iptables/netfilter

  kernel, tcp/ip, framework

  stack (the five hook points):

    PREROUTING

    INPUT

    FORWARD

    OUTPUT

    POSTROUTING

filter

nat

mangle

raw

time (match extension)

recent (match extension)

  ssh

  web, per-IP

TCP Wrappers

libwrap.so

tcpd / libwrap: a library, not a daemon

TCP Wrappers is another network access-control mechanism. Unlike iptables it does not work at the network layer; think of it as an access-control tool at the TCP (application) layer. It normally controls only services that use TCP, and not even all of those: TCP Wrappers is a library, libwrap.so, so a service can only be controlled by it if its author called the library's hosts_access() interface and the binary was linked against libwrap, either dynamically (the library is loaded when the program runs) or statically at build time. A service that was never linked against it is simply not subject to TCP Wrappers.

The two mechanisms therefore sit in different places. netfilter is a framework inside the kernel's TCP/IP stack, and iptables is the user-space tool that writes rules into it. TCP Wrappers is sometimes talked about as "the tcpd service", but it is not a service in its own right: tcpd is a small wrapper program used by inetd, and libwrap is the library that tcpd and every wrapped daemon call. The library comes from the tcp_wrappers package, not from glibc, and it runs entirely in user space inside the server process; nothing about it lives in the kernel.

The path of a request to a wrapped service: the client's packets arrive at the local NIC, the kernel's TCP/IP stack routes them, finds they are addressed to this host and hands them to the socket the service listens on; the service's reply goes back through the TCP/IP stack and is routed to the client. TCP Wrappers adds one access check to that path: once the connection has been accepted and before the service does anything with it, the wrapped daemon calls libwrap, which evaluates the client against /etc/hosts.allow and /etc/hosts.deny. If the rules allow the client, the service carries on; otherwise the daemon closes the connection. So TCP Wrappers is a filter sitting between the listening socket and the service logic, intercepting connection attempts to one particular service and deciding by its rules whether to let them through. One caveat follows from where the check runs: a rejected client still completes the TCP handshake (the check happens after accept()), so the port is visible as open even though the connection is immediately closed; iptables, by contrast, can drop the packets before any connection exists.

Because the check lives inside the service itself (or inside tcpd or xinetd acting on its behalf), the first step in controlling a service with TCP Wrappers is to confirm that the service is actually linked against libwrap.

ldd `which app` | grep libwrap: check whether a program is dynamically linked against libwrap and therefore subject to TCP Wrappers;

Some programs have the library compiled directly into the executable (static linking); a .so file is a dynamic (shared) library that is loaded when the program needs it;

Static linking: the library becomes part of the program itself, so ldd will not list it and the check has to look inside the binary (strings ... | grep hosts);
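The check described above, turned into a small script. This is an added example, not part of the original notes: it classifies a binary as "dynamic" (ldd lists libwrap.so), "static" (no libwrap.so in ldd output, but the hosts_access symbols or the /etc/hosts.allow path are compiled into the binary, as seen with portmap later on this page) or "none". The sample inputs used in the demo are constructed from the ldd and strings listings shown further down.

```bash
#!/bin/bash
# Added example (not from the original notes): is this binary subject to
# TCP Wrappers? "dynamic" = linked against libwrap.so, "static" = libwrap
# compiled in (hosts_access strings present), "none" = not wrapped at all.

# classify_wrap <ldd output> <strings output> -> prints dynamic|static|none
classify_wrap() {
  local ldd_out=$1 strings_out=$2
  if printf '%s\n' "$ldd_out" | grep -q 'libwrap\.so'; then
    echo dynamic
  elif printf '%s\n' "$strings_out" | grep -qE '^(hosts_access|/etc/hosts\.(allow|deny))'; then
    echo static
  else
    echo none
  fi
}

# wrap_status <path-or-command>: run ldd and strings on a real binary and
# classify it. Prints "missing" (status 1) when the binary cannot be found.
wrap_status() {
  local bin
  bin=$(command -v "$1" 2>/dev/null) || bin=$1
  [ -x "$bin" ] || { echo missing; return 1; }
  classify_wrap "$(ldd "$bin" 2>/dev/null)" "$(strings "$bin" 2>/dev/null)"
}

# Demo: the four services examined on this page. The result depends on what
# is installed on the host running the script.
for svc in sshd xinetd httpd portmap; do
  printf '%-8s %s\n' "$svc" "$(wrap_status "$svc")"
done
```

Run it as root on the target host; a service reported as "none" must be protected with iptables (or xinetd's only_from, if it is started by xinetd) because hosts.allow/hosts.deny rules written for it will never be consulted.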

RPC

  portmap

TCP Wrappers

  /etc/hosts.allow: clients that are allowed;

  /etc/hosts.deny: clients that are denied;

Evaluation order: /etc/hosts.allow is checked first, and the first matching rule grants access; if nothing matches, /etc/hosts.deny is checked, and the first matching rule denies access; if nothing matches there either, access is granted by default. Because the default is "allow", a deny-by-default posture needs a catch-all line in hosts.deny (for example sshd: ALL, as in the exercises below). Two tools from the tcp_wrappers package help check a configuration without a client: tcpdchk reports syntax errors and unknown daemons in the two files, and tcpdmatch in.telnetd 172.16.100.254 prints which rule would match that daemon/client pair and whether access would be granted;

Syntax of the access-control files /etc/hosts.allow and /etc/hosts.deny:

daemon_list (which services: the process name of the server, i.e. the name of its executable such as in.telnetd): client_list (which clients) [:options]

  vsftpd: 192.168.0.

  vsftpd, sshd, in.telnetd: (several daemons in one rule)

  ALL (every service on this host that is subject to TCP Wrappers)

  daemon@host (the rule applies only when the service is reached through that local address; useful on a host with several addresses)

    172.16.100.1

    192.168.0.186

    vsftpd@192.168.0.186: 1. (clients in 1.0.0.0/8 are controlled by this rule only when they reach vsftpd through the local address 192.168.0.186)

client_list

  IP (a single address; matches exactly that client)

  network address

    network/mask: write the mask in dotted form, 1.0.0.0/255.0.0.0; the prefix-length form 1.0.0.0/8 is not accepted by this version of hosts_access

    172.16. (a trailing dot means a network prefix, here 172.16.0.0/16)

  HOSTNAME (matching by host name; this needs a working reverse lookup of the client address, otherwise the client counts as UNKNOWN)

    fqdn (one host)

    .magedu.com --> www.magedu.com (a leading dot means a domain: every host in that domain is matched)

  MACRO

    ALL (every client)

    LOCAL (any host whose name contains no dot, i.e. a host in the local domain), KNOWN (both the host name and the address can be resolved), UNKNOWN (the name or the address cannot be resolved), PARANOID (the host name does not match its address: forward and reverse DNS disagree)

    EXCEPT (exclusion: "list1 EXCEPT list2" matches anything in list1 that is not in list2)

[:options]

spawn (run a shell command when the rule matches, for example to write a log entry for an accepted or rejected client)

ALLOW (grant access even if the rule is in hosts.deny)

DENY (refuse access even if the rule is in hosts.allow)

in.telnetd

  ALL

  172.16.

    172.16.100.100

/etc/inittab respawn (restart the process whenever it exits)

standalone: an independent daemon; responds quickly, suited to high-traffic services;

xinetd

  transient: a transient, non-independent daemon started by xinetd on demand; saves resources, suited to low-traffic services;

  23/tcp

TCP Wrappers

sshd: allow only the 172.16.0.0/16 network:

Method:
1. Edit /etc/hosts.allow

sshd: 172.16.

2. Edit /etc/hosts.deny

sshd: ALL

telnet: deny the 172.16.0.0/16 network but allow 172.16.100.200; other clients are not restricted:

Method 1:

1. Edit /etc/hosts.allow

in.telnetd: 172.16.100.200

2. Edit /etc/hosts.deny

in.telnetd: 172.16.

Method 2:

1. Edit /etc/hosts.deny

in.telnetd: 172.16. EXCEPT 172.16.100.200 (the 172.16.0.0/255.255.0.0 network, except 172.16.100.200)

Method 3:

1. Edit /etc/hosts.allow

in.telnetd: ALL EXCEPT 172.16. EXCEPT 172.16.100.200 (allow every host, but not the 172.16.0.0/255.255.0.0 network, from which 172.16.100.200 is in turn excluded and so stays allowed)

2. Edit /etc/hosts.deny

in.telnetd: ALL
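To make the lookup order and the EXCEPT, ALLOW and DENY semantics from the syntax section and the three methods above concrete, here is a small re-implementation of the decision in shell. It is an added example, not the real libwrap code and not part of the original notes: it handles IPv4 clients only (no host names, KNOWN, UNKNOWN, LOCAL or PARANOID), ignores every option except ALLOW and DENY, and matches a daemon@host pattern on the daemon part only. The rule texts in the demo and the tests are the ones used on this page.

```bash
#!/bin/bash
# Added example, not from the original notes and not the real libwrap code:
# evaluate "daemon : client" against hosts.allow / hosts.deny text so the
# rules can be tried out without touching /etc.

# trim leading and trailing whitespace
trim() { local s=$1; s=${s#"${s%%[![:space:]]*}"}; printf '%s' "${s%"${s##*[![:space:]]}"}"; }

# ip_to_int 172.16.100.254 -> 32-bit integer
ip_to_int() { local IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )); }

# match_client <pattern> <client ip>: ALL, exact IP, "172.16." prefix, or net/mask
match_client() {
  local pat=$1 ip=$2 n m c
  case $pat in
    ALL) return 0 ;;
    */*) n=$(ip_to_int "${pat%/*}"); m=$(ip_to_int "${pat#*/}"); c=$(ip_to_int "$ip")
         [ $(( c & m )) -eq $(( n & m )) ] ;;
    *.)  [[ $ip == "$pat"* ]] ;;          # trailing dot: network prefix
    *)   [ "$ip" = "$pat" ] ;;
  esac
}

# match_daemon <pattern> <daemon>: ALL, exact name, or daemon@host (host part ignored here)
match_daemon() { [ "${1%%@*}" = ALL ] || [ "${1%%@*}" = "$2" ]; }

# match_list <matcher> <list> <value>: comma/space separated list with a
# right-associative EXCEPT: "A EXCEPT B EXCEPT C" matches A unless (B unless C).
match_list() {
  local matcher=$1 list=$2 val=$3 item
  if [[ $list == *" EXCEPT "* ]]; then
    match_list "$matcher" "${list%% EXCEPT *}" "$val" && ! match_list "$matcher" "${list#* EXCEPT }" "$val"
    return
  fi
  for item in ${list//,/ }; do
    "$matcher" "$item" "$val" && return 0
  done
  return 1
}

# rule_matches <line> <daemon> <client ip>: succeed if the line
# "daemon_list : client_list [: options]" applies, printing the option field.
rule_matches() {
  local line=${1%%#*} daemon=$2 ip=$3 daemons clients opts=
  [ -z "${line//[[:space:]]/}" ] && return 1
  daemons=$(trim "${line%%:*}"); line=${line#*:}
  clients=$(trim "${line%%:*}")
  [[ $line == *:* ]] && opts=$(trim "${line#*:}")
  match_list match_daemon "$daemons" "$daemon" || return 1
  match_list match_client "$clients" "$ip" || return 1
  printf '%s' "$opts"
}

# hosts_access <daemon> <client ip> <hosts.allow text> <hosts.deny text> -> allow|deny
# First match in hosts.allow decides, then first match in hosts.deny, else allow.
# An explicit ALLOW or DENY option overrides which file the line is in.
hosts_access() {
  local daemon=$1 ip=$2 file text verdict line opts
  for file in allow deny; do
    if [ "$file" = allow ]; then text=$3; verdict=allow; else text=$4; verdict=deny; fi
    while IFS= read -r line; do
      opts=$(rule_matches "$line" "$daemon" "$ip") || continue
      case ":${opts// /}:" in
        *:DENY:*)  echo deny ;;
        *:ALLOW:*) echo allow ;;
        *)         echo "$verdict" ;;
      esac
      return 0
    done <<< "$text"
  done
  echo allow   # no rule matched in either file: default allow
}

# Demo with the exercise from the notes: telnet from 172.16.0.0/16 only, except 172.16.100.254
ALLOW='in.telnetd: 172.16. EXCEPT 172.16.100.254'
DENY='in.telnetd: ALL'
for c in 172.16.100.1 172.16.100.254 10.0.0.5; do
  printf 'in.telnetd from %-16s -> %s\n' "$c" "$(hosts_access in.telnetd "$c" "$ALLOW" "$DENY")"
done
```

On a real host the same question is answered by tcpdmatch, which also resolves host names and reports which line matched; the script above is only for seeing why a given rule set behaves as it does, for instance that ALL EXCEPT 172.16. EXCEPT 172.16.100.200 still admits 172.16.100.200.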

/etc/hosts.allow

in.telnetd: 172.16.

/etc/hosts.deny

in.telnetd: ALL

/etc/hosts.allow

in.telnetd: 172.16. :DENY

TCP Wrappers macros (expansions available in spawn commands and other options):

%c: client information (user@host, user@address, a host name or just an address, depending on what could be determined);

%s: server information (daemon@host, daemon@address or just the daemon name);

%h: client host name, or its address when the name cannot be resolved;

%a: client address; %d: daemon process name;

%p: PID of the daemon process;

# man 5 hosts_access: the full list of macros and of the hosts.allow/hosts.deny syntax; note that characters in an expansion that could confuse the shell are replaced by underscores before the spawn command runs, and that the command runs with the daemon's privileges (root for in.telnetd);

spawn echo "`date`, Login attempt from %c to %s" >> /var/log/tcpwraper.log

[root@Smoke samba]# ldd `which sshd`(find the absolute path of the sshd binary with which and pass it to ldd to list the shared libraries sshd depends on; ` ` is backtick command substitution)
	linux-gate.so.1 =>  (0xb7fff000)
	libwrap.so.0 => /lib/libwrap.so.0 (0xb7f7c000)
	libpam.so.0 => /lib/libpam.so.0 (0xb7f71000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7f6c000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb7f54000)
	libaudit.so.0 => /lib/libaudit.so.0 (0xb7f3a000)
	libfipscheck.so.1 => /usr/lib/libfipscheck.so.1 (0xb7f38000)
	libresolv.so.2 => /lib/libresolv.so.2 (0xb7f23000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0xb7de2000)
	libutil.so.1 => /lib/libutil.so.1 (0xb7dde000)
	libz.so.1 => /lib/libz.so.1 (0xb7dcb000)
	libnsl.so.1 => /lib/libnsl.so.1 (0xb7db1000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7d7f000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7d51000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7cba000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7c93000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7c90000)
	libnss3.so => /usr/lib/libnss3.so (0xb7b67000)
	libc.so.6 => /lib/libc.so.6 (0xb7a0d000)
	/lib/ld-linux.so.2 (0x0072c000)
	libsepol.so.1 => /lib/libsepol.so.1 (0xb79c7000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb79be000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb79bb000)
	libnssutil3.so => /usr/lib/libnssutil3.so (0xb79a1000)
	libplc4.so => /usr/lib/libplc4.so (0xb799d000)
	libplds4.so => /usr/lib/libplds4.so (0xb7999000)
	libnspr4.so => /usr/lib/libnspr4.so (0xb7960000)
	libpthread.so.0 => /lib/libpthread.so.0 (0xb7946000)
Note: sshd depends on libwrap.so, i.e. it is linked against TCP Wrappers, so sshd is subject to TCP Wrappers access control;
[root@Smoke samba]# ldd `which xinetd`(find the absolute path of the xinetd binary with which and pass it to ldd to list the shared libraries xinetd depends on; ` ` is backtick command substitution)
	linux-gate.so.1 =>  (0xb8024000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb7fd4000)
	libwrap.so.0 => /lib/libwrap.so.0 (0xb7fcc000)
	libnsl.so.1 => /lib/libnsl.so.1 (0xb7fb3000)
	libm.so.6 => /lib/libm.so.6 (0xb7f8a000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7f57000)
	libc.so.6 => /lib/libc.so.6 (0xb7dfd000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7df8000)
	libsepol.so.1 => /lib/libsepol.so.1 (0xb7db2000)
	/lib/ld-linux.so.2 (0x0072c000)
Note: xinetd depends on libwrap.so, so xinetd is subject to TCP Wrappers access control as well;
[root@Smoke samba]# ldd `which httpd`(find the absolute path of the httpd binary with which and pass it to ldd to list the shared libraries httpd depends on; ` ` is backtick command substitution)
	linux-gate.so.1 =>  (0xb8073000)
	libm.so.6 => /lib/libm.so.6 (0xb7fea000)
	libpcre.so.0 => /lib/libpcre.so.0 (0xb7fca000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb7fb2000)
	libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb7f98000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7f65000)
	libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb7f2b000)
	liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f1d000)
	libdb-4.3.so => /lib/libdb-4.3.so (0xb7e25000)
	libexpat.so.0 => /lib/libexpat.so.0 (0xb7e04000)
	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb7ddc000)
	libpthread.so.0 => /lib/libpthread.so.0 (0xb7dc1000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7dbc000)
	libc.so.6 => /lib/libc.so.6 (0xb7c62000)
	/lib/ld-linux.so.2 (0x0072c000)
	libsepol.so.1 => /lib/libsepol.so.1 (0xb7c1c000)
	libuuid.so.1 => /lib/libuuid.so.1 (0xb7c17000)
	libresolv.so.2 => /lib/libresolv.so.2 (0xb7c01000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7be8000)
	libssl.so.6 => /lib/libssl.so.6 (0xb7ba0000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0xb7a5f000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7a31000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7999000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7996000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb796f000)
	libz.so.1 => /lib/libz.so.1 (0xb795c000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7953000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb794f000)
Note: httpd is not linked against libwrap.so, so httpd is not subject to TCP Wrappers; access to it has to be controlled with iptables or with httpd's own Allow/Deny directives;
[root@Smoke samba]# ldd `which portmap`(find the absolute path of the portmap binary with which and pass it to ldd to list the shared libraries portmap depends on; ` ` is backtick command substitution)
	linux-gate.so.1 =>  (0xb807e000)
	libnsl.so.1 => /lib/libnsl.so.1 (0xb804d000)
	libc.so.6 => /lib/libc.so.6 (0xb7ef3000)
	/lib/ld-linux.so.2 (0x0072c000)
Note: portmap's ldd output shows no libwrap.so, yet portmap is controlled by TCP Wrappers: the library was linked in statically, so the hosts_access code is already part of the portmap binary and no shared library needs to be loaded. ldd only lists shared libraries, so for a static link the check has to look inside the binary:
[root@Smoke samba]# strings `which portmap` | grep hosts(find the absolute path of portmap, print the printable strings in the binary with strings, and keep only the lines mentioning hosts; ` ` is backtick command substitution)
hosts_access_verbose
hosts_allow_table
hosts_deny_table
/etc/hosts.allow
/etc/hosts.deny
Note: /etc/hosts.allow and /etc/hosts.deny are the two files TCP Wrappers reads to decide access to a service; the fact that portmap contains their paths and the hosts_access symbols shows that TCP Wrappers was compiled into it statically, so portmap is subject to TCP Wrappers access control too;
[root@Smoke samba]# rpm -q xinetd(check whether the xinetd package is installed)
xinetd-2.3.14-16.el5
[root@Smoke samba]# yum -y install telnet-server(install telnet-server from the yum repositories; -y answers yes to every prompt)
Note: xinetd and telnet-server are separate things: telnet-server is merely a service managed by xinetd, and xinetd, the super-server, can manage any number of such services, telnet being just one of them. The two are not peers; telnet-server is installed here because it depends on xinetd, so installing it pulls xinetd in as a dependency;
[root@Smoke samba]# ldd `which xinetd`(find the absolute path of the xinetd binary with which and pass it to ldd to list the shared libraries xinetd depends on; ` ` is backtick command substitution)
	linux-gate.so.1 =>  (0xb8024000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb7fd4000)
	libwrap.so.0 => /lib/libwrap.so.0 (0xb7fcc000)
	libnsl.so.1 => /lib/libnsl.so.1 (0xb7fb3000)
	libm.so.6 => /lib/libm.so.6 (0xb7f8a000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7f57000)
	libc.so.6 => /lib/libc.so.6 (0xb7dfd000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7df8000)
	libsepol.so.1 => /lib/libsepol.so.1 (0xb7db2000)
	/lib/ld-linux.so.2 (0x0072c000)
Note: xinetd depends on libwrap.so, so xinetd is subject to TCP Wrappers and performs the check on behalf of telnet; the daemon name to use in the rules is in.telnetd, the server program xinetd starts;
[root@Smoke ~]# which sshd(show the absolute path of the sshd command)
/usr/sbin/sshd
[root@Smoke ~]# rpm -q telnet-server(check whether the telnet-server package is installed)
telnet-server-0.17-39.el5
[root@Smoke ~]# rpm -ql telnet-server(list the files installed by the telnet-server package)
/etc/xinetd.d/telnet
/usr/sbin/in.telnetd(the telnet server binary)
/usr/share/man/man5/issue.net.5.gz
/usr/share/man/man8/in.telnetd.8.gz
/usr/share/man/man8/telnetd.8.gz
[root@Smoke ~]# service xinetd start(start the xinetd service)
Starting xinetd:                                           [  OK  ]
[root@Smoke ~]# iptables -L -n(list the rules of the filter table in numeric form: -L lists the rules of the given table, -n shows addresses and ports as numbers; the three chains have policy ACCEPT and no rules, so the firewall is not interfering with the tests that follow)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
[root@Smoke ~]# ifconfig(show the network interfaces; this host is 172.16.100.1 with a /16 mask)
eth0      Link encap:Ethernet  HWaddr 00:0C:29:CC:FA:AE  
          inet addr:172.16.100.1  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116391 errors:0 dropped:0 overruns:0 frame:0
          TX packets:172398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9431564 (8.9 MiB)  TX bytes:172806058 (164.8 MiB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3189 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:366258 (357.6 KiB)  TX bytes:366258 (357.6 KiB)

Exercise: allow the telnet service on 172.16.100.1 to be reached only from the 172.16.0.0/16 network;

[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16.
[root@Smoke ~]# vim /etc/hosts.deny(edit the hosts.deny file)

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL

Test: from a Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the connection fails. This is not the access control at work: nothing is listening on 23/tcp yet, as the netstat output below shows;

C:\Users\Smoke>telnet 172.16.100.1
Connecting To 172.16.100.1...Could not open connection to the host, on port 23: Connect failed
[root@Smoke ~]# netstat -tnlp(list listening TCP sockets: -t TCP only, -n numeric addresses and ports, -l listening sockets, -p the owning PID and program name)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3669/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:610                 0.0.0.0:*                   LISTEN      3396/rpc.statd      
tcp        0      0 0.0.0.0:32803               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN      21452/xinetd        
tcp        0      0 0.0.0.0:875                 0.0.0.0:*                   LISTEN      3762/rpc.rquotad    
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3356/portmap        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3690/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3702/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3831/sendmail       
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      21180/sshd          
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN      3787/rpc.mountd     
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3674/python         
tcp        0      0 :::139                      :::*                        LISTEN      19041/smbd          
tcp        0      0 :::22                       :::*                        LISTEN      3690/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      21180/sshd          
tcp        0      0 :::445                      :::*                        LISTEN      19041/smbd  
[root@Smoke ~]# chkconfig telnet on(enable the telnet service; for an xinetd-managed service this sets disable = no in /etc/xinetd.d/telnet rather than creating an rc script)
[root@Smoke ~]# service xinetd restart(restart xinetd so it picks up the change)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@Smoke ~]# netstat -tnlp(list listening TCP sockets again; xinetd now listens on 23/tcp on behalf of telnet)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3669/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:610                 0.0.0.0:*                   LISTEN      3396/rpc.statd      
tcp        0      0 0.0.0.0:32803               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN      21618/xinetd        
tcp        0      0 0.0.0.0:875                 0.0.0.0:*                   LISTEN      3762/rpc.rquotad    
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3356/portmap        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3690/sshd           
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN      21618/xinetd        
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3702/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3831/sendmail       
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      21180/sshd          
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN      3787/rpc.mountd     
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3674/python         
tcp        0      0 :::139                      :::*                        LISTEN      19041/smbd          
tcp        0      0 :::22                       :::*                        LISTEN      3690/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      21180/sshd          
tcp        0      0 :::445                      :::*                        LISTEN      19041/smbd          
[root@Smoke ~]# useradd fedora(create the user fedora)
[root@Smoke ~]# passwd fedora(set a password for fedora)
Changing password for user fedora.
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; 172.16.100.254 matches the 172.16. rule in hosts.allow, and the login succeeds

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(the password set above, redhat)
[fedora@Smoke ~]$ logout(log out)

Exercise: allow only the 172.16.0.0/16 network, except 172.16.100.254;

[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16. EXCEPT 172.16.100.254

[root@Smoke ~]# vim /etc/hosts.deny(edit the hosts.deny file)
 
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the client is excluded by EXCEPT in hosts.allow and then caught by ALL in hosts.deny, so the login fails;

C:\Users\Smoke>telnet 172.16.100.1
[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file and remove the rule, leaving only the comments)
 
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
[root@Smoke ~]# vim /etc/hosts.deny(edit the hosts.deny file and remove the rule as well; with both files empty no rule matches and every client is allowed by default)

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16.

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the login succeeds (it would succeed even without the allow rule, since hosts.deny is empty);

Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(password)
Last login: Wed Nov 26 14:15:33 from 172.16.100.254
[fedora@Smoke ~]$ logout(log out)
[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16. :DENY

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the login fails: the :DENY option refuses the 172.16.0.0/16 network even though the line is in hosts.allow, and the search stops at that first match;

C:\Users\Smoke>telnet 172.16.100.1
[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16. :spawn echo "somebody entered, `date`" >> /var/log/tcpwraper.log

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the login succeeds, and the spawn command appends a line to the log each time the rule matches;

Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(password)
Last login: Wed Nov 26 14:15:33 from 172.16.100.254
[fedora@Smoke ~]$ logout(log out)
[root@Smoke ~]# tail /var/log/tcpwraper.log(show the last 10 lines of the log written by spawn; one entry per connection attempt that matched the rule) 
somebody entered, Wed Nov 26 14:47:54 CST 2014
somebody entered, Wed Nov 26 14:48:09 CST 2014
[root@Smoke ~]# vim /etc/hosts.allow(the hosts.allow file as it stands)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16. :spawn echo "somebody entered, `date`" >> /var/log/tcpwraper.log

[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file; the %c and %s macros put the client and the daemon@server into the log line)

in.telnetd: 172.16. :spawn echo "`date`, login attempt from %c to %s." >> /var/log/tcpwraper.log

[root@Smoke ~]# vim /etc/hosts.deny(edit the hosts.deny file; rejected clients are logged with %h, the client host name or address)

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL :spawn echo "`date`, login attempt from %h." >> /var/log/tcpwraper.log

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the login succeeds;

Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(password)
Last login: Wed Nov 26 14:15:33 from 172.16.100.254
[fedora@Smoke ~]$ logout(log out)
[root@Smoke ~]# tail /var/log/tcpwraper.log(show the last 10 lines of the log; the new entry comes from the hosts.allow rule, with %c expanded to the client address and %s to in.telnetd@172.16.100.1)
somebody entered, Wed Nov 26 14:47:54 CST 2014
somebody entered, Wed Nov 26 14:48:09 CST 2014
Wed Nov 26 15:09:36 CST 2014, login attempt from 172.16.100.254 to in.telnetd@172.16.100.1.
[root@Smoke ~]# vim /etc/hosts.allow(edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: 172.16. EXCEPT 172.16.100.254 :spawn echo "`date`, login attempt from %c to %s." >> /var/log/tcpwraper.log

[root@Smoke ~]# vim /etc/hosts.deny(edit the hosts.deny file)

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL :spawn echo "`date`, login attempt from %h." >> /var/log/tcpwraper.log

Test: from the Windows host at 172.16.100.254, connect to the Linux host's telnet service from a command prompt; the login fails;

C:\Users\Smoke>telnet 172.16.100.1
[root@Smoke ~]# tail /var/log/tcpwraper.log(show the last 10 lines of the log; the rejected attempt was recorded by the hosts.deny rule, whose spawn uses %h, so only the client address appears)
somebody entered, Wed Nov 26 14:47:54 CST 2014
somebody entered, Wed Nov 26 14:48:09 CST 2014
Wed Nov 26 15:09:36 CST 2014, login attempt from 172.16.100.254 to in.telnetd@172.16.100.1.
Wed Nov 26 15:12:40 CST 2014, login attempt from 172.16.100.254.

Linux:

standalone: independent daemon

transient: transient daemon

xinetd: the super-server (extended internet services daemon)

telnet

xinetd --> (n non-independent services)

/etc/xinetd.conf: the main configuration file;

/etc/xinetd.d/*: directory of per-service configuration fragments included by the main file;

The configuration has two parts:

1. global configuration (the defaults every service inherits)

2. service configuration

service <service_name>

  {

    <attribute> <assign_op> <value> <value> ... (the service's attributes; the assignment operator is =, += or -=)

    ...

  }

SYSLOG: the logging service (syslogd for system messages, klogd for kernel messages)

log_type = FILE /var/log/xinetd.log (log to a file instead of syslog)

tcp/udp/rpc: the service's protocol (socket_type = stream or dgram; RPC services register with portmap);

portmap --> rpc

nfs <-- rpc

Access control:

  only_from = (accept requests only from these clients)

  IP: 172.16.100.254

  NETWORK: 172.16.0.0/16, 172.16.0.0/255.255.0.0

  HOSTNAME: FQDN www.magedu.com

  DOMAIN: *.magedu.com

no_access = (refuse requests from these clients; when a client matches both lists, the more specific match decides)

Time control:

access_times = hh:mm-hh:mm (the interval during which the service may be used)

hh: 0-23

mm: 0-59

Listening address (the address the service is offered on):

bind = (bind the service to this IP address only)

interface = (synonym for bind)

Resource limits:

cps =

  limits the rate of incoming connections:

  two arguments:

    the maximum number of connections per second, default 50

    the number of seconds the service is disabled once that limit is exceeded, default 10

per_source = (maximum number of simultaneous connections from a single source IP)

instances = (maximum number of server instances, i.e. simultaneous connections, for this service)

Passing arguments to the server that is started:

server_args =

port = (the port the service listens on; if the service is listed in /etc/services the value must agree with that entry)

Exercise: configure the local rsync service (a transient daemon under xinetd) to meet these requirements:

1. listen only on the local address 172.16.x.1;

2. accept only hosts in the 172.16.0.0/16 network, but not 172.16.0.1;

3. run at most 3 instances at once, and accept at most two connections from any single IP;
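A solution to the exercise above, written as a script that renders the /etc/xinetd.d/rsync entry from the five values involved. This is an added example, not the original notes' own answer; it assumes the host's address is 172.16.100.1 (the "172.16.x.1" of the exercise, taken from the ifconfig output earlier on this page) and that the rsync binary is /usr/bin/rsync, as in the stock RHEL 5 fragment shown later.

```bash
#!/bin/bash
# Added example (not from the original notes): generate the xinetd service
# entry for rsync that satisfies the exercise, and install it.
# Assumptions: local address 172.16.100.1, server binary /usr/bin/rsync.

# render_rsync_service <bind ip> <allowed network> <denied host> <max instances> <per-source limit>
# Prints the service block. The attributes beyond the stock fragment are:
#   bind       -> listen on one local address only (interface = is a synonym)
#   only_from  -> the network that may connect
#   no_access  -> the single host excluded from it; xinetd resolves a host that
#                 matches both lists by the more specific match, so /32 beats /16
#   instances  -> concurrent rsync servers for this service
#   per_source -> concurrent connections from one client address
render_rsync_service() {
  local bind_ip=$1 net=$2 denied=$3 inst=$4 per_src=$5
  cat <<EOF
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
        bind            = $bind_ip
        only_from       = $net
        no_access       = $denied
        instances       = $inst
        per_source      = $per_src
}
EOF
}

# write_rsync_service [path]: write the entry (default /etc/xinetd.d/rsync)
# and, when writing the real file, ask xinetd to re-read its configuration.
write_rsync_service() {
  local path=${1:-/etc/xinetd.d/rsync}
  render_rsync_service 172.16.100.1 172.16.0.0/16 172.16.0.1 3 2 > "$path"
  [ "$path" = /etc/xinetd.d/rsync ] && service xinetd reload
  return 0
}

# Demo: show the entry that would be installed.
render_rsync_service 172.16.100.1 172.16.0.0/16 172.16.0.1 3 2
```

After write_rsync_service has run, netstat -tnlp should show xinetd listening on 172.16.100.1:873 and nothing on 0.0.0.0:873; rsync rsync://172.16.100.1/ from an allowed host lists the modules, while the same command from 172.16.0.1 is refused and logged under log_on_failure. Note that rsync itself also needs /etc/rsyncd.conf with at least one module before it will serve anything.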

[root@Smoke ~]# ll /etc/xinetd.conf(long listing of the main xinetd configuration file) 
-rw-r--r-- 1 root root 1001 Jan  6  2012 /etc/xinetd.conf
[root@Smoke ~]# ll /etc/xinetd.d/(long listing of the per-service fragments in /etc/xinetd.d)
total 176
-rw-r--r-- 1 root root 1157 Jan  6  2012 chargen-dgram
-rw-r--r-- 1 root root 1159 Jan  6  2012 chargen-stream
-rw-r--r-- 1 root root 1157 Jan  6  2012 daytime-dgram
-rw-r--r-- 1 root root 1159 Jan  6  2012 daytime-stream
-rw-r--r-- 1 root root 1157 Jan  6  2012 discard-dgram
-rw-r--r-- 1 root root 1159 Jan  6  2012 discard-stream
-rw-r--r-- 1 root root 1148 Jan  6  2012 echo-dgram
-rw-r--r-- 1 root root 1150 Jan  6  2012 echo-stream
-rw-r--r-- 1 root root  323 Sep  9  2004 eklogin
-rw-r--r-- 1 root root  347 Sep  6  2005 ekrb5-telnet
-rw-r--r-- 1 root root  326 Sep  9  2004 gssftp
-rw-r--r-- 1 root root  310 Sep  9  2004 klogin
-rw-r--r-- 1 root root  323 Sep  9  2004 krb5-telnet
-rw-r--r-- 1 root root  308 Sep  9  2004 kshell
-rw-r--r-- 1 root root  722 Sep 13  2011 rmcp
-rw-r--r-- 1 root root  317 Sep  9  2004 rsync
-rw-r--r-- 1 root root  367 Nov 26 06:57 swat
-rw-r--r-- 1 root root 1212 Jan  6  2012 tcpmux-server
-rw-r--r-- 1 root root  302 Nov 26 14:11 telnet
-rw-r--r-- 1 root root  510 May 19  2009 tftp
-rw-r--r-- 1 root root 1149 Jan  6  2012 time-dgram
-rw-r--r-- 1 root root 1150 Jan  6  2012 time-stream
[root@Smoke ~]# vim /etc/xinetd.conf(edit the main xinetd configuration file)

#
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.

defaults(default settings inherited by every service)
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
#       enabled         =(list of services to enable)
#       disabled        =(list of services to disable)

# Define general logging characteristics.
        log_type        = SYSLOG daemon info(where to log: either SYSLOG or FILE; here the daemon facility of syslog at level info)
        log_on_failure  = HOST(what to log when a server cannot be started, because of access control or lack of resources: the client host)
        log_on_success  = PID HOST DURATION EXIT(what to log when a server starts and exits: its PID, the client host, the session duration and the exit status)

# Define access restriction defaults
#
#       no_access       =
#       only_from       =
#       max_load        = 0
        cps             = 50 10
        instances       = 50
        per_source      = 10

# Address and networking defaults
#
#       bind            =
#       mdns            = yes
        v6only          = no

# setup environmental attributes
#
#       passenv         =
        groups          = yes
        umask           = 002

# Generally, banners are not used. This sets up their global defaults
#
#       banner          =
#       banner_fail     =
#       banner_success  =
}

includedir /etc/xinetd.d(include every file in the /etc/xinetd.d directory)

[root@Smoke ~]# service syslog status(check the status of the system log service)
syslogd (pid  3283) is running...
klogd (pid  3286) is running...
[root@Smoke ~]# man xinetd.conf(the manual page for the xinetd.conf configuration file)

       log_type         determines where the service log output is sent. There are two formats:

                        SYSLOG  syslog_facility [syslog_level](the syslog facility to log with, and the log level)
                               The  log  output  is  sent  to  syslog at the specified facility. Possible
                               facility names include: daemon, auth, authpriv,  user,  mail,  lpr,  news,
                               uucp,  ftp  local0-7.   Possible  level names include: emerg, alert, crit,
                               err, warning, notice, info, debug.  If a level is not  present,  the  mes-
                               sages will be recorded at the info level.

                        FILE  file [soft_limit [hard_limit]](log to this file, with optional soft and hard size limits)
                               The  log  output  is appended to file which will be created if it does not
                               exist. Two limits on the size of the log file can be optionally specified.
                               The  first  limit  is a soft one; xinetd will log a message the first time
                               this limit is exceeded (if xinetd logs to syslog, the message will be sent
                               at  the  alert  priority level).  The second limit is a hard limit; xinetd
                               will stop logging for the affected service (if the log file  is  a  common
                               log  file, then more than one service may be affected) and will log a mes-
                               sage about this (if xinetd logs to syslog, the message will be sent at the
                               alert  priority  level).  If a hard limit is not specified, it defaults to
                               the soft limit increased by 1% but the  extra  size  must  be  within  the
                               parameters  LOG_EXTRA_MIN  and  LOG_EXTRA_MAX  which default to 5K and 20K
                               respectively (these constants are defined in xconfig.h).

       log_on_success   determines what information is logged when a server  is  started  and  when  that
                        server  exits (the service id is always included in the log entry).  Any combina-
                        tion of the following values may be specified:

                        PID         logs the server process id (if the service is implemented  by  xinetd
                                    without forking another process the logged process id will be 0)(the server's PID)

                        HOST        logs the remote host address(the client's address)

                        USERID      logs the user id of the remote user using the RFC 1413 identification
                                    protocol.  This option is available only  for  multi-threaded  stream
                                    services.(the remote user name, via the RFC 1413 ident protocol)

                        EXIT        logs  the fact that a server exited along with the exit status or the
                                    termination signal (the process id is also logged if the  PID  option
                                    is used)(the server's exit status or terminating signal)

                        DURATION    logs the duration of a service session(how long the session lasted)

                        TRAFFIC     logs the total bytes in and out for a redirected service.(traffic volume)

       log_on_failure   determines  what  information  is  logged when a server cannot be started (either
                        because of a lack of resources or because of access  control  restrictions).  The
                        service id is always included in the log entry along with the reason for failure.
                        Any combination of the following values may be specified:

                        HOST        logs the remote host address.(the client's address)

                        USERID      logs the user id of the remote user using the RFC 1413 identification
                                    protocol.   This  option  is available only for multi-threaded stream
                                    services.(the remote user name via ident)

                        ATTEMPT     logs the fact that a failed attempt was made (this option is  implied
                                    by all others).(the failed attempt itself; implied by the other options)

[root@Smoke ~]# cd /etc/xinetd.d/(change to the /etc/xinetd.d directory)
[root@Smoke xinetd.d]# ls(list the files in the current directory)
chargen-dgram   daytime-stream  echo-dgram   ekrb5-telnet  krb5-telnet  rsync          telnet      time-stream
chargen-stream  discard-dgram   echo-stream  gssftp        kshell       swat           tftp
daytime-dgram   discard-stream  eklogin      klogin        rmcp         tcpmux-server  time-dgram
[root@Smoke xinetd.d]# vim telnet(edit the telnet fragment)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(the service name; unless port = is given, xinetd looks the name up in /etc/services to find the port, so it must be a known service name; naming the fragment after the service is a convention, not a requirement)
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
[root@Smoke xinetd.d]# vim rsync(the stock rsync fragment; disabled by default)

# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}

[root@Smoke xinetd.d]# vim telnet(edit the telnet fragment to switch the service off again)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(the service name, as above)
{
        disable = yes(attribute, assignment operator, value: this disables the service)
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}

[root@Smoke xinetd.d]# service xinetd reload (reload the xinetd service)
Reloading configuration:                                   [  OK  ]
[root@Smoke xinetd.d]# netstat -tnlp (list listening services: -t TCP, -n numeric output, -l listening sockets, -p show the owning program)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3669/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:610                 0.0.0.0:*                   LISTEN      3396/rpc.statd      
tcp        0      0 0.0.0.0:32803               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN      21618/xinetd        
tcp        0      0 0.0.0.0:875                 0.0.0.0:*                   LISTEN      3762/rpc.rquotad    
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3356/portmap        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3690/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3702/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3831/sendmail       
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      21716/sshd          
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      22261/sshd          
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN      3787/rpc.mountd     
tcp        0      0 127.0.0.1:6013              0.0.0.0:*                   LISTEN      22415/sshd          
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3674/python         
tcp        0      0 :::139                      :::*                        LISTEN      19041/smbd          
tcp        0      0 :::22                       :::*                        LISTEN      3690/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      21716/sshd          
tcp        0      0 ::1:6011                    :::*                        LISTEN      22261/sshd          
tcp        0      0 ::1:6013                    :::*                        LISTEN      22415/sshd          
tcp        0      0 :::445                      :::*                        LISTEN      19041/smbd          
Note: TCP port 23 is no longer listed;
[root@Smoke xinetd.d]# chkconfig telnet on (enable the telnet service)
Note: chkconfig telnet on simply sets the disable attribute in /etc/xinetd.d/telnet to disable = no;
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}

[root@Smoke xinetd.d]# chkconfig telnet off (disable the telnet service)
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = yes (attribute, assignment operator, value; disables the service)
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}

[root@Smoke xinetd.d]# chkconfig --level 2345 telnet on (enable the telnet service)
Note: for non-standalone (xinetd-managed) daemons a runlevel cannot be specified with chkconfig SERVICE on/off; if one is given it has no effect;
[root@Smoke xinetd.d]# chkconfig --list (show which services start at each runlevel)
NetworkManager 	0:off	1:off	2:off	3:off	4:off	5:off	6:off
acpid          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
anacron        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
apmd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
atd            	0:off	1:off	2:off	3:on	4:on	5:on	6:off
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
autofs         	0:off	1:off	2:off	3:on	4:on	5:on	6:off
avahi-daemon   	0:off	1:off	2:off	3:on	4:on	5:on	6:off
avahi-dnsconfd 	0:off	1:off	2:off	3:off	4:off	5:off	6:off
bluetooth      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
capi           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
conman         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
cpuspeed       	0:off	1:on	2:on	3:on	4:on	5:on	6:off
crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
cups           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
dnsmasq        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
dund           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
firstboot      	0:off	1:off	2:off	3:on	4:off	5:on	6:off
gpm            	0:off	1:off	2:on	3:on	4:on	5:on	6:off
haldaemon      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
hidd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
hplip          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
httpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
ipmi           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
irda           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
irqbalance     	0:off	1:off	2:on	3:on	4:on	5:on	6:off
iscsi          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
iscsid         	0:off	1:off	2:off	3:on	4:on	5:on	6:off
isdn           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
kdump          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
kudzu          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
lvm2-monitor   	0:off	1:on	2:on	3:on	4:on	5:on	6:off
mcstrans       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
mdmonitor      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
mdmpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
messagebus     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
microcode_ctl  	0:off	1:off	2:on	3:on	4:on	5:on	6:off
multipathd     	0:off	1:off	2:off	3:off	4:off	5:off	6:off
mysqld         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
netconsole     	0:off	1:off	2:off	3:off	4:off	5:off	6:off
netfs          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
netplugd       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
nfs            	0:off	1:off	2:on	3:on	4:on	5:on	6:off
nfslock        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
nmb            	0:off	1:off	2:off	3:off	4:off	5:off	6:off
nscd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
ntpd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
pand           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
pcscd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
portmap        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
psacct         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
rawdevices     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rdisc          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
readahead_early	0:off	1:off	2:on	3:on	4:on	5:on	6:off
readahead_later	0:off	1:off	2:off	3:off	4:off	5:on	6:off
restorecond    	0:off	1:off	2:on	3:on	4:on	5:on	6:off
rhnsd          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rhsmcertd      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcgssd        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcidmapd      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcsvcgssd     	0:off	1:off	2:off	3:off	4:off	5:off	6:off
saslauthd      	0:off	1:off	2:off	3:off	4:off	5:off	6:off
sendmail       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
setroubleshoot 	0:off	1:off	2:off	3:on	4:on	5:on	6:off
smartd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
smb            	0:off	1:off	2:off	3:off	4:off	5:off	6:off
sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
svnserve       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
syslog         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
vncserver      	0:off	1:off	2:off	3:off	4:off	5:off	6:off
vsftpd         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
wdaemon        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
winbind        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
wpa_supplicant 	0:off	1:off	2:off	3:off	4:off	5:off	6:off
xfs            	0:off	1:off	2:on	3:on	4:on	5:on	6:off
xinetd         	0:off	1:off	2:off	3:on	4:on	5:on	6:off (xinetd itself has runlevels)
ypbind         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
yum-updatesd   	0:off	1:off	2:on	3:on	4:on	5:on	6:off

xinetd based services:
	chargen-dgram: 	off
	chargen-stream:	off
	daytime-dgram: 	off
	daytime-stream:	off
	discard-dgram: 	off
	discard-stream:	off
	echo-dgram:    	off
	echo-stream:   	off
	eklogin:       	off
	ekrb5-telnet:  	off
	gssftp:        	off
	klogin:        	off
	krb5-telnet:   	off
	kshell:        	off
	rmcp:          	off
	rsync:         	off
	swat:          	on
	tcpmux-server: 	off
	telnet:        	on
	tftp:          	off
	time-dgram:    	off
	time-stream:   	off
Note: transient (xinetd-managed) services are simply on or off and have no concept of runlevels; only xinetd itself has runlevels, so if xinetd is on at a given runlevel and the service is turned on, the service is reachable at that runlevel;
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# man xinetd.conf (view the man page for the xinetd.conf configuration file)

       flags            Any combination of the following flags may be used:

                        INTERCEPT   Intercept  packets  or  accepted  connections in order to verify
                                    that they are coming  from  acceptable  locations  (internal  or
                                    multi-threaded services cannot be intercepted).

                        NORETRY     Avoid retry attempts in case of fork failure.

                        IDONLY      Accept  connections  only  when  the  remote  end identifies the
                                    remote user (i.e. the remote host  must  run  an  identification
                                    server).   This  flag applies only to connection-based services.
                                    This flag is ineffective if the USERID log option is not used.

                        NAMEINARGS  This will cause  the  first  argument  in  "server_args"  to  be
                                    argv[0]  when  executing  the  server, as specified in "server".
                                    This allows you to use tcpd by putting tcpd in "server" and  the
                                    name of the server in "server_args" like in normal inetd.

                        NODELAY     If  the  service  is  a tcp service and the NODELAY flag is set,
                                    then the TCP_NODELAY flag will be set on  the  socket.   If  the
                                    service is not a tcp service, this option has no effect.

                        KEEPALIVE   If  the  service is a tcp service and the KEEPALIVE flag is set,
                                    then the SO_KEEPALIVE socket flag will be set on the socket.  If
                                    the service is not a tcp service, this option has no effect.

                        NOLIBWRAP   This  disables internal calling of the tcpwrap library to deter-
                                    mine access to the service.  This may be needed in order to  use
                                    libwrap  functionality  not  available to long-running processes
                                    such as xinetd; in this case, the tcpd  program  can  be  called
                                   explicitly  (see  also  the  NAMEINARGS flag).  For RPC services
                                    using TCP transport,  this  flag  is  automatically  turned  on,
                                    because  xinetd  cannot  get remote host address information for
                                    the rpc port.

                        SENSOR      This replaces the service with a sensor that detects accesses to
                                    the specified port. NOTE: It will NOT detect stealth scans. This
                                    flag should be used only on services that  you  know  you  don't
                                    need.  When  an  access  is  made to this service's port, the IP
                                    Address is added to a global no_access  list.  This  causes  all
                                    subsequent accesses from the originating IP address to be denied
                                    access until the deny_time setting expires. The amount  of  time
                                    spent  on  this list is configurable as the deny_time attribute.
                                    The SENSOR flag will also cause xinetd to  consider  the  server
                                    attribute  to  be  INTERNAL  no matter what is typed on the same
                                    line. Another  important  thing  to  remember  is  that  if  the
                                    socket_type  is set to stream, then the wait attribute should be
                                    set to no.

                        IPv4        Sets the service to be an IPv4 service (AF_INET).

                        IPv6        Sets the service to be an IPv6 service (AF_INET6),  if  IPv6  is
                                    available on the system.

                        LABELED     The  LABELED flag will tell xinetd to change the child processes
                                    SE Linux context to match that of the incoming connection as  it
                                    starts the service. This only works for external tcp non-waiting
                                    servers and is an error if applied to an internal, udp, or  tcp-
                                    wait server.

                        REUSE       The  REUSE  flag is deprecated.  All services now implicitly use
                                    the REUSE flag. (reusable, for repeated access; essentially deprecated, services now use the REUSE flag even when it is not defined)

       socket_type      Possible values for this attribute include: (socket type)

                        stream      stream-based service (TCP-based)

                        dgram       datagram-based service (UDP-based)

                        raw         service that requires direct access to IP

                        seqpacket   service that requires reliable sequential datagram transmission

[root@Smoke ~]# tail /var/log/messages (show the last 10 lines of the messages log file)
Nov 26 17:36:20 Smoke xinetd[21618]: telnet: svc_release with 0 count
Nov 26 17:36:20 Smoke xinetd[21618]: Reconfigured: new=0 old=1 dropped=1 (services)
Nov 26 17:38:21 Smoke xinetd[21618]: Starting reconfiguration
Nov 26 17:38:21 Smoke xinetd[21618]: Swapping defaults
Nov 26 17:38:21 Smoke xinetd[21618]: readjusting service swat
Nov 26 17:38:21 Smoke xinetd[21618]: Reconfigured: new=1 old=1 dropped=0 (services)
Nov 26 17:48:36 Smoke smbd[19041]: [2014/11/26 17:48:36.794360,  0] smbd/server.c:281(remove_child_pid) 
Nov 26 17:48:36 Smoke smbd[19041]:   Could not find child 22610 -- ignoring 
Nov 26 18:01:37 Smoke smbd[19041]: [2014/11/26 18:01:37.582969,  0] smbd/server.c:281(remove_child_pid) 
Nov 26 18:01:37 Smoke smbd[19041]:   Could not find child 22735 -- ignoring 
Note: the syslog log file is /var/log/messages;
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart (restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@Smoke ~]# vim /etc/hosts.allow (edit the hosts.allow file)

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

[root@Smoke ~]# vim /etc/hosts.deny (edit the hosts.deny file)

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

Test: telnet to the Linux host from a Windows command prompt; access succeeds;

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora (username)
Password: (password)
Last login: Wed Nov 26 15:09:43 from 172.16.100.254
[fedora@Smoke ~]$ logout (log out)
[root@Smoke ~]# tail /var/log/telnet.log (show the last 10 lines of the telnet.log log file)
14/11/26@18:10:47: START: telnet pid=22778 from=172.16.100.254
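As an added example (not part of the original lab notes), the records that log_type = FILE writes, in the format of the telnet.log line above, can be parsed to spot sources that open many connections within one second, which is what xinetd's cps attribute is meant to limit. The log lines in the block are constructed sample data; the FAIL record format is an assumption.

```python
"""Parse xinetd START/FAIL records (log_type = FILE format) and report source
addresses that exceeded a given per-second connection limit."""
import re
from collections import Counter

# Constructed sample in the same format as /var/log/telnet.log above.
SAMPLE_LOG = """\
14/11/26@18:10:47: START: telnet pid=22778 from=172.16.100.254
14/11/26@18:10:47: START: telnet pid=22779 from=172.16.100.254
14/11/26@18:10:47: START: telnet pid=22780 from=172.16.100.254
14/11/26@18:10:48: START: telnet pid=22781 from=172.16.100.254
14/11/26@18:10:49: START: telnet pid=22782 from=172.16.100.7
14/11/26@18:10:50: FAIL: telnet address from=172.16.100.254
"""

# timestamp, event (START/FAIL), service name, rest of the record
RECORD_RE = re.compile(r"^(\S+): (START|FAIL): (\S+) (.*)$")
FROM_RE = re.compile(r"from=(\S+)")


def parse_records(text):
    """Yield (timestamp, event, service, source) for each parseable line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        stamp, event, service, rest = m.groups()
        src = FROM_RE.search(rest)
        yield stamp, event, service, src.group(1) if src else None


def starts_per_second(text):
    """Count START records per (timestamp, source); timestamps have 1 s resolution."""
    return Counter((stamp, src) for stamp, event, _, src in parse_records(text)
                   if event == "START")


def over_cps(text, cps):
    """Return [(timestamp, source, count)] where count exceeds `cps`, the first
    argument of xinetd's cps attribute, oldest first."""
    return sorted((stamp, src, n) for (stamp, src), n in starts_per_second(text).items()
                  if n > cps)


def fail_sources(text):
    """Sources that xinetd refused (FAIL records), with counts."""
    return Counter(src for _, event, _, src in parse_records(text) if event == "FAIL")


if __name__ == "__main__":
    for stamp, src, n in over_cps(SAMPLE_LOG, cps=1):
        print("%s: %s opened %d connections in one second (cps limit 1)" % (stamp, src, n))
    for src, n in fail_sources(SAMPLE_LOG).items():
        print("%s refused %d time(s)" % (src, n))
```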
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        only_from       = 172.16.0.0/16 (only allow access from the 172.16.0.0/16 network)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart (restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; access succeeds;

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora (username)
Password: (password)
Last login: Wed Nov 26 15:09:43 from 172.16.100.254
[fedora@Smoke ~]$ logout (log out)
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        only_from       = 172.16.0.0/16 (only allow access from the 172.16.0.0/16 network)
        no_access       = 172.16.100.254 (deny access from 172.16.100.254)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart (restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; access is refused;

C:\Users\Smoke>telnet 172.16.100.1
[root@Smoke ~]# date (show the current system time)
Wed Nov 26 18:26:31 CST 2014
[root@Smoke ~]# hwclock -s (set the system clock from the hardware clock)
[root@Smoke ~]# date
Sat Nov 29 01:38:25 CST 2014
[root@Smoke ~]# date (show the current system time)
Sat Nov 29 01:42:00 CST 2014
[root@Smoke ~]# date 0121220416.30 (set the system time to 22:04 on 21 January 2016)
Thu Jan 21 22:04:30 CST 2016
[root@Smoke ~]# hwclock -w (write the system clock to the hardware clock)
[root@Smoke ~]# date (show the current system time)
Thu Jan 21 22:05:54 CST 2016
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        only_from       = 172.16.0.0/16 (only allow access from the 172.16.0.0/16 network)
        access_times    = 22:00-23:00 (allow access between 22:00 and 23:00)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart (restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; access succeeds;

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora (username)
Password: (password)
Last login: Wed Nov 26 15:09:43 from 172.16.100.254
[fedora@Smoke ~]$ logout (log out)
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        only_from       = 172.16.0.0/16 (only allow access from the 172.16.0.0/16 network)
        access_times    = 12:00-14:00 (allow access between 12:00 and 14:00)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart (restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; access is refused;

C:\Users\Smoke>telnet 172.16.100.1
[root@Smoke ~]# ifconfig (show network interface information)
eth0      Link encap:Ethernet  HWaddr 00:0C:29:CC:FA:AE  
          inet addr:172.16.100.1  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:124807 errors:0 dropped:0 overruns:0 frame:0
          TX packets:179479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10174552 (9.7 MiB)  TX bytes:173742480 (165.6 MiB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3773 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3773 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:404062 (394.5 KiB)  TX bytes:404062 (394.5 KiB)
[root@Smoke ~]# netstat -tnlp (list listening services: -t TCP, -n numeric output, -l listening sockets, -p show the owning program)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3669/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:610                 0.0.0.0:*                   LISTEN      3396/rpc.statd      
tcp        0      0 0.0.0.0:32803               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN      23215/xinetd        
tcp        0      0 0.0.0.0:875                 0.0.0.0:*                   LISTEN      3762/rpc.rquotad    
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3356/portmap        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3690/sshd           
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN      23215/xinetd        
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3702/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3831/sendmail       
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      22857/sshd          
tcp        0      0 127.0.0.1:6012              0.0.0.0:*                   LISTEN      22900/sshd          
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN      3787/rpc.mountd     
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3674/python         
tcp        0      0 :::139                      :::*                        LISTEN      19041/smbd          
tcp        0      0 :::22                       :::*                        LISTEN      3690/sshd           
tcp        0      0 ::1:6011                    :::*                        LISTEN      22857/sshd          
tcp        0      0 ::1:6012                    :::*                        LISTEN      22900/sshd          
tcp        0      0 :::445                      :::*                        LISTEN      19041/smbd   
Note: the telnet service listens on 0.0.0.0:23, i.e. on every IP address; if this host had 3 IP addresses the service would be reachable on all 3. Suppose we want it reachable only on the internal interface address;
[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        only_from       = 172.16.0.0/16 (only allow access from the 172.16.0.0/16 network)
        access_times    = 12:00-14:00 (allow access between 12:00 and 14:00)
        bind            = 172.16.100.1 (serve only on the address 172.16.100.1)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart (restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@Smoke ~]# netstat -tnlp (list listening services: -t TCP, -n numeric output, -l listening sockets, -p show the owning program)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3669/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:610                 0.0.0.0:*                   LISTEN      3396/rpc.statd      
tcp        0      0 0.0.0.0:32803               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN      23249/xinetd        
tcp        0      0 0.0.0.0:875                 0.0.0.0:*                   LISTEN      3762/rpc.rquotad    
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3356/portmap        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3690/sshd           
tcp        0      0 172.16.100.1:23             0.0.0.0:*                   LISTEN      23249/xinetd        
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3702/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3831/sendmail       
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      22857/sshd          
tcp        0      0 127.0.0.1:6012              0.0.0.0:*                   LISTEN      22900/sshd          
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN      3787/rpc.mountd     
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3674/python         
tcp        0      0 :::139                      :::*                        LISTEN      19041/smbd          
tcp        0      0 :::22                       :::*                        LISTEN      3690/sshd           
tcp        0      0 ::1:6011                    :::*                        LISTEN      22857/sshd          
tcp        0      0 ::1:6012                    :::*                        LISTEN      22900/sshd          
tcp        0      0 :::445                      :::*                        LISTEN      19041/smbd    
Note: the telnet service now listens only on 172.16.100.1:23;
[root@Smoke ~]# man xinetd.conf (view the man page for xinetd.conf)

       cps              Limits the rate of incoming connections.  Takes two arguments.  The first argument is the number of connections per second to
                        handle.  If the rate of incoming connections is higher than this, the service will be temporarily disabled.  The second argument
                        is the number of seconds to wait before re-enabling the service after it has been disabled.  The default for this setting is 50
                        incoming connections and the interval is 10 seconds. (limits the rate of incoming requests; takes two arguments: the first is the maximum number of connections handled per second, the second is how long the service stays disabled once the incoming rate exceeds the first; the defaults are 50 and 10 seconds)

[root@Smoke xinetd.d]# vim telnet (edit the telnet file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet (service name; must match the file name under /etc/xinetd.d)
{
        disable = no (attribute, assignment operator, value; enables the service)
        flags           = REUSE (flags)
        socket_type     = stream (socket type, i.e. the transport the service is based on: stream means TCP, dgram means UDP)
        wait            = no (wait: whether, while one user is being served, later requests must wait until that user finishes before being connected; yes means they must wait, no means they need not; for UDP there is never any waiting because it has no connection control, while for TCP it depends on the need)
        user            = root (user: the identity the service runs as)
        server          = /usr/sbin/in.telnetd (the server binary)
        only_from       = 172.16.0.0/16 (only allow access from the 172.16.0.0/16 network)
        access_times    = 12:00-14:00 (allow access between 12:00 and 14:00)
        bind            = 172.16.100.1 (serve only on the address 172.16.100.1)
        cps             = 1 10 (at most one connection per second; above that the service is disabled for 10 seconds)
        log_type        = FILE /var/log/telnet.log (log type FILE, logging to /var/log/telnet.log)
        log_on_failure  += USERID (what to log on failure; = assigns and overrides the existing value, += adds to the default, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart(重启xinetd服务)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

测试:使用Windows系统的command(命令提示符)telnet远程登录linux主机,无法访问;

C:\Users\Smoke>telnet 172.16.100.1

[root@Smoke xinetd.d]# vim telnet(edit the telnet service file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(service name; must match the file name under /etc/xinetd.d)
{
        disable = no(attribute, assignment operator, value; no enables the service)
        flags           = REUSE(flags)
        socket_type     = stream(socket type, i.e. the protocol the service runs on: stream means tcp, dgram means udp)
        wait            = no(whether a later request must wait until the current client is finished before it is accepted: yes means it must wait, no means it need not; a udp service can never wait because there is no connection to track, a tcp service waits or not as required)
        user            = root(the user identity the service runs as)
        server          = /usr/sbin/in.telnetd(the program binary)
        only_from       = 172.16.0.0/16(only the 172.16.0.0/16 network may connect)
        access_times    = 22:00-23:00(access allowed between 22:00 and 23:00 only)
        bind            = 172.16.100.1(serve only on the address 172.16.100.1)
        cps             = 1 10(at most one connection per second; beyond that the service is disabled for 10 seconds)
        log_type        = FILE /var/log/telnet.log(log type FILE, written to /var/log/telnet.log)
        log_on_failure  += USERID(what to record for a failed request; = assigns and overwrites, += adds to the default value, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart(restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; the connection is refused;

C:\Users\Smoke>telnet 172.16.100.1
正在连接172.16.100.1...无法打开到主机的连接。 在端口 23: 连接失败

[root@Smoke xinetd.d]# vim telnet(edit the telnet service file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(service name; must match the file name under /etc/xinetd.d)
{
        disable = no(attribute, assignment operator, value; no enables the service)
        flags           = REUSE(flags)
        socket_type     = stream(socket type, i.e. the protocol the service runs on: stream means tcp, dgram means udp)
        wait            = no(whether a later request must wait until the current client is finished before it is accepted: yes means it must wait, no means it need not; a udp service can never wait because there is no connection to track, a tcp service waits or not as required)
        user            = root(the user identity the service runs as)
        server          = /usr/sbin/in.telnetd(the program binary)
        only_from       = 172.16.0.0/16(only the 172.16.0.0/16 network may connect)
        access_times    = 22:00-23:00(access allowed between 22:00 and 23:00 only)
        bind            = 172.16.100.1(serve only on the address 172.16.100.1)
        cps             = 2 10(at most two connections per second; beyond that the service is disabled for 10 seconds)
        log_type        = FILE /var/log/telnet.log(log type FILE, written to /var/log/telnet.log)
        log_on_failure  += USERID(what to record for a failed request; = assigns and overwrites, += adds to the default value, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart(restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; the login succeeds;

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(password)
Last login: Wed Nov 26 15:09:43 from 172.16.100.254
[fedora@Smoke ~]$ 

Without closing the first telnet session, open a second command prompt and telnet to the Linux host again; it still succeeds, because the limit is 2 requests per second and our connections are far too slow to reach it, so the test does not show the effect;

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(password)
Last login: Wed Nov 26 15:09:43 from 172.16.100.254
[fedora@Smoke ~]$ 

[root@Smoke ~]# man xinetd.conf(view the man page for xinetd.conf)

       per_source       Takes an integer or "UNLIMITED" as an argument. This specifies the maximum instances of this service per source IP address.
                        This can also be specified in the defaults section.(how many instances the same IP address may have open at once)

/per_source

[root@Smoke xinetd.d]# vim telnet(edit the telnet service file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(service name; must match the file name under /etc/xinetd.d)
{
        disable = no(attribute, assignment operator, value; no enables the service)
        flags           = REUSE(flags)
        socket_type     = stream(socket type, i.e. the protocol the service runs on: stream means tcp, dgram means udp)
        wait            = no(whether a later request must wait until the current client is finished before it is accepted: yes means it must wait, no means it need not; a udp service can never wait because there is no connection to track, a tcp service waits or not as required)
        user            = root(the user identity the service runs as)
        server          = /usr/sbin/in.telnetd(the program binary)
        only_from       = 172.16.0.0/16(only the 172.16.0.0/16 network may connect)
        access_times    = 22:00-23:00(access allowed between 22:00 and 23:00 only)
        bind            = 172.16.100.1(serve only on the address 172.16.100.1)
        per_source      = 1(at most one instance from the same IP address)
        log_type        = FILE /var/log/telnet.log(log type FILE, written to /var/log/telnet.log)
        log_on_failure  += USERID(what to record for a failed request; = assigns and overwrites, += adds to the default value, -= removes an item from the default)
}

[root@Smoke ~]# service xinetd restart(restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; the login succeeds;

C:\Users\Smoke>telnet 172.16.100.1
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel 2.6.28-l7 on an i686
login: fedora(user name)
Password:(password)
Last login: Wed Nov 26 15:09:43 from 172.16.100.254
[fedora@Smoke ~]$ 

Without closing the first telnet session, open a second command prompt and telnet to the Linux host again; it is refused: with per_source = 1 the same IP address may have only one instance open;

C:\Users\Smoke>telnet 172.16.100.1

[root@Smoke xinetd.d]# vim telnet(edit the telnet service file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(service name; must match the file name under /etc/xinetd.d)
{
        disable = no(attribute, assignment operator, value; no enables the service)
        flags           = REUSE(flags)
        socket_type     = stream(socket type, i.e. the protocol the service runs on: stream means tcp, dgram means udp)
        wait            = no(whether a later request must wait until the current client is finished before it is accepted: yes means it must wait, no means it need not; a udp service can never wait because there is no connection to track, a tcp service waits or not as required)
        user            = root(the user identity the service runs as)
        server          = /usr/sbin/in.telnetd(the program binary)
        only_from       = 172.16.0.0/16(only the 172.16.0.0/16 network may connect)
        access_times    = 22:00-23:00(access allowed between 22:00 and 23:00 only)
        bind            = 172.16.100.1(serve only on the address 172.16.100.1)
        per_source      = 1(at most one instance from the same IP address)
        cps             = 25 30(at most 25 connections per second; beyond that the service is disabled for 30 seconds)
        log_type        = FILE /var/log/telnet.log(log type FILE, written to /var/log/telnet.log)
        log_on_failure  += USERID(what to record for a failed request; = assigns and overwrites, += adds to the default value, -= removes an item from the default)
}


[root@Smoke ~]# man xinetd.conf(view the man page for xinetd.conf)

       instances        determines the number of servers that can be simultaneously active for a service (the default is no limit). The value of this attribute
                        can be either a number or UNLIMITED which means that there is no limit.(the maximum number of concurrent instances allowed for a particular service)

       server           determines the program to execute for this service.(the program binary that is started for the service)

       server_args      determines the arguments passed to the server. In contrast to inetd, the server name should not be included in server_args.(the arguments passed to the program when the service is started)

       banner           Takes the name of a file to be splatted at the remote host when a connection to that service is established. This banner is printed
                        regardless of access control. It should *always* be printed when a connection has been made. xinetd outputs the file as-is, so you
                        must ensure the file is correctly formatted for the service's protocol. In paticular, if the protocol requires CR-LF pairs for line
                        termination, you must supply them.(a welcome banner: names a file whose contents are sent to the client host as soon as a connection is established)

/instances
/banner

[root@Smoke xinetd.d]# vim telnet(edit the telnet service file)

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet(service name; must match the file name under /etc/xinetd.d)
{
        disable = no(attribute, assignment operator, value; no enables the service)
        flags           = REUSE(flags)
        socket_type     = stream(socket type, i.e. the protocol the service runs on: stream means tcp, dgram means udp)
        wait            = no(whether a later request must wait until the current client is finished before it is accepted: yes means it must wait, no means it need not; a udp service can never wait because there is no connection to track, a tcp service waits or not as required)
        user            = root(the user identity the service runs as)
        server          = /usr/sbin/in.telnetd(the program binary)
        only_from       = 172.16.0.0/16(only the 172.16.0.0/16 network may connect)
        access_times    = 08:00-18:00(access allowed between 08:00 and 18:00 only)
        bind            = 172.16.100.1(serve only on the address 172.16.100.1)
        per_source      = 1(at most one instance from the same IP address)
        cps             = 25 30(at most 25 connections per second; beyond that the service is disabled for 30 seconds)
        banner          = /etc/telnet.banner(the file whose contents are shown as the welcome message when a client connects)
        log_type        = FILE /var/log/telnet.log(log type FILE, written to /var/log/telnet.log)
        log_on_failure  += USERID(what to record for a failed request; = assigns and overwrites, += adds to the default value, -= removes an item from the default)
}

[root@Smoke xinetd.d]# vim /etc/telnet.banner(edit the telnet.banner file)

Welcome to our telnet server...

[root@Smoke ~]# service xinetd restart(restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

Test: telnet to the Linux host from a Windows command prompt; the connection succeeds;

C:\Users\Smoke>telnet 172.16.100.1
Welcome to our telnet server...(the banner)
                               Red Hat Enterprise Linux Server release 5.8 (Tikanga)(contents of /etc/issue.net)
Kernel 2.6.28-l7 on an i686
login:
[root@Smoke ~]# cat /etc/issue(show the contents of /etc/issue)
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel \r on an \m
Note: /etc/issue holds the message shown on a local login;
[root@Smoke ~]# cat /etc/issue.net(show the contents of /etc/issue.net)
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Kernel \r on an \m
Note: /etc/issue.net holds the message shown on a remote login over the network;
[root@Smoke ~]# cd /etc/xinetd.d/(change to the /etc/xinetd.d directory)
[root@Smoke xinetd.d]# vim rsync(edit the rsync service file)

# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable = no(must be no for xinetd to serve rsync; the shipped file has yes, and the 873 listener below appears only once it is changed)
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
        only_from       = 172.16.0.0/16(only the 172.16.0.0/16 network may connect)
        no_access       = 172.16.0.1(the host 172.16.0.1 is refused)
        bind            = 172.16.100.1(the service listens on 172.16.100.1)
        instances       = 3(at most 3 clients may be connected at the same time)
        per_source      = 2(at most 2 connections from the same IP address)
}

[root@Smoke xinetd.d]# service xinetd restart(restart the xinetd service)
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@Smoke xinetd.d]# netstat -tnlp(list listening services: -t tcp, -n numeric addresses, -l listening sockets, -p owning process)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3669/./hpiod        
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:610                 0.0.0.0:*                   LISTEN      3396/rpc.statd      
tcp        0      0 0.0.0.0:32803               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN      24312/xinetd        
tcp        0      0 172.16.100.1:873            0.0.0.0:*                   LISTEN      24312/xinetd        
tcp        0      0 0.0.0.0:875                 0.0.0.0:*                   LISTEN      3762/rpc.rquotad    
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3356/portmap        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3690/sshd           
tcp        0      0 172.16.100.1:23             0.0.0.0:*                   LISTEN      24312/xinetd        
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3702/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3831/sendmail       
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      23649/sshd          
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      23687/sshd          
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN      3787/rpc.mountd     
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3674/python         
tcp        0      0 :::139                      :::*                        LISTEN      19041/smbd          
tcp        0      0 :::22                       :::*                        LISTEN      3690/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      23649/sshd          
tcp        0      0 ::1:6011                    :::*                        LISTEN      23687/sshd          
tcp        0      0 :::445                      :::*                        LISTEN      19041/smbd       
Note: the rsync service listens on tcp port 873; an rsync server provides file synchronization to its clients;
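The tests above check only_from, access_times, no_access and the rate limits by hand, one connection at a time. The following added example (not code from the original notes or from xinetd) parses an /etc/xinetd.d style stanza, honouring the =, += and -= operators, and dry-runs the static access controls for a given client address and time of day; the stanza, the DEFAULTS table and the tie-break rule for a host matched by both only_from and no_access are assumptions of the example.

```python
import ipaddress
import re

# Constructed stanza modelled on the rsync service file above.
SAMPLE_STANZA = """\
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
        only_from       = 172.16.0.0/16
        no_access       = 172.16.0.1
        bind            = 172.16.100.1
        access_times    = 08:00-18:00
        instances       = 3
        per_source      = 2
}
"""

ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")
# Values a += or -= operator acts on; constructed stand-in for the
# "defaults" section of /etc/xinetd.conf.
DEFAULTS = {"log_on_failure": ["HOST"]}


def parse_stanza(text):
    """Return (service name, {attribute: [values]}) honouring =, += and -=."""
    name, attrs = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() in ("{", "}"):
            continue
        if line.startswith("service "):
            name = line.split(None, 1)[1].strip()
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        attr, op, value = m.groups()
        values = value.split()
        current = attrs.get(attr, list(DEFAULTS.get(attr, [])))
        if op == "=":
            attrs[attr] = values                       # overwrite
        elif op == "+=":
            attrs[attr] = current + [v for v in values if v not in current]
        else:
            attrs[attr] = [v for v in current if v not in values]
    return name, attrs


def _networks(values):
    # xinetd accepts single hosts, CIDR networks and "172.16." style prefixes;
    # the trailing-dot form is widened to the matching CIDR here.
    nets = []
    for v in values:
        if v.endswith("."):
            octets = v.rstrip(".").split(".")
            v = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
        nets.append(ipaddress.ip_network(v, strict=False))
    return nets


def _best_prefix(values, client):
    """Longest prefix length among entries containing client, or -1 for none."""
    return max((n.prefixlen for n in _networks(values) if client in n), default=-1)


def _hm(text):
    hours, minutes = text.split(":")
    return int(hours), int(minutes)


def access_allowed(attrs, client_ip, now):
    """Apply disable, only_from, no_access and access_times to one request.

    now is "HH:MM". Returns (allowed, reason)."""
    if attrs.get("disable", ["no"])[0] == "yes":
        return False, "service disabled"
    client = ipaddress.ip_address(client_ip)
    allow = _best_prefix(attrs.get("only_from", []), client)
    deny = _best_prefix(attrs.get("no_access", []), client)
    if "only_from" in attrs and allow < 0:
        return False, "not in only_from"
    if deny >= 0 and deny >= allow:          # most specific match wins; assumption: a tie denies
        return False, "matched no_access"
    if "access_times" in attrs:
        inside = any(_hm(start) <= _hm(now) <= _hm(end)
                     for start, end in (iv.split("-") for iv in attrs["access_times"]))
        if not inside:
            return False, "outside access_times"
    return True, "allowed"


def limits(attrs):
    """The rate and instance limits, which only take effect under load."""
    return {k: attrs[k] for k in ("cps", "per_source", "instances") if k in attrs}


if __name__ == "__main__":
    name, attrs = parse_stanza(SAMPLE_STANZA)
    for ip, at in (("172.16.100.254", "09:00"), ("172.16.0.1", "09:00"),
                   ("10.0.0.5", "09:00"), ("172.16.100.254", "23:00")):
        print(name, ip, at, access_allowed(attrs, ip, at))
    print("limits:", limits(attrs), "log_on_failure:", attrs["log_on_failure"])
```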

Managing authorization of access to resources:

Authentication

Authorization

Auditing

Authentication & Authorization

The process of determining whether a client should have access to a resource can be divided into two tasks(is the party requesting the resource really the user it claims to be?)

Authentication determines whether a client username and password is authenticated(decides whether a user's username and password pass verification)

For instance, a person logging in with a correct username and password is authenticated

Authorization determines whether or not a user is granted access to a service(decides whether the user is granted access to a service or resource)

Even if you correctly authenticate, you may be denied access due to other restrictions (service configuration, /etc/securetty, etc.)

A user

  username

  password

username --> UID(the operating system identifies users by UID)

groupname --> GID(the operating system identifies groups by GID)


Name resolution: the process of converting a string that is easy for people to recognize into a number that is easy for the operating system to recognize;

FQDN-->IP

http-->80

route

FQDN --> IP

  dns

  /etc/hosts

  mysql

  nis (Network Information Service)

  ldap (Lightweight Directory Access Protocol)

App --> nsswitch (Name Service Switch) --> resolver library

  nsswitch

login

  username

/etc/nsswitch.conf(names the lookup sources for many kinds of name resolution)

  passwd: files(when looking up a user account, search the file, i.e. /etc/passwd)

  group: files

    root --> UID

hosts: files dns(when resolving a host name, check the file first, then DNS if it is not there)

Name Service Lookup Results

Four results are possible when looking up an entry in a particular name service

  SUCCESS service ok, found name(the service is working and a value for the name was found)

  NOTFOUND service ok, name not found(the service is working but has no value for the name)

  UNAVAIL service not available(the service is unavailable)

  TRYAGAIN temporary service failure(temporary failure of the service)

By default, return on the first SUCCESS, otherwise continue(return as soon as one source reports SUCCESS, otherwise try the next source)

Result Actions

The action taken for a particular lookup result can be changed

  passwd: nis [NOTFOUND=return] files(look up user accounts in NIS; if NIS reports not found, return immediately without consulting the files)

In the example above, libc will try to look up passwd information in NIS, and will only use local files if NIS is not available

  This example would require the root account to be stored in NIS, which is not ideal
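The walk through the sources, with the default actions and the [STATUS=ACTION] overrides described above, as an added example that is not code from the original notes or from glibc; the probe functions below return constructed answers, so no NIS or DNS server is contacted.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: return on the first SUCCESS, otherwise continue.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nsswitch_line(line):
    """'passwd: nis [NOTFOUND=return] files' -> (db, [(service, {status: action})]).

    A bracket group applies to the service that precedes it, and
    '!STATUS=ACTION' means every status except STATUS."""
    database, _, rest = line.partition(":")
    entries = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if token.startswith("["):
            if not entries:
                raise ValueError("action group before any service: %r" % line)
            actions = entries[-1][1]
            for pair in token[1:-1].split():
                status, action = pair.upper().split("=", 1)
                negate = status.startswith("!")
                status = status.lstrip("!")
                if status not in STATUSES or action not in ("RETURN", "CONTINUE"):
                    raise ValueError("bad action pair: %r" % pair)
                for s in STATUSES:
                    if (s == status) != negate:
                        actions[s] = action.lower()
        else:
            entries.append((token, dict(DEFAULT_ACTIONS)))
    return database.strip(), entries


def lookup(entries, probe):
    """Consult the sources in order; probe(service) returns one of STATUSES.

    Returns (final status, services consulted). When every source says
    'continue' the status of the last one is reported."""
    consulted, status = [], "NOTFOUND"
    for service, actions in entries:
        status = probe(service)
        consulted.append(service)
        if actions[status] == "return":
            break
    return status, consulted


# Constructed answers for the two situations the notes describe.
def nis_down(service):
    return "UNAVAIL" if service == "nis" else "SUCCESS"


def root_only_in_files(service):
    # root lives in /etc/passwd only; NIS has never heard of it
    return "NOTFOUND" if service == "nis" else "SUCCESS"


def demo():
    _, passwd = parse_nsswitch_line("passwd: nis [NOTFOUND=return] files")
    _, hosts = parse_nsswitch_line("hosts: files dns")
    return {
        "nis down": lookup(passwd, nis_down),
        "root in files": lookup(passwd, root_only_in_files),
        "host not local": lookup(hosts, lambda s: "NOTFOUND" if s == "files" else "SUCCESS"),
    }


if __name__ == "__main__":
    for case, (status, consulted) in demo().items():
        print("%-15s -> %-8s after consulting %s" % (case, status, ", ".join(consulted)))
```

The "root in files" case is the pitfall the notes point out: NIS answers NOTFOUND, the [NOTFOUND=return] action stops the walk, and /etc/passwd is never consulted.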

mingetty (provides virtual terminals only)

login

  /etc/nsswitch.conf

  passwd: files

  group: files

  shadow: files(/etc/shadow)

Name resolution

  libnss

Authentication

  two mechanisms that run independently of each other

app --> username: password

  root --> nsswitch.conf --> passwd: files

  '123456' --> nsswitch.conf --> shadow: files

  auth: 123456 --> md5(salt) --> compare

    authentication itself need not rely on the name service to find the user and the place where the password is stored

  123456 --> md5, salt

  shadow

Authentication

  md5: /etc/shadow pam_unix.so(the module that implements traditional user authentication)

  mysql

  ldap App:login, /etc/pam.d/login

  nis

  kerberos

app --> PAM (authentication framework) --> Authentication

App: login, /etc/pam.d/login

PAM

Pluggable Authentication Modules

  A generic framework for applications which must handle authentication and authorization of users

Centralized, shared code base

  A PAM-enabled application calls the PAM libraries to perform all authentication tasks for it and return a pass or fail response to the application

Dynamically configurable

  Install a new module to add new authentication methods or other capabilities

  Edit the application's PAM configuration; changes take effect immediately

How PAM authenticates:

Suppose an application X needs to authenticate a user. Instead of doing the check itself, it hands the work to PAM. PAM authenticates the user according to its configuration file: the file names the modules that perform the checks, each module returns its result to PAM, and PAM returns the final verdict to the application, that is, whether the user passed and whether authentication is complete. If PAM reports success, the application serves the user normally; if PAM reports that the user is not valid, the application refuses. The whole process is therefore carried out by PAM, and it depends on PAM's configuration files and library files. The configuration is fairly involved: it defines four kinds of authentication stacks, each responsible for a different part of handling a user;

PAM

  /etc/pam.conf(the centralized form; this file usually does not exist)

    service(which service the rule applies to) type control module-path [module-arguments]

  /etc/pam.d/service(one file per service under /etc/pam.d/, usually named after the service)

    type(one of auth, account, password, session) control(how several rules of the same type combine with each other) module-path(the module that performs the check) [module-arguments](arguments for the module)

The service

service(the file name for the service)

  The service is the name of the file in the /etc/pam.d/ directory

  This filename must be in lower case(the file name must be lower case)

An important feature of PAM is that a number of rules may be stacked to combine the services of a number of PAMs for a given authentication task

The service is typically the familiar name of the corresponding application

The service-name, other, is reserved for giving default rules(other defines the default rules: for example when authenticating through login, /etc/pam.d/login is consulted first, and if that file yields no result for the user, other is used)

Only lines that mention the current service (or in the absence of such, the other entries) will be associated with the given service-application

Types:

account this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console.

auth this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties.

password this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.

session this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

Each of these groups is independent

A module need not support all four groups

The control

Indicates the behavior of the PAM-API should the module fail to succeed in its authentication task

There are two types of syntax for this control field:

  the simple one has a single simple keyword

  the more complicated one involves a square-bracketed selection of value=action pairs(which action to take for a given return value)

Combining rules:

required failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.(required: this check must pass and it holds a veto: if it fails, the final result is failure no matter what, but the remaining entries of the same type are still evaluated; if it passes, that is only an approving vote and does not decide the outcome, because a later entry can still fail the stack)

requisite like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.(requisite: must also pass, and it is a true one-vote veto: if it passes, the remaining entries decide; if it fails, the stack stops at once and nothing after it is checked, which is the difference from required)

sufficient success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.(sufficient: a sufficient condition; if this check passes, the stack passes and nothing after it is checked, a one-vote approval; if it fails, the failure carries no weight and the other entries decide)

optional the success or failure of this module is only important if it is the only module in the stack associated with this service-type.(optional: a bystander whose pass or fail does not affect the result)

include include all lines of given type from the configuration file specified as an argument to this control.(include: pull in the lines of another file and let that file decide, an abstention that hands the decision over)

substack include all lines of given type from the configuration file specified as an argument to this control. This differs from include in that evaluation of the done and die actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack. The reset action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation.

For the more complicated syntax valid control values have the following form:

  [value1=action1 value2=action2 ...]

Return values of PAM modules:

Where valueN corresponds to the return code from the function invoked in the module for which the line is defined. It is selected from one of these: success (the module succeeded), open_err (a file could not be opened), symbol_err (symbol lookup in the module failed), service_err (service error), system_err (system error), buf_err (buffer error), perm_denied (permission denied), auth_err (authentication failed), cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete, and default (matches every value not listed explicitly).

More advanced syntax for controlling how PAM reacts to different module return codes

  Can fine tune authentication based on the reason why the modules failed

Assigns an action to particular return codes

  About thirty different return codes, as described in previous page

Six standard actions(there are six standard actions; each says what to do once a given result has been obtained)

  ok, done, bad, die, ignore, reset

Actions:

ok This module passed, keep checking(passed, keep checking; it cannot decide success on its own)

done This module passed, and return the final result to the application now(a decisive pass: success is returned to the application immediately)

bad The result is failed, keep checking(failed; the remaining entries are still checked)

die The result is failed, and return the failure result to the application now(failed, and the failure is returned immediately: a one-vote veto)

ignore The result will not affect the overall result(ignored; does not contribute to the final result)

reset Ignore any results that have already been collected in the final result(discard everything collected so far and start again from here)

Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows:

required [success=ok new_authtok_reqd=ok ignore=ignore default=bad](success=ok: on success keep checking; ignore=ignore: that result is ignored; default=bad: any other return value counts as failure, so the stack will fail, but the remaining entries are still checked)

requisite [success=ok new_authtok_reqd=ok ignore=ignore default=die](success=ok: on success keep checking; default=die: anything other than success ends the stack with failure at once, a one-vote veto)

sufficient [success=done new_authtok_reqd=done default=ignore](success=done: a decisive pass; default=ignore: a failure here does not matter and the other entries decide)

optional [success=ok new_authtok_reqd=ok default=ignore](success=ok: even on success keep checking; default=ignore: a failure is ignored)
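The keyword-to-bracket equivalences and the six actions above, applied to a small auth stack, as an added example that is not code from the original notes or from Linux-PAM. The /etc/pam.d style lines and the per-module return codes in demo() are constructed for the demonstration; no real module is loaded.

```python
import re

# The four keywords expanded to their [value=action] form, as listed above.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
ACTIONS = ("ok", "done", "bad", "die", "ignore", "reset")
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(control):
    """Turn a control field (keyword or [...] form) into {return_code: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control: %r" % control)
    table = {}
    for pair in control[1:-1].split():
        code, action = pair.split("=", 1)
        if action not in ACTIONS:
            raise ValueError("unsupported action: %r" % action)
        table[code] = action
    return table


def parse_pam_lines(text, wanted_type):
    """Keep the lines of one type from a /etc/pam.d/<service> file, in order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse: %r" % raw)
        mtype, control, module, _args = m.groups()
        if mtype == wanted_type:
            stack.append((module, parse_control(control)))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module -> return code (default 'success').

    Returns (verdict, modules consulted). 'impression' is the running state:
    None (undecided), 'success' or 'failure'."""
    impression, consulted = None, []
    for module, table in stack:
        code = results.get(module, "success")
        action = table.get(code, table.get("default", "bad"))
        consulted.append(module)
        if action == "ok" and impression is None:
            impression = "success"            # counts, but keep checking
        elif action == "done":
            if impression is None:
                impression = "success"
            if impression == "success":       # an earlier failure still wins
                break
        elif action == "bad" and impression != "failure":
            impression = "failure"            # veto, but keep checking
        elif action == "die":
            impression = "failure"            # veto and stop at once
            break
        elif action == "reset":
            impression = None                 # forget everything so far
        # "ignore" contributes nothing
    return impression or "failure", consulted   # an undecided stack fails


# Constructed auth stack in the spirit of /etc/pam.d/login with its includes resolved.
LOGIN_AUTH = """
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       sufficient   pam_unix.so nullok
auth       required     pam_deny.so
"""


def demo():
    stack = parse_pam_lines(LOGIN_AUTH, "auth")
    deny = {"pam_deny.so": "auth_err"}        # pam_deny always fails
    return {
        "all pass": evaluate(stack, deny),
        "required fails": evaluate(stack, dict(deny, **{"pam_securetty.so": "perm_denied"})),
        "requisite fails": evaluate(stack, dict(deny, **{"pam_nologin.so": "auth_err"})),
        "sufficient fails": evaluate(stack, dict(deny, **{"pam_unix.so": "auth_err"})),
    }


if __name__ == "__main__":
    for case, (verdict, consulted) in demo().items():
        print("%-17s %-7s after %s" % (case, verdict, " -> ".join(consulted)))
```

The "required fails" case shows the veto without an early exit (all four modules run, including the sufficient one, whose done is overridden), while "requisite fails" stops after two modules.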

[root@Smoke ~]# cd /usr/lib(change to the /usr/lib directory)
[root@Smoke lib]# ls(list the files and subdirectories of the current directory)
libuser                                 java-1.6.0                          libestbase.so.1.2.95.1           libI810XvMC.so.1
libOpenIPMItcl.so.0.0.1                 libuser.so                          java-ext                         libeststring.so.1.2
libI810XvMC.so.1.0.0                    libOpenIPMIui.so.1                  libuser.so.1                     jvm
libevent-1.4.so.2                       libICE.so                           libOpenIPMIui.so.1.0.1           libuser.so.1.1.6
jvm-commmon                             libevent-1.4.so.2.1.3               libICE.so.6                      libOpenIPMIutils.so.0
libutempter.so.0                        jvm-exports                         libevent_core-1.4.so.2           libICE.so.6.3.0
libOpenIPMIutils.so.0.0.1               libutempter.so.1.1.4                jvm-private                      libevent_core-1.4.so.2.1.3
libicudata.so.36                        libORBit-2.a                        libutil.a                        kde3
libevent_extra-1.4.so.2                 libicudata.so.36.0                  libORBit-2.so                    libutil.so
krb5                                    libevent_extra-1.4.so.2.1.3         libicui18n.so.36                 libORBit-2.so.0
libuuid.a                               lftp                                libexchange-storage-1.2.so.3     libicui18n.so.36.0
libORBit-2.so.0.1.0                     libuuid.so                          liba2ps.a                        libexchange-storage-1.2.so.3.0.0
libicuio.so.36                          libORBitCosNaming-2.a               libviaXvMCPro.so.1               liba2ps.la
libexif.so.12                           libicuio.so.36.0                    libORBitCosNaming-2.so           libviaXvMCPro.so.1.0.0
libacl.a                                libexif.so.12.3.2                   libicule.so.36                   libORBitCosNaming-2.so.0
libviaXvMC.so.1                         libacl.so                           libexpat.a                       libicule.so.36.0
libORBitCosNaming-2.so.0.1.0            libviaXvMC.so.1.0.0                 libaio.so.1                      libexpat.la
libiculx.so.36                          libORBit-imodule-2.a                libvorbis.a                      libaio.so.1.0.0
libexpat.so                             libiculx.so.36.0                    libORBit-imodule-2.so            libvorbisenc.a
libaio.so.1.0.1                         libexslt.a                          libicutu.so.36                   libORBit-imodule-2.so.0
libvorbisenc.so                         libalchemist.so.0                   libexslt.so                      libicutu.so.36.0
libORBit-imodule-2.so.0.0.0             libvorbisenc.so.2                   libalchemist.so.0.0.0            libexslt.so.0
libicuuc.so.36                          libospgrove.la                      libvorbisenc.so.2.0.2            libanl.a
libexslt.so.0.8.13                      libicuuc.so.36.0                    libospgrove.so                   libvorbisfile.a
libanl.so                               libext2fs.a                         libIDL-2.so                      libospgrove.so.0
libvorbisfile.so                        libao.so.2                          libext2fs.so                     libIDL-2.so.0
libospgrove.so.0.0.1                    libvorbisfile.so.3                  libao.so.2.1.3                   libfam.so.0
libIDL-2.so.0.0.0                       libosp.so.5                         libvorbisfile.so.3.1.1           libapol.so
libfam.so.0.0.0                         libidn.a                            libosp.so.5.0.0                  libvorbis.so
libapol.so.3                            libfipscheck.so.1                   libidn.so                        libostyle.la
libvorbis.so.0                          libapr-1.so.0                       libfipscheck.so.1.1.0            libidn.so.11
libostyle.so                            libvorbis.so.0.3.1                  libapr-1.so.0.2.7                libfl.a
libidn.so.11.5.19                       libostyle.so.0                      libvte.so.9                      libaprutil-1.so.0
libFLAC++.so.5                          libiec61883.so.0                    libostyle.so.0.0.1               libvte.so.9.1.5
libaprutil-1.so.0.2.7                   libFLAC++.so.5.0.0                  libiec61883.so.0.0.0             libpamc.so
libWand.so.10                           libart_lgpl_2.so                    libFLAC.so.7                     libieee1284.so.3
libpam_misc.so                          libWand.so.10.0.3                   libart_lgpl_2.so.2               libFLAC.so.7.0.0
libieee1284.so.3.2.1                    libpam.so                           libwbclient.so.0                 libart_lgpl_2.so.2.3.17
libfontconfig.so                        libieee.a                           libpanel.a                       libwmf-0.2.so.7
libasm-0.137.so                         libfontconfig.so.1                  libijs-0.35.so                   libpanel-applet-2.so.0
libwmf-0.2.so.7.1.0                     libasm.so.1                         libfontconfig.so.1.1.0           libijs.so
libpanel-applet-2.so.0.2.11             libwmflite-0.2.so.7                 libasound.a                      libfontenc.so.1
libip4tc.la                             libpanel_g.a                        libwmflite-0.2.so.7.0.1          libasound.so
libfontenc.so.1.0.0                     libip4tc.so                         libpanel.so                      libwnck-1.so.18
libaspell.so.15                         libform.a                           libip4tc.so.0                    libpanel.so.5
libwnck-1.so.18.2.3                     libaspell.so.15.1.3                 libform_g.a                      libip4tc.so.0.0.0
libpanel.so.5.5                         libwrap.a                           libatk-1.0.so                    libform.so
libip6tc.la                             libpanelw.a                         libwrap.so                       libatk-1.0.so.0
libform.so.5                            libip6tc.so                         libpanelw_g.a                    libwvbase.so.4.2
libatk-1.0.so.0.1212.0                  libform.so.5.5                      libip6tc.so.0                    libpanelw.so
libwvstreams.so.4.2                     libattr.a                           libformw.a                       libip6tc.so.0.0.0
libpanelw.so.5                          libwvtelephony.so.4.2               libattr.so                       libformw_g.a
libIPMIlanserv.so.0                     libpanelw.so.5.5                    libwvutils.so.4.2                libaudiofile.so
libformw.so                             libIPMIlanserv.so.0.0.1             libpango-1.0.so                  libX11.so
libaudiofile.so.0                       libformw.so.5                       libiptc.la                       libpango-1.0.so.0
libX11.so.6                             libaudiofile.so.0.0.2               libformw.so.5.5                  libiptc.so
libpango-1.0.so.0.1400.9                libX11.so.6.2.0                     libavahi-client.so.3             libfreebl3.chk
libiptc.so.0                            libpangocairo-1.0.so                libXau.so                        libavahi-client.so.3.2.1
libfreebl3.so                           libiptc.so.0.0.0                    libpangocairo-1.0.so.0           libXau.so.6
libavahi-common.so.3                    libfreetype.so                      libisccc.so.0                    libpangocairo-1.0.so.0.1400.9
libXau.so.6.0.0                         libavahi-common.so.3.4.3            libfreetype.so.6                 libisccc.so.0.2.3
libpangoft2-1.0.so                      libXaw3d.so.7                       libavahi-core.so.4               libfreetype.so.6.3.10
libisccfg.so.1                          libpangoft2-1.0.so.0                libXaw3d.so.7.0                  libavahi-core.so.4.0.5
libFS.so.6                              libisccfg.so.1.0.10                 libpangoft2-1.0.so.0.1400.9      libXaw6.so.6
libavahi-glib.so.1                      libFS.so.6.0.0                      libiscsi.so                      libpangox-1.0.so
libXaw6.so.6.0.1                        libavahi-glib.so.1.0.1              libfwparam.a                     libiscsi.so.0
libpangox-1.0.so.0                      libXaw7.so.7                        libavc1394.so.0                  libg.a
libisc.so.15                            libpangox-1.0.so.0.1400.9           libXaw7.so.7.0.0                 libavc1394.so.0.3.0
libgailutil.so.18                       libisc.so.15.0.2                    libpangoxft-1.0.so               libXaw.so.6
libbdevid.so.5.1.19.6                   libgailutil.so.18.0.1               libjpeg.so                       libpangoxft-1.0.so.0
libXaw.so.7                             libbfd-2.17.50.0.6-20.el5.so        libgamin-1.so.0                  libjpeg.so.62
libpangoxft-1.0.so.0.1400.9             libXcursor.so                       libbind9.so.0                    libgamin-1.so.0.1.7
libjpeg.so.62.0.0                       libparted-1.8.so.0                  libXcursor.so.1                  libbind9.so.0.0.11
libgcj_bc.so.1                          libk5crypto.a                       libparted-1.8.so.0.0.1           libXcursor.so.1.0.2
libbind.so.4                            libgcj_bc.so.1.0.0                  libk5crypto.so                   libpcap.so.0
libXdamage.so.1                         libbind.so.4.1.2                    libgcj.so.7rh                    libk5crypto.so.3
libpcap.so.0.9                          libXdamage.so.1.0.0                 libblkid.a                       libgcj.so.7rh.0.0
libk5crypto.so.3.1                      libpcap.so.0.9.4                    libXdmcp.so                      libblkid.so
libgcj-tools.so.7rh                     libkadm5clnt.a                      libpci.a                         libXdmcp.so.6
libbluetooth.so.2                       libgcj-tools.so.7rh.0.0             libkadm5clnt.so                  libpcrecpp.so.0
libXdmcp.so.6.0.0                       libbluetooth.so.2.4.1               libgconf-2.so                    libkadm5clnt.so.5
libpcrecpp.so.0.0.0                     libXevie.so.1                       libbonobo-2.so                   libgconf-2.so.4
libkadm5clnt.so.5.1                     libpcreposix.so.0                   libXevie.so.1.0.0                libbonobo-2.so.0
libgconf-2.so.4.1.0                     libkadm5srv.a                       libpcreposix.so.0.0.0            libXext.so
libbonobo-2.so.0.0.0                    libgcrypt.a                         libkadm5srv.so                   libpcsclite.so
libXext.so.6                            libbonobo-activation.so             libgcrypt.so                     libkadm5srv.so.5
libpcsclite.so.1                        libXext.so.6.4.0                    libbonobo-activation.so.4        libgcrypt.so.11
libkadm5srv.so.5.1                      libpcsclite.so.1.0.0                libXfixes.so                     libbonobo-activation.so.4.0.0
libgcrypt.so.11.5.2                     libkdb5.a                           libpgtypes.so.2                  libXfixes.so.3
libbonoboui-2.so                        libgdbm.a                           libkdb5.so                       libpgtypes.so.2.1
libXfixes.so.3.1.0                      libbonoboui-2.so.0                  libgdbm.so                       libkdb5.so.4
libplc4.so                              libXfontcache.so.1                  libbonoboui-2.so.0.0.0           libgdbm.so.2
libkdb5.so.4.0                          libplds4.so                         libXfontcache.so.1.0.0           libboost_date_time.a
libgdbm.so.2.0.0                        libkeyutils.so                      libpng12.a                       libXfont.so.1
libboost_date_time.so                   libgdict-1.0.so.5                   libkrb4.a                        libpng12.so
libXfont.so.1.4.1                       libboost_date_time.so.1.33.1        libgdict-1.0.so.5.0.5            libkrb4.so
libpng12.so.0                           libXft.so                           libboost_date_time.so.2          libgdk_pixbuf-2.0.so
libkrb4.so.2                            libpng12.so.0.10.0                  libXft.so.2                      libboost_filesystem.a
libgdk_pixbuf-2.0.so.0                  libkrb4.so.2.0                      libpng.a                         libXft.so.2.1.2
libboost_filesystem.so                  libgdk_pixbuf-2.0.so.0.1000.4       libkrb5.a                        libpng.so
libXinerama.so                          libboost_filesystem.so.1.33.1       libgdk_pixbuf_xlib-2.0.so        libkrb5.so
libpng.so.3                             libXinerama.so.1                    libboost_filesystem.so.2         libgdk_pixbuf_xlib-2.0.so.0
libkrb5.so.3                            libpng.so.3.10.0                    libXinerama.so.1.0.0             libboost_iostreams.a
libgdk_pixbuf_xlib-2.0.so.0.1000.4      libkrb5.so.3.3                      libpoldiff.so                    libXi.so
libboost_iostreams.so                   libgdk-x11-2.0.so                   libkrb5support.a                 libpoldiff.so.1
libXi.so.6                              libboost_iostreams.so.1.33.1        libgdk-x11-2.0.so.0              libkrb5support.so
libpoppler-glib.so.1                    libXi.so.6.0.0                      libboost_iostreams.so.2          libgdk-x11-2.0.so.0.1000.4
libkrb5support.so.0                     libpoppler-glib.so.1.0.0            libxkbfile.so.1                  libboost_prg_exec_monitor.a
libgd.so.2                              libkrb5support.so.0.1               libpoppler.so.1                  libxkbfile.so.1.0.2
libboost_prg_exec_monitor.so            libgd.so.2.0.0                      libkudzu.a                       libpoppler.so.1.0.0
libxklavier.so.11                       libboost_prg_exec_monitor.so.1.33.1 libgettextlib-0.17.so            libkudzu_loader.a
libpopt.a                               libxklavier.so.11.0.0               libboost_prg_exec_monitor.so.2   libgettextsrc-0.17.so
libl.a                                  libpopt.so                          libxml2.a                        libboost_program_options.a
libgfortran.so.1                        liblber-2.3.so.0                    libpopt.so.0                     libxml2.so
libboost_program_options.so             libgfortran.so.1.0.0                liblber-2.3.so.0.2.31            libpopt.so.0.0.0
libxml2.so.2                            libboost_program_options.so.1.33.1  libgif.so.4                      liblber.a
libpq.so.4                              libxml2.so.2.6.26                   libboost_program_options.so.2    libgif.so.4.1.3
liblber.so                              libpq.so.4.1                        libxmlsec1.a                     libboost_python.a
libgij.so.7rh                           liblcms.so.1                        libprldap60.so                   libxmlsec1.so
libboost_python.so                      libgij.so.7rh.0.0                   liblcms.so.1.0.18                libpspell.so.15
libxmlsec1.so.1                         libboost_python.so.1.33.1           libglade                         libldap-2.3.so.0
libpspell.so.15.1.3                     libxmlsec1.so.1.2.9                 libboost_python.so.2             libglade-2.0.a   
libldap-2.3.so.0.2.31                   libpthread.a                        libXmu.so.6                      libboost_regex.a
libglade-2.0.so                         libldap60.so                        libpthread_nonshared.a           libXmu.so.6.2.0
libboost_regex.so                       libglade-2.0.so.0                   libldap.a                        libpthread.so
libXmuu.so.1                            libboost_regex.so.1.33.1            libglade-2.0.so.0.0.7            libldap_r-2.3.so.0
libpython2.4.so                         libXmuu.so.1.0.0                    libboost_regex.so.2              libGL.so
libldap_r-2.3.so.0.2.31                 libpython2.4.so.1.0                 libXpm.so.4                      libboost_serialization.a
libGL.so.1                              libldap_r.a                         libqpol.so                       libXpm.so.4.11.0
libboost_serialization.so               libGL.so.1.2                        libldap_r.so                     libqpol.so.1
libXrandr.so                            libboost_serialization.so.1.33.1    libGLU.so.1                      libldap.so
libraw1394.so.8                         libXrandr.so.2                      libboost_serialization.so.2      libGLU.so.1.3.060501
libldif60.so                            libraw1394.so.8.2.0                 libXrandr.so.2.0.0               libboost_signals.a
libglut.so.3                            liblftp-jobs.so                     libreadline.a                    libXrender.so
libboost_signals.so                     libglut.so.3.8.0                    liblftp-jobs.so.0                libreadline.so
libXrender.so.1                         libboost_signals.so.1.33.1          libgmp.a                         liblftp-jobs.so.0.0.0
libreadline.so.5                        libXrender.so.1.3.0                 libboost_signals.so.2            libgmp.so
liblftp-tasks.so                        libreadline.so.5.1                  libXRes.so.1                     libboost_test_exec_monitor.a
libgmp.so.3                             liblftp-tasks.so.0                  libresolv.a                      libXRes.so.1.0.0
libboost_test_exec_monitor.so           libgmp.so.3.3.3                     liblftp-tasks.so.0.0.0           libresolv.so
libxslt.a                               libboost_test_exec_monitor.so.1.33.1 libgmpxx.a                      liblockdev.a
librom1394.so.0                         libxslt-plugins                     libboost_test_exec_monitor.so.2  libgmpxx.so
liblockdev.so                           librom1394.so.0.3.0                 libxslt.so                       libboost_thread.a
libgmpxx.so.3                           liblockdev.so.1                     librpcsecgss.la                  libxslt.so.1
libboost_thread.so                      libgmpxx.so.3.0.5                   liblockdev.so.1.0.1              librpcsecgss.so.2
libxslt.so.1.1.17                       libboost_thread.so.1.33.1           libgnome-2.so                    liblog4cpp.so.4
librpcsecgss.so.2.0.1                   libXss.so.1                         libboost_thread.so.2             libgnome-2.so.0
liblog4cpp.so.4.0.6                     librpcsvc.a                         libXss.so.1.0.0                  libboost_unit_test_framework.a
libgnome-2.so.0.1600.0                  libloginhelper.so.0                 librpm-4.4.so                    libxtables.la
libboost_unit_test_framework.so         libgnomecanvas-2.so                 libloginhelper.so.0.0.0          librpm.a
libxtables.so                           libboost_unit_test_framework.so.1.33.1 libgnomecanvas-2.so.0         liblwres.so.9
librpmbuild-4.4.so                      libxtables.so.4                     libboost_unit_test_framework.so.2 libgnomecanvas-2.so.0.1400.0
liblwres.so.9.2.0                       librpmbuild.a                       libxtables.so.4.0.0              libboost_wave.a
libgnomecups-1.0.so.1                   liblzma.so.0                        librpmbuild.so                   libXTrap.so.6
libboost_wserialization.a               libgnomecups-1.0.so.1.0.0           liblzma.so.0.0.0                 librpmdb-4.4.so
libXTrap.so.6.4.0                       libboost_wserialization.so          libgnome-desktop-2.so.2          libm.a
librpmdb.a                              libXt.so                            libboost_wserialization.so.1.33.1 libgnome-desktop-2.so.2.2.21
libmagic.a                              librpmdb.so                         libXt.so.6                       libboost_wserialization.so.2
libgnome-keyring.so                     libMagick.so.10                     librpmio-4.4.so                  libXt.so.6.0.0
libbrlapi.so.0.4                        libgnome-keyring.so.0               libMagick.so.10.0.3              librpmio.a
libXtst.so.6                            libbrlapi.so.0.4.1                  libgnome-keyring.so.0.0.1        libmagic.so
librpmio.so                             libXtst.so.6.1.0                    libBrokenLocale.a                libgnome-mag.so.2
libmagic.so.1                           librpm.so                           libXv.so.1                       libBrokenLocale.so
libgnome-mag.so.2.1.1                   libmagic.so.1.0.0                   librsvg-2.so.2                   libXv.so.1.0.0
libbsd.a                                libgnome-media-profiles.so.0        libmcheck.a                      librsvg-2.so.2.16.1
libXxf86dga.so.1                        libbsd-compat.a                     libgnome-media-profiles.so.0.0.0 libmenu.a
librt.a                                 libXxf86dga.so.1.0.0                libbz2.a                         libgnome-menu.so.2
libmenu_g.a                             librtkaio.a                         libXxf86misc.so.1                libbz2.so
libgnome-menu.so.2.1.3                  libmenu.so                          librt.so                         libXxf86misc.so.1.1.0
libbz2.so.1                             libgnomeprint                       libmenu.so.5                     libsane.so.1
libXxf86vm.so.1                         libbz2.so.1.0.3                     libgnomeprint-2-2.so.0           libmenu.so.5.5
libsane.so.1.0.18                       libXxf86vm.so.1.0.0                 libc.a                           libgnomeprint-2-2.so.0.1.0
libmenuw.a                              libsasl2.a                          libz.a                           libcairo.so
libgnomeprintui-2-2.so.0                libmenuw_g.a                        libsasl2.so                      libz.so
libcairo.so.2                           libgnomeprintui-2-2.so.0.1.0        libmenuw.so                      libsasl2.so.2
libz.so.1                               libcairo.so.2.9.2                   libgnomespeech.so.7              libmenuw.so.5
libsasl2.so.2.0.22                      libz.so.1.2.3                       libcamel-1.2.so.0                libgnomespeech.so.7.0.1
libmenuw.so.5.5                         libscim-1.0.so.8                    locale                           libcamel-1.2.so.0.0.0
libgnomeui-2.so                         libmetacity-private.a               libscim-1.0.so.8.1.0             logging.properties
libcamel-provider-1.2.so.8              libgnomeui-2.so.0                   libmetacity-private.so           libscim-gtkutils-1.0.so.8
lsb                                     libcamel-provider-1.2.so.8.1.0      libgnomeui-2.so.0.1600.0         libmetacity-private.so.0
libscim-gtkutils-1.0.so.8.1.0           lv                                  libcapi20.so                     libgnomevfs-2.a
libmetacity-private.so.0.0.0            libscim-x11utils-1.0.so.8           mail.help                        libcapi20.so.3
libgnomevfs-2.so                        libmng.so.1                         libscim-x11utils-1.0.so.8.1.0    mail.tildehelp
libcapi20.so.3.0.4                      libgnomevfs-2.so.0                  libmng.so.1.0.0                  libscrollkeeper.a
Mcrt1.o                                 libcdda_interface.so                libgnomevfs-2.so.0.1600.2        libmp.a
libscrollkeeper.so                      mozilla                             libcdda_interface.so.0           libgnome-window-settings.so.1
libmpfr.a                               libscrollkeeper.so.0                mysql                            libcdda_interface.so.0.9.8
libgnome-window-settings.so.1.0.0       libmp.so                            libscrollkeeper.so.0.0.0         nautilus
libcdda_paranoia.so                     libgnuefi.a                         libmp.so.3                       libsefs.so
NetworkManager                          libcdda_paranoia.so.0               libgnutls-extra.so.13            libmp.so.3.1.7
libsefs.so.3                            notification-daemon-1.0             libcdda_paranoia.so.0.9.8        libgnutls-extra.so.13.0.6
libm.so                                 libselinux.a                        nspluginwrapper                  libcddb-slave2.so.0
libgnutls-openssl.so.13                 libmusicbrainz.so.4                 libselinux.so                    nss
libcddb-slave2.so.0.0.0                 libgnutls-openssl.so.13.0.6         libmusicbrainz.so.4.0.0          libsemanage.so
openssl                                 libchewing.so.3                     libgnutls.so.13                  libname-server-2.a
libsepol.a                              orbit-2.0                           libchewing.so.3.0.0              libgnutls.so.13.0.6
libnautilus-burn.so.4                   libsepol.so                         pam_pkcs11                       libcidn.so
libgomp.so.1                            libnautilus-burn.so.4.0.0           libslang.a                       pango
libckyapplet.so                         libgomp.so.1.0.0                    libnautilus-extension.so.1       libslang.so
pcsc                                libckyapplet.so.1                   libgpg-error.a                   libnautilus-extension.so.1.1.0
libslang.so.2                           perl5                               libckyapplet.so.1.0.0            libgpg-error.so
libncurses.a                            libslang.so.2.0.6                   php                              libc_nonshared.a
libgpg-error.so.0                       libncurses++.a                      libsmbclient.so.0                pkcs11
libcom_err.a                            libgpg-error.so.0.3.0               libncurses_g.a                   libsmime3.so
pkgconfig                               libcom_err.so                       libgphoto2                       libncurses.so
libSM.so                                pm-utils                            libcoolkeypk11.so                libgphoto2_port
libncurses.so.5                         libSM.so.6                          pppd                             libcrack.a
libgphoto2_port.so.0                    libncurses.so.5.5                   libSM.so.6.0.0                   preloadable_libintl.so
libcrack.so                             libgphoto2_port.so.0.6.1            libncurses++w.a                  libsnmp.so.10
psutils                                 libcrack.so.2                       libgphoto2.so.2                  libncursesw.a
libsnmp.so.10.0.3                       pygtk                               libcrack.so.2.8.0                libgphoto2.so.2.1.1
libncursesw_g.a                         libsoftokn3.chk                     python2.4                        libcrmf.a
libgpm.a                                libncursesw.so                      libsoftokn3.so                   qt-3.3
libcroco-0.6.so.3                       libgpm.so                           libncursesw.so.5                 libsoup-2.2.so.8
rpm                                     libcroco-0.6.so.3.0.1               libgpm.so.1                      libncursesw.so.5.5
libsoup-2.2.so.8.5.0                    samba                               libcrypt.a                       libgpm.so.1.19.0
libneon.so.25                           libspeex.so.1                       sane                             libcrypto.a
libgsf-1.so.114                         libneon.so.25.0.5                   libspeex.so.1.3.0                sasl2
libcrypto.so                            libgsf-1.so.114.0.1                 libnetapi.so                     libspi.so.0
scim-1.0                                libcryptsetup.so.0                  libgsf-gnome-1.so.114            libnetapi.so.0
libspi.so.0.10.11                       Scrt1.o                             libcryptsetup.so.0.0.0           libgsf-gnome-1.so.114.0.1
libnetpbm.so.10                         libsqlite3.so                       security                         libcrypt.so
libgssapi_krb5.a                        libnetpbm.so.10.35                  libsqlite3.so.0                  sendmail
libc.so                                 libgssapi_krb5.so                   libnetsnmpagent.so.10            libsqlite3.so.0.8.6
sendmail.sendmail                       libcspi.so.0                        libgssapi_krb5.so.2              libnetsnmpagent.so.10.0.3
libss.a                                 sse2                                libcspi.so.0.10.11               libgssapi_krb5.so.2.2
libnetsnmphelpers.so.10                 libssl3.so                          syslinux                         libc_stubs.a
libgssapi.la                            libnetsnmphelpers.so.10.0.3         libssl.a                         systemtap
libcupsimage.so.2                       libgssapi.so.2                      libnetsnmpmibs.so.10             libssldap60.so
tc                                      libcups.so.2                        libgssapi.so.2.0.0               libnetsnmpmibs.so.10.0.3
libssl.so                               tcl8.4                              libcurl.a                        libgs.so
libnetsnmp.so.10                        libss.so                            tclx8.4                          libcurl.so
libgs.so.8                              libnetsnmp.so.10.0.3                libstartup-notification-1.so     tk8.4
libcurl.so.3                            libgs.so.8.70                       libnetsnmptrapd.so.10            libstartup-notification-1.so.0
TkXInput                                libcurl.so.3.0.0                    libgssrpc.a                      libnetsnmptrapd.so.10.0.3
libstartup-notification-1.so.0.0.0      tls                                 libcurses.a                      libgssrpc.so  
libnewt.a                               libstdc++-3-libc6.2-2-2.10.0.so     valgrind                         libcurses.so
libgssrpc.so.4                          libnewt.so                          libstdc++-libc6.2-2.so.3         vte
libcursesw.a                            libgssrpc.so.4.0                    libnewt.so.0.52                  libstdc++.so.5
window-manager-settings                 libcursesw.so                       libgstaudio-0.10.so.0            libnewt.so.0.52.1
libstdc++.so.5.0.7                      X11                                 libdaemon.so.0                   libgstaudio-0.10.so.0.14.0
libnfsidmap_nsswitch.so                 libstdc++.so.6                      xml2Conf.sh                      libdaemon.so.0.2.4
libgstbase-0.10.so.0                    libnfsidmap_nsswitch.so.0           libstdc++.so.6.0.8               xmlsec1Conf.sh
libdb-4.3.a                             libgstbase-0.10.so.0.17.0           libnfsidmap_nsswitch.so.0.0.0    libstunnel.so
xorg                                    libdb-4.3.la                        libgstcdda-0.10.so.0             libnfsidmap.so
libsvn_client-1.so.0                    xserver                             libdb-4.3.so                     libgstcdda-0.10.so.0.14.0
libnfsidmap.so.0                        libsvn_client-1.so.0.0.0            xsltConf.sh                      libdb_cxx-4.3.a
libgstcontroller-0.10.so.0              libnfsidmap.so.0.2.0                libsvn_delta-1.so.0              xulrunner-1.9.2
libdb_cxx-4.3.la                        libgstcontroller-0.10.so.0.17.0     libnfsidmap_static.so            libsvn_delta-1.so.0.0.0
xulrunner-sdk-1.9.2                     libdb_cxx-4.3.so                    libgstdataprotocol-0.10.so.0     libnfsidmap_static.so.0
libsvn_diff-1.so.0                      yum-plugins                         libdb_cxx.so                     libgstdataprotocol-0.10.so.0.17.0
libnfsidmap_static.so.0.0.0             libsvn_diff-1.so.0.0.0
[root@Smoke lib]# ls | grep nss(list the current directory and pipe the result to grep so that only nss-related entries are shown)
libgnutls-openssl.so.13
libgnutls-openssl.so.13.0.6
libnfsidmap_nsswitch.so
libnfsidmap_nsswitch.so.0
libnfsidmap_nsswitch.so.0.0.0
libnss3.so
libnssckbi.so
libnss_compat.so
libnss_db.so
libnss_dns.so
libnss_files.so
libnss_hesiod.so
libnss_ldap.so
libnss_nisplus.so
libnss_nis.so
libnssutil3.so
libnss_winbind.so
libnss_wins.so
nss
openssl
Note: for an application to perform name resolution it has to call a whole set of library files. These are shared libraries of the operating system, and any application that needs name resolution can call them; which library a given application actually uses is defined by a configuration file.
[root@Smoke lib]# vim /etc/nsswitch.conf(edit the nsswitch.conf configuration file)

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files
#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files(converts a network card to its corresponding number, i.e. which card it is)
netmasks:   files
networks:   files
protocols:  files
rpc:        files(converts rpc names to the corresponding port numbers)
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

sudoers: files ldap

[root@Smoke lib]# cat /etc/protocols(view the contents of the protocols file)

# /etc/protocols:
# $Id: protocols,v 1.5 2006/10/11 15:39:11 pknirsch Exp $
#
# Internet (IP) protocols
#
#	from: @(#)protocols	5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
#
# See also http://www.iana.org/assignments/protocol-numbers

ip	0	IP		# internet protocol, pseudo protocol number
hopopt	0	HOPOPT		# hop-by-hop options for ipv6
icmp	1	ICMP		# internet control message protocol
igmp	2	IGMP		# internet group management protocol
ggp	3	GGP		# gateway-gateway protocol
ipencap	4	IP-ENCAP	# IP encapsulated in IP (officially ``IP'')
st	5	ST		# ST datagram mode
tcp	6	TCP		# transmission control protocol
cbt	7	CBT		# CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>
egp	8	EGP		# exterior gateway protocol
igp	9	IGP		# any private interior gateway (Cisco: for IGRP)
bbn-rcc	10	BBN-RCC-MON	# BBN RCC Monitoring
nvp	11	NVP-II		# Network Voice Protocol
pup	12	PUP		# PARC universal packet protocol
argus	13	ARGUS		# ARGUS
emcon	14	EMCON		# EMCON
xnet	15	XNET		# Cross Net Debugger
chaos	16	CHAOS		# Chaos
udp	17	UDP		# user datagram protocol
mux	18	MUX		# Multiplexing protocol
dcn	19	DCN-MEAS	# DCN Measurement Subsystems
hmp	20	HMP		# host monitoring protocol
prm	21	PRM		# packet radio measurement protocol
xns-idp	22	XNS-IDP		# Xerox NS IDP
trunk-1	23	TRUNK-1		# Trunk-1
trunk-2	24	TRUNK-2		# Trunk-2
leaf-1	25	LEAF-1		# Leaf-1
leaf-2	26	LEAF-2		# Leaf-2
rdp	27	RDP		# "reliable datagram" protocol
irtp	28	IRTP		# Internet Reliable Transaction Protocol
iso-tp4	29	ISO-TP4		# ISO Transport Protocol Class 4
netblt	30	NETBLT		# Bulk Data Transfer Protocol
mfe-nsp	31	MFE-NSP		# MFE Network Services Protocol
merit-inp	32	MERIT-INP	# MERIT Internodal Protocol
dccp	33	DCCP		# Datagram Congestion Control Protocol  
3pc	34	3PC		# Third Party Connect Protocol
idpr	35	IDPR		# Inter-Domain Policy Routing Protocol
xtp	36	XTP		# Xpress Tranfer Protocol
ddp	37	DDP		# Datagram Delivery Protocol
idpr-cmtp	38	IDPR-CMTP	# IDPR Control Message Transport Proto
tp++	39	TP++		# TP++ Transport Protocol
il	40	IL		# IL Transport Protocol
ipv6	41	IPv6		# IPv6
sdrp	42	SDRP		# Source Demand Routing Protocol
ipv6-route	43	IPv6-Route 	# Routing Header for IPv6
ipv6-frag	44	IPv6-Frag	# Fragment Header for IPv6
idrp	45	IDRP		# Inter-Domain Routing Protocol
rsvp	46	RSVP		# Resource ReSerVation Protocol
gre	47	GRE		# Generic Routing Encapsulation
dsr	48	DSR		# Dynamic Source Routing Protocol
bna	49	BNA		# BNA
esp	50	ESP		# Encap Security Payload
ah	51	AH		# Authentication Header
i-nlsp	52	I-NLSP		# Integrated Net Layer Security TUBA
swipe	53	SWIPE		# IP with Encryption
narp	54	NARP		# NBMA Address Resolution Protocol
mobile	55	MOBILE		# IP Mobility
tlsp	56	TLSP		# Transport Layer Security Protocol
skip	57	SKIP		# SKIP
ipv6-icmp	58	IPv6-ICMP	# ICMP for IPv6
ipv6-nonxt	59	IPv6-NoNxt	# No Next Header for IPv6
ipv6-opts	60	IPv6-Opts	# Destination Options for IPv6
#	61			# any host internal protocol
cftp	62	CFTP		# CFTP
#	63			# any local network
sat-expak	64	SAT-EXPAK	# SATNET and Backroom EXPAK
kryptolan	65	KRYPTOLAN	# Kryptolan
rvd	66	RVD		# MIT Remote Virtual Disk Protocol
ippc	67	IPPC		# Internet Pluribus Packet Core
#	68			# any distributed file system
sat-mon	69	SAT-MON		# SATNET Monitoring
visa	70	VISA		# VISA Protocol
ipcv	71	IPCV		# Internet Packet Core Utility
cpnx	72	CPNX		# Computer Protocol Network Executive
cphb	73	CPHB		# Computer Protocol Heart Beat
wsn	74	WSN		# Wang Span Network
pvp	75	PVP		# Packet Video Protocol
br-sat-mon	76	BR-SAT-MON	# Backroom SATNET Monitoring
sun-nd	77	SUN-ND		# SUN ND PROTOCOL-Temporary
wb-mon	78	WB-MON		# WIDEBAND Monitoring
wb-expak	79	WB-EXPAK	# WIDEBAND EXPAK
iso-ip	80	ISO-IP		# ISO Internet Protocol
vmtp	81	VMTP		# Versatile Message Transport
secure-vmtp	82	SECURE-VMTP	# SECURE-VMTP
vines	83	VINES		# VINES
ttp	84	TTP		# TTP
nsfnet-igp	85	NSFNET-IGP	# NSFNET-IGP
dgp	86	DGP		# Dissimilar Gateway Protocol
tcf	87	TCF		# TCF
eigrp	88	EIGRP		# Enhanced Interior Routing Protocol (Cisco)
ospf	89	OSPFIGP		# Open Shortest Path First IGP
sprite-rpc	90	Sprite-RPC	# Sprite RPC Protocol
larp	91	LARP		# Locus Address Resolution Protocol
mtp	92	MTP		# Multicast Transport Protocol
ax.25	93	AX.25		# AX.25 Frames
ipip	94	IPIP		# Yet Another IP encapsulation
micp	95	MICP		# Mobile Internetworking Control Pro.
scc-sp	96	SCC-SP		# Semaphore Communications Sec. Pro.
etherip	97	ETHERIP		# Ethernet-within-IP Encapsulation
encap	98	ENCAP		# Yet Another IP encapsulation
#	99			# any private encryption scheme
gmtp	100	GMTP		# GMTP
ifmp	101	IFMP		# Ipsilon Flow Management Protocol
pnni	102	PNNI		# PNNI over IP
pim	103	PIM		# Protocol Independent Multicast
aris	104	ARIS		# ARIS
scps	105	SCPS		# SCPS
qnx	106	QNX		# QNX
a/n	107	A/N		# Active Networks
ipcomp	108	IPComp		# IP Payload Compression Protocol
snp	109	SNP		# Sitara Networks Protocol
compaq-peer	110	Compaq-Peer	# Compaq Peer Protocol
ipx-in-ip	111	IPX-in-IP	# IPX in IP
vrrp	112	VRRP		# Virtual Router Redundancy Protocol
pgm	113	PGM		# PGM Reliable Transport Protocol
#	114			# any 0-hop protocol
l2tp	115	L2TP		# Layer Two Tunneling Protocol
ddx	116	DDX		# D-II Data Exchange
iatp	117	IATP		# Interactive Agent Transfer Protocol
stp	118	STP		# Schedule Transfer
srp	119	SRP		# SpectraLink Radio Protocol
uti	120	UTI		# UTI
smp	121	SMP		# Simple Message Protocol
sm	122	SM		# SM
ptp	123	PTP		# Performance Transparency Protocol
isis	124	ISIS		# ISIS over IPv4
fire	125	FIRE
crtp	126	CRTP		# Combat Radio Transport Protocol
crdup	127	CRUDP		# Combat Radio User Datagram
sscopmce	128	SSCOPMCE
iplt	129	IPLT
sps	130	SPS		# Secure Packet Shield
pipe	131	PIPE		# Private IP Encapsulation within IP
sctp	132	SCTP		# Stream Control Transmission Protocol
fc	133	FC		# Fibre Channel
rsvp-e2e-ignore	134	RSVP-E2E-IGNORE
#	135			# Mobility Header
udplite	136	UDPLite
mpls-in-ip	137	MPLS-in-IP
#   138-252 Unassigned                                       [IANA]
#   253     Use for experimentation and testing           [RFC3692]
#   254     Use for experimentation and testing           [RFC3692]
#   255                 Reserved                             [IANA]

[root@Smoke lib]# cat /etc/services(view the contents of the services file)
 
Note: /etc/services lists the ports used by the corresponding protocols;
[root@Smoke lib]# vim /etc/nsswitch.conf(edit the nsswitch.conf configuration file)

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files
#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files(if the lookup in nisplus returns NOTFOUND, stop and return)
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files(converts a network card to its corresponding number, i.e. which card it is)
netmasks:   files
networks:   files
protocols:  files
rpc:        files(converts rpc names to the corresponding port numbers)
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus(may be looked up either in files or in nisplus)

sudoers: files ldap
[root@Smoke lib]# ls /usr/lib | grep libnss(list the /usr/lib directory and pipe the result to grep so that only libnss entries are shown)
libnss3.so
libnssckbi.so
libnss_compat.so
libnss_db.so
libnss_dns.so
libnss_files.so
libnss_hesiod.so
libnss_ldap.so
libnss_nisplus.so
libnss_nis.so
libnssutil3.so
libnss_winbind.so
libnss_wins.so
Note: these are the library files that provide name resolution;
[root@Smoke lib]# export LANG=en(switch the language to English)
[root@Smoke lib]# man getent(view the man page for getent)

       getent - get entries from administrative database(get the corresponding entries from an administrative database)

[root@Smoke lib]# getent passwd(get all entries of the passwd database as defined in /etc/nsswitch.conf)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
Smoke:x:500:500:Smoke:/home/Smoke:/bin/bash
hadoop:x:501:501::/home/hadoop:/bin/bash
hbase:x:502:502::/home/hbase:/bin/bash
redis:x:503:503::/home/redis:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
vuser:x:504:504::/var/ftproot:/sbin/nologin
nfstest:x:510:510::/home/nfstest:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
eucalyptus:x:511:511::/home/eucalyptus:/bin/bash
fedora:x:512:512::/home/fedora:/bin/bash
[root@Smoke lib]# vim /etc/nsswitch.conf(edit the nsswitch.conf configuration file)

[root@Smoke lib]# getent hosts(get all entries of the hosts database as defined in /etc/nsswitch.conf)
127.0.0.1       localhost.localdomain localhost
127.0.0.1       Smoke.com
[root@Smoke lib]# getent passwd root(get the entry for root from the passwd database defined in /etc/nsswitch.conf)
root:x:0:0:root:/root:/bin/bash
[root@Smoke lib]# getent hosts Smoke.com(get the entry for Smoke.com from the hosts database defined in /etc/nsswitch.conf)
127.0.0.1       Smoke.com
[root@Smoke lib]# getent hosts www1.example.org(get the entry for www1.example.org from the hosts database defined in /etc/nsswitch.conf)
[root@Smoke lib]# getent hosts www1.example.com(get the entry for www1.example.com from the hosts database defined in /etc/nsswitch.conf)
125.76.239.244  www1.example.com
[root@Smoke lib]# cat /etc/hosts(view the contents of /etc/hosts)
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
127.0.0.1	Smoke.com
Note: /etc/hosts does not resolve www1.example.com; that answer came from DNS. The hosts database has two mechanisms: files comes first, so /etc/hosts is searched first, and if the name is not found there DNS is queried;
[root@Smoke ~]# cat /etc/resolv.conf(view the DNS resolver configuration file)
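The lookup order described above (files first, then dns) and the '[NOTFOUND=return]' action explained in the comments of nsswitch.conf, simulated as an added Python example that is not part of the original notes; the SOURCES tables are constructed stand-ins for the libnss back-ends, not real system lookups:

```python
import re

# NSS status values a source can report (mirrors the glibc NSS status codes).
SUCCESS, NOTFOUND, UNAVAIL = "success", "notfound", "unavail"

# Constructed stand-ins for the real lookup back-ends: 'files' mimics the
# /etc/hosts shown above, 'dns' mimics the answer the nameserver gave for
# www1.example.com, 'nis' is a reachable server that knows nothing, and
# 'nisplus' has no server responding at all.
SOURCES = {
    "files": {"localhost": "127.0.0.1", "Smoke.com": "127.0.0.1"},
    "dns": {"www1.example.com": "125.76.239.244"},
    "nis": {},
    "nisplus": None,
}

def query(source, key):
    """Ask one source for a key and return (status, value)."""
    table = SOURCES.get(source)
    if table is None:
        return UNAVAIL, None           # back-end not reachable
    if key in table:
        return SUCCESS, table[key]
    return NOTFOUND, None              # back-end answered: no such entry

TOKEN = re.compile(r"\[([^\]]+)\]|(\S+)")

def parse_line(line):
    """Parse 'hosts: nisplus [NOTFOUND=return] files dns' into the database
    name and an ordered list of (source, actions); actions maps an NSS status
    to 'return' or 'continue' and applies to the source it follows."""
    db, _, rest = line.partition(":")
    entries = []
    for m in TOKEN.finditer(rest):
        if m.group(1) is None:
            entries.append((m.group(2), {}))
            continue
        if not entries:
            raise ValueError("action specification before any source: %s" % line)
        for spec in m.group(1).split():
            status, action = spec.lower().split("=", 1)
            entries[-1][1][status] = action
    return db.strip(), entries

def lookup(line, key):
    """Walk the sources in order. The NSS defaults are 'return' on SUCCESS and
    'continue' on NOTFOUND or UNAVAIL; a bracketed action overrides them, which
    is why '[NOTFOUND=return]' stops after a negative answer but a server that
    does not respond (UNAVAIL) still lets the search go on to the next source."""
    _, entries = parse_line(line)
    for source, actions in entries:
        status, value = query(source, key)
        default = "return" if status == SUCCESS else "continue"
        if actions.get(status, default) == "return":
            return status, value
    return NOTFOUND, None              # every source exhausted

if __name__ == "__main__":
    for line, key in [("hosts: files dns", "www1.example.com"),
                      ("hosts: files dns", "www1.example.org"),
                      ("hosts: nisplus [NOTFOUND=return] files", "Smoke.com"),
                      ("hosts: nis [NOTFOUND=return] files", "Smoke.com")]:
        print("%-42s %-18s -> %s" % (line, key, lookup(line, key)))
```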
; generated by /sbin/dhclient-script
search localdomain
nameserver 192.168.40.2
Note: 192.168.40.2 is the nameserver that can resolve the host name www1.example.com;
[root@Smoke ~]# ls /lib/security/(list the /lib/security directory)
pam_access.so    pam_echo.so       pam_group.so    pam_ldap.so       pam_motd.so       pam_postgresok.so   pam_selinux.so     pam_tally2.so     
pam_unix_auth.so pam_winbind.so    pam_ccreds.so   pam_env.so        pam_issue.so      pam_limits.so       pam_mysql.so       pam_pwhistory.so
pam_shells.so    pam_tally.so      pam_unix_passwd.so                pam_xauth.so      pam_chroot.so       pam_exec.so        pam_keyinit.so  
pam_listfile.so  pam_namespace.so  pam_rhosts_auth.so                pam_smb_auth.so   pam_time.so         pam_unix_session.so
pam_console.so   pam_faildelay.so  pam_krb5        pam_localuser.so  pam_nologin.so    pam_rhosts.so       pam_smbpass.so     pam_timestamp.so
pam_unix.so      pam_cracklib.so   pam_filter      pam_krb5afs.so    pam_loginuid.so   pam_passwdqc.so     pam_rootok.so      pam_stack.so
pam_tty_audit.so pam_userdb.so     pam_debug.so    pam_filter.so     pam_krb5.so       pam_mail.so         pam_permit.so      pam_rps.so
pam_stress.so    pam_umask.so      pam_warn.so     pam_deny.so       pam_ftp.so        pam_lastlog.so      pam_mkhomedir.so   pam_pkcs11.so
pam_securetty.so pam_succeed_if.so pam_unix_acct.so  pam_wheel.so
[root@Smoke ~]# ls /etc/pam.d/(list the /etc/pam.d directory)
atd               cvs                halt     pm-hibernate       run_init       sshd                      system-config-authentication  
system-config-printer                vsftpd.mysql          authconfig     dateconfig                kbdrate              
pm-powersave      runuser            su       system-config-date                system-config-rootpassword
xserver           authconfig-gtk     eject    kshell             pm-suspend     runuser-l                 subscription-manager      
system-config-display                system-config-securitylevel authconfig-tui ekshell                   ksu      
pm-suspend-hybrid sabayon            subscription-manager-gui    system-config-kdump                      system-config-selinux
chfn              gdm                login    poweroff           samba          sudo                      system-config-keyboard
system-config-services               chsh     gdm-autologin      neat           ppp                       screen        
sudo-i            system-config-language      system-config-soundcard           config-util               gdmsetup           
newrole           pup                serviceconf                 su-l           system-config-lvm         system-config-time
cpufreq-selector  gnome-screensaver  other    reboot             setup          system-auth               system-config-netboot
system-config-users                  crond    gnome-system-log   passwd         remote                    smtp           
system-auth-ac    system-config-network       system-install-packages           cups                      gssftp             
pirut             rhn_register       smtp.sendmail               system-cdinstall-helper                  system-config-network-cmd
vsftpd
Note: /etc/pam.d/login defines which mechanism the login application uses when authenticating users;
[root@Smoke ~]# cat /etc/pam.d/login(view the contents of the login file)
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
[root@Smoke ~]# cat /etc/pam.d/vsftpd(view the contents of the vsftpd file)
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required	pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required	pam_shells.so
auth       include	system-auth
account    include	system-auth
session    include	system-auth
session    required     pam_loginuid.so
[root@Smoke ~]# ls /etc/pam.d/(list the /etc/pam.d directory)
atd               cvs                halt     pm-hibernate       run_init       sshd                      system-config-authentication  
system-config-printer                vsftpd.mysql    authconfig                dateconfig                kbdrate          pm-powersave       
runuser           su          system-config-date          system-config-rootpassword                xserver         authconfig-gtk    
eject             kshell             pm-suspend                  runuser-l      subscription-manager      system-config-display         
system-config-securitylevel          authconfig-tui              ekshell        ksu                       pm-suspend-hybrid  
sabayon           subscription-manager-gui                       system-config-kdump                      system-config-selinux
chfn              gdm                login    poweroff           samba          sudo                      system-config-keyboard
system-config-services               chsh     gdm-autologin      neat           ppp                       screen         
sudo-i            system-config-language      system-config-soundcard           config-util               gdmsetup          
newrole           pup                serviceconf                 su-l           system-config-lvm         system-config-time
cpufreq-selector  gnome-screensaver  other    reboot             setup          system-auth               system-config-netboot         
system-config-users                  crond    gnome-system-log   passwd         remote                    smtp           
system-auth-ac    system-config-network       system-install-packages           cups                      gssftp             pirut    
rhn_register      smtp.sendmail      system-cdinstall-helper     system-config-network-cmd                vsftpd
Note: /etc/pam.d/other defines the default rules;
[root@Smoke ~]# cat /etc/nsswitch.conf(view the nsswitch.conf configuration file)
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#	nisplus or nis+		Use NIS+ (NIS version 3)
#	nis or yp		Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

sudoers: files ldap

Modules:

module-path(module path) is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location: /lib/security/ or /lib64/security/, depending on the architecture

module-arguments(module arguments) are a space separated list of tokens that can be used to modify the specific behavior of the given PAM.

  Such arguments will be documented for each individual module

  Note, if you wish to include spaces in an argument, you should surround that argument with square brackets

Basic PAM Modules(commonly used modules)

pam_unix - traditional password authentication(used to verify users against /etc/passwd and /etc/shadow; it reproduces the traditional method of computing an MD5-based value and comparing it with the value stored in /etc/shadow to see whether the two match; if they match the user passes, otherwise not)

  This module implements standard C library name service checking as a modular check

  Therefore, instead of calling the getpwent() calls directly, the application calls PAM and has it perform those checks through C library calls in the pam_unix module

OPTIONS(options)

  nullok(an empty password is allowed and is also accepted as OK)

  shadow Try to maintain a shadow based system.(verify passwords against /etc/shadow)

  md5 When a user changes their password next, encrypt it with the MD5 algorithm.(the user's password is encrypted with the md5 algorithm rather than sha1 or any other algorithm)

  try_first_pass(if the user has already entered a password, try that password first instead of prompting again, so the user does not have to type the same password repeatedly)

  use_first_pass(use the previously entered password directly)

pam_permit(permit access)

  A PAM module that always permits access. It does nothing else(permit simply allows access)

pam_deny(deny access)

  This module can be used to deny access(this module denies access)

  It always indicates a failure to the application through the PAM framework(the final result returned to the application is a failure)

  It might be suitable for using for default (the OTHER) entries(typically used in other)

Include Control Value(include other files)

The include control value includes all the checks for this management group from another PAM services configuration file at this point in the file

The checks from the other file are each performed as if they were inserted into this file individually at that point

  auth required pam_securetty.so

  auth include system-auth(include all the auth lines from system-auth at this point)

  auth required pam_env.so

  auth sufficient pam_unix.so nullok

  auth required pam_deny.so

pam_cracklib.so

checks the password against dictionary words(checks the password against the words recorded in a dictionary; if the password appears in the dictionary it fails, because a password found in a dictionary is easily brute-forced. The point of the check is that when a user changes the password, a new password that appears in the dictionary is obviously a weak one that others can brute-force, so this is mainly used when someone changes a password)

  Prompts for the new password(prompts for the new password)

  Checks password against rules and a database(the rules require a certain password length, character classes and so on, e.g. a minimum number of characters and at least a given number of the four character classes, upper case, lower case, digits and special characters; a password that does not meet the rules fails, and one that does is then checked against the database, i.e. the dictionary, and fails if it is found there too)

  Passes password to the next stacked module

  Options, such as

    minlen,(minimum length) difok,(checks whether the password is the same as the previous one) dcredit=N,(at least N digits) ucredit=N,(at least N upper-case letters) lcredit=N,(at least N lower-case letters) ocredit=N,(at least N other characters) retry=N(maximum number of attempts)

# These lines stack two password type modules. In this example the

# user is given 3 opportunities to enter a strong password. The

# "use_authtok" argument ensures that the pam_unix module does not

# prompt for a password, but instead uses the one provided by

# pam_cracklib.

#

passwd(service) password(type) required(control, this check must pass) pam_cracklib.so(module) retry=3(at most 3 attempts)

passwd password required(must pass) pam_unix.so use_authtok(when the user changes the password, set the password that passed the previous check; so if the first check fails, the second never sets anything)

pam_shells

  check for valid login shell(checks that the login shell is valid)

  A PAM module that only allows access to the system if the user's shell is listed in /etc/shells.(the user's default login shell must be one of the shells listed in /etc/shells)

pam_securetty(controls which terminals the administrator may log in from)

  Limits root login to special devices(restricts the administrator to logging in only via certain special devices)

  A PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty(the ttys listed in /etc/securetty are the ones root may use to log in; root cannot log in from any other terminal)

  Also checks to make sure that /etc/securetty is a plain file and not world writable

auth   required   pam_securetty.so
auth   required   pam_unix.so

pam_listfile(verifies whether a user account is permitted by checking a file; you can define your own file listing which users may and may not log into the system)

  A PAM module which provides a way to deny or allow services based on an arbitrary file(allows or denies user accounts for a service based on a text file)

pam_listfile.so    item=[tty|user|ruser|group|shell](what kind of entries the file contains)    sense=[allow|deny](deny or allow)    file=/path/filename(path of the file)    onerr=[succeed|fail](what to do when an error occurs) [apply=[user|@group]] [quiet]

The module gets the item of the type specified -- user specifies the username, PAM_USER; tty specifies the name of the terminal over which the request has been made, PAM_TTY; rhost specifies the name of the remote host (if any) from which the request was made, PAM_RHOST; and ruser specifies the name of the remote user (if available) who made the request, PAM_RUSER -- and looks for an instance of that item in the file=filename, filename contains one line per item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the authorization request to fail.

If an error is encountered (for instance, if filename does not exist, or a poorly-constructed argument is encountered), then if onerr=succeed, PAM_SUCCESS is returned, otherwise if onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate) will be returned.(if something goes wrong, e.g. file=/path/filename does not exist at all or the options given are malformed, then with onerr=succeed the result is PAM_SUCCESS and authentication passes, otherwise PAM_AUTH_ERR is returned and authentication fails)

An additional argument, apply=, can be used to restrict the application of the above to a specific user (apply=username) or a given group (apply=@groupname). This added restriction is only meaningful when used with the tty, rhost and shell items.

Besides this last one, all arguments should be specified; do not count on any default behavior.

pam_rootok

  A PAM module that authenticates the user if their UID is 0(if the UID is 0 it passes directly)

  Applications that are created setuid-root generally retain the UID of the user but run with the authority of an enhanced effective-UID

In the case of the su(1) application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the /etc/pam.d/su configuration file;

# su authentication. Root is granted access by default.

auth    sufficient    pam_rootok.so

auth    required     pam_unix.so

pam_limits

The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. (Limits on the total system resources that may be used within one user session.)

Users with uid=0 are affected by these limits, too. (Even the administrator is subject to these limits.)

By default limits are taken from the /etc/security/limits.conf config file. (By default the limits come from the configuration file /etc/security/limits.conf.)

Then individual *.conf files from the /etc/security/limits.d/ directory are read. (Or from any file ending in .conf in the /etc/security/limits.d/ directory.)

pam_env.so [debug] [conffile=conf-file] [envfile=env-file] [readenv=0|1] (sets or unsets environment variables)

/etc/security/pam_env.conf (environment variables are set for the user according to this file)

pam_wheel (controls su to root: restricts which users may su to root)

pam_lastlog (whether to show the user's last-login information)

pam_issue (defines the message in the /etc/issue file)

pam_motd (whether to display the contents of the motd file)

pam_succeed_if (succeeds if an account has certain attributes; it is typically used to check a user's ID, for example a UID greater than 500 may log in while a UID greater than 0 and less than 500 may not, since those are system accounts; such rules are defined with this module)

auth required pam_succeed_if.so quiet user ingroup wheel (succeeds if the user is a member of the wheel group)

pam_time (restricts logins by time: limits when a user may log in to the system)

service;ttys;users;times (the format used)

login ;(service) tty* & !ttyp* ;(terminals) !root ;(users) !Al0000-2400(times) (for the login program, on every tty except the ttyp* terminals, any user who is not root is covered by the time field "not at any time from 00:00 to 24:00"; in other words, non-root users are never allowed to log in through a tty that is not a ttyp* terminal)

/etc/security/time.conf (the configuration file)

games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 (on any terminal, every user except waster may play games only on workdays from 00:00 to 24:00 or at weekends from 18:00 to 08:00)
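An added example, not part of these notes: a simplified Python model of how pam_time evaluates time.conf rules (the '&', '|' and '!' logic lists, the day codes and ranges that cross midnight), applied to the two rules above. The day-code table follows pam_time(8); treating the early-morning part of a midnight-crossing range as the previous day's evening is a modelling assumption, and the sample rules and dates are constructed.

```python
import datetime
from fnmatch import fnmatchcase

# Day codes from pam_time(8): Mo..Su single days, Wk = Mo-Fr, Wd = Sa-Su, Al = every day.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

def _term(term, match):
    """One term of a logic list; a leading '!' negates it."""
    return not match(term[1:]) if term.startswith("!") else match(term)

def _logic(field, match):
    """Simplified logic list: '&' (and) binds inside groups joined by '|' (or)."""
    return any(all(_term(t.strip(), match) for t in group.split("&"))
               for group in field.split("|"))

def _time_term(term, when):
    """Match one 'DdDd...HHMM-HHMM' term (e.g. Wk1800-0800) against a datetime."""
    i, days = 0, set()
    while i + 2 <= len(term) and term[i].isalpha():
        days |= DAY_CODES[term[i:i + 2]]
        i += 2
    start, end = (int(x) for x in term[i:].split("-"))
    now, day = when.hour * 100 + when.minute, when.weekday()
    if start <= end:
        return day in days and start <= now < end
    # Range crosses midnight: the part before 'end' belongs to the previous
    # day's evening (assumption), so the day code is checked against that day.
    if now < end:
        return (day - 1) % 7 in days
    return day in days and now >= start

def parse_rules(text):
    """Parse 'services;ttys;users;times' lines, skipping blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("bad time.conf line: " + line)
        rules.append(fields)
    return rules

def access_allowed(rules, service, tty, user, when):
    """pam_time semantics: a rule whose service, tty and user all match denies
    access unless its time field also matches. 'when' is 'YYYY-MM-DD HH:MM'."""
    when = datetime.datetime.strptime(when, "%Y-%m-%d %H:%M")
    for services, ttys, users, times in rules:
        if (_logic(services, lambda t: fnmatchcase(service, t))
                and _logic(ttys, lambda t: fnmatchcase(tty, t))
                and _logic(users, lambda t: fnmatchcase(user, t))):
            if not _logic(times, lambda t: _time_term(t, when)):
                return False
    return True

# Constructed sample containing the two rules discussed in the notes.
SAMPLE_RULES = parse_rules("""
# non-root users may never log in on a real tty (ttyp* pseudo-terminals excluded)
login ; tty* & !ttyp* ; !root ; !Al0000-2400
# everyone except waster: games only at weekends, or on weekday evenings and nights
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
""")

if __name__ == "__main__":
    # 2016-01-25 is a Monday (the notes' own ssh banner shows 2016-01-22 as a Friday)
    print(access_allowed(SAMPLE_RULES, "login", "tty2", "fedora", "2016-01-25 10:00"))  # False
    print(access_allowed(SAMPLE_RULES, "games", "tty1", "fedora", "2016-01-25 19:00"))  # True
```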

PAM is an authentication framework: by combining a set of modules it can perform authentication, account checking, session checking, password-change checking and other related functions. Each type may have several entries, and how those entries relate to one another is defined by the control field;

[root@Smoke ~]# cd /etc/pam.d/ (change to the /etc/pam.d directory)
[root@Smoke pam.d]# ls (list the files and subdirectories of the current directory)
atd               gnome-screensaver  poweroff       su                            system-config-network
authconfig        gnome-system-log   ppp            subscription-manager          system-config-network-cmd
authconfig-gtk    gssftp             pup            subscription-manager-gui      system-config-printer
authconfig-tui    halt               reboot         sudo                          system-config-rootpassword
chfn              kbdrate            remote         sudo-i                        system-config-securitylevel
chsh              kshell             rhn_register   su-l                          system-config-selinux
config-util       ksu                run_init       system-auth                   system-config-services
cpufreq-selector  login              runuser        system-auth-ac                system-config-soundcard
crond             neat               runuser-l      system-cdinstall-helper       system-config-time
cups              newrole            sabayon        system-config-authentication  system-config-users
cvs               other              samba          system-config-date            system-install-packages
dateconfig        passwd             screen         system-config-display         vsftpd
eject             pirut              serviceconf    system-config-kdump           vsftpd.mysql
ekshell           pm-hibernate       setup          system-config-keyboard        xserver
gdm               pm-powersave       smtp           system-config-language
gdm-autologin     pm-suspend         smtp.sendmail  system-config-lvm
gdmsetup          pm-suspend-hybrid  sshd           system-config-netboot
Note: system-auth is a symbolic link pointing to system-auth-ac;
[root@Smoke pam.d]# cat system-auth-ac (show the contents of system-auth-ac)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so (when a user logs in and has to be authenticated, this entry must pass; if it does not pass, checking still continues with the entries below)
auth        sufficient    pam_unix.so nullok try_first_pass (nullok: an empty password is allowed. Even if the first entry passed, this one is still checked; if this one passes, nothing below is checked and the result goes straight back to the application, telling it that auth is OK; if it fails, for example the first entry passed but this second one did not, a failed sufficient entry does not affect the final result and checking continues with the remaining entries. try_first_pass: if the user already typed a password earlier, try that password first; if it works this entry passes, otherwise checking continues below)
auth        requisite     pam_succeed_if.so uid >= 500 quiet (if this passes it does not affect the final result and the entries below are still checked; if it fails it is a veto: the result is returned to the application immediately, telling it that this check was not passed)
auth        required      pam_deny.so (required: must pass)

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet (module arguments)
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
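An added example that is not part of these notes: a small Python model of how the control flags required, sufficient and requisite combine the results of the auth stack shown above, including the system-auth-ac variant with pam_listfile.so added. Module outcomes are constructed stand-ins, not results from real PAM modules, and optional is simply ignored.

```python
SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"

# The auth stack from system-auth-ac as shown in the notes (module arguments omitted).
SYSTEM_AUTH = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),   # uid >= 500 in the notes
    ("required",   "pam_deny.so"),
]

# The modified stack from the notes: pam_listfile.so inserted as a required entry.
WITH_LISTFILE = SYSTEM_AUTH[:1] + [("required", "pam_listfile.so")] + SYSTEM_AUTH[1:]


def module_outcomes(password_ok, uid, in_allowed_group=True, env_ok=True):
    """Constructed stand-in for what each module would return (True = pass)."""
    return {
        "pam_env.so": env_ok,                 # environment set up from pam_env.conf
        "pam_listfile.so": in_allowed_group,  # one of the user's groups is listed in file=
        "pam_unix.so": password_ok,           # password matches /etc/shadow
        "pam_succeed_if.so": uid >= 500,      # the 'uid >= 500' test from the notes
        "pam_deny.so": False,                 # always fails
    }


def run_stack(stack, outcomes):
    """Walk one management group the way the notes describe the control flags."""
    pending_failure = None   # first failed 'required' entry, remembered until the end
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            # a failure is remembered, but the remaining entries still run
            if not ok and pending_failure is None:
                pending_failure = module
        elif control == "requisite":
            # a failure vetoes immediately; success by itself decides nothing
            if not ok:
                return AUTH_ERR
        elif control == "sufficient":
            # success ends the stack early, unless a 'required' entry already failed
            if ok and pending_failure is None:
                return SUCCESS
        elif control == "optional":
            pass   # only decisive when it is the sole entry; ignored in this model
        else:
            raise ValueError("unsupported control flag: " + control)
    return AUTH_ERR if pending_failure else SUCCESS


if __name__ == "__main__":
    cases = [
        ("fedora, correct password", SYSTEM_AUTH, module_outcomes(True, 501)),
        ("fedora, wrong password", SYSTEM_AUTH, module_outcomes(False, 501)),
        ("system account, wrong password", SYSTEM_AUTH, module_outcomes(False, 100)),
        ("fedora, correct password, pam_env fails", SYSTEM_AUTH,
         module_outcomes(True, 501, env_ok=False)),
        ("fedora before usermod -a -G allowgrp", WITH_LISTFILE,
         module_outcomes(True, 501, in_allowed_group=False)),
        ("fedora after usermod -a -G allowgrp", WITH_LISTFILE,
         module_outcomes(True, 501, in_allowed_group=True)),
    ]
    for name, stack, outcomes in cases:
        print("%-42s -> %s" % (name, run_stack(stack, outcomes)))
```

The fourth case shows why a failed required entry cannot be rescued by a later sufficient one: pam_deny.so at the end of the stack turns the remembered failure into PAM_AUTH_ERR.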
[root@Smoke pam.d]# cat /etc/securetty (show the contents of securetty)
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
Note: tty1 to tty11 are the virtual terminals, vc/1 to vc/11 are virtual consoles used by remote ssh logins, and console is the system console;

Test: press Ctrl+Alt+F2 to open the second virtual terminal and log in as root; the login succeeds; then run logout to leave;

[root@Smoke pam.d]# sed -i '/tty2/d' /etc/securetty (delete the tty2 line from securetty; -i edits the file in place)
[root@Smoke pam.d]# cat /etc/securetty (show the contents of /etc/securetty)
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11

Test: press Ctrl+Alt+F2 to open the second virtual terminal and try to log in as root; the login is refused;

[root@Smoke pam.d]# ls (list the files and subdirectories of the current directory)
atd               gnome-screensaver  poweroff       su                            system-config-network
authconfig        gnome-system-log   ppp            subscription-manager          system-config-network-cmd
authconfig-gtk    gssftp             pup            subscription-manager-gui      system-config-printer
authconfig-tui    halt               reboot         sudo                          system-config-rootpassword
chfn              kbdrate            remote         sudo-i                        system-config-securitylevel
chsh              kshell             rhn_register   su-l                          system-config-selinux
config-util       ksu                run_init       system-auth                   system-config-services
cpufreq-selector  login              runuser        system-auth-ac                system-config-soundcard
crond             neat               runuser-l      system-cdinstall-helper       system-config-time
cups              newrole            sabayon        system-config-authentication  system-config-users
cvs               other              samba          system-config-date            system-install-packages
dateconfig        passwd             screen         system-config-display         vsftpd
eject             pirut              serviceconf    system-config-kdump           vsftpd.mysql
ekshell           pm-hibernate       setup          system-config-keyboard        xserver
gdm               pm-powersave       smtp           system-config-language
gdm-autologin     pm-suspend         smtp.sendmail  system-config-lvm
gdmsetup          pm-suspend-hybrid  sshd           system-config-netboot
[root@Smoke pam.d]# cat login (show the contents of login)
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
[root@Smoke pam.d]# cp system-auth-ac system-auth-ac.bak (copy system-auth-ac to system-auth-ac.bak)
[root@Smoke pam.d]# vim system-auth-ac (edit system-auth-ac)

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so (checks the user's environment variables; the user can log in only if the environment is set up correctly)
auth        required      pam_listfile.so item=group sense=allow file=/etc/pam_allowgroups (pam_allowgroups contains only group names, and only members of those groups are allowed)
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@Smoke pam.d]# vim /etc/pam_allowgroups (edit pam_allowgroups)

root
allowgrp

[root@Smoke pam.d]# groupadd allowgrp (add the group allowgrp)

Test: log in as user fedora with password redhat; the login is refused;

[root@Smoke pam.d]# usermod -a -G allowgrp fedora (modify the account's supplementary groups; without -a the existing supplementary groups would be replaced, with -a the group is appended)

Test: log in as user fedora with password redhat; the login succeeds;

[c:\~]$ ssh 172.16.100.1


Connecting to 172.16.100.1:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Thu Jan 21 22:48:33 2016 from 172.16.100.254
/usr/bin/xauth:  creating new authority file /home/fedora/.Xauthority
[fedora@Smoke ~]$ exit

Test: log in as user redhat with password redhat; the login is refused;

[root@Smoke pam.d]# usermod -a -G allowgrp redhat (modify the account's supplementary groups; without -a the existing supplementary groups would be replaced, with -a the group is appended)

Test: log in as user redhat with password redhat; the login succeeds;

[c:\~]$ ssh 172.16.100.1


Connecting to 172.16.100.1:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

/usr/bin/xauth:  creating new authority file /home/redhat/.Xauthority
[redhat@Smoke ~]$ exit
[root@Smoke pam.d]# vim su (edit su)

#%PAM-1.0
auth            sufficient      pam_rootok.so (passes straight through: the administrator using su to switch to another user passes here; anyone who is not the administrator cannot pass this entry)
# Uncomment the following line to implicitly trust users in the "wheel" group. (only users in the wheel group are allowed to do this)
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
[root@Smoke pam.d]# cat /etc/security/limits.conf (show the contents of limits.conf)

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>(who the limit applies to: a user, a group, etc.)        <type>(type of limit: soft or hard)  <item>(which resource is limited: CPU time, memory size, number of open files, total number of processes and so on)  <value>(the limit value)
#
#Where:
#<domain> can be:
#        - an user name (a user name)
#        - a group name, with @group syntax (a group name, written as @group)
#        - the wildcard *, for default entry (the wildcard *, meaning everyone; it sets the default entry)
#        - the wildcard %, can be also used with %group syntax, (the % sign, also usable as %group, for the maxlogins limit)
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits (a soft limit: an ordinary user can only adjust their own soft limit; a soft limit may be exceeded, but not arbitrarily, only after raising one's own limit with the ulimit command)
#        - "hard" for enforcing hard limits (a hard limit: the ceiling, a mandatory upper bound)
#
#<item> can be one of the following:
#        - core - limits the core file size (KB) (the maximum size of core files)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files (the maximum number of files that may be open)
#        - rss - max resident set size (KB) (the maximum amount of real memory that may be used: a limit on physical memory)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN) (the maximum CPU time that may be used)
#        - nproc - max number of processes (the maximum number of processes a user may have)
#        - as - address space limit (a limit on the linear address space)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0 (applies to all users by default; a soft limit of 0 means no limit)
#*               hard    rss             10000 (physical memory of 10000 KB)
#@student        hard    nproc           20 (the student group may have at most 20 processes)
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4 (- means both the soft and the hard limit; maxlogins is the maximum number of logins allowed)

# End of file
[root@Smoke pam.d]# ls /etc/security/limits.d/ (list the files and subdirectories of /etc/security/limits.d)
Note: to make these limits permanent, edit /etc/security/limits.conf or create any file ending in .conf under /etc/security/limits.d/; to adjust them directly, the administrator may change limits freely and without restriction, while an ordinary user may only adjust soft limits;
[root@Smoke pam.d]# help ulimit (show the help for the ulimit command)
ulimit: ulimit [-SHacdfilmnpqstuvx] [limit]
    Ulimit provides control over the resources available to processes
    started by the shell, on systems that allow such control.  If an
    option is given, it is interpreted as follows:
    
        -S	use the `soft' resource limit
        -H	use the `hard' resource limit
        -a	all current limits are reported
        -c	the maximum size of core files created
        -d	the maximum size of a process's data segment
        -e	the maximum scheduling priority (`nice')
        -f	the maximum size of files written by the shell and its children
        -i	the maximum number of pending signals
        -l	the maximum size a process may lock into memory
        -m	the maximum resident set size (has no effect on Linux)
        -n	the maximum number of open file descriptors (changes the maximum number of files that may be open)
        -p	the pipe buffer size
        -q	the maximum number of bytes in POSIX message queues
        -r	the maximum real-time scheduling priority
        -s	the maximum stack size
        -t	the maximum amount of cpu time in seconds
        -u	the maximum number of user processes (the maximum number of processes a user may have)
        -v	the size of virtual memory
        -x	the maximum number of file locks
    
    If LIMIT is given, it is the new value of the specified resource;
    the special LIMIT values `soft', `hard', and `unlimited' stand for
    the current soft limit, the current hard limit, and no limit, respectively.
    Otherwise, the current value of the specified resource is printed.
    If no option is given, then -f is assumed.  Values are in 1024-byte
    increments, except for -t, which is in seconds, -p, which is in
    increments of 512 bytes, and -u, which is an unscaled number of
    processes.
[root@Smoke pam.d]# export (show the user's environment variables)
declare -x CVS_RSH="ssh"
declare -x DISPLAY="localhost:10.0"
declare -x G_BROKEN_FILENAMES="1"
declare -x HISTSIZE="1000"
declare -x HOME="/root"
declare -x HOSTNAME="Smoke.com"
declare -x INPUTRC="/etc/inputrc"
declare -x LANG="en_US"
declare -x LESSOPEN="|/usr/bin/lesspipe.sh %s"
declare -x LOGNAME="root"
declare -x LS_COLORS="no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:"
declare -x MAIL="/var/spool/mail/root"
declare -x OLDPWD="/root"
declare -x PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
declare -x PWD="/etc/pam.d"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x SSH_ASKPASS="/usr/libexec/openssh/gnome-ssh-askpass"
declare -x SSH_CLIENT="172.16.100.254 6013 22"
declare -x SSH_CONNECTION="172.16.100.254 6013 172.16.100.1 22"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm"
declare -x USER="root"
[root@Smoke pam.d]# cat /etc/security/pam_env.conf (show the contents of pam_env.conf)
# $Date: 2005/08/16 12:27:42 $
# $Author: kukuk $
# $Id: pam_env.conf,v 1.1 2005/08/16 12:27:42 kukuk Exp $
#
# This is the configuration file for pam_env, a PAM module to load in 
# a configurable list of environment variables for a 
# 
# The original idea for this came from Andrew G. Morgan ...
#<quote>
#   Mmm. Perhaps you might like to write a pam_env module that reads a
#   default environment from a file? I can see that as REALLY
#   useful... Note it would be an "auth" module that returns PAM_IGNORE
#   for the auth part and sets the environment returning PAM_SUCCESS in
#   the setcred function...
#</quote>
#
# What I wanted was the REMOTEHOST variable set, purely for selfish
# reasons, and AGM didn't want it added to the SimpleApps login
# program (which is where I added the patch). So, my first concern is
# that variable, from there there are numerous others that might/would
# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
#
# Of course, these are a different kind of variable than REMOTEHOST in
# that they are things that are likely to be configured by
# administrators rather than set by logging in, how to treat them both
# in the same config file?
#
# Here is my idea: 
#
# Each line starts with the variable name, there are then two possible
# options for each variable DEFAULT and OVERRIDE. 
# DEFAULT allows and administrator to set the value of the
# variable  to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# to use. OVERRIDE is not used, "" is assumed and no override will be
# done. 
#
# VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]
#
# (Possibly non-existent) environment variables may be used in values
# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
# be used in values using the @{string} syntax. Both the $ and @
# characters can be backslash escaped to be used as literal values
# values can be delimited with "", escaped " not supported.
# Note that many environment variables that you would like to use
# may not be set by the time the module is called.
# For example, HOME is used below several times, but 
# many PAM applications don't make it available by the time you need it.
#
#
# First, some special variables
#
# Set the REMOTEHOST variable for any hosts that are remote, default
# to "localhost" rather than not being set at all
#REMOTEHOST	DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
#
# Set the DISPLAY variable if it seems reasonable 
#DISPLAY		DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
#
#
#  Now some simple variables
#
#PAGER		DEFAULT=less
#MANPAGER	DEFAULT=less
#LESS		DEFAULT="M q e h15 z23 b80"
#NNTPSERVER	DEFAULT=localhost
#PATH		DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
#
# silly examples of escaped variables, just to show how they work.
#
#DOLLAR		DEFAULT=\$
#DOLLARDOLLAR	DEFAULT=	OVERRIDE=\$${DOLLAR}
#DOLLARPLUS	DEFAULT=\${REMOTEHOST}${REMOTEHOST}
#ATSIGN		DEFAULT=""	OVERRIDE=\@
[root@Smoke pam.d]# cat /etc/shadow (show the contents of shadow)
[root@Smoke pam.d]# cat /etc/group | grep wheel (show /etc/group and pipe the result to grep so that only the wheel line is displayed)
wheel:x:10:root
[root@Smoke pam.d]# vim su (edit su)

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
[root@Smoke ~]# cat /etc/motd (show the contents of motd)
[root@Smoke ~]# vim /etc/motd (edit motd)

Welcome to

Test: using the Xshell client, log in to the Linux system as user root with password smoke520;

[c:\~]$ ssh 172.16.100.1


Connecting to 172.16.100.1:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Fri Jan 22 20:34:56 2016 from 172.16.100.254
Welcome to (the contents of /etc/motd are displayed)
[root@Smoke ~]#