pam_succeed_if

Last updated: 2017-09-17

config file location:

i.e.

/etc/pam.d/<service>   (one file per service name, e.g. /etc/pam.d/sshd; /etc/pam.conf is only read when /etc/pam.d does not exist)

config file format:

<module interface>  <control flag>   <module name>   <module arguments>

module interface:

auth — This module interface authenticates users (e.g. by checking a password or an OTP).
account — This module interface verifies that access is allowed.
password — This module interface is used for changing user passwords.
session — This module interface configures and manages user sessions.

control flag:

required — The module result must be successful for authentication to continue.

                   If it fails, the remaining modules in the stack still run and the user only learns of the failure at the end;

                   the first failed required module decides the result of the whole stack.

requisite — The module result must be successful for authentication to continue.

                   However, if the module fails, control returns to the application immediately with that failure

                   and the remaining modules in the stack are not run.

i.e.

account    required     pam_nologin.so

sufficient — The module result is ignored if it fails.

                    However, if the result of a module flagged sufficient is successful and no previous modules flagged required have failed,

                    then no other results are required and the user is authenticated to the service.

optional — The module result is ignored.

                  A module flagged as optional only becomes necessary for successful authentication when no other modules reference the interface.



pam_succeed_if - test account characteristics


log:

Jan  2 18:54:36 sshgw sshd[16739]: pam_succeed_if(sshd:auth): requirement "user notingroup root" was met by user "ansible"

module arguments:

debug - Turn on debugging messages.

use_uid - Evaluate the conditions against the account the application is running under, instead of the user being authenticated.

quiet - Don't log failure or success to the system log (same as quiet_fail plus quiet_success).

quiet_fail - Don't log failure to the system log.

quiet_success - Don't log success to the system log.

audit - Log unknown users to the system log.

conditions - one or more "field op value" triples; every condition on the line must hold for the module to succeed.

fields - user, uid, gid, shell, home, ruser, rhost, tty and service

ops - = and != (string compare); <, <=, > and >= (numeric, for uid and gid); =~ and !~ (glob match); in and notin (list separated by ':'); ingroup, notingroup, innetgr and notinnetgr (for the user field)

i.e.

user ingroup group   -    User is in given group.

user notingroup group   -    User is not in given group.

uid >= 1000   -    Account is not a system account.

Return Values

PAM_SUCCESS  -  The condition was true.
PAM_AUTH_ERR  -  The condition was false.
PAM_SERVICE_ERR  -  A service error occurred.


Stupid Tricks with PAM - [default=1 success=ignore]

control flag:

[value1=action1 value2=action2 ...]

valueN                     a PAM return code name (success, auth_err, perm_denied, ignore, ...), or
                           default, which stands for every return code not listed explicitly

success=action             action taken when the module returns PAM_SUCCESS

default=N                  for any other return code, jump over the next N modules in the stack

action:

    ignore          The module's return status will not influence the final result unless there are no other modules in the stack.

    bad              The module's return status should indicate a module failure.
                       If it is the first failure, this return status will be used for the entire stack.

    die               Idem, except that the stack also terminates and control is immediately returned to the application.

    ok               The return code will override a previous success state of the stack, but not a previous failure state.

    done            Idem, except that the stack also terminates and control is immediately returned to the application.

    N                An unsigned integer: jump over the next N modules in the stack. The skipped modules are never called,
                       so the number has to be kept in sync with the lines that follow it.

    reset            Clear the stack's memory and start again with the next stacked module.

e.g.

# google_authenticator needed only for users outside a certain group

# (root does not need google_authenticator)

auth [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group>
auth required pam_google_authenticator.so

If the user is not in <group>, pam_succeed_if returns PAM_SUCCESS, that result is ignored and the stack continues into pam_google_authenticator. If the user is in <group>, it returns PAM_AUTH_ERR; that value is not listed, so default=1 jumps over the next module and the OTP is never asked for. Two caveats: the jump only skips a module, it does not grant anything, so the stack still needs a module above these two lines (normally pam_unix.so) that returns success, otherwise the user ends with PAM_PERM_DENIED; and inserting a line between the two breaks the trick, because the 1 then skips the wrong module.
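To make the control flags above and the jump trick concrete, here is a small model of how the PAM dispatcher walks an auth stack. It is an added example written for this page, not Linux-PAM code: the rules are the documented meaning of required/requisite/sufficient/optional, of ok/done/bad/die/ignore/reset and of the numeric jump. It assumes that an unlisted return code acts as bad, that a jump is ignore plus skipping N modules, and that a stack in which no module ever contributed a positive result ends in PAM_PERM_DENIED. pam_unix and pam_google_authenticator are stand-ins driven by two booleans; the mini pam_succeed_if also handles the uid/gid comparisons and in/notin, so the inverse form `[success=1 default=ignore] ... uid >= 1000` can be tried as well.

```python
"""Model of how Linux-PAM walks an auth stack (illustration, not PAM code)."""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"
PAM_PERM_DENIED, PAM_SERVICE_ERR = "PAM_PERM_DENIED", "PAM_SERVICE_ERR"

# names used on the left-hand side of value=action, keyed by return code
VALUE_NAME = {PAM_SUCCESS: "success", PAM_AUTH_ERR: "auth_err", PAM_IGNORE: "ignore",
              PAM_PERM_DENIED: "perm_denied", PAM_SERVICE_ERR: "service_err"}

# the keyword controls spelled out as the [..] tables pam.conf(5) gives for them
KEYWORD_CONTROLS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}


def parse_control(control):
    """'required' or '[default=1 success=ignore]' -> {value: action}."""
    spec = KEYWORD_CONTROLS.get(control, control.strip("[]"))
    return dict(item.split("=", 1) for item in spec.split())


def pam_succeed_if(args, ctx):
    """Mini pam_succeed_if: every 'field op value' triple on the line must hold."""
    ctx["calls"].append("pam_succeed_if")
    tokens = [t for t in args.split() if t not in FLAGS]
    if len(tokens) % 3:
        return PAM_SERVICE_ERR                       # malformed condition
    for field, op, value in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
        if field not in ctx:
            return PAM_SERVICE_ERR                   # field this model does not know
        have, items = ctx[field], set(value.split(":"))
        if op in ("ingroup", "notingroup"):
            hit = bool(items & ctx["groups"])
        elif op in ("in", "notin"):
            hit = str(have) in items
        elif op in ("=", "!="):
            hit = str(have) == value
        elif op in ("<", "<=", ">", ">=") and field in ("uid", "gid") and value.isdigit():
            n = int(value)
            hit = {"<": have < n, "<=": have <= n, ">": have > n, ">=": have >= n}[op]
        else:
            return PAM_SERVICE_ERR
        if hit == op.startswith(("not", "!")):       # negated ops invert the test
            return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_unix(args, ctx):                             # stand-in for the password check
    ctx["calls"].append("pam_unix")
    return PAM_SUCCESS if ctx["password_ok"] else PAM_AUTH_ERR


def pam_google_authenticator(args, ctx):             # stand-in for the OTP check
    ctx["calls"].append("pam_google_authenticator")
    return PAM_SUCCESS if ctx["otp_ok"] else PAM_AUTH_ERR


def run_stack(stack, ctx):
    """Walk [(control, module, args), ...] and return the status given to the app."""
    impression, status, skip = None, PAM_SUCCESS, 0  # None: nothing decided yet
    for control, module, args in stack:
        if skip:
            skip -= 1                                # jumped over: never called
            continue
        retval = module(args, ctx)
        actions = parse_control(control)
        action = actions.get(VALUE_NAME[retval], actions.get("default", "bad"))
        if action.isdigit():                         # N: skip the next N modules
            skip = int(action)
        elif action == "reset":
            impression, status = None, PAM_SUCCESS
        elif action in ("bad", "die"):
            if impression is not False:              # first failure wins
                impression, status = False, retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break                                # sufficient: stop early
        # "ignore": the result does not touch the stack's state
    if status == PAM_SUCCESS and impression is not True:
        status = PAM_PERM_DENIED                     # nothing granted access
    return status


def login(stack, user, groups, password_ok, otp_ok):
    """One sshd auth attempt through `stack`; returns (status, modules that ran)."""
    uid = 0 if user == "root" else 1000
    ctx = {"service": "sshd", "user": user, "uid": uid, "gid": uid, "groups": set(groups),
           "password_ok": password_ok, "otp_ok": otp_ok, "calls": []}
    return run_stack(stack, ctx), ctx["calls"]


# The trick from this page with the usual password module above it ...
SSHD_AUTH = [
    ("required", pam_unix, ""),
    ("[default=1 success=ignore]", pam_succeed_if, "quiet user notingroup root"),
    ("required", pam_google_authenticator, ""),
]
TRICK_ONLY = SSHD_AUTH[1:]   # ... and the two lines alone: the jump grants nothing

if __name__ == "__main__":
    print("ansible, otp ok:  ", login(SSHD_AUTH, "ansible", ["ansible"], True, True))
    print("ansible, no otp:  ", login(SSHD_AUTH, "ansible", ["ansible"], True, False))
    print("root, no otp:     ", login(SSHD_AUTH, "root", ["root"], True, False))
    print("trick alone, root:", login(TRICK_ONLY, "root", ["root"], True, False))
```

Running it shows ansible passing only with a valid OTP, root passing on the password alone because pam_google_authenticator is never called, and the two-line snippet by itself ending in PAM_PERM_DENIED for root: the jump skipped the only module that could have granted access.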

log

Since datahunter is not in the root group, he goes through google_authenticator:

Oct 18 22:16:03 sshgw sshd[28835]: pam_succeed_if(sshd:auth): requirement "user notingroup root" was met by user "datahunter"

(These lines are only written when the module is not given quiet; quiet_success alone suppresses the "was met" lines and quiet_fail the "not met" lines.)
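The "was met" / "not met" lines are the audit trail of the trick above: a "not met" line is a login for which the OTP module was jumped over. As an added example, not part of the original page, the following pulls those lines out of a syslog extract and lists the users who bypassed the OTP check. The sample log is constructed for the example: the two lines quoted on this page, a made-up "not met" line for root, and an unrelated sshd line that must be ignored.

```python
import re

# Constructed sample log: the two lines quoted on this page plus a made-up
# "not met" line for root and an unrelated sshd line.
SAMPLE_LOG = """\
Jan  2 18:54:36 sshgw sshd[16739]: pam_succeed_if(sshd:auth): requirement "user notingroup root" was met by user "ansible"
Oct 18 22:16:03 sshgw sshd[28835]: pam_succeed_if(sshd:auth): requirement "user notingroup root" was met by user "datahunter"
Oct 18 22:20:41 sshgw sshd[28901]: pam_succeed_if(sshd:auth): requirement "user notingroup root" not met by user "root"
Oct 18 22:20:42 sshgw sshd[28901]: Accepted publickey for root from 192.0.2.10 port 51514 ssh2
"""

LINE_RE = re.compile(
    r'(?P<proc>\S+)\[(?P<pid>\d+)\]: pam_succeed_if\((?P<service>[^:]+):(?P<type>\w+)\): '
    r'requirement "(?P<requirement>[^"]+)" (?P<verdict>was met|not met) by user "(?P<user>[^"]+)"')


def parse_succeed_if(line):
    """Fields of one pam_succeed_if syslog line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["met"] = rec.pop("verdict") == "was met"
    return rec


def otp_bypasses(log_text, requirement="user notingroup root", service="sshd"):
    """Users for whom the guard condition was NOT met, i.e. logins where
    [default=1 success=ignore] jumped over the OTP module that follows it."""
    users = []
    for line in log_text.splitlines():
        rec = parse_succeed_if(line)
        if rec and rec["service"] == service and rec["requirement"] == requirement \
                and not rec["met"]:
            users.append(rec["user"])
    return users


def otp_challenged(log_text, requirement="user notingroup root", service="sshd"):
    """Users for whom the condition was met, so the OTP module did run."""
    return [parse_succeed_if(l)["user"] for l in log_text.splitlines()
            if parse_succeed_if(l) and parse_succeed_if(l)["service"] == service
            and parse_succeed_if(l)["requirement"] == requirement and parse_succeed_if(l)["met"]]


if __name__ == "__main__":
    print("bypassed OTP:", otp_bypasses(SAMPLE_LOG))
    print("challenged:  ", otp_challenged(SAMPLE_LOG))
```

Feed it the auth log of the SSH gateway and compare the bypass list against the members of the exempt group; any name that is not in that group means the stack is not doing what the comment in pam.d says.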



pam_motd.so - Display the motd file


Usage

pam_motd.so [motd=/path/filename]

Default: /etc/motd

Debian / Ubuntu

* run the scripts from /etc/update-motd.d to update the motd on login; the scripts that get run live in /etc/update-motd.d

i.e.

# dynamically generated part
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
# a static (admin-editable) part
session    optional     pam_motd.so # [1]

module arguments

noupdate     -      Don't run the scripts in /etc/update-motd.d to refresh the motd file.

* The message size is limited to 64KB