ
ݺͼग़͞ΕΔϝιουλΠϓ͝ͱʹҟͳΔ λΠϓ ϝιου BVUI QBN@TN@BVUIFOUJDBUF BDDPVOU QBN@TN@BDDU@NHNU QBTTXPSE QBN@TN@DIBVUIUPL TFTTJPO
QBN@TN@PQFO@TFTTJPO QBN@TN@DMPTF@TFTTJPO 1".@&95&3/JOU QBN@TN@BVUIFOUJDBUF QBN@IBOEMF@U QBNI JOUqBHT JOUBSHD DPOTUDIBS BSHW<> \ QBN@HFU@VTFS QBNI VTFS /6-- JG VTFSL@OJTIJEB SFUVSO 1".@"65)@&33 ^ OVMMPL USZ@pSTU@QBTTͷΑ͏ͳ Ҿ BSHW͔ΒऔಘՄೳ
1". $ cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so
nullok try_first_pass account required pam_unix.so account sufficient pam_localuser.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass session optional pam_keyinit.so revoke session required pam_limits.so QBN@FOWTPQBN@TN@BVUIFOUJDBUF͕࣮͞Ε͓ͯΓɺ QBN@MPDBMVTFSTPʹQBN@TN@BDDU@NHNU͕࣮͞Ε͍ͯΔ
45/4ͷ߹ QBN@TUOTTP 45/4 MPHJOTVEPFUD <VTFSTFYBNQMF> JE HSPVQ@JE EJSFDUPSZIPNFFYBNQMF QBTTXPSE;CD&6XR-8.D7 45/4ͰMPHJOTVEP͔ΒBVUIλΠϓΛར༻ͯ͠ɺ
ύεϫʔυೝূΛ)5514ͷ௨৴Ͱ࣮ݱ͍ͯ͠Δ HFU SFTQPOTF QBN@TN@BVUIFOUJDBUF
͜ͷੈʹ1".ʹΘΕΔଆͷਓؒͱ 1".Λ͏ଆͷਓ͕͍ؒΔ CZΞϧηʔψɾϐϠϚ
͏ଆʹͳΔʹ wIUUQXXXMJOVYQBNPSH-JOVY1".IUNM-JOVY1".@"%(IUNM wఆٛ͞ΕͨαʔϏε໊ʹج͖ͮɺFUDQBNEαʔϏε໊͕ࢀর͞ΕΔ QBN@TUBSU lαʔϏε໊z VTFS TUPSF@DPOW TTIQBN@IBOEMF ʜ
QBN@BVUIFOUJDBUF TTIQBN@IBOEMF qBHT ʜ QBN@FOE TTIQBN@IBOEMF TTIQBN@FSS
44)ͷ߹ɺͲͷΑ͏ʹར༻͞Ε͍ͯΔ͔ λΠϓ ϝιου ༻్ BVUI QBN@BVUIFOUJDBUF TTIEͷύεϫʔυೝূʹར༻ɻެ։伴ೝূͳͲͰར༻͍ͯ͠ͳ ͍ɻ BDDPVOU QBN@BDDU@NHNU
TTIEͷೝূޙʹར༻ QBTTXPSE QBN@DIBVUIUPL TTIͰQUZΛ։͘ࡍʹɺBDDPVOUͰύεϫʔυͷ༗ޮظݶ͕Ε͍ͯ ͨ߹ͳͲʹར༻ TFTTJPO QBN@PQFO@TFTTJPO QBN@DMPTF@TFTTJPO TTIEͷηογϣϯ։ด࣌ʹར༻
ͨͩɺ$ݴޠͱ͔ॻ͚ͳ͍ͱɺ ͑ͳ͍͡Όͳ͍Ͱ͔͢ʁ ·͋ॻ͖·͚͢ͲɺͶ
(PMBOH
HPCVJMECVJMENPEFDTIBSFE Go 1.5Ҏ߱ͳΒCGOΛར༻͠ڞ༗ϥΠϒϥϦΛ࡞Մೳ package main /* #include <pwd.h> #include <sys/types.h>
*/ import "C" //export pam_sm_authenticate func pam_sm_authenticate(pamh *C.pam_handle_t, flags C.int, argc C.int, argv **C.char) C.int { return C.PAM_SUCCESS }
NSVCZ
NSVCZ wܰྔ3VCZ wόΠφϦπʔϧΛ࡞Ͱ͖ͨΓɺ"QBDIFɺOHJOYͷϞδϡʔϧʹΈࠐΜͩΓ ͢Δ͜ͱ͕ग़དྷΔ w3VCZͱͷߟ͑ํͷҧ͍ͱͯ͠ɺ3VCZ(FNΛར༻ͯ͠ɺݺͼग़͠ઌͷϥΠϒ ϥϦͱ֦ͯ͠ு͍͕ͯ͘͠ɺNSVCZNHFNͱ͍͏ΈͰόΠφϦͦͷͷ Λ֦ு͢Δ 3VCZ IUUQ PQFOTTM
NSVCZ IUUQ PQFOTTM
IUUQRJJUBDPNVE[VSBJUFNTBDDEBBDB
MJCQBNNSVCZ MJCQBNNSVCZTP BVUI EFGBVUIFOUJDBUF VTFSOBNF QBTTXPSE VTFSOBNFbQZBNB` QBTTXPSEQ!TTXPSE FOE
ҙͷ3VCZεΫϦϓτΛ࣮ߦ͢Δࣄ͕Ͱ͖ΔͷͰɺ3VCZͰ࣮ݱग़དྷΔൣ ғͰࣗ༝ʹ֦ு͢Δ͜ͱ͕ग़དྷΔ (JU)VCɺ'BDF#PPLͷΑ͏ͳ֎෦αʔϏεͰೝূɺཁૉೝূFUDʜ
·ͱΊ
FUDQBNE999͘͠ͳ͍
1".ʹ·ͩ·ͩՄೳੑ͕ͨ͘͞Μ
-%"1 45/4 :VCJLFZ
͜͏͍͏ೝূ໘ന͍͔ʁ
ϩάΠϯͨ͠ޙɺ ͜͏͍͏ࣄͰ͖ͨΒศར͔ʁ
8SJUFUIFDPEF$IBOHFUIFXPSME
܅ϖύϘͰಇ͔ͳ͍͔ʁ ࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU