马哥 30_03 _nss&pam 有大用

星期二, 2020-08-25 02:19 — adminshiping1

authentication 认证

authorization 授权

上面的都是数据库 (其实上面都可以用文本文件,如逗号,冒号隔开)

上面的都可以称为名称解析库

nis ( network information service ) ( network information system) 网络信息服务,网络信息系统

是 sun 公司的一个服务产品?

ldap 与 mysql差不多,它也是一个数据库,它不是表的形式存放的,是类似于目录结构的方式存放的(倒置的树状结构)(有点类似于dns,但并不一样)

ldap 比 mysql 查询速度快上一个数量级 (10倍左右),一次写入,多次读取的(如用户账号),通常大型公司使用ldap来保存

App: 比如 vsftpd : 将登录的用户的名称转换为id号

App: 比如 login (putty登录是依赖于 login 程序)

/etc/nsswitch.conf 里面定义的某一种名称解析服务(应用程序)是通过哪一种手段来实现的

把名称解析服务独立出来

App ->中间层模块 nsswitch -> resolve_lib

nsswitch 网络服务转换开关 ( network service switch ).它本身也是一堆的库文件,跟pam一样,

/etc/nsswitch.conf

passwd: file 到文件中找名称解析

group: file

hostname: file dns 先到文件中找名称解析,找不到的话,再到dns中找

passwd: file 要有某个实实在在的程序来执行查找,这个程序就是库文件 nsswitch

[root@mail xinetd.d]# cd /usr/lib

[root@mail lib]# ls | grep nss # 这里面都是名称解析库

libgnutls-openssl.a

libgnutls-openssl.so

libgnutls-openssl.so.13

libgnutls-openssl.so.13.0.6

libnfsidmap_nsswitch.so

libnfsidmap_nsswitch.so.0

libnfsidmap_nsswitch.so.0.0.0

libnss3.so

libnssckbi.so

libnss_compat.so

libnssdbm3.chk

libnssdbm3.so

libnss_db.so

libnss_dns.so

libnss_files.so

libnss_hesiod.so

libnss_ldap.so

libnss_nisplus.so

libnss_nis.so

libnssutil3.so

libnss_winbind.so

libnss_wins.so

nss

openssl

[root@mail lib]#

这些 so 称为动态链接库,类似于 windows 上的 dll

这些库文件才真正实现解析的过程

/etc/nsswitch.conf 指定file时,使用libnss_files.so动态链接库

/etc/nsswitch.conf 指定dns时,使用libnss_dns.so动态链接库

应用程序使用名称解析服务,要调用这些库文件(libnss_files.so libnss_dns.so 等许多),到底调用哪个库文件,由 /etc/nsswitch.conf 来定义的

[root@mail lib]# vim /etc/nsswitch.conf

......................

#services: nisplus [NOTFOUND=return] files # nisplus 找不到的话就 return ,就不找后面的files了

passwd: files # passwd 表示命令,也可看作库,也可以看作服务

shadow: files

group: files

hosts: files dns

ethers: files # 网卡,使用 files , 它们对应的 files 是不一样的

protocols: files # 将协议(如httpd)转换为端口号,使用files 它们对应的files是不一样的

rpc: files # rpc 转为端口号,需要用到files 它们对应的files是不一样的

aliases: files nisplus # 可以到files中找别名,也可以到 nisplus 中找别名 ( nis 叫网络信息服务,它是开源的 )( nisplus 叫网络信息服务的升级版 nisplus 通常只为sun的某个软件所独有,它是商业软件,不公开的 )

[root@mail lib]# cat /etc/protocols

# /etc/protocols:

# $Id: protocols,v 1.5 2006/10/11 15:39:11 pknirsch Exp $

# Internet (IP) protocols

# from: @(#)protocols 5.1 (Berkeley) 4/17/89

# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).

ip 0 IP # internet protocol, pseudo protocol number

hopopt 0 HOPOPT # hop-by-hop options for ipv6

icmp 1 ICMP # internet control message protocol

igmp 2 IGMP # internet group management protocol

ggp 3 GGP # gateway-gateway protocol

ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')

st 5 ST # ST datagram mode

tcp 6 TCP # transmission control protocol

cbt 7 CBT # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>

egp 8 EGP # exterior gateway protocol

igp 9 IGP # any private interior gateway (Cisco: for IGRP)

bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring

nvp 11 NVP-II # Network Voice Protocol

pup 12 PUP # PARC universal packet protocol

argus 13 ARGUS # ARGUS

emcon 14 EMCON # EMCON

xnet 15 XNET # Cross Net Debugger

chaos 16 CHAOS # Chaos

udp 17 UDP # user datagram protocol

mux 18 MUX # Multiplexing protocol

dcn 19 DCN-MEAS # DCN Measurement Subsystems

hmp 20 HMP # host monitoring protocol

prm 21 PRM # packet radio measurement protocol

xns-idp 22 XNS-IDP # Xerox NS IDP

trunk-1 23 TRUNK-1 # Trunk-1

trunk-2 24 TRUNK-2 # Trunk-2

leaf-1 25 LEAF-1 # Leaf-1

leaf-2 26 LEAF-2 # Leaf-2

rdp 27 RDP # "reliable datagram" protocol

irtp 28 IRTP # Internet Reliable Transaction Protocol

iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4

netblt 30 NETBLT # Bulk Data Transfer Protocol

mfe-nsp 31 MFE-NSP # MFE Network Services Protocol

merit-inp 32 MERIT-INP # MERIT Internodal Protocol

dccp 33 DCCP # Datagram Congestion Control Protocol

3pc 34 3PC # Third Party Connect Protocol

idpr 35 IDPR # Inter-Domain Policy Routing Protocol

xtp 36 XTP # Xpress Tranfer Protocol

ddp 37 DDP # Datagram Delivery Protocol

idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto

tp++ 39 TP++ # TP++ Transport Protocol

il 40 IL # IL Transport Protocol

ipv6 41 IPv6 # IPv6

sdrp 42 SDRP # Source Demand Routing Protocol

ipv6-route 43 IPv6-Route # Routing Header for IPv6

ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6

idrp 45 IDRP # Inter-Domain Routing Protocol

rsvp 46 RSVP # Resource ReSerVation Protocol

gre 47 GRE # Generic Routing Encapsulation

dsr 48 DSR # Dynamic Source Routing Protocol

bna 49 BNA # BNA

esp 50 ESP # Encap Security Payload

ah 51 AH # Authentication Header

i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA

swipe 53 SWIPE # IP with Encryption

narp 54 NARP # NBMA Address Resolution Protocol

mobile 55 MOBILE # IP Mobility

tlsp 56 TLSP # Transport Layer Security Protocol

skip 57 SKIP # SKIP

ipv6-icmp 58 IPv6-ICMP # ICMP for IPv6

ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6

ipv6-opts 60 IPv6-Opts # Destination Options for IPv6

# 61 # any host internal protocol

cftp 62 CFTP # CFTP

# 63 # any local network

sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK

kryptolan 65 KRYPTOLAN # Kryptolan

rvd 66 RVD # MIT Remote Virtual Disk Protocol

ippc 67 IPPC # Internet Pluribus Packet Core

# 68 # any distributed file system

sat-mon 69 SAT-MON # SATNET Monitoring

visa 70 VISA # VISA Protocol

ipcv 71 IPCV # Internet Packet Core Utility

cpnx 72 CPNX # Computer Protocol Network Executive

cphb 73 CPHB # Computer Protocol Heart Beat

wsn 74 WSN # Wang Span Network

pvp 75 PVP # Packet Video Protocol

br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring

sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary

wb-mon 78 WB-MON # WIDEBAND Monitoring

wb-expak 79 WB-EXPAK # WIDEBAND EXPAK

iso-ip 80 ISO-IP # ISO Internet Protocol

vmtp 81 VMTP # Versatile Message Transport

secure-vmtp 82 SECURE-VMTP # SECURE-VMTP

vines 83 VINES # VINES

ttp 84 TTP # TTP

nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP

dgp 86 DGP # Dissimilar Gateway Protocol

tcf 87 TCF # TCF

eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)

ospf 89 OSPFIGP # Open Shortest Path First IGP

sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol

larp 91 LARP # Locus Address Resolution Protocol

mtp 92 MTP # Multicast Transport Protocol

ax.25 93 AX.25 # AX.25 Frames

ipip 94 IPIP # Yet Another IP encapsulation

micp 95 MICP # Mobile Internetworking Control Pro.

scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.

