authentication: verifying who the user is
authorization: deciding what the user may do
All of the above are databases (in fact each of them could just be a text file with comma- or colon-separated fields).
All of the above can be called name-resolution libraries.
nis (network information service / network information system)
Is it a service product of Sun?
ldap is much like mysql: it is also a database, but it does not store data as tables; it stores it in a directory-like structure (an inverted tree) (somewhat like dns, but not the same).
ldap queries are about an order of magnitude faster than mysql (roughly 10x); the data is written once and read many times (user accounts, for example), so large companies usually keep that kind of data in ldap.
App: for example vsftpd, which converts the name of the user logging in into an id number
App: for example login (a putty login relies on the login program)
/etc/nsswitch.conf defines, for each name-resolution service (application), which mechanism is used to carry it out.
The name-resolution service is split out on its own:
App -> middle-layer module nsswitch -> resolve_lib
nsswitch, the network service switch: it is itself just a set of library files, like pam.
/etc/nsswitch.conf
passwd: file      look the name up in the file
group: file
hostname: file dns      look in the file first; if it is not found there, then ask dns
passwd: file      some real program has to perform the lookup, and that program is the nsswitch library
[root@mail xinetd.d]# cd /usr/lib
[root@mail lib]# ls | grep nss # these are all name-resolution libraries
libgnutls-openssl.a
libgnutls-openssl.so
libgnutls-openssl.so.13
libgnutls-openssl.so.13.0.6
libnfsidmap_nsswitch.so
libnfsidmap_nsswitch.so.0
libnfsidmap_nsswitch.so.0.0.0
libnss3.so
libnssckbi.so
libnss_compat.so
libnssdbm3.chk
libnssdbm3.so
libnss_db.so
libnss_dns.so
libnss_files.so
libnss_hesiod.so
libnss_ldap.so
libnss_nisplus.so
libnss_nis.so
libnssutil3.so
libnss_winbind.so
libnss_wins.so
nss
openssl
[root@mail lib]#
These .so files are called shared (dynamically linked) libraries, similar to dll files on windows.
These library files are what actually carry out the resolution.
When /etc/nsswitch.conf specifies files, the libnss_files.so shared library is used.
When /etc/nsswitch.conf specifies dns, the libnss_dns.so shared library is used.
An application that uses the name-resolution service calls these libraries (libnss_files.so, libnss_dns.so and many more); which library gets called is defined by /etc/nsswitch.conf.
[root@mail lib]# vim /etc/nsswitch.conf
......................
#services: nisplus [NOTFOUND=return] files # if nisplus does not find it, return at once and do not go on to files
passwd: files # passwd can be seen as a command, as a library, or as a service
shadow: files
group: files
hosts: files dns
ethers: files # network cards; uses files, but the file this maps to is a different one
protocols: files # maps a protocol (such as httpd) to a port number; uses files, again a different file
rpc: files # maps rpc to port numbers; uses files, again a different file
aliases: files nisplus # aliases can be looked up in files and also in nisplus (nis, the network information service, is open source) (nisplus is the upgraded network information service; it is usually tied to a particular Sun product, commercial software that is not open)
[root@mail lib]# cat /etc/protocols
# /etc/protocols:
# $Id: protocols,v 1.5 2006/10/11 15:39:11 pknirsch Exp $
#
# Internet (IP) protocols
#
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
#
# See also http://www.iana.org/assignments/protocol-numbers
ip 0 IP # internet protocol, pseudo protocol number
hopopt 0 HOPOPT # hop-by-hop options for ipv6
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # internet group management protocol
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
cbt 7 CBT # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>
egp 8 EGP # exterior gateway protocol
igp 9 IGP # any private interior gateway (Cisco: for IGRP)
bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
pup 12 PUP # PARC universal packet protocol
argus 13 ARGUS # ARGUS
emcon 14 EMCON # EMCON
xnet 15 XNET # Cross Net Debugger
chaos 16 CHAOS # Chaos
udp 17 UDP # user datagram protocol
mux 18 MUX # Multiplexing protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
hmp 20 HMP # host monitoring protocol
prm 21 PRM # packet radio measurement protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
trunk-1 23 TRUNK-1 # Trunk-1
trunk-2 24 TRUNK-2 # Trunk-2
leaf-1 25 LEAF-1 # Leaf-1
leaf-2 26 LEAF-2 # Leaf-2
rdp 27 RDP # "reliable datagram" protocol
irtp 28 IRTP # Internet Reliable Transaction Protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4
netblt 30 NETBLT # Bulk Data Transfer Protocol
mfe-nsp 31 MFE-NSP # MFE Network Services Protocol
merit-inp 32 MERIT-INP # MERIT Internodal Protocol
dccp 33 DCCP # Datagram Congestion Control Protocol
3pc 34 3PC # Third Party Connect Protocol
idpr 35 IDPR # Inter-Domain Policy Routing Protocol
xtp 36 XTP # Xpress Tranfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
tp++ 39 TP++ # TP++ Transport Protocol
il 40 IL # IL Transport Protocol
ipv6 41 IPv6 # IPv6
sdrp 42 SDRP # Source Demand Routing Protocol
ipv6-route 43 IPv6-Route # Routing Header for IPv6
ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Resource ReSerVation Protocol
gre 47 GRE # Generic Routing Encapsulation
dsr 48 DSR # Dynamic Source Routing Protocol
bna 49 BNA # BNA
esp 50 ESP # Encap Security Payload
ah 51 AH # Authentication Header
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
swipe 53 SWIPE # IP with Encryption
narp 54 NARP # NBMA Address Resolution Protocol
mobile 55 MOBILE # IP Mobility
tlsp 56 TLSP # Transport Layer Security Protocol
skip 57 SKIP # SKIP
ipv6-icmp 58 IPv6-ICMP # ICMP for IPv6
ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
# 61 # any host internal protocol
cftp 62 CFTP # CFTP
# 63 # any local network
sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK
kryptolan 65 KRYPTOLAN # Kryptolan
rvd 66 RVD # MIT Remote Virtual Disk Protocol
ippc 67 IPPC # Internet Pluribus Packet Core
# 68 # any distributed file system
sat-mon 69 SAT-MON # SATNET Monitoring
visa 70 VISA # VISA Protocol
ipcv 71 IPCV # Internet Packet Core Utility
cpnx 72 CPNX # Computer Protocol Network Executive
cphb 73 CPHB # Computer Protocol Heart Beat
wsn 74 WSN # Wang Span Network
pvp 75 PVP # Packet Video Protocol
br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring
sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary
wb-mon 78 WB-MON # WIDEBAND Monitoring
wb-expak 79 WB-EXPAK # WIDEBAND EXPAK
iso-ip 80 ISO-IP # ISO Internet Protocol
vmtp 81 VMTP # Versatile Message Transport
secure-vmtp 82 SECURE-VMTP # SECURE-VMTP
vines 83 VINES # VINES
ttp 84 TTP # TTP
nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP
dgp 86 DGP # Dissimilar Gateway Protocol
tcf 87 TCF # TCF
eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)
ospf 89 OSPFIGP # Open Shortest Path First IGP
sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol
larp 91 LARP # Locus Address Resolution Protocol
mtp 92 MTP # Multicast Transport Protocol
ax.25 93 AX.25 # AX.25 Frames
ipip 94 IPIP # Yet Another IP encapsulation
micp 95 MICP # Mobile Internetworking Control Pro.
scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
encap 98 ENCAP # Yet Another IP encapsulation
# 99 # any private encryption scheme
gmtp 100 GMTP # GMTP
ifmp 101 IFMP # Ipsilon Flow Management Protocol
pnni 102 PNNI # PNNI over IP
pim 103 PIM # Protocol Independent Multicast
aris 104 ARIS # ARIS
scps 105 SCPS # SCPS
qnx 106 QNX # QNX
a/n 107 A/N # Active Networks
ipcomp 108 IPComp # IP Payload Compression Protocol
snp 109 SNP # Sitara Networks Protocol
compaq-peer 110 Compaq-Peer # Compaq Peer Protocol
ipx-in-ip 111 IPX-in-IP # IPX in IP
vrrp 112 VRRP # Virtual Router Redundancy Protocol
pgm 113 PGM # PGM Reliable Transport Protocol
# 114 # any 0-hop protocol
l2tp 115 L2TP # Layer Two Tunneling Protocol # is this the port corresponding to the protocol?
ddx 116 DDX # D-II Data Exchange
iatp 117 IATP # Interactive Agent Transfer Protocol
stp 118 STP # Schedule Transfer
srp 119 SRP # SpectraLink Radio Protocol
uti 120 UTI # UTI
smp 121 SMP # Simple Message Protocol
sm 122 SM # SM
ptp 123 PTP # Performance Transparency Protocol
isis 124 ISIS # ISIS over IPv4
fire 125 FIRE
crtp 126 CRTP # Combat Radio Transport Protocol
crdup 127 CRUDP # Combat Radio User Datagram
sscopmce 128 SSCOPMCE
iplt 129 IPLT
sps 130 SPS # Secure Packet Shield
pipe 131 PIPE # Private IP Encapsulation within IP
sctp 132 SCTP # Stream Control Transmission Protocol
fc 133 FC # Fibre Channel
rsvp-e2e-ignore 134 RSVP-E2E-IGNORE
# 135 # Mobility Header
udplite 136 UDPLite
mpls-in-ip 137 MPLS-in-IP
# 138-252 Unassigned [IANA]
# 253 Use for experimentation and testing [RFC3692]
# 254 Use for experimentation and testing [RFC3692]
# 255 Reserved [IANA]
[root@mail lib]#
[root@mail lib]# cat /etc/services # this, below, is where it really says which port a given protocol uses
LAN
brf-gw 22951/tcp # Telerate Information Platform WAN
brf-gw 22951/udp # Telerate Information Platform WAN
med-ltp 24000/tcp # med-ltp
med-ltp 24000/udp # med-ltp
med-fsp-rx 24001/tcp # med-fsp-rx
med-fsp-rx 24001/udp # med-fsp-rx
med-fsp-tx 24002/tcp # med-fsp-tx
med-fsp-tx 24002/udp # med-fsp-tx
med-supp 24003/tcp # med-supp
med-supp 24003/udp # med-supp
med-ovw 24004/tcp # med-ovw
med-ovw 24004/udp # med-ovw
med-ci 24005/tcp # med-ci
med-ci 24005/udp # med-ci
med-net-svc 24006/tcp # med-net-svc
med-net-svc 24006/udp # med-net-svc
filesphere 24242/tcp # fileSphere
filesphere 24242/udp # fileSphere
ild 24321/tcp # Isolv Local Directory
ild 24321/udp # Isolv Local Directory
vista-4gl 24249/tcp # Vista 4GL
vista-4gl 24249/udp # Vista 4GL
intel_rci 24386/tcp # Intel RCI
intel_rci 24386/udp # Intel RCI
flashfiler 24677/tcp # FlashFiler
flashfiler 24677/udp # FlashFiler
proactivate 24678/tcp # Turbopower Proactivate
proactivate 24678/udp # Turbopower Proactivate
snip 24922/tcp # Simple Net Ident Protocol
snip 24922/udp # Simple Net Ident Protocol
icl-twobase1 25000/tcp # icl-twobase1
icl-twobase1 25000/udp # icl-twobase1
icl-twobase2 25001/tcp # icl-twobase2
icl-twobase2 25001/udp # icl-twobase2
icl-twobase3 25002/tcp # icl-twobase3
icl-twobase3 25002/udp # icl-twobase3
icl-twobase4 25003/tcp # icl-twobase4
icl-twobase4 25003/udp # icl-twobase4
icl-twobase5 25004/tcp # icl-twobase5
icl-twobase5 25004/udp # icl-twobase5
icl-twobase6 25005/tcp # icl-twobase6
icl-twobase6 25005/udp # icl-twobase6
icl-twobase7 25006/tcp # icl-twobase7
icl-twobase7 25006/udp # icl-twobase7
icl-twobase8 25007/tcp # icl-twobase8
icl-twobase8 25007/udp # icl-twobase8
icl-twobase9 25008/tcp # icl-twobase9
icl-twobase9 25008/udp # icl-twobase9
icl-twobase10 25009/tcp # icl-twobase10
icl-twobase10 25009/udp # icl-twobase10
vocaltec-hos 25793/tcp # Vocaltec Address Server
vocaltec-hos 25793/udp # Vocaltec Address Server
tasp-net 25900/tcp # TASP Network Comm
tasp-net 25900/udp # TASP Network Comm
niobserver 25901/tcp # NIObserver
niobserver 25901/udp # NIObserver
niprobe 25903/tcp # NIProbe
niprobe 25903/udp # NIProbe
ezproxy 26260/tcp # eZproxy
ezproxy 26260/udp # eZproxy
ezmeeting 26261/tcp # eZmeeting
ezmeeting 26261/udp # eZmeeting
k3software-svr 26262/tcp # K3 Software-Server
k3software-svr 26262/udp # K3 Software-Server
k3software-cli 26263/tcp # K3 Software-Client
k3software-cli 26263/udp # K3 Software-Client
gserver 26264/tcp # Gserver
gserver 26264/udp # Gserver
imagepump 27345/tcp # ImagePump
imagepump 27345/udp # ImagePump
kopek-httphead 27504/tcp # Kopek HTTP Head Port
kopek-httphead 27504/udp # Kopek HTTP Head Port
ars-vista 27782/tcp # ARS VISTA Application
ars-vista 27782/udp # ARS VISTA Application
tw-auth-key 27999/tcp # TW Authentication/Key Distribution and
tw-auth-key 27999/udp # Attribute Certificate Services
nxlmd 28000/tcp # NX License Manager
nxlmd 28000/udp # NX License Manager
siemensgsm 28240/tcp # Siemens GSM
siemensgsm 28240/udp # Siemens GSM
pago-services1 30001/tcp # Pago Services 1
pago-services1 30001/udp # Pago Services 1
pago-services2 30002/tcp # Pago Services 2
pago-services2 30002/udp # Pago Services 2
xqosd 31416/tcp # XQoS network monitor
xqosd 31416/udp # XQoS network monitor
tetrinet 31457/tcp # TetriNET Protocol
tetrinet 31457/udp # TetriNET Protocol
lm-mon 31620/tcp # lm mon
lm-mon 31620/udp # lm mon
gamesmith-port 31765/tcp # GameSmith Port
gamesmith-port 31765/udp # GameSmith Port
t1distproc60 32249/tcp # T1 Distributed Processor
t1distproc60 32249/udp # T1 Distributed Processor
apm-link 32483/tcp # Access Point Manager Link
apm-link 32483/udp # Access Point Manager Link
sec-ntb-clnt 32635/tcp # SecureNotebook-CLNT
sec-ntb-clnt 32635/udp # SecureNotebook-CLNT
filenet-tms 32768/tcp # Filenet TMS
filenet-tms 32768/udp # Filenet TMS
filenet-rpc 32769/tcp # Filenet RPC
filenet-rpc 32769/udp # Filenet RPC
filenet-nch 32770/tcp # Filenet NCH
filenet-nch 32770/udp # Filenet NCH
filenet-rmi 32771/tcp # FileNET RMI
filenet-rmi 32771/udp # FileNet RMI
filenet-pa 32772/tcp # FileNET Process Analyzer
filenet-pa 32772/udp # FileNET Process Analyzer
filenet-cm 32773/tcp # FileNET Component Manager
filenet-cm 32773/udp # FileNET Component Manager
filenet-re 32774/tcp # FileNET Rules Engine
filenet-re 32774/udp # FileNET Rules Engine
filenet-pch 32775/tcp # Performance Clearinghouse
filenet-pch 32775/udp # Performance Clearinghouse
idmgratm 32896/tcp # Attachmate ID Manager
idmgratm 32896/udp # Attachmate ID Manager
diamondport 33331/tcp # DiamondCentral Interface
diamondport 33331/udp # DiamondCentral Interface
snip-slave 33656/tcp # SNIP Slave
snip-slave 33656/udp # SNIP Slave
turbonote-2 34249/tcp # TurboNote Relay Server Default Port
turbonote-2 34249/udp # TurboNote Relay Server Default Port
p-net-local 34378/tcp # P-Net on IP local
p-net-local 34378/udp # P-Net on IP local
p-net-remote 34379/tcp # P-Net on IP remote
p-net-remote 34379/udp # P-Net on IP remote
profinet-rt 34962/tcp # PROFInet RT Unicast
profinet-rt 34962/udp # PROFInet RT Unicast
profinet-rtm 34963/tcp # PROFInet RT Multicast
profinet-rtm 34963/udp # PROFInet RT Multicast
profinet-cm 34964/tcp # PROFInet Context Manager
profinet-cm 34964/udp # PROFInet Context Manager
ethercat 34980/tcp # EtherCAT Port
ethercat 34980/udp # EhterCAT Port
kastenxpipe 36865/tcp # KastenX Pipe
kastenxpipe 36865/udp # KastenX Pipe
neckar 37475/tcp # science + computing's Venus Administration Port
neckar 37475/udp # science + computing's Venus Administration Port
galaxy7-data 38201/tcp # Galaxy7 Data Tunnel
galaxy7-data 38201/udp # Galaxy7 Data Tunnel
fairview 38202/tcp # Fairview Message Service
fairview 38202/udp # Fairview Message Service
agpolicy 38203/tcp # AppGate Policy Server
agpolicy 38203/udp # AppGate Policy Server
turbonote-1 39681/tcp # TurboNote Default Port
turbonote-1 39681/udp # TurboNote Default Port
cscp 40841/tcp # CSCP
cscp 40841/udp # CSCP
csccredir 40842/tcp # CSCCREDIR
csccredir 40842/udp # CSCCREDIR
csccfirewall 40843/tcp # CSCCFIREWALL
csccfirewall 40843/udp # CSCCFIREWALL
fs-qos 41111/tcp # Foursticks QoS Protocol
fs-qos 41111/udp # Foursticks QoS Protocol
crestron-cip 41794/tcp # Crestron Control Port
crestron-cip 41794/udp # Crestron Control Port
crestron-ctp 41795/tcp # Crestron Terminal Port
crestron-ctp 41795/udp # Crestron Terminal Port
candp 42508/tcp # Computer Associates network discovery protocol
candp 42508/udp # Computer Associates network discovery protocol
candrp 42509/tcp # CA discovery response
candrp 42509/udp # CA discovery response
caerpc 42510/tcp # CA eTrust RPC
caerpc 42510/udp # CA eTrust RPC
reachout 43188/tcp # REACHOUT
reachout 43188/udp # REACHOUT
ndm-agent-port 43189/tcp # NDM-AGENT-PORT
ndm-agent-port 43189/udp # NDM-AGENT-PORT
ip-provision 43190/tcp # IP-PROVISION
ip-provision 43190/udp # IP-PROVISION
ciscocsdb 43441/tcp # Cisco NetMgmt DB Ports
ciscocsdb 43441/udp # Cisco NetMgmt DB Ports
pmcd 44321/tcp # PCP server (pmcd)
pmcd 44321/udp # PCP server (pmcd)
pmcdproxy 44322/tcp # PCP server (pmcd) proxy
pmcdproxy 44322/udp # PCP server (pmcd) proxy
rbr-debug 44553/tcp # REALbasic Remote Debug
rbr-debug 44553/udp # REALbasic Remote Debug
rockwell-encap 44818/tcp # Rockwell Encapsulation
rockwell-encap 44818/udp # Rockwell Encapsulation
invision-ag 45054/tcp # InVision AG
invision-ag 45054/udp # InVision AG
eba 45678/tcp # EBA PRISE
eba 45678/udp # EBA PRISE
ssr-servermgr 45966/tcp # SSRServerMgr
ssr-servermgr 45966/udp # SSRServerMgr
mediabox 46999/tcp # MediaBox Server
mediabox 46999/udp # MediaBox Server
mbus 47000/tcp # Message Bus
mbus 47000/udp # Message Bus
dbbrowse 47557/tcp # Databeam Corporation
dbbrowse 47557/udp # Databeam Corporation
directplaysrvr 47624/tcp # Direct Play Server
directplaysrvr 47624/udp # Direct Play Server
ap 47806/tcp # ALC Protocol
ap 47806/udp # ALC Protocol
bacnet 47808/tcp # Building Automation and Contro l Networks
bacnet 47808/udp # Building Automation and Contro l Networks
nimcontroller 48000/tcp # Nimbus Controller
nimcontroller 48000/udp # Nimbus Controller
nimspooler 48001/tcp # Nimbus Spooler
nimspooler 48001/udp # Nimbus Spooler
nimhub 48002/tcp # Nimbus Hub
nimhub 48002/udp # Nimbus Hub
nimgtw 48003/tcp # Nimbus Gateway
nimgtw 48003/udp # Nimbus Gateway
com-bardac-dw 48556/tcp # com-bardac-dw
com-bardac-dw 48556/udp # com-bardac-dw
iqobject 48619/tcp # iqobject
iqobject 48619/udp # iqobject
# Local services
[root@mail lib]#
Files such as /etc/protocols and /etc/services are the back-end repositories that name resolution draws on.
When a given information source is searched, there are four possible return statuses:
SUCCESS     the service is working (or: the file exists) and the value was found
NOTFOUND    the service is working (or: the file exists) but the value was not found
UNAVAIL     the service is not working (or: the file does not exist)
TRYAGAIN    the service has a temporary fault; come back and try again in a moment
Below is an action we define ourselves:
passwd: nis [NOTFOUND=return] files
# when nis is available but does not have the entry, return
# in all other cases, for example when nis is unavailable, continue on to files, so files is still useful
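To make the lookup order and the [STATUS=action] override concrete, here is an added Python model of how nsswitch walks the sources listed for a database. It is not part of the original notes and not glibc's code; the nis and files back-ends are constructed fakes (the accounts alice, local and the passwd lines they return are made up) that report the four statuses above, and the default action table (only SUCCESS ends the search) is the one glibc documents. It also accepts glibc's negated form !STATUS=action, which the notes do not show. The point worth seeing is that with passwd: nis [NOTFOUND=return] files, an account that exists only in the local file is never found while nis is up, whereas when nis is down the lookup falls through to files.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# The four statuses a source can report, as listed in the notes above.
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN"
STATUSES = (SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN)

# glibc's default action table: only a hit ends the search; everything
# else falls through to the next source.
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}

# A source name, or a bracketed action block (which may contain spaces).
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")

Backend = Callable[[str], Tuple[str, Optional[str]]]   # key -> (status, value)


def parse_nsswitch_line(line: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """Parse 'passwd: nis [NOTFOUND=return] files' into the database name and
    an ordered list of (source, {status: action}). An action block applies to
    the source right before it; '!STATUS=action' sets the action for every
    status except STATUS."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an nsswitch line: " + line)
    sources: List[Tuple[str, Dict[str, str]]] = []
    for tok in TOKEN_RE.findall(rest):
        if not tok.startswith("["):
            sources.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("action block before any source: " + line)
        actions = sources[-1][1]
        for spec in tok[1:-1].split():
            status, _, action = spec.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad action spec: " + spec)
            for s in STATUSES:
                if (s != status) if negate else (s == status):
                    actions[s] = action
    return db.strip(), sources


def lookup(line: str, backends: Dict[str, Backend], key: str) -> Tuple[str, Optional[str], List[str]]:
    """Consult the sources in order and stop at the first one whose status maps
    to 'return'. If every source continues, the last status is reported.
    Returns (status, value, sources that were actually consulted)."""
    _db, sources = parse_nsswitch_line(line)
    consulted: List[str] = []
    status, value = NOTFOUND, None
    for name, actions in sources:
        consulted.append(name)
        status, value = backends[name](key)
        if actions[status] == "return":
            break
    return status, value, consulted


def table_backend(table: Dict[str, str], available: bool = True) -> Backend:
    """Constructed stand-in for libnss_files.so / libnss_nis.so: a dict lookup
    that can also be told to report UNAVAIL (think: ypbind not running)."""
    def backend(key: str) -> Tuple[str, Optional[str]]:
        if not available:
            return UNAVAIL, None
        return (SUCCESS, table[key]) if key in table else (NOTFOUND, None)
    return backend


# Constructed sample data: one account only in NIS, one only in /etc/passwd.
FILES = table_backend({"root": "root:x:0:0:root:/root:/bin/bash",
                       "local": "local:x:500:500::/home/local:/bin/bash"})
NIS_UP = table_backend({"alice": "alice:x:1001:1001::/home/alice:/bin/bash"})
NIS_DOWN = table_backend({}, available=False)
LINE = "passwd: nis [NOTFOUND=return] files"


def demo() -> Dict[str, Tuple[str, Optional[str], List[str]]]:
    """The scenarios the notes describe, run through the model."""
    return {
        # nis answers: hit, the search stops before files
        "nis_hit": lookup(LINE, {"nis": NIS_UP, "files": FILES}, "alice"),
        # nis is up but has no such user: [NOTFOUND=return] ends the search,
        # so the local-only account is never seen
        "nis_miss_stops": lookup(LINE, {"nis": NIS_UP, "files": FILES}, "local"),
        # nis is down (UNAVAIL): the default action is continue, files still works
        "nis_down_falls_through": lookup(LINE, {"nis": NIS_DOWN, "files": FILES}, "local"),
        # default order 'files nis': NOTFOUND in files simply continues to nis
        "files_then_nis": lookup("passwd: files nis", {"nis": NIS_UP, "files": FILES}, "alice"),
    }


if __name__ == "__main__":
    for name, (status, value, consulted) in demo().items():
        print(f"{name:24s} {status:9s} {consulted}  {value}")
```

Run it directly to print the four scenarios; the nis_miss_stops case is the one to remember when deciding whether a [NOTFOUND=return] on a network source is what you want, since it silently hides local accounts while that source is reachable.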
The nis service is not used much, but some enterprises may use it in special scenarios.
Earlier we built a small linux and let users log in:
mingetty can open 6 virtual terminals, but mingetty only provides the opening of the virtual terminal;
the prompt on the virtual terminal, where login asks for a user name and password, is not provided by mingetty
but by the login program.
Where login goes to look up the user's account and password is defined by nss (it uses nsswitch).
login
/etc/nsswitch.conf
passwd: files
group: files
The library file used is /usr/lib/libnss_files.so
getent (get entry): "getent - get entries from administrative database"
i.e. fetch all the entries from a given database.
First switch the language:
[root@mail lib]# export LANG=en
[root@mail lib]# man getent
Formatting page, please wait...
GETENT(1) GETENT(1)
NAME
getent - get entries from administrative database
SYNOPSIS
getent database [key ...]
DESCRIPTION
[root@mail lib]# getent passwd # fetches all entries through the mechanism defined for passwd in /etc/nsswitch.conf
# here that is the contents of the /etc/passwd file
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:159:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
shipingzhong:x:500:500:shipingzhong:/home/shipingzhong:/bin/bash
mysql:x:306:306::/home/mysql:/sbin/login
named:x:25:25:Named:/var/named:/sbin/nologin
postfix:x:2525:2525::/home/postfix:/sbin/nologin
postdrop:x:2526:2526::/home/postdrop:/sbin/nologin
hadoop:x:2527:2527::/home/hadoop:/bin/bash
openstack:x:2528:2528::/home/openstack:/bin/bash
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
vmail:x:1001:1001::/home/vmail:/sbin/nologin
hbase:x:2529:2529::/home/hbase:/bin/bash
redis:x:2530:2530::/home/redis:/bin/bash
vuser:x:2531:2531::/var/ftproot:/sbin/nologin
vsftpd:x:2532:2532::/home/vsftpd:/sbin/nologin
nfstest:x:510:510::/home/nfstest:/bin/bash
eucalyptus:x:2533:2533::/home/eucalyptus:/bin/bash
fedora:x:2534:2534::/home/fedora:/bin/bash
[root@mail lib]#
[root@mail lib]# getent hosts # see, this is the contents of the /etc/hosts file
127.0.0.1 localhost.localdomain localhost
192.168.1.85 www.a.org
192.168.1.45 www.b.net
[root@mail lib]#
[root@mail lib]# getent passwd root # fetch only the root entry, i.e. one specific entry
root:x:0:0:root:/root:/bin/bash
[root@mail lib]#
[root@mail lib]# getent hosts www.a.org # fetch only the www.a.org entry
192.168.1.75 www.a.org
[root@mail lib]#
[root@mail lib]# getent hosts www1.example.org # no entry is returned
[root@mail lib]#
[root@mail lib]# getent hosts www.baidu.com # /etc/hosts has no entry for www.baidu.com; this one came from dns
180.101.49.12 www.a.shifen.com www.baidu.com
180.101.49.11 www.a.shifen.com www.baidu.com
[root@mail lib]#
[root@mail lib]# cat /etc/resolv.conf # the local dns servers; dns is able to resolve www.baidu.com
nameserver 192.168.1.75
nameserver 114.114.114.114
search localdomain
[root@mail lib]#
Name resolution and authentication are related,
but they are two mechanisms that run independently of each other:
name resolution
    the libnss libraries
authentication
Name resolution: in which file to look for the user name and password.
Authentication: checking whether the password the user typed matches the password in shadow (/etc/shadow); that is authentication.
The figure below explains this in detail.
Authentication itself does not have to use the name-resolution service to look up the user's stored password
(apart from user login, many authentication mechanisms do not rely on the name-resolution service at all).
Authentication has many forms.
nsswitch does not do name resolution itself; it relies on libraries to do it.
PAM likewise does not do authentication itself; it too relies on libraries to do it.
[root@mail lib]# ls /lib/security/ # on a 32-bit system the authentication libraries live in this directory
pam_access.so pam_krb5 pam_permit.so pam_tally2.so
pam_ccreds.so pam_krb5.so pam_pkcs11.so pam_time.so
pam_chroot.so pam_krb5afs.so pam_postgresok.so pam_timestamp.so
pam_console.so pam_lastlog.so pam_pwhistory.so pam_tty_audit.so
pam_cracklib.so pam_ldap.so pam_rhosts.so pam_umask.so
pam_debug.so pam_limits.so pam_rhosts_auth.so pam_unix.so
pam_deny.so pam_listfile.so pam_rootok.so pam_unix_acct.so
pam_echo.so pam_localuser.so pam_rps.so pam_unix_auth.so
pam_env.so pam_loginuid.so pam_securetty.so pam_unix_passwd.so
pam_exec.so pam_mail.so pam_selinux.so pam_unix_session.so
pam_faildelay.so pam_mkhomedir.so pam_shells.so pam_userdb.so
pam_filter pam_motd.so pam_smb_auth.so pam_warn.so
pam_filter.so pam_mysql.la pam_smbpass.so pam_wheel.so
pam_ftp.so pam_mysql.so pam_stack.so pam_winbind.so
pam_group.so pam_namespace.so pam_stress.so pam_xauth.so
pam_issue.so pam_nologin.so pam_succeed_if.so
pam_keyinit.so pam_passwdqc.so pam_tally.so
[root@mail lib]#
/lib64/security/ # on a 64-bit system the authentication libraries live in this directory
pam is not only for authentication; it has many other functions.
authenticate against ldap: pam_ldap.so
authenticate against kerberos5 (5 is the version number): pam_krb5.so
authenticate against files: pam_unix.so, /etc/shadow
authenticate against nis: pam_unix.so (the same as against files)
authenticate users against a windows AD (active directory) domain (which is an ldap server?): pam_winbind.so
authenticate against mysql: pam_mysql.so (Ma Ge says the pam that ships with the system has no pam_mysql.so module and that he installed it himself, but mine has it)
Which authentication login uses is defined in its configuration file, /etc/pam.d/login
[root@mail lib]# ls /etc/pam.d/
atd newrole sudo
authconfig other sudo-i
authconfig-gtk passwd system-auth
authconfig-tui pirut system-auth-ac
chfn pm-hibernate system-cdinstall-helper
chsh pm-powersave system-config-authentication
config-util pm-suspend system-config-date
cpufreq-selector pm-suspend-hybrid system-config-display
crond poweroff system-config-kdump
cups ppp system-config-keyboard
cvs pup system-config-language
dateconfig reboot system-config-lvm
dovecot remote system-config-netboot
eject rhn_register system-config-network
ekshell run_init system-config-network-cmd
gdm runuser system-config-printer
gdm-autologin runuser-l system-config-rootpassword
gdmsetup sabayon system-config-securitylevel
gnome-screensaver samba system-config-selinux
gnome-system-log serviceconf system-config-services
gssftp setup system-config-soundcard
halt squid system-config-time
kbdrate sshd system-config-users
kshell su system-install-packages
ksu su-l vsftpd
login subscription-manager vsftpd.mysql
neat subscription-manager-gui xserver
[root@mail lib]#
[root@mail lib]# cat /etc/pam.d/login # this configuration file defines which authentication mechanism the login application uses
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include system-auth
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
[root@mail lib]#
PAM: Pluggable Authentication Modules
pam defines four categories of authentication,
each one called a stack;
each handles a different part of the user-authentication process. Not all four have to be present.
auth: checks whether the account and password the user typed match
acct (account): checks whether the user's account is still valid (the user may have been locked with passwd -l username (-l means lock), or the account may have expired)
password: anything to do with the user's password (for example, after a user changes the password, checking that the new password meets the complexity requirements; or, if a password must be kept for at least two days, refusing a second change right after the first) (when a user changes the password, checking whether that change itself is allowed). This is also related to authentication, so it too is implemented by pam.
session: once authentication has passed, i.e. the account and password were accepted, the user goes on to do things; this configures the properties of the session (the properties that apply while the user works inside it) (for example, a session rule can say that each login may last at most 20 minutes)
# auth has several lines, meaning one function can use several methods; session also has several lines
# account is one line
[root@mail ~]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
[root@mail ~]#
pam's configuration consists of two parts, much like xinetd:
the main configuration file /etc/pam.conf, which in fact does not exist here; it provides no default configuration for any service,
so only the files under /etc/pam.d/ are used; the file name is usually the same as the service name (usually, but not always).
Each file consists of n lines of the form
type control module-path [ module-arguments ]
type: the type, i.e. the situation it applies to: auth, account, password, session
control: the control flag; when one type has several entries (several lines), how they interact (how they combine)
module-path: the module used to perform this type's function
module-arguments: arguments to the module (optional)
We could take the contents of all the files under /etc/pam.d/ and put them together into /etc/pam.conf;
each line would then need a service field at the front (giving the service name to tell them apart).
Inside /etc/pam.d/service there is no need for a service field, because the file name already says which service it is.
service usually means the file name for a given service (the file name under /etc/pam.d/); the file name must be all lowercase.
Usually the file name is the service name, e.g. /etc/pam.d/vsftpd (vsftpd is the file name)
(in some cases it differs; when it does, the configuration file to use is specified when the application is compiled).
There is one special file name, /etc/pam.d/other, which defines the default rules:
for example, if the login file /etc/pam.d/login reaches the end of its checks with no result, /etc/pam.d/other is consulted.
type: the type, i.e. the situation it applies to; also called a group; each can appear on several lines, and normally there are only these four groups:
auth account password session
There are many kinds of control; the usual combinations are:
required: this check must be passed; it has a veto but not a deciding yes vote (if it passes, the other checks in the same group still run) (if it fails, the other checks in the same group still run); like a talent show: one judge says no, but the other judges' opinions are still heard
requisite: the same as required, but with a real, immediate veto; again no deciding yes vote (if it passes, the other checks in the same group still run) (if it fails, the rest of the group is not checked)
sufficient: a sufficient condition; if it passes, the whole thing passes and nothing after it is checked; this is a deciding yes vote (if it fails it has no say: if the others pass, it does not interfere, so its failure does not affect the final result)
optional: optional; it makes no difference whether it is there or not, or whether it passes or fails
include: include another file and let that file decide; an abstention, handing the decision over to the other file
substack: Ma Ge did not cover it; perhaps it is not important
The complex form of control:
a pam module's result can be success, open_err (failed to open the file), symbol_err (failed to find the symbol in the linked file), service_err (service failure), system_err (system failure), buf_err (buffer failure), perm_denied (permission denied), auth_err (authentication failure), default (sets the default) ... and a great many more.
This is very complicated and rarely used to that extent.
First a few actions;
the six standard actions:
1) ok: this module passed, but checking continues, so it is not a deciding yes vote
2) done: a real deciding yes vote; success=done
3) bad: the result is a failure, but checking continues; it does not even have a veto (so success=ok together with bad on failure is equivalent to required)
4) die: the result is a failure and the final result is returned at once; that is a veto
5) ignore: ignored; it does not decide the final result
6) reset: ignore all results so far and start counting again from here; what came before no longer counts (but if done has already fired, reset cannot undo that)
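To show how the type/control/module-path line format, the four simple control keywords and the six actions combine into one verdict, here is an added Python model of a single auth stack. It is not from the notes and not Linux-PAM's own code. It expands required/requisite/sufficient/optional into the bracketed form the way pam.conf(5) documents them, then walks a constructed stack (LOGIN_AUTH, an assumption modelled on the securetty line of the login file above plus the usual shape of a system-auth auth section); module results are supplied by a table instead of real modules, and include/substack lines are not modelled. The point worth seeing is that a sufficient module's success cannot rescue a stack in which an earlier required module has already failed, while a failing requisite module stops the stack before the password module is even called.

```python
import re
from typing import Dict, List, Optional, Tuple

# Module return values used by this model (Linux-PAM has many more, see the
# list above). pam_deny.so always yields auth_err in an auth stack.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"

# pam.conf(5): the simple keywords are shorthand for these action blocks.
SIMPLE_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
ACTIONS = ("ok", "done", "bad", "die", "ignore", "reset")
LINE_RE = re.compile(r"^\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

Entry = Tuple[Dict[str, str], str, str]   # ({return value: action}, module, arguments)


def parse_control(control: str) -> Dict[str, str]:
    """'required' or '[success=ok default=bad]' -> {return value: action}."""
    control = SIMPLE_CONTROLS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("control not modelled (include/substack): " + control)
    actions = {}
    for spec in control[1:-1].split():
        value, _, action = spec.partition("=")
        if action not in ACTIONS:          # the numeric 'jump N' form is not modelled
            raise ValueError("unknown action: " + spec)
        actions[value] = action
    return actions


def parse_stack(text: str, pam_type: str) -> List[Entry]:
    """Keep the lines of one type from a /etc/pam.d-style file."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse: " + line)
        if m.group(1) == pam_type:
            entries.append((parse_control(m.group(2)), m.group(3), m.group(4)))
    return entries


def run_stack(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk one stack. `results` maps module -> the value it returns (default
    success). Returns (final status, modules that were actually called)."""
    impression: Optional[bool] = None   # None undecided, True positive, False negative
    status = PERM_DENIED
    consulted: List[str] = []
    for actions, module, _args in entries:
        consulted.append(module)
        retval = results.get(module, SUCCESS)
        action = actions.get(retval, actions.get("default", "bad"))  # unlisted values count as bad
        if action == "ignore":
            continue
        if action == "reset":                  # forget everything decided so far
            impression, status = None, PERM_DENIED
        elif action in ("ok", "done"):
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval   # only counts while nobody has failed
            if action == "done" and impression:
                break                          # sufficient: early success needs a clean record
        else:                                  # bad / die
            if impression is not False:
                impression, status = False, retval  # the first failure is the one reported
            if action == "die":
                break                          # requisite: immediate veto
    if impression is None:
        status = PERM_DENIED   # assumption: a stack that decided nothing is treated as a denial
    return status, consulted


# Constructed auth stack: the securetty line from the login file above plus the
# shape of a typical system-auth (sufficient pam_unix.so, required pam_deny.so).
LOGIN_AUTH = """\
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth requisite  pam_nologin.so
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_deny.so
"""


def login_auth(results: Dict[str, str]) -> Tuple[str, List[str]]:
    return run_stack(parse_stack(LOGIN_AUTH, "auth"), {"pam_deny.so": AUTH_ERR, **results})


def demo() -> Dict[str, Tuple[str, List[str]]]:
    return {
        "good_password": login_auth({}),
        "bad_password": login_auth({"pam_unix.so": AUTH_ERR}),
        # required pam_securetty.so fails: the later sufficient success cannot undo it
        "insecure_tty": login_auth({"pam_securetty.so": AUTH_ERR}),
        # the login file maps user_unknown to ignore, so securetty does not decide
        "unknown_to_securetty": login_auth({"pam_securetty.so": USER_UNKNOWN}),
        # requisite pam_nologin.so fails: the stack dies before pam_unix.so runs
        "nologin_present": login_auth({"pam_nologin.so": AUTH_ERR}),
    }


if __name__ == "__main__":
    for name, (status, consulted) in demo().items():
        print(f"{name:22s} {status:12s} {consulted}")
```

The consulted list is as informative as the status: in the bad_password case every module still runs, which is why a trailing required pam_deny.so is what actually turns "no sufficient module said yes" into a failure, and in the nologin_present case the password module is never reached at all.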
Next, the modules: there are a great many of them, and each means something different.