User Authentication HOWTO

Peter Hernberg

Japanese translation: (translators' names garbled in the source; see section 7.1)

2000/05/02

This document explains how user and group information is stored on a
Linux system, how users are authenticated (PAM), and how to make user
authentication on your system more secure.


Table of Contents
1. Introduction

    1.1. How this document came to be
    1.2. New versions
    1.3. Feedback
    1.4. Version history
    1.5. Copyrights and trademarks
    1.6. Acknowledgements
    1.7. Assumptions about the reader

2. How user information is stored on your system

    2.1. /etc/passwd
    2.2. Shadow passwords
    2.3. /etc/group and /etc/gshadow
    2.4. MD5 encrypted passwords
    2.5. Sorting out the mess

3. PAM (Pluggable Authentication Modules)

    3.1. Why PAM?
    3.2. What is PAM?
    3.3. Configuring PAM
    3.4. Getting more information

4. Securing user authentication

    4.1. A strong /etc/pam.d/other
    4.2. Disabling logins for users with null passwords
    4.3. Disabling unused services
    4.4. Password-cracking tools
    4.5. Shadow and MD5 passwords

5. Tying it all together

    5.1. Apache + mod_auth_pam
    5.2. Our goal
    5.3. Installing mod_auth_pam
    5.4. Configuring PAM
    5.5. Configuring Apache
    5.6. Testing our setup

6. Resources

    6.1. PAM
    6.2. General security
    6.3. Offline documentation

7. Conclusion

    7.1. About the Japanese translation

1. Introduction

1.1. How this document came to be

When I tried to add a (not really necessary) network service to my home
network, I ran into the problem of authentication. So I decided to write
a HOWTO that explains how authentication works on a Linux system, and to
call that project my senior project. I hope this document helps readers
understand an important but often neglected part of system
administration: authentication.

 

1.2. New versions

Once my own domain is up, the latest version of this document will be
available there. Until then, please make do with http://www.linuxdoc.org.

 

1.3. Feedback

Comments, corrections, suggestions, flames, and UFO sightings go to
petehern@yahoo.com

 

1.4. Version history

v0.1 (May 13, 2000) First version (not released)

v0.3 (May 14, 2000) Revised (not released)

v0.5 (May 15, 2000) Added the "Securing user authentication" and
"Resources" sections (not released)

v0.7 (May 15, 2000) : Released

 

1.5. Copyrights and trademarks

(c) 2000 Peter Hernberg

This manual may be reproduced in whole or in part, without fee, subject
to the following restrictions:

 * The copyright notice above and this permission notice must be
    preserved complete on all complete or partial copies.

 * Any translation or derived work must be approved by the author in
    writing before distribution.

 * If you distribute this work in part, instructions for obtaining the
    complete version of this manual must be included, and a means for
    obtaining a complete version provided.

 * Small portions may be reproduced as illustrations for reviews or
    quotes in other works without this permission notice if proper
    citation is given. Exceptions to these rules may be granted for
    academic purposes: write to the author and ask. These restrictions
    are here to protect us as authors, not to restrict you as learners
    and educators. Any source code in this document (aside from the SGML
    in which the document itself is written) is placed under the GNU
    General Public License, available via anonymous FTP from the GNU
    archive.

   
 

1.6. Acknowledgements

Thanks to my family for putting up with me for 18 years. Thanks to the
Debian folks for making such a wonderful distribution to play with.
Thanks to CGR <http://www.cgr.org/> for paying me to be a geek. Thanks
to Sandy Harris for his helpful suggestions. Finally, I'd like to thank
the makers of instant ramen; I couldn't live without you.

 

1.7. Assumptions about the reader

Throughout this document, I assume the reader is already comfortable
running commands at the command line and editing text configuration
files.

 

2. How user information is stored on your system

2.1. /etc/passwd

Nearly all Linux distributions (and most other flavours of *nix) store
user information in /etc/passwd. It is a plain text file containing each
user's login name, encrypted password, unique numeric user id (called
the uid), numeric group id (called the gid), an optional comment field
(usually holding the user's real name, phone number, and so on), home
directory, and preferred shell. A typical /etc/passwd entry looks like
this:

  pete:K3xcO1Qnx8LFN:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash

As you can see, it is quite straightforward. Each entry consists of the
fields listed above, separated by colons. If the user-authentication
business that gave me so much trouble were this simple, this HOWTO would
not be necessary.

 

2.2. Shadow passwords

If you look at the /etc/passwd file on your own system, the entry will
probably look more like this:

  pete:x:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash

Where did the encrypted password go? Before answering that, a little
background is needed.

The /etc/passwd file holds the encrypted passwords of every user on the
system, and the file must be readable by all users. Consequently, any
user can view the encrypted passwords of everyone else on the system.
The passwords are encrypted, certainly, but that does not stop anyone
from running a password-cracking tool against them. Shadow passwords
were developed to counter exactly this threat.

On a system with shadow passwords enabled, the password field in
/etc/passwd is replaced by an x, and the real encrypted passwords are
stored in the file /etc/shadow. Since only root can read /etc/shadow, a
malicious user cannot crack the other users' passwords. Each entry in
/etc/shadow holds the user's login name, the encrypted password, and
several fields related to password expiry. A typical entry looks like
this:

    pete:/3GJllg1o4152:11009:0:99999:7:::


 

2.3. /etc/group and /etc/gshadow

Group information is stored in the file /etc/group. Its format is
similar to /etc/passwd: each entry contains the group name, a password,
the numeric id (gid), and a comma-separated list of the group's members.
An /etc/group entry looks like this:

   pasta:x:103:spagetti,fettucini,linguine,vermicelli

As the "x" in the password field shows, group passwords can be shadowed
as well. Groups rarely have passwords of their own, but be aware that
when they do, the shadowed group password information is stored in the
file /etc/gshadow.

 

2.4. MD5 encrypted passwords

Traditionally, Unix passwords have been encrypted with the standard
crypt() function. (See the crypt(3) manual page for details on crypt().)
As computers became faster, passwords encrypted with this function became
easier to crack, and with the arrival of the Internet, tools appeared
that spread a password-cracking run across many hosts. Many newer
distributions therefore offer the option of encrypting passwords with the
stronger MD5 hash algorithm. (See RFC 1321 for details on MD5.) MD5
passwords do not remove the threat of password cracking entirely, but
they do make cracking considerably harder.
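As an added illustration (not part of the HOWTO itself), the following script parses /etc/passwd and /etc/shadow records in the layouts described in sections 2.1 to 2.4 and flags the weaknesses those sections discuss: hashes left world-readable in /etc/passwd, empty (null) passwords, and traditional DES crypt hashes instead of MD5. The sample records are constructed for the example; only the "pete" line is the HOWTO's own.

```python
import re

# Constructed sample records; the "pete" line is the HOWTO's example, the rest are made up.
PASSWD_LINES = [
    "pete:K3xcO1Qnx8LFN:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash",
    "anna:x:1001:1001:Anna Example:/home/anna:/bin/bash",
    "ftp::40:40:ftp daemon:/var/ftp:/bin/false",
]
SHADOW_LINES = [
    "anna:$1$saltsalt$LB2nUh0D/fcXpYrdtdQqy0:11009:0:99999:7:::",
]

PASSWD_FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("login", "password", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")

def parse_record(line, names):
    """Split one colon-separated passwd/shadow line into a dict keyed by field name."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(names):
        raise ValueError("expected %d fields, got %d: %r" % (len(names), len(fields), line))
    return dict(zip(names, fields))

def hash_kind(pw):
    """Classify a password field: shadowed marker, empty, MD5 crypt, locked, DES crypt or unknown."""
    if pw == "x":
        return "shadowed"
    if pw == "":
        return "empty"          # null password: login without a password if nullok is set
    if pw.startswith("$1$"):
        return "md5"            # MD5-based crypt, as described in section 2.4
    if pw[0] in "*!":
        return "locked"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "des"            # traditional crypt(3): 2-char salt + 11-char hash
    return "unknown"

def audit(passwd_lines, shadow_lines):
    """Return (login, finding) pairs for the weaknesses sections 2.1 to 2.4 describe."""
    findings = []
    shadow = {r["login"]: r for r in (parse_record(l, SHADOW_FIELDS) for l in shadow_lines)}
    for line in passwd_lines:
        r = parse_record(line, PASSWD_FIELDS)
        kind = hash_kind(r["password"])
        if kind == "shadowed":
            s = shadow.get(r["login"])
            if s is None:
                findings.append((r["login"], "marked shadowed but has no /etc/shadow entry"))
                continue
            kind = hash_kind(s["password"])
        elif kind in ("des", "md5"):
            findings.append((r["login"], "password hash is world-readable in /etc/passwd"))
        if kind == "empty":
            findings.append((r["login"], "empty (null) password"))
        elif kind == "des":
            findings.append((r["login"], "traditional DES crypt hash, not MD5"))
    return findings
```

On a real system the same functions can be fed the lines of /etc/passwd and (as root) /etc/shadow.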

 

2.5. Sorting out the mess

As you have seen, there are several ways in which the information used
to authenticate users can be stored on a system (shadow passwords with
or without MD5, MD5 passwords in /etc/passwd without shadowing, and so
on). How, then, do programs such as login and su know how to verify a
user's password? What do you do if you want to change the way your
system stores passwords? And how would every program that needs a user's
password find out that the storage method has changed? This is where
PAM comes in.

 

3. PAM (Pluggable Authentication Modules)

PAM (Pluggable Authentication Modules) is the core of user
authentication on any modern Linux distribution.

 

3.1. Why PAM?

In the good old days of Linux, when a program such as su, passwd, login,
or xlock needed to authenticate a user, it simply read the necessary
information from /etc/passwd. If it needed to change a user's password,
it just edited /etc/passwd. This simple but clumsy approach caused all
sorts of problems for system administrators and application developers.
As MD5 and shadow passwords became common, every program that needed to
authenticate users had to know how to obtain the right information under
each of these different schemes, and changing the authentication scheme
meant recompiling every one of those programs. PAM removes this mess by
giving programs a transparent way to authenticate users, regardless of
how the user information is stored.

 

3.2. What is PAM?

To quote the Linux-PAM System Administrator's Guide
<http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html>: "It
is the purpose of the Linux-PAM project to separate the development of
privilege granting software from the development of secure and
appropriate authentication schemes. This is accomplished by providing a
library of functions that an application may use to request that a user
be authenticated." In other words, with PAM it no longer matters whether
your password is kept in /etc/passwd or on some server somewhere. When a
program needs to authenticate a user, PAM provides a library containing
the functions for the appropriate authentication scheme. Because this
library is loaded dynamically, the authentication scheme can be changed
simply by editing a configuration file.

Flexibility is one of PAM's greatest strengths. PAM can be configured to
deny certain programs the right to authenticate users, to allow only
certain users to authenticate, to issue a warning when a program attempts
to authenticate a user, or even to deprive every user of the ability to
log in. PAM's modular design gives you complete control over how users
are authenticated.

 

3.2.1. Distributions that support PAM

Nearly all popular distributions support PAM. The following is an
incomplete list of distributions that do:

 * Redhat version 5.0 and later

 * Mandrake 5.2 and later

 * Debian version 2.1 and later (partial support in 2.1, full support
    in 2.2)

 * Caldera version 1.3 and later

 * Turbolinux version 3.6 and later

 * SuSE version 6.2 and later

 * (Translator's addition) Vine, all versions

 * (Translator's addition) Kondara, all versions

The list above is surely incomplete and probably inaccurate. I would be
glad to receive additions and corrections at petehern@yahoo.com

 

3.2.2. Installing PAM

Installing PAM from source is a long and tedious job, and beyond the
scope of this HOWTO. If PAM is not installed on your system, you are
probably running such an old version of your distribution that there are
plenty of other reasons to upgrade. And if you insist on installing it
from source, you probably do not need my help anyway. For these reasons,
this document assumes that PAM is already installed.

 

3.3. Configuring PAM

That is enough of the generalities; let's dig in.

 

3.3.1. PAM configuration files

PAM's configuration files are kept in /etc/pam.d. (Don't worry if you
have no /etc/pam.d directory; I will get to that in the next section.)
Let's go there and take a look.

  ~$ cd /etc/pam.d
  /etc/pam.d/$ ls
  chfn  chsh    login   other   passwd  su      xlock
  /etc/pam.d/$

Depending on what is installed on your system, this directory may hold
more or fewer files. Whatever the details, there should be one file for
each program on the system that authenticates users. You have probably
already noticed that each file carries the name of the program whose
PAM authentication it configures (other is the exception, which we will
come to later). Let's look at the PAM configuration file for login.
(The file has been simplified here to make it easier to follow.)

  /etc/pam.d/$ cat login
  # PAM configuration file (for the login program)
  auth       requisite  pam_securetty.so
  auth       required   pam_nologin.so
  auth       required   pam_env.so
  auth       required   pam_unix.so nullok
  account    required   pam_unix.so
  session    required   pam_unix.so
  session    optional   pam_lastlog.so
  password   required   pam_unix.so nullok obscure min=4 max=8

Before we dig into this file, there is something you should be aware of.

 

3.3.2. Something to be aware of

You may be thinking: "I don't have an /etc/pam.d directory! The list of
supported distributions says mine includes PAM, but there is no such
directory. Can I just ignore PAM, or would that be blindingly stupid?"
Don't worry, it is not that bad. If your distribution includes PAM but
you have no /etc/pam.d, then your PAM configuration is stored in
/etc/pam.conf instead. Rather than being spread over many files, the
whole PAM configuration lives in that single file. The configuration
looks a little different in that case; I explain it in Section 3.3.4,
"The pam.conf configuration file".

 

3.3.3. Configuration file syntax

PAM configuration files have the following layout:

  type  control  module-path  module-arguments

Let's use the configuration file for the login program (shown earlier) as
a reference and walk through the PAM configuration syntax.

PAM configuration tokens

type

    The type token tells PAM which kind of authentication this line's
    module should be used for. Modules of the same type can be stacked,
    so that a user must satisfy several requirements in order to
    authenticate. PAM recognises four types:

    account

        Determines whether the user is permitted to use the service,
        whether the password has expired, and so on (nothing to do with
        the password itself).

    auth

        Determines whether the user really is who they claim to be.
        Usually this is checked with a password, but it could be done
        with a more sophisticated method such as biometrics.

    password

        Provides a mechanism for the user to change their authentication
        token. Usually this means changing a password.

    session

        Specifies things to be done before and/or after the user is
        authenticated, such as mounting and unmounting the user's home
        directory, logging the login or logout, or restricting and
        unrestricting the services available to the user.

    In the login configuration file above you can see at least one entry
    for each of the types. Since login is, as the name says, the program
    that lets users log in, it is no surprise that it needs access to all
    of the different types during authentication.

control

    The control token tells PAM what to do when authentication fails.
    PAM recognises the following four control types:

    requisite

        If authentication via this module fails, authentication is
        denied immediately.

    required

        If authentication fails, authentication is denied, but PAM still
        runs every other module stacked for this service (and type)
        before telling the user that authentication was refused.

    sufficient

        If authentication via this module succeeds, PAM grants
        authentication even if a previous required module has failed.

        (Translator's note: the explanation of "sufficient" above is an
        error. "sufficient" only takes effect when all preceding
        "required" modules have succeeded. Taken literally, the text
        above could lead to a serious misunderstanding. For details see
        the Linux-PAM System Administrators' Guide (http://
        www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html).
        My thanks to the reader who pointed out this mistake.)

    optional

        Whether this module succeeds or fails only matters when it is the
        only module (deciding authentication success or failure) of its
        type for this service.

    The configuration file for login shows nearly all of the control
    types. Most of the required modules are pam_unix.so (the main
    authentication module); the one requisite module is pam_securetty.so
    (which checks that the user is logging in from a secure console);
    and the one optional module is pam_lastlog.so (the module that
    retrieves information about the user's most recent login).

    (Translator's note: a new syntax for control has since been
    published. See The Linux-PAM System Administrators' Guide for
    details.)

module-path

    The module-path token tells PAM which module to use and (optionally)
    where to find it. As the login configuration file shows, most
    configuration files give only the module name. In that case PAM looks
    in its default module directory, normally /usr/lib/security. If your
    distribution follows the Linux filesystem standard, however, the PAM
    modules will be in the /lib/security directory.

module-arguments

    The module-arguments token specifies the arguments to be passed to
    the module. Each module has its own set of arguments. In the login
    configuration file, for instance, "nullok" (meaning "null ok") is
    passed to the pam_unix.so module; it means that an empty (null)
    password is acceptable for authentication.
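The control semantics above, including the translator's correction that a "sufficient" success does not override an earlier "required" failure, are easy to get wrong. The following is an added example, not part of the HOWTO: a small simulator that parses pam.d-style lines and evaluates one type's stack with the Linux-PAM rules. The stacks and the per-module results are constructed for the example; `pam_other_method.so` is a hypothetical module name.

```python
# Constructed stacks in the type/control/module-path/module-arguments layout described above.
LOGIN_STACK = """
auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       required   pam_unix.so nullok
"""
SUFFICIENT_STACK = """
auth       required   pam_unix.so
auth       sufficient pam_other_method.so
"""

def parse_pam_lines(text):
    """Parse pam.d-style text into (type, control, module, args) tuples, skipping comments."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            rows.append((parts[0], parts[1], parts[2], parts[3:]))
    return rows

def run_stack(rows, pam_type, results):
    """Evaluate one type's stack with the Linux-PAM control semantics.

    `results` maps a module name to True (success) or False (failure) and stands in
    for what the real module would return; modules not listed are taken to succeed.
    Returns the final decision handed back to the application."""
    stack = [r for r in rows if r[0] == pam_type]
    failed = False      # set once a required module fails; the stack keeps running anyway
    for _t, control, module, _args in stack:
        ok = results.get(module, True)
        if control == "requisite" and not ok:
            return False    # stop at once; the remaining modules are never consulted
        if control == "required" and not ok:
            failed = True   # remember it, but carry on so the caller cannot tell which module failed
        elif control == "sufficient" and ok and not failed:
            return True     # decisive only when nothing required has failed before it
        elif control == "optional" and len(stack) == 1:
            return ok       # optional matters only when it is the sole module of its type
    return not failed

LOGIN_ROWS = parse_pam_lines(LOGIN_STACK)
SUFFICIENT_ROWS = parse_pam_lines(SUFFICIENT_STACK)
```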
   
 

3.3.4. The pam.conf configuration file

If your PAM configuration is stored in the file /etc/pam.conf rather than
in the /etc/pam.d/ directory, the layout is slightly different. Instead
of one configuration file per service, all of the configuration is in
/etc/pam.conf, and the service name becomes the first field of each line.
For example, this line from the /etc/pam.d/login file:

    auth       required   pam_unix.so

would look like this in /etc/pam.conf:

    login       auth       required   pam_unix.so

Apart from that difference, the rest of the PAM syntax applies
unchanged.

 

3.4. Getting more information

If you need more detail, such as a full reference for configuring PAM or
for every PAM module, consult the Linux-PAM System Administrator's Guide
<http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html>. That
guide covers everything there is to know about configuring PAM and is
the best reference for the modules.

 

4. Securing user authentication

Most distributions ship with a user-authentication setup that is not
nearly secure enough. This chapter covers ways of making user
authentication on your system more secure. Doing these things will make
your system safer, but never assume that they are all the security you
need.

 

4.1. A strong /etc/pam.d/other

Every file in /etc/pam.d configures one particular service. The one
notable exception to this rule is the file /etc/pam.d/other, which holds
the configuration for any service that has no configuration file of its
own. For example, if the (imaginary) service xyz tries to authenticate a
user, PAM looks for the file /etc/pam.d/xyz. If that file does not
exist, authentication for xyz follows the rules in /etc/pam.d/other.
Since /etc/pam.d/other is the last resort for every PAM service, its
security matters a great deal. Here are two ways to set up a secure
/etc/pam.d/other: one rather paranoid, the other more lenient.

 

4.1.1. A paranoid configuration

The paranoid /etc/pam.d/other looks like this:

    auth        required        pam_deny.so
    auth        required        pam_warn.so
    account     required        pam_deny.so
    account     required        pam_warn.so
    password    required        pam_deny.so
    password    required        pam_warn.so
    session     required        pam_deny.so
    session     required        pam_warn.so

With this configuration, whenever an unknown service tries to use any of
the four types, PAM denies authentication (the pam_deny.so module) and
writes a warning to the system log (the pam_warn.so module). Barring a
bug in PAM, this setup is brutally secure. Its one drawback is what
happens if you accidentally delete another service's configuration: if
/etc/pam.d/login were deleted by mistake, nobody could log in any more.

 

4.1.2. A more lenient configuration

The following configuration is somewhat gentler:

    auth        required        pam_unix.so
    auth        required        pam_warn.so
    account     required        pam_unix.so
    account     required        pam_warn.so
    password    required        pam_deny.so
    password    required        pam_warn.so
    session     required        pam_unix.so
    session     required        pam_warn.so

With this configuration, an unknown service is allowed to authenticate
(via the pam_unix.so module), but users cannot change their passwords
through it. Authentication is permitted, yet a warning is still written
to the system log every time such a service attempts to authenticate.

 

4.1.3. Why /etc/pam.d/other matters

Unless you have a specific reason not to, I recommend putting the
paranoid /etc/pam.d/other in place before anything else. "Secure by
default" is the right choice in every situation. If a new service needs
to use one of the authentication types, simply create a PAM
configuration file for that service.

 

4.2. Disabling logins for users with null passwords

Most Linux systems have "dummy" user accounts that grant limited
privileges to system services such as ftp, the web server, or the mail
gateway. Having these accounts does make a system safer, since an
attacker who compromises a service gets only the limited privileges of
the dummy account rather than those of a service running as root. But a
dummy account that can log in with no password at all (a null password)
is another matter: letting such accounts log in is a real security risk.
The setting that permits logins without a password is the "nullok"
module argument. You should remove this argument from every "auth" type
module of any service that allows logins. That usually means the login
service, but it may also include rlogin and ssh. So this line in
/etc/pam.d/login:

   auth         required        pam_unix.so     nullok

should be changed to:

   auth         required        pam_unix.so
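As an added example (not from the HOWTO), the following check walks a snapshot of /etc/pam.d and reports the two problems sections 4.1.1 and 4.2 describe: "nullok" on an auth line, and an "other" file in which any of the four types is not closed off with pam_deny.so. It also produces the corrected file with "nullok" removed from auth lines. The file contents below are constructed for the example.

```python
# Constructed /etc/pam.d contents keyed by service (file) name; not taken from a real system.
PAM_D = {
    "login": """
auth       requisite  pam_securetty.so
auth       required   pam_unix.so     nullok
account    required   pam_unix.so
session    required   pam_unix.so
""",
    "other": """
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
""",
}
PAM_TYPES = ("auth", "account", "password", "session")

def pam_rows(text):
    """Yield (type, control, module, args) from pam.d-style text, ignoring comments and blanks."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2], parts[3:]

def check_service(name, text):
    """Findings for one file: nullok on auth lines (section 4.2) and, for 'other',
    any of the four types that does not include pam_deny.so (section 4.1.1)."""
    findings = []
    rows = list(pam_rows(text))
    for ptype, _control, module, args in rows:
        if ptype == "auth" and "nullok" in args:
            findings.append("%s: %s accepts empty passwords (nullok) on auth" % (name, module))
    if name == "other":
        for ptype in PAM_TYPES:
            modules = [m for t, _c, m, _a in rows if t == ptype]
            if "pam_deny.so" not in modules:
                findings.append("other: %s stack does not include pam_deny.so" % ptype)
    return findings

def check_pam_d(files):
    """Run check_service over every file in a pam.d directory snapshot."""
    return [f for name in sorted(files) for f in check_service(name, files[name])]

def strip_nullok(text):
    """Return the file text with 'nullok' removed from auth lines, the fix section 4.2 recommends."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "auth" and "nullok" in parts:
            line = "    ".join(p for p in parts if p != "nullok")
        out.append(line)
    return "\n".join(out)
```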
                                                                       

 

4.3. Disabling unused services

Looking through /etc/pam.d, you will probably find configuration files
for programs you never use, and maybe for some you have never heard of.
Allowing these services to authenticate is probably not a gaping
security hole, but it is still better to disable them. The best way to
stop a program from authenticating through PAM is to rename its
configuration file. Because the file is named after the program that
requests authentication, PAM then falls back to the (hopefully secure)
/etc/pam.d/other for that program. If you need the program later, rename
the file back and everything works as intended again.

 

4.4. Password-cracking tools

Attackers use password-cracking tools to break into systems, but a
system administrator can put the same tools to constructive use by
checking the strength of the passwords on the system. The two most widely
used password crackers are "crack" and "John the Ripper". crack probably
comes with your favourite distribution already; John the Ripper can be
obtained from http://www.false.com/security/john/index.html. Run these
tools against your password database and you will most likely be
surprised by what they turn up.

There is also a PAM module that uses crack's library to check the
strength of a new password whenever a user changes it. With that module
installed, users can only change their password to one that meets a
minimum level of strength.

 

4.5. Shadow and MD5 passwords

As explained earlier in this document, using shadow passwords and MD5
passwords makes your system more secure. Recent distributions ask during
installation whether you want MD5 and shadow passwords; unless you have a
specific reason not to, you should enable both. Converting a system that
uses neither shadow nor MD5 passwords over to them is a complicated
procedure and beyond the scope of this document. It is not new, but the
Shadow Password HOWTO <http://www.linuxdoc.org/HOWTO/
Shadow-Password-HOWTO.html> (Japanese translation
<http://www.linux.or.jp/JF/JFdocs/Shadow-Password-HOWTO.html>) is a
helpful reference.

 

5. Tying it all together

This chapter works through a simple example, which I hope will pull
together the material of the previous chapters.

 

5.1. Apache + mod_auth_pam

As our example, we will install and configure mod_auth_pam, an Apache
module that uses PAM to authenticate the users of a web server. Since
the point of the example is PAM, I assume that Apache is already
installed. If it is not, the easiest way to install it is the package
provided by your Linux distribution.

 

5.2. Our goal

The goal of this example is to create a directory called family on the
web server and set it up as an area that requires PAM user
authentication. Because the directory holds personal information about
the members of the family group, only users who belong to the family
group will be able to access it.

 

5.3. Installing mod_auth_pam

First, download mod_auth_pam from http://blank.pages.de/pam/mod_auth_pam.
Then compile mod_auth_pam with the following commands. (You must be
logged in as root.)

   ~# tar xzf mod_auth_pam.tar.gz
   ~# cd mod_auth_pam-1.0a
   ~/mod_auth_pam-1.0a# make
   ~/mod_auth_pam-1.0a# make install

If you run into trouble installing mod_auth_pam, check whether the
apache-dev package (or whatever your distribution calls it) is
installed. Once mod_auth_pam is installed, Apache must be restarted.
Apache can usually be restarted with the following command (again, as
root):

   ~# /etc/init.d/apache restart


 

5.4. Configuring PAM

The PAM configuration file for Apache is /etc/pam.d/httpd. The default
configuration (installed along with mod_auth_pam) is not insecure, but
it uses the pam_pwdb.so module, which many systems do not have.
(Besides, configuring it ourselves is more fun.) So delete the
/etc/pam.d/httpd file and start from scratch.

 

5.4.1. Deciding how to configure PAM

Before we can tell PAM how to handle Apache's authentication requests,
we have to decide exactly what PAM should check. First, PAM must verify
that the password the user supplies matches that user's password in the
standard Unix password database. That calls for the "auth" type and the
"pam_unix.so" module. To make authentication fail when the passwords do
not match, the module's control type should be set to "required". So the
first line of our /etc/pam.d/httpd looks like this:

     auth       required        pam_unix.so

Next, we must check that the user's account is valid (that is, that the
password has not expired and so on). That is the job of the "account"
type, and again the pam_unix.so module provides the functionality. Once
more, the module's "control" type is set to "required". With this line
added, /etc/pam.d/httpd looks like this:

     auth       required        pam_unix.so
     account    required        pam_unix.so

This is hardly a sophisticated configuration, but it works, and it is a
fine starting point for learning how to configure PAM services.

 

5.5. Configuring Apache

Now that PAM is set up to handle Apache's authentication requests, we
need to configure Apache itself so that access to the family directory
goes through PAM authentication. To do that, add the following lines to
the httpd.conf file. (httpd.conf is usually found in the /etc/apache or
/etc/httpd directory.)

    <Directory /var/www/family>
    AuthPAM_Enabled on
    AllowOverride None
    AuthName "Family Secrets"
    AuthType "basic"
    require group family
    </Directory>

Note that you may have to change /var/www above to wherever your system
keeps its web documents by default, for example /home/httpd. Whatever
that location is, you must also create the family directory there.

Before testing, a brief explanation of the Apache configuration we just
added. A <Directory> directive encapsulates the configuration for one
directory. Inside this directive we enable PAM authentication
("AuthPAM_enabled on"), forbid overriding these settings
(" AllowOverride none"), name the authentication realm "Family Secrets"
("AuthName "Family Secrets""), set httpd's own authentication type (not
PAM's) to the default ("AuthType "basic""), and restrict access to
members of the user group family ("require group family").

 

5.6. Testing our setup

Everything is now in place, so let's test it. Fire up your favourite
browser and go to http://your-domain/family/ (of course, replace
your-domain with your own domain). Congratulations: you are now an
uber-authenticator.

 

6. Resources

There are many other resources, both online and offline, that cover user
authentication in far more depth. If you know of a resource that belongs
in this list, please let me know at petehern@yahoo.com

 

6.1. PAM

 * Linux-PAM System Administrator's Guide <http://www.kernel.org/pub/
    linux/libs/pam/Linux-PAM-html/pam.html>

 * Linux-PAM Module Writer's Manual <http://www.kernel.org/pub/linux/
    libs/pam/Linux-PAM-html/pam_modules.html>

 * Linux-PAM Application Developer's Manual <http://www.kernel.org/
    pub/linux/libs/pam/Linux-PAM-html/pam_modules.html>

   
 

6.2. General security

 * linuxsecurity.com <http://www.linuxsecurity.com/>

 * securitywatch.com <http://www.securitywatch.com>

 * Security HOWTO <http://www.linuxdoc.org/HOWTO/Security-HOWTO.html>
    (Japanese translation <http://www.linux.or.jp/JF/JFdocs/Security-HOWTO.html>)

 * Packetstorm <http://packetstorm.securify.com>

   
 

6.3. Offline documentation

Your system's manual pages hold a wealth of information. The following
manual pages are relevant to user authentication; the number in
parentheses is the manual section, so to read passwd(5) you would type
man 5 passwd.

 * passwd(5)

 * crypt(3)

 * pam.d(5)

 * group(5)

 * shadow(5)

   
 

7. Conclusion

I hope this HOWTO has been useful. If you have comments, corrections, or
suggestions, I would be glad to hear from you by e-mail at the address
below. petehern@yahoo.com

 

7.1. About the Japanese translation

Translation: (name garbled in the source)
Proofreading: (names garbled in the source)
              Katsunori Aoki

Please send comments on the translation to JF@linux.or.jp or
ysenda@pop01.odn.ne.jp.