etherip 97 ETHERIP # Ethernet-within-IP Encapsulation

encap 98 ENCAP # Yet Another IP encapsulation

# 99 # any private encryption scheme

gmtp 100 GMTP # GMTP

ifmp 101 IFMP # Ipsilon Flow Management Protocol

pnni 102 PNNI # PNNI over IP

pim 103 PIM # Protocol Independent Multicast

aris 104 ARIS # ARIS

scps 105 SCPS # SCPS

qnx 106 QNX # QNX

a/n 107 A/N # Active Networks

ipcomp 108 IPComp # IP Payload Compression Protocol

snp 109 SNP # Sitara Networks Protocol

compaq-peer 110 Compaq-Peer # Compaq Peer Protocol

ipx-in-ip 111 IPX-in-IP # IPX in IP

vrrp 112 VRRP # Virtual Router Redundancy Protocol

pgm 113 PGM # PGM Reliable Transport Protocol

# 114 # any 0-hop protocol

l2tp 115 L2TP # Layer Two Tunneling Protocol #这是协议对应的端口?

ddx 116 DDX # D-II Data Exchange

iatp 117 IATP # Interactive Agent Transfer Protocol

stp 118 STP # Schedule Transfer

srp 119 SRP # SpectraLink Radio Protocol

uti 120 UTI # UTI

smp 121 SMP # Simple Message Protocol

sm 122 SM # SM

ptp 123 PTP # Performance Transparency Protocol

isis 124 ISIS # ISIS over IPv4

fire 125 FIRE

crtp 126 CRTP # Combat Radio Transport Protocol

crdup 127 CRUDP # Combat Radio User Datagram

sscopmce 128 SSCOPMCE

iplt 129 IPLT

sps 130 SPS # Secure Packet Shield

pipe 131 PIPE # Private IP Encapsulation within IP

sctp 132 SCTP # Stream Control Transmission Protocol

fc 133 FC # Fibre Channel

rsvp-e2e-ignore 134 RSVP-E2E-IGNORE

# 135 # Mobility Header

udplite 136 UDPLite

mpls-in-ip 137 MPLS-in-IP

# 138-252 Unassigned [IANA]

# 253 Use for experimentation and testing [RFC3692]

# 254 Use for experimentation and testing [RFC3692]

# 255 Reserved [IANA]

[root@mail lib]#

[root@mail lib]# cat /etc/services # 下面才是真正意义上的某个协议使用的哪个端口 ,

LAN

brf-gw 22951/tcp # Telerate Information Platform WAN

brf-gw 22951/udp # Telerate Information Platform WAN

med-ltp 24000/tcp # med-ltp

med-ltp 24000/udp # med-ltp

med-fsp-rx 24001/tcp # med-fsp-rx

med-fsp-rx 24001/udp # med-fsp-rx

med-fsp-tx 24002/tcp # med-fsp-tx

med-fsp-tx 24002/udp # med-fsp-tx

med-supp 24003/tcp # med-supp

med-supp 24003/udp # med-supp

med-ovw 24004/tcp # med-ovw

med-ovw 24004/udp # med-ovw

med-ci 24005/tcp # med-ci

med-ci 24005/udp # med-ci

med-net-svc 24006/tcp # med-net-svc

med-net-svc 24006/udp # med-net-svc

filesphere 24242/tcp # fileSphere

filesphere 24242/udp # fileSphere

ild 24321/tcp # Isolv Local Directory

ild 24321/udp # Isolv Local Directory

vista-4gl 24249/tcp # Vista 4GL

vista-4gl 24249/udp # Vista 4GL

intel_rci 24386/tcp # Intel RCI

intel_rci 24386/udp # Intel RCI

flashfiler 24677/tcp # FlashFiler

flashfiler 24677/udp # FlashFiler

proactivate 24678/tcp # Turbopower Proactivate

proactivate 24678/udp # Turbopower Proactivate

snip 24922/tcp # Simple Net Ident Protocol

snip 24922/udp # Simple Net Ident Protocol

icl-twobase1 25000/tcp # icl-twobase1

icl-twobase1 25000/udp # icl-twobase1

icl-twobase2 25001/tcp # icl-twobase2

icl-twobase2 25001/udp # icl-twobase2

