Summary: this Fengge Tutorials (风哥教程) article draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation to explain in detail how the technologies involved are configured and used.
Fengge's note:
This document explains in detail how to configure PAM (Pluggable Authentication Modules).
Part01-PAM Basics
1.1 PAM Module Types
1. auth: authentication management
– verifies the user's identity
– sets the user's credentials
2. account: account management
– checks that the account is valid
– checks access permissions
3. password: password management
– updates passwords
– enforces password policy checks
4. session: session management
– sets up the session environment
– cleans up session resources
# PAM control flags
required: must succeed; on failure the remaining modules still run, but the stack as a whole fails
requisite: must succeed; on failure the stack returns immediately
sufficient: on success the stack returns immediately (unless an earlier required module has already failed); on failure processing continues
optional: optional; its result does not affect the outcome
include: includes the lines of another configuration file
substack: includes another configuration file as a sub-stack
# PAM configuration file locations
/etc/pam.d/ – per-service configuration directory
/etc/pam.d/system-auth – system authentication configuration
/etc/pam.d/password-auth – password authentication configuration
/etc/pam.d/login – login service configuration
/etc/pam.d/sshd – SSH service configuration
/etc/security/ – configuration directory for PAM modules
# View the PAM configuration
$ cat /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
Part02-Password Policy
2.1 Configuring Password Policy
$ sudo tee /etc/security/pwquality.conf << 'EOF'
minlen = 12
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
difok = 4
gecoscheck = 1
dictcheck = 1
usercheck = 1
enforcing = 1
retry = 3
EOF
# Configure password history (remember=5 on pam_unix keeps the last 5 hashes in /etc/security/opasswd)
$ sudo tee /etc/pam.d/system-auth << 'EOF'
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
# Configure password aging. Edit the existing keys in place: overwriting the whole of /etc/login.defs
# would remove UID_MIN, ENCRYPT_METHOD and the other settings that useradd relies on.
# PASS_MIN_LEN is not enforced on a PAM system; the length comes from minlen in pwquality.conf
$ sudo sed -i -e 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' \
              -e 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' \
              -e 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 12/' \
              -e 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' /etc/login.defs
# These defaults only apply to accounts created afterwards; existing users are updated with chage
$ sudo chage -M 90 -m 7 -W 14 user1
# Check the password aging settings
$ chage -l user1
Last password change                                    : Apr 04, 2026
Password expires                                        : Jul 03, 2026
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
Part03-Access Control
3.1 Configuring Access Control
# Group names in access.conf are written as (group); the @name form means an NIS netgroup, not a Unix group
$ sudo tee /etc/security/access.conf << 'EOF'
+ : root : ALL
+ : admin : ALL
+ : (wheel) : ALL
+ : (developers) : 192.168.1.0/24
- : ALL : ALL
EOF
# Enable PAM access control
$ sudo tee -a /etc/pam.d/login << 'EOF'
account required pam_access.so
EOF
# Configure time restrictions. The times field below is the time.conf(5) example and denies every user
# except root at all hours; replace !Al0000-2400 with the window to allow, for example Wk0800-1800.
# The first field must be the PAM service name (sshd, not ssh)
$ sudo tee /etc/security/time.conf << 'EOF'
login ; * ; !root ; !Al0000-2400
sshd ; * ; !root ; !Al0000-2400
EOF
# Enable PAM time restrictions
$ sudo tee -a /etc/pam.d/sshd << 'EOF'
account required pam_time.so
EOF
# Configure resource limits
$ sudo tee /etc/security/limits.conf << 'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
root soft nofile 65535
root hard nofile 65535
EOF
# Configure a delay after failed logins (microseconds)
$ sudo tee -a /etc/pam.d/system-auth << 'EOF'
auth optional pam_faildelay.so delay=4000000
EOF
# Configure account lockout. This rewrites system-auth as a whole, so the account, password and
# session stacks from Part02 (and the pam_faildelay line) are repeated here. authfail must follow
# pam_unix directly so that a wrong password is counted before the stack ends, and the
# account-phase pam_faillock line resets the counter after a successful login
$ sudo tee /etc/pam.d/system-auth << 'EOF'
auth required pam_env.so
auth optional pam_faildelay.so delay=4000000
auth required pam_faillock.so preauth silent deny=3 unlock_time=900
auth sufficient pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
# Check the lockout status
$ faillock --user user1
user1:
When                Type  Source                                           Valid
2026-04-04 10:00:00 TTY   pts/0                                                V
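To see why the module order in the lockout stack matters, here is an added example (not from this page or from Linux-PAM) that parses PAM stack lines and applies a simplified model of libpam's control-flag dispatch: required, requisite, sufficient, optional and the bracketed [success=N default=...] form, without the reset action or PAM_IGNORE handling. It replays the auth stack of the system-auth above (pam_faildelay left out) for a correct password, a wrong password and a locked account, using constructed module outcomes instead of a real login.

```python
import re

# pam.conf(5): the classic keywords are shorthand for these bracketed action lists.
KEYWORDS = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"}}

def parse_stack(text, mtype):
    """Return [(actions, module, args)] for the lines of one management group."""
    stack = []
    for line in text.splitlines():
        line = line.strip().lstrip("-")  # leading '-': a missing module is not fatal
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1) != mtype:
            continue
        actions = KEYWORDS.get(m.group(2)) or dict(re.findall(r"(\w+)=(\w+)", m.group(2)))
        stack.append((actions, m.group(3), m.group(4).split()))
    return stack

def run_stack(text, mtype, outcome):
    """Simplified libpam dispatch; returns (final status, modules that actually ran)."""
    stack, status, ran, i = parse_stack(text, mtype), None, [], 0
    while i < len(stack):
        actions, module, args = stack[i]
        ran.append(" ".join([module] + args[:1]))
        ret = outcome(module, args)  # 'success' or a failure name such as 'auth_err'
        action = actions.get(ret, actions.get("default", "ignore"))
        if action != "ignore" and status in (None, "success"):
            status = ret  # ok/done/N/bad/die all record it; the first failure wins
        if action == "die" or (action == "done" and status == "success"):
            break  # 'done' (sufficient) ends the stack only if nothing failed earlier
        i += 1 + (int(action) if action.isdigit() else 0)  # [success=N] skips N
    return (status or "perm_denied"), ran

# Auth stack of the lockout system-auth in Part03 (pam_faildelay left out).
LOCKOUT_AUTH = """auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 unlock_time=900
auth sufficient pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so"""

def login_attempt(password_ok, locked=False):
    """Constructed outcomes: pam_unix checks the password, preauth fails while locked, authfail reports auth_err."""
    def outcome(module, args):
        if module == "pam_unix.so":
            return "success" if password_ok else "auth_err"
        if module == "pam_faillock.so":
            return "auth_err" if locked or args[0] == "authfail" else "success"
        return "perm_denied" if module == "pam_deny.so" else "success"
    return run_stack(LOCKOUT_AUTH, "auth", outcome)
```

A correct password ends the stack at pam_unix (sufficient), a wrong one is recorded by authfail before anything else runs, and a locked account is refused even with the right password because the required preauth failure blocks the sufficient shortcut.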
Part04-Two-Factor Authentication
4.1 Configuring Two-Factor Authentication
$ sudo dnf install -y google-authenticator
# Set up a token for a user
$ google-authenticator
Do you want authentication tokens to be time-based? (y/n) y
Your new secret key is: ABCDEFGHIJKLMNOP
Your verification code is 123456
Your emergency scratch codes are:
12345678
23456789
34567890
45678901
56789012
Do you want me to update your "~/.google_authenticator" file? (y/n) y
# Configure SSH two-factor authentication. Insert the OTP module ahead of the existing
# "auth substack password-auth" line rather than overwriting /etc/pam.d/sshd, which would
# drop its account, password and session stacks together with the pam_time line from Part03
$ sudo sed -i '/^auth[[:space:]]\+substack[[:space:]]\+password-auth/i auth required pam_google_authenticator.so' /etc/pam.d/sshd
# The auth stack of /etc/pam.d/sshd then reads:
auth required pam_google_authenticator.so
auth substack password-auth
auth include postlogin
# Configure SSH (ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication; both are accepted)
$ sudo tee /etc/ssh/sshd_config.d/2fa.conf << 'EOF'
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
EOF
# Validate the configuration before restarting, so a typo cannot lock you out of SSH
$ sudo sshd -t
$ sudo systemctl restart sshd
# Configure PAM two-factor authentication for the other services that use system-auth (console
# login, su and so on) by inserting the module directly in front of pam_unix, without overwriting
# the file built in Part03. requisite means a missing or wrong code ends the stack at once; add
# nullok to the module if users who have not yet run google-authenticator must still be able to log in
$ sudo sed -i '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/i auth requisite pam_google_authenticator.so' /etc/pam.d/system-auth
# Confirm the placement in the auth stack
$ grep -n 'pam_google_authenticator\|pam_unix' /etc/pam.d/system-auth
1. Configure a strong password policy
2. Enable account lockout
3. Configure access control
4. Enable two-factor authentication
5. Audit the configuration regularly
Compiled and published by Fengge Tutorials (风哥教程) for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