icl-twobase3 25002/tcp # icl-twobase3

icl-twobase3 25002/udp # icl-twobase3

icl-twobase4 25003/tcp # icl-twobase4

icl-twobase4 25003/udp # icl-twobase4

icl-twobase5 25004/tcp # icl-twobase5

icl-twobase5 25004/udp # icl-twobase5

icl-twobase6 25005/tcp # icl-twobase6

icl-twobase6 25005/udp # icl-twobase6

icl-twobase7 25006/tcp # icl-twobase7

icl-twobase7 25006/udp # icl-twobase7

icl-twobase8 25007/tcp # icl-twobase8

icl-twobase8 25007/udp # icl-twobase8

icl-twobase9 25008/tcp # icl-twobase9

icl-twobase9 25008/udp # icl-twobase9

icl-twobase10 25009/tcp # icl-twobase10

icl-twobase10 25009/udp # icl-twobase10

vocaltec-hos 25793/tcp # Vocaltec Address Server

vocaltec-hos 25793/udp # Vocaltec Address Server

tasp-net 25900/tcp # TASP Network Comm

tasp-net 25900/udp # TASP Network Comm

niobserver 25901/tcp # NIObserver

niobserver 25901/udp # NIObserver

niprobe 25903/tcp # NIProbe

niprobe 25903/udp # NIProbe

ezproxy 26260/tcp # eZproxy

ezproxy 26260/udp # eZproxy

ezmeeting 26261/tcp # eZmeeting

ezmeeting 26261/udp # eZmeeting

k3software-svr 26262/tcp # K3 Software-Server

k3software-svr 26262/udp # K3 Software-Server

k3software-cli 26263/tcp # K3 Software-Client

k3software-cli 26263/udp # K3 Software-Client

gserver 26264/tcp # Gserver

gserver 26264/udp # Gserver

imagepump 27345/tcp # ImagePump

imagepump 27345/udp # ImagePump

kopek-httphead 27504/tcp # Kopek HTTP Head Port

kopek-httphead 27504/udp # Kopek HTTP Head Port

ars-vista 27782/tcp # ARS VISTA Application

ars-vista 27782/udp # ARS VISTA Application

tw-auth-key 27999/tcp # TW Authentication/Key Distribution and

tw-auth-key 27999/udp # Attribute Certificate Services

nxlmd 28000/tcp # NX License Manager

nxlmd 28000/udp # NX License Manager

siemensgsm 28240/tcp # Siemens GSM

siemensgsm 28240/udp # Siemens GSM

pago-services1 30001/tcp # Pago Services 1

pago-services1 30001/udp # Pago Services 1

pago-services2 30002/tcp # Pago Services 2

pago-services2 30002/udp # Pago Services 2

xqosd 31416/tcp # XQoS network monitor

xqosd 31416/udp # XQoS network monitor

tetrinet 31457/tcp # TetriNET Protocol

tetrinet 31457/udp # TetriNET Protocol

lm-mon 31620/tcp # lm mon

lm-mon 31620/udp # lm mon

gamesmith-port 31765/tcp # GameSmith Port

gamesmith-port 31765/udp # GameSmith Port

t1distproc60 32249/tcp # T1 Distributed Processor

t1distproc60 32249/udp # T1 Distributed Processor

apm-link 32483/tcp # Access Point Manager Link

apm-link 32483/udp # Access Point Manager Link

sec-ntb-clnt 32635/tcp # SecureNotebook-CLNT

sec-ntb-clnt 32635/udp # SecureNotebook-CLNT

filenet-tms 32768/tcp # Filenet TMS

filenet-tms 32768/udp # Filenet TMS

filenet-rpc 32769/tcp # Filenet RPC

filenet-rpc 32769/udp # Filenet RPC

filenet-nch 32770/tcp # Filenet NCH

filenet-nch 32770/udp # Filenet NCH

filenet-rmi 32771/tcp # FileNET RMI

filenet-rmi 32771/udp # FileNet RMI

filenet-pa 32772/tcp # FileNET Process Analyzer

filenet-pa 32772/udp # FileNET Process Analyzer

filenet-cm 32773/tcp # FileNET Component Manager

filenet-cm 32773/udp # FileNET Component Manager

filenet-re 32774/tcp # FileNET Rules Engine

filenet-re 32774/udp # FileNET Rules Engine

filenet-pch 32775/tcp # Performance Clearinghouse

filenet-pch 32775/udp # Performance Clearinghouse

idmgratm 32896/tcp # Attachmate ID Manager

idmgratm 32896/udp # Attachmate ID Manager

diamondport 33331/tcp # DiamondCentral Interface

diamondport 33331/udp # DiamondCentral Interface

snip-slave 33656/tcp # SNIP Slave

snip-slave 33656/udp # SNIP Slave

turbonote-2 34249/tcp # TurboNote Relay Server Default Port

turbonote-2 34249/udp # TurboNote Relay Server Default Port

p-net-local 34378/tcp # P-Net on IP local

p-net-local 34378/udp # P-Net on IP local

p-net-remote 34379/tcp # P-Net on IP remote

p-net-remote 34379/udp # P-Net on IP remote

profinet-rt 34962/tcp # PROFInet RT Unicast

profinet-rt 34962/udp # PROFInet RT Unicast

profinet-rtm 34963/tcp # PROFInet RT Multicast

profinet-rtm 34963/udp # PROFInet RT Multicast

profinet-cm 34964/tcp # PROFInet Context Manager

profinet-cm 34964/udp # PROFInet Context Manager

ethercat 34980/tcp # EtherCAT Port

ethercat 34980/udp # EhterCAT Port

kastenxpipe 36865/tcp # KastenX Pipe

kastenxpipe 36865/udp # KastenX Pipe

neckar 37475/tcp # science + computing's Venus Administration Port

neckar 37475/udp # science + computing's Venus Administration Port

galaxy7-data 38201/tcp # Galaxy7 Data Tunnel

galaxy7-data 38201/udp # Galaxy7 Data Tunnel

fairview 38202/tcp # Fairview Message Service

fairview 38202/udp # Fairview Message Service

agpolicy 38203/tcp # AppGate Policy Server

agpolicy 38203/udp # AppGate Policy Server

turbonote-1 39681/tcp # TurboNote Default Port

turbonote-1 39681/udp # TurboNote Default Port

cscp 40841/tcp # CSCP

cscp 40841/udp # CSCP

csccredir 40842/tcp # CSCCREDIR

csccredir 40842/udp # CSCCREDIR

csccfirewall 40843/tcp # CSCCFIREWALL

csccfirewall 40843/udp # CSCCFIREWALL

fs-qos 41111/tcp # Foursticks QoS Protocol

fs-qos 41111/udp # Foursticks QoS Protocol

crestron-cip 41794/tcp # Crestron Control Port

crestron-cip 41794/udp # Crestron Control Port

crestron-ctp 41795/tcp # Crestron Terminal Port

crestron-ctp 41795/udp # Crestron Terminal Port

candp 42508/tcp # Computer Associates network discovery protocol

candp 42508/udp # Computer Associates network discovery protocol

candrp 42509/tcp # CA discovery response

candrp 42509/udp # CA discovery response

caerpc 42510/tcp # CA eTrust RPC

caerpc 42510/udp # CA eTrust RPC

reachout 43188/tcp # REACHOUT

reachout 43188/udp # REACHOUT

ndm-agent-port 43189/tcp # NDM-AGENT-PORT

ndm-agent-port 43189/udp # NDM-AGENT-PORT

ip-provision 43190/tcp # IP-PROVISION

ip-provision 43190/udp # IP-PROVISION

ciscocsdb 43441/tcp # Cisco NetMgmt DB Ports

ciscocsdb 43441/udp # Cisco NetMgmt DB Ports

pmcd 44321/tcp # PCP server (pmcd)

pmcd 44321/udp # PCP server (pmcd)

pmcdproxy 44322/tcp # PCP server (pmcd) proxy

pmcdproxy 44322/udp # PCP server (pmcd) proxy

rbr-debug 44553/tcp # REALbasic Remote Debug

rbr-debug 44553/udp # REALbasic Remote Debug

rockwell-encap 44818/tcp # Rockwell Encapsulation

rockwell-encap 44818/udp # Rockwell Encapsulation

invision-ag 45054/tcp # InVision AG

invision-ag 45054/udp # InVision AG

eba 45678/tcp # EBA PRISE

eba 45678/udp # EBA PRISE

ssr-servermgr 45966/tcp # SSRServerMgr

ssr-servermgr 45966/udp # SSRServerMgr

mediabox 46999/tcp # MediaBox Server

mediabox 46999/udp # MediaBox Server

mbus 47000/tcp # Message Bus

mbus 47000/udp # Message Bus

dbbrowse 47557/tcp # Databeam Corporation

dbbrowse 47557/udp # Databeam Corporation

directplaysrvr 47624/tcp # Direct Play Server

directplaysrvr 47624/udp # Direct Play Server

ap 47806/tcp # ALC Protocol

ap 47806/udp # ALC Protocol

bacnet 47808/tcp # Building Automation and Contro l Networks

bacnet 47808/udp # Building Automation and Contro l Networks

nimcontroller 48000/tcp # Nimbus Controller

nimcontroller 48000/udp # Nimbus Controller

nimspooler 48001/tcp # Nimbus Spooler

nimspooler 48001/udp # Nimbus Spooler

nimhub 48002/tcp # Nimbus Hub

nimhub 48002/udp # Nimbus Hub

nimgtw 48003/tcp # Nimbus Gateway

nimgtw 48003/udp # Nimbus Gateway

com-bardac-dw 48556/tcp # com-bardac-dw

com-bardac-dw 48556/udp # com-bardac-dw

iqobject 48619/tcp # iqobject

iqobject 48619/udp # iqobject

# Local services

[root@mail lib]#

/etc/protocols /etc/services 等这些文件都是为名称解析提供后援的仓库

查找某一种信息库的时候,有下面四种返回机制

SUCCESS 服务正常(或者可以说文件存在),并且找到了值

NOTFOUND 服务正常(或者可以说文件存在),没有找到值

UNAVAIL 服务不正常(或者可以说文件不存在)

TRYAGAIN 服务有临时性的故障,过一会儿可以过来再试试

下面是自己定义的动作

passwd: nis [NOTFOUND=return] files

# nis可用,但找不着的时候,就返回

#其它情况,比如nis不可用的时候,就继续到files中找,所以files是有用的

nis服务用得不多,但是有些企业可能特殊场景下会用到nis

以前做的小linux,让用户登录

mingetty可以打开6个虚拟终端,mingetty只能提供打开虚拟终端的,

虚拟终端的提示符, login 提示输入用户名密码登录,提示符不是由 mingetty 提供的,

由 login 这个程序提供的,

/etc/nsswitch.conf

passwd:files

group:files

使用的库文件是 /usr/lib/libnss_files.so

getent (get entry): getent - get entries from administrative database 从管理库当中获得相应的条目的

就是到某一个库里面获取所有条目

先改下语言

[root@mail lib]# export LANG=en

[root@mail lib]# man getent

Formatting page, please wait...

GETENT(1) GETENT(1)

NAME

getent - get entries from administrative database

SYNOPSIS

getent database [key ...]

DESCRIPTION

[root@mail lib]# getent passwd #就是从/etc/nsswitch.conf中为passwd所定义的机制里面获取所有条目

#这里就是 /etc/passwd 文件里面的内容

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

news:x:9:13:news:/etc/news:

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

distcache:x:94:94:Distcache:/:/sbin/nologin

nscd:x:28:28:NSCD Daemon:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

pcap:x:77:77::/var/arpwatch:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin

apache:x:48:48:Apache:/var/www:/sbin/nologin

avahi:x:70:70:Avahi daemon:/:/sbin/nologin

rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin

oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin

squid:x:23:23::/var/spool/squid:/sbin/nologin

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

avahi-autoipd:x:100:159:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin

gdm:x:42:42::/var/gdm:/sbin/nologin

sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin

shipingzhong:x:500:500:shipingzhong:/home/shipingzhong:/bin/bash

mysql:x:306:306::/home/mysql:/sbin/login

named:x:25:25:Named:/var/named:/sbin/nologin

postfix:x:2525:2525::/home/postfix:/sbin/nologin

postdrop:x:2526:2526::/home/postdrop:/sbin/nologin

hadoop:x:2527:2527::/home/hadoop:/bin/bash

openstack:x:2528:2528::/home/openstack:/bin/bash

dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin

vmail:x:1001:1001::/home/vmail:/sbin/nologin

hbase:x:2529:2529::/home/hbase:/bin/bash

redis:x:2530:2530::/home/redis:/bin/bash

vuser:x:2531:2531::/var/ftproot:/sbin/nologin

vsftpd:x:2532:2532::/home/vsftpd:/sbin/nologin

nfstest:x:510:510::/home/nfstest:/bin/bash

eucalyptus:x:2533:2533::/home/eucalyptus:/bin/bash

fedora:x:2534:2534::/home/fedora:/bin/bash

[root@mail lib]#

[root@mail lib]# getent hosts # 看看这里就是 /etc/hosts文件的内容

127.0.0.1 localhost.localdomain localhost

192.168.1.85 www.a.org

192.168.1.45 www.b.net

[root@mail lib]#

[root@mail lib]# getent passwd root # 仅获取 root 条目,只获取某一个特定的条目

root:x:0:0:root:/root:/bin/bash

[root@mail lib]#

[root@mail lib]# getent hosts www.a.org #仅获取 www.org的条目

192.168.1.75 www.a.org

[root@mail lib]#

[root@mail lib]# getent hosts www1.example.org #获取不到条目了

[root@mail lib]#

[root@mail lib]# getent hosts www.baidu.com # /etc/hosts 文件里没有 www.baidu.com 条目,它是从 dns 中获得的

180.101.49.12 www.a.shifen.com www.baidu.com

180.101.49.11 www.a.shifen.com www.baidu.com

[root@mail lib]#

[root@mail lib]# cat /etc/resolv.conf # 本机dns , dns 是可以解析 www.baidu.com 的

nameserver 192.168.1.75

nameserver 114.114.114.114

search localdomain

[root@mail lib]#

名称解析与认证有关系的

两套各自独立运行的机制

名称解析

libnss 库

认证

名称解析,这是在哪个文件中找用户名密码

认证,,,,看用户输入的密码与 shadow ( /etc/shadow ) 中的密码是否一致,这叫认证

下图是详细讲解

认证本身也可以不用借助名称解析服务去查找用户原来存放的密码

(除了用户登录之外,很多的认证机制并不借助于名称解析服务)

Authentication 认证有多种方式

nsswitch 是不作名称解析的,靠库来进行名称解析

PAM 也是不作认证,也是靠库来进行认证

[root@mail lib]# ls /lib/security/ # 32位系统的认证的库文件在这个目录下

pam_access.so pam_krb5 pam_permit.so pam_tally2.so

pam_ccreds.so pam_krb5.so pam_pkcs11.so pam_time.so

pam_chroot.so pam_krb5afs.so pam_postgresok.so pam_timestamp.so

pam_console.so pam_lastlog.so pam_pwhistory.so pam_tty_audit.so

pam_cracklib.so pam_ldap.so pam_rhosts.so pam_umask.so

pam_debug.so pam_limits.so pam_rhosts_auth.so pam_unix.so

pam_deny.so pam_listfile.so pam_rootok.so pam_unix_acct.so

pam_echo.so pam_localuser.so pam_rps.so pam_unix_auth.so

pam_env.so pam_loginuid.so pam_securetty.so pam_unix_passwd.so

pam_exec.so pam_mail.so pam_selinux.so pam_unix_session.so

pam_faildelay.so pam_mkhomedir.so pam_shells.so pam_userdb.so

pam_filter pam_motd.so pam_smb_auth.so pam_warn.so

pam_filter.so pam_mysql.la pam_smbpass.so pam_wheel.so

pam_ftp.so pam_mysql.so pam_stack.so pam_winbind.so

pam_group.so pam_namespace.so pam_stress.so pam_xauth.so

pam_issue.so pam_nologin.so pam_succeed_if.so

pam_keyinit.so pam_passwdqc.so pam_tally.so

[root@mail lib]#

/lib64/security/ # 64位系统的认证的库文件在这个目录下

pam 不仅仅是为了认证,还有其它许多功能

到 ldap 中认证 :pam_ldap.so

到 kerberos5 ( 5是版本号 )中认证 :pam_krb5.so

到文件中认证 :pam_unix.so /etc/shadow

到 nis 中认证 : pam_unix.so (与到文件中认证一样)

到 windows 的 AD (active directory)(活动目录) (就是 ldap 服务器?)域当中认证用户: pam_winbind.so

到 mysql 中认证 : pam_mysql.so (马哥说系统自带的pam里面是没有 pam_mysql.so 模块的,是马哥自己装的,但是我的里面有)

[root@mail lib]# ls /etc/pam.d/

atd newrole sudo

authconfig other sudo-i

authconfig-gtk passwd system-auth

authconfig-tui pirut system-auth-ac

chfn pm-hibernate system-cdinstall-helper

chsh pm-powersave system-config-authentication

config-util pm-suspend system-config-date

cpufreq-selector pm-suspend-hybrid system-config-display

crond poweroff system-config-kdump

cups ppp system-config-keyboard

cvs pup system-config-language

dateconfig reboot system-config-lvm

dovecot remote system-config-netboot

eject rhn_register system-config-network

ekshell run_init system-config-network-cmd

gdm runuser system-config-printer

gdm-autologin runuser-l system-config-rootpassword

gdmsetup sabayon system-config-securitylevel

gnome-screensaver samba system-config-selinux

gnome-system-log serviceconf system-config-services

gssftp setup system-config-soundcard

halt squid system-config-time

kbdrate sshd system-config-users

kshell su system-install-packages

ksu su-l vsftpd

neat subscription-manager-gui xserver

[root@mail lib]#

[root@mail lib]# cat /etc/pam.d/login # 这个配置文件定义login这个应用程序使用什么认证机制

#%PAM-1.0

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

auth include system-auth

account required pam_nologin.so

account include system-auth

password include system-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session optional pam_keyinit.so force revoke

session required pam_loginuid.so

session include system-auth

session optional pam_console.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open

[root@mail lib]#

PAM: Pluggable Authentication Modules 可插入式的认证模块

pam 认证有四类定义,

每一种叫认证栈 ( stack )

分别完成用户认证过程中的不同的功能以下四项并非每项都要有

auth: 检查用户所输入的账号密码是否匹配

acct: ( account ) 审核用户账号是否依然有效的 (可能使用 passwd -l username (-l 是lock的意思)锁定了用户,也可能账户过了有效期吧)

password: 跟用户密码相关的,(比如用户改密码后,看用户改完密码后是否符合密码复杂性要求;;或者说要求密码至少要使用两天,改完密码后又要修改,那就不允许了)(用户修改密码,检查修改密码这个动作本身是否被允许)这也是跟认证相关的,因此也是由pam来实现

session: (会话) 认证通过了,账号密码通过了,接下来进行各种操作了,配置会话的相关属性(用户在里面操作的相关属性) ( 比如在 session 里面定义,用户每次登进来,最多使用 20 分钟 )

#auth 多行表示某一种功能有多种手机 session 也是多行

#account 是一行

[root@mail ~]# cat /etc/pam.d/vsftpd

#%PAM-1.0

session optional pam_keyinit.so force revoke

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

auth required pam_shells.so

auth include system-auth

account include system-auth

session include system-auth

session required pam_loginuid.so

[root@mail ~]#

pam的配置文件有两段组成, 跟 xinetd 差不多

主配置文件 /etc/pam.conf,事实上没有这个文件,它没有给任务服务提供默认配置

所以它只用 /etc/pam.d/ 下的所有文件,文件名通常与服务名相同,(通常的,但并不绝对)

每一个文件由n行组成,

type control module-path [ module-arguments ]

type : 类型,应有的场景 auth,account,password,session

control: 控制,当某一种类型有多个(多行)的时候,彼此之间是如何互相作用的(建立关系的)

module-path: 要完成这个type功能,要使用的这个模块

module-arguments: 模块的参数(可选的)

我们可以把 /etc/pam.d/service 下的所有文件的内容合起来,放到 /etc/pam.conf 这个文件里面

在最前面要加个service (给出服务的名称以示区分)

/etc/pam.d/service 里面就不用有service 了,因为文件名就指明了是哪个service

service 通常指的是某一个服务对应的文件名( /etc/pam.d/下面的文件名 ) 文件名所有字母必须是小写的

通常情况下文件名就是服务名, 如 /etc/pam.d/vsftpd ( vsftpd 就是文件名 )

(有些情况下可能不同,不同的时候,是在应用程序编译的时候说明白,要用哪个配置文件)

但有个特殊的文件名 /etc/pam.d/other 是定义默认规则的

比如 login 文件 /etc/pam.d/login 认证到最后的时候,没有结果,就找 /etc/pam.d/other

type : 类型,应有的场景;也可以称为组;它们每一个可以出现多行的,一般情况下只有这四种组:

auth account password session

control 种类有很多,一般有几种组合

required: 要求,需求,需要,这一关必须得过,一票否决权,并没有一票肯定权 (如果过了,就要同一组中的其它检查)(如果不过,同一组中也同样要检查);选秀节目,一个评委说不过,还要看看其它评委的意见

requisite: 与required一样,但有真正意义上的一票否决权,也没有一票肯定权 (如果过了,就要同一组中的其它检查)(如果不过,同一组中不要检查);

sufficient: 充分的,足够的,充分条件,OK了,过了,就一定过了,后面不要检查了,这叫一票通过权(没通过的话,没有决定权,如果其它人说过了,它不受影响,没通过的话,不影响最终结果)

optional: 可选的,有它没它都无所谓;通不通过都无所谓,都不受影响

include: 包含,把其它文件包含进来,以其它文件说的为准,投弃权票,让其它人决定,把权利移交给其它文件了

substack: 马哥没讲,也许不重要吧

复杂性的 control

pam 模块的执行结果有 success(成功), open_err(打开文件失败),symbol_err(查找链接文件失败了),service_err(服务失败),system_err(系统故障),buf_err(缓冲失败),perm_denied(权限被拒绝),auth_err(认证失败),default(定义默认的)..................一大堆

这些东西太复杂,很少用到这种境界的