
User Authentication HOWTO


Peter Hernberg

Japanese translation (translator's name is garbled in this copy; see Section 7.1)


2000/05/02


This document explains how user and group information is stored on a Linux
system, how users are authenticated (PAM), and how to make your system's user
authentication more secure.



Table of Contents
1. Introduction
    1.1. How this document came to be
    1.2. New versions of this document
    1.3. Feedback
    1.4. Version history
    1.5. Copyright and license
    1.6. Acknowledgements
    1.7. Assumptions about the reader


2. How user information is stored on your system
    2.1. /etc/passwd
    2.2. Shadow passwords
    2.3. /etc/group and /etc/gshadow
    2.4. MD5 encrypted passwords
    2.5. Sorting out the mess


3. PAM (Pluggable Authentication Modules)
    3.1. Why PAM
    3.2. What is PAM
    3.3. Configuring PAM
    3.4. Getting more information


4. Securing user authentication
    4.1. A strong /etc/pam.d/other file
    4.2. Disabling logins for users with null passwords
    4.3. Disabling unused services
    4.4. Password-cracking tools
    4.5. Shadow and MD5 passwords


5. Putting it to use
    5.1. Apache + mod_auth_pam
    5.2. The example
    5.3. Installing mod_auth_pam
    5.4. Configuring PAM
    5.5. Configuring Apache
    5.6. Testing the setup


6. Resources
    6.1. PAM
    6.2. General security
    6.3. Offline


7. Conclusion
    7.1. About the Japanese translation
   
   

1. Introduction

1.1. How this document came to be

When I tried to add a (not really necessary) network service to my home
network, I got thoroughly stuck on the question of authentication. So I
decided to work out how authentication actually functions on a Linux system
and write it up as a HOWTO, which also became my senior project. I hope it
helps readers understand authentication, a complex but very important blind
spot of system administration.


1.2. New versions of this document

Once my own domain is up, the newest version of this document will be found
there. Until then, please get it from http://www.linuxdoc.org.


1.3. Feedback

Comments, suggestions, criticism and UFO sightings are all welcome at
petehern@yahoo.com


1.4. Version history

v0.1 (May 13, 2000) First version (unreleased)

v0.3 (May 14, 2000) (unreleased)

v0.5 (May 15, 2000) Added the "Securing user authentication" and
"Resources" chapters (unreleased)

v0.7 (May 15, 2000): released


1.5. Copyright and license

(c) 2000 Peter Hernberg

This manual may be reproduced in whole or in part, without fee, subject to
the following restrictions:

 * The copyright notice above and this permission notice must be preserved
   complete on all complete or partial copies.

 * Any translation or derived work must be approved by the author in writing
   before distribution.

 * If you distribute this work in part, instructions for obtaining the
   complete version of this manual must be included, and a means for
   obtaining a complete version provided.

 * Small portions may be reproduced as illustrations for reviews or quotes
   in other works without this permission notice if proper citation is
   given. Exceptions to these rules may be granted for academic purposes;
   write to the author and ask. These restrictions are here to protect the
   author, not to restrict learners and educators. The source code of this
   document (the SGML form it is written in) is placed under the GNU General
   Public License, which is available via anonymous FTP from the GNU
   archive.
   



1.6. Acknowledgements

Thanks to my family for putting up with me for 18 years. Thanks to the
Debian folks for a great playground. Thanks to CGR for paying me to be a
geek. Thanks to Sandy Harris for his helpful suggestions. Finally, thanks to
the makers of instant noodles; without you I could not have done it.


1.7. Assumptions about the reader

Throughout this document it is assumed that the reader is comfortable
running commands at the command line and editing text-based configuration
files.


2. How user information is stored on your system

2.1. /etc/passwd

On almost every Linux distribution (and on commercial *nixes, too), user
information is stored in /etc/passwd. It is a plain text file that holds the
user's login name, encrypted password, unique user ID number (the uid), group
ID number (the gid), an optional comment (usually the user's full name,
phone number and the like), home directory and preferred shell. A typical
entry in /etc/passwd looks like this:
  pete:K3xcO1Qnx8LFN:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash

As you can see, it is quite straightforward. Each entry consists of the seven
fields listed above, separated by colons. If this were all there was to user
authentication, this HOWTO would be unnecessary.


2.2. Shadow passwords

If you look at your own /etc/passwd, the entries probably look like this
instead:
  pete:x:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash

Where did the encrypted password go? A little explanation is needed before
answering that.

/etc/passwd contains the encrypted password of every user on the system, and
the file is readable by every user, so every user can see everyone else's
encrypted password. The passwords are encrypted, to be sure, but that is no
obstacle to a password-cracking tool. Shadow passwords were developed to
counter this security threat.

On a system with shadow passwords enabled, the password field of
/etc/passwd is replaced with x, and the real encrypted passwords are kept in
/etc/shadow, which only root can read, so ordinary users cannot crack each
other's passwords. Each entry in /etc/shadow holds the login name, the
encrypted password and several fields concerning password expiry. A typical
entry looks like this:
    pete:/3GJllg1o4152:11009:0:99999:7:::

The numeric fields are, in order: the day of the last password change
(counted in days since 1970-01-01, so 11009 is 2000-02-22), the minimum and
maximum number of days between changes (0 and 99999 here), the number of
days' warning before expiry (7), and then the inactivity period, the account
expiry date and a reserved field, all empty in this entry.
                                                                               


2.3. /etc/group and /etc/gshadow

Group information is stored in /etc/group. It is similar in form to
/etc/passwd: each entry holds the group name, the group password, the group
ID number (gid) and a comma-separated list of the group's members. An entry
in /etc/group looks like this:
   pasta:x:103:spagetti,fettucini,linguine,vermicelli

As the "x" in the password field shows, group passwords can be shadowed as
well. Groups seldom have passwords of their own, but note that shadowed
group passwords are stored in /etc/gshadow.

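As an added example (not part of the original HOWTO), the following Python
script parses the three record formats described above and flags the problems
a practitioner checks for first: password hashes still sitting in the
world-readable /etc/passwd, accounts whose shadow entry has an empty password
field, extra uid-0 accounts, and hashes still in the 13-character traditional
crypt() form. The sample records are constructed for the example; the "toor"
account and the passwordless ftp entry are illustrations, not data from any
real system.

```python
"""Audit passwd/shadow/group records (added example, not from the HOWTO).

The field layouts are those of passwd(5), shadow(5) and group(5); the
sample records at the bottom are constructed for this example."""
from datetime import date, timedelta

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")
GROUP_FIELDS = ("name", "passwd", "gid", "members")


def parse_records(text, fields):
    """Split colon-separated lines into dicts; refuse lines with a wrong
    field count instead of silently misreading them."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: {len(fields)} fields expected, "
                             f"{len(parts)} found")
        records.append(dict(zip(fields, parts)))
    return records


def hash_scheme(field):
    """Classify a password field the way the HOWTO describes them."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    if field.startswith("$1$"):
        return "md5"
    if len(field) == 13 and "$" not in field:
        return "des"
    return "other"


def last_change(shadow_rec):
    """Turn the shadow 'lastchg' day count into a date (None if unset)."""
    if shadow_rec["lastchg"] == "":
        return None
    return date(1970, 1, 1) + timedelta(days=int(shadow_rec["lastchg"]))


def group_members(group_text, group_name):
    """Members listed for a group in /etc/group (empty list if absent)."""
    for rec in parse_records(group_text, GROUP_FIELDS):
        if rec["name"] == group_name:
            return [m for m in rec["members"].split(",") if m]
    return []


def audit(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs."""
    findings = []
    shadow = {r["name"]: r for r in parse_records(shadow_text, SHADOW_FIELDS)}
    for rec in parse_records(passwd_text, PASSWD_FIELDS):
        name, pw = rec["name"], rec["passwd"]
        if rec["uid"] == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "x":
            if name not in shadow:
                findings.append((name, "marked shadowed but has no /etc/shadow entry"))
                continue
            scheme = hash_scheme(shadow[name]["passwd"])
        else:
            findings.append((name, "password hash in world-readable /etc/passwd"))
            scheme = hash_scheme(pw)
        if scheme == "empty":
            findings.append((name, "empty password: logs in with no password if nullok is set"))
        elif scheme == "des":
            findings.append((name, "traditional crypt() hash (8-character limit, fast to crack)"))
    return sorted(findings)


# Constructed sample data for the example (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pete:K3xcO1Qnx8LFN:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash
ftp:x:40:40:ftp daemon:/var/ftp:/bin/false
toor:x:0:0:constructed backdoor account:/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:11009:0:99999:7:::
ftp::11009:0:99999:7:::
toor:*:11009:0:99999:7:::
"""
SAMPLE_GROUP = "pasta:x:103:spagetti,fettucini,linguine,vermicelli\n"

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On a real system you would feed it the contents of /etc/passwd and
/etc/shadow (the latter requires root); a locked hash such as "*" or "!" is
deliberately not reported, since an account that cannot authenticate by
password is the desired state for service accounts.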

2.4. MD5 encrypted passwords

Traditionally, Unix passwords have been encrypted with the standard crypt()
function (see the crypt(3) manual page for details). As computers became
faster, passwords encrypted with this function became easier to crack, and
with the arrival of the Internet came tools that spread a password-cracking
job across many hosts. Many newer distributions therefore offer the option of
encrypting passwords with the stronger MD5 hash algorithm instead (the MD5
algorithm is specified in RFC 1321). MD5 passwords do not remove the threat
of password cracking altogether, but they make cracking considerably harder.

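As an added example (not from the original HOWTO), here is the MD5-based
crypt scheme this section refers to, the "$1$" format introduced by
Poul-Henning Kamp for FreeBSD and adopted by Linux, written in Python on top
of hashlib's RFC 1321 MD5. The point to take from it is why it slowed
crackers down in 2000: the password is mixed with a per-user salt of up to
eight characters and then pushed through 1000 chained MD5 rounds, whereas
traditional crypt() uses a two-character salt and silently ignores everything
after the eighth character of the password. By today's standards MD5-crypt is
itself considered weak (GPUs compute it very quickly); current distributions
default to SHA-512 crypt ($6$) or yescrypt ($y$), and new systems should not
be set up with $1$. The test vector checked at the end is the one printed in
the PHP manual's crypt() documentation.

```python
"""MD5-crypt ("$1$") password hashing, as used by pam_unix when MD5
passwords are enabled. Added example built on hashlib; not code from the
HOWTO. The algorithm follows Poul-Henning Kamp's original md5crypt."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def generate_salt(length=8):
    """Random salt from the crypt alphabet (8 chars is the $1$ maximum)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def md5crypt(password, salt):
    pw = password.encode()
    salt = salt.split("$")[0][:8]          # at most 8 chars, stops at '$'
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    # Alternate sum of pw/salt/pw, fed in 16-byte chunks up to len(pw).
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # For each bit of len(pw): a NUL byte if set, else the first byte of pw.
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    # 1000 dependent rounds: this is what makes md5crypt slower than crypt().
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Scramble the 16 output bytes into 22 characters in the fixed order.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def verify(password, stored):
    """Check a candidate against a stored $1$salt$hash string."""
    if not stored.startswith("$1$"):
        return False                      # locked ("*", "!") or another scheme
    salt = stored[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), stored)
```

verify() compares with hmac.compare_digest so that the comparison time does
not depend on where the two strings first differ; a plain == is the kind of
detail that is easy to get wrong in hand-written authentication code.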

2.5. Sorting out the mess

As the sections above show, there are several ways the information used to
authenticate users can be stored on a system (shadow passwords without MD5,
MD5 passwords in /etc/passwd without shadowing, and so on). How do programs
such as login and su know how to check a user's password? What do you do if
you want to change the way your system stores passwords? And how do all the
programs that need a user's password learn that the storage method has
changed? This is where PAM comes in.


3. PAM (Pluggable Authentication Modules)

PAM (Pluggable Authentication Modules) is the core of user authentication on
every modern distribution.


3.1. Why PAM

In the good old days of Linux, when a program such as su, passwd, login or
xlock needed to authenticate a user, it simply read the necessary user
information out of /etc/passwd. If it needed to change a password, it simply
edited /etc/passwd. This simple but clumsy approach caused system
administrators and application developers no end of headaches. Once MD5 and
shadow passwords came into wide use, every program that authenticated users
had to know about every possible scheme and pick the right one for the
system it was running on, and whenever the authentication scheme changed,
every one of those programs had to be recompiled. PAM does away with this
mess by letting programs authenticate users transparently, no matter how the
user information is stored.


3.2. What is PAM

Quoting the Linux-PAM System Administrator's Guide: "It is the purpose of the
Linux-PAM project to separate the development of privilege-granting software
from the development of secure and appropriate authentication schemes. This
is accomplished by providing a library of functions that an application may
use to request that a user be authenticated." In other words, with PAM it no
longer matters whether your passwords live in /etc/passwd or on a server on
the other side of the world. When a program needs to authenticate a user, PAM
supplies a library containing the functions for the appropriate
authentication scheme. Because that library is loaded dynamically, changing
the authentication scheme is just a matter of editing a configuration file.

Flexibility is one of PAM's greatest strengths. PAM can be configured to
forbid certain programs to authenticate users, to warn whenever a program
attempts to authenticate a user, or even to deny every user the right to log
in. PAM's modular design gives you complete control over how users are
authenticated.


3.2.1. Distributions that support PAM

Nearly every major distribution supports PAM. The following (incomplete)
list shows which do:

 * Red Hat version 5.0 and later

 * Mandrake 5.2 and later

 * Debian version 2.1 and later (partial support in 2.1, full support in
   2.2)

 * Caldera version 1.3 and later

 * Turbolinux version 3.6 and later

 * SuSE version 6.2 and later

 * (Translator's note) Vine, all versions

 * (Translator's note) Kondara, all versions

This list is surely incomplete and possibly inaccurate. Please send
additions and corrections to petehern@yahoo.com


3.2.2. Installing PAM

Installing PAM from source is time-consuming and beyond the scope of this
HOWTO. If your system does not have PAM installed, you are probably running
an old version of your distribution that ought to be upgraded for plenty of
other reasons anyway. And if you are determined to build it yourself, you
certainly do not need my help. From here on, this document assumes that PAM
is installed.


3.3. Configuring PAM

That is enough generalities; let us get down to specifics.


3.3.1. PAM configuration files

PAM's configuration files live in /etc/pam.d. (Do not worry if there is no
/etc/pam.d directory on your system; that case is covered below.) Let us
change to that directory and look around:
  ~$ cd /etc/pam.d
  /etc/pam.d/$ ls
  chfn  chsh    login   other   passwd  su      xlock
  /etc/pam.d/$

Which files appear here depends on what is installed on your system, but
roughly speaking there is one file for each program that authenticates
users. As you may have noticed, each PAM configuration file is named after
the program it applies to (other is the exception; it is discussed later).
Let us look at the configuration file for login (simplified here for
readability):
  /etc/pam.d/$ cat login
  # PAM configuration file for the login program
  auth       requisite  pam_securetty.so
  auth       required   pam_nologin.so
  auth       required   pam_env.so
  auth       required   pam_unix.so nullok
  account    required   pam_unix.so
  session    required   pam_unix.so
  session    optional   pam_lastlog.so
  password   required   pam_unix.so nullok obscure min=4 max=8

Before going into this file, a word of help.


3.3.2. A word of help

You may be thinking: "Hold on, there is no /etc/pam.d directory on my system.
My distribution's list of included programs says PAM is there, but the
directory is not. Is something wrong, or does 'having' PAM mean something
else?" Do not worry; nothing is wrong. If your distribution includes PAM but
there is no /etc/pam.d, the PAM configuration is stored in /etc/pam.conf
instead: rather than being spread over several files, all of the PAM
configuration sits in that single file. PAM behaves slightly differently in
that case, which is explained in Section 3.3.4, "Configuring PAM with the
pam.conf file".


3.3.3. Structure of a configuration file

A PAM configuration file has the following structure:
  type  control  module-path  module-arguments

Let us use the login configuration file (shown just above) as a reference
for walking through the structure of a PAM file.


PAM configuration terms

type
    The type field tells PAM what kind of authentication the module on this
    line performs. Modules of the same type can be stacked, which makes the
    user satisfy several requirements before being authenticated. PAM knows
    the following four types:

    account
        Checks whether the user is permitted to use the service, whether the
        password has expired, and so on (matters unrelated to the password
        itself).

    auth
        Checks that the user is who they claim to be. This is usually done
        with a password, but something more exotic such as biometrics could
        be used as well.

    password
        Provides the mechanism by which the user changes their means of
        authentication, which usually means changing the password.

    session
        Specifies what is to be done before and/or after the user is
        authenticated. This can include mounting and unmounting the user's
        home directory, logging logins and logouts, or restricting and
        un-restricting the services available to the user.


    As you can see, the login configuration file above has at least one
    entry of each type. Since login is, as its name says, the program that
    logs users in to the system, it naturally needs access to every type
    during authentication.

control
    The control field tells PAM what to do when authentication by this
    module fails. PAM knows the following four control values:

    requisite
        If authentication by this module fails, PAM denies authentication
        immediately.

    required
        If authentication by this module fails, the result is failure, but
        PAM first runs every remaining module of the same type that is
        stacked for the service before telling the user. An attacker
        therefore cannot tell which of the stacked modules rejected them.

    sufficient
        If this module succeeds and no earlier required module in the same
        stack has failed, PAM grants authentication without running the
        remaining modules of that type. Its own failure is ignored. (A
        sufficient success does not undo an earlier required failure.)

    optional
        The success or failure of this module only matters when it is the
        only module of its type for the service; otherwise its result is
        ignored.


    The login configuration file uses nearly every control value. Most of
    the required modules are pam_unix.so (the main authentication module);
    the one requisite module is pam_securetty.so (which checks that the user
    is logging in from a secure console), and the one optional module is
    pam_lastlog.so (which retrieves information about the user's last
    login).

    (Note: a newer, more expressive syntax for the control field, written
    as a bracketed list of [value=action ...] pairs, has since been
    introduced. See The Linux-PAM System Administrators' Guide for details.)

module-path
    The module-path field tells PAM which module to use and, optionally,
    where to find it. As the login file shows, most configuration files just
    name the module, in which case PAM looks in its default module
    directory, normally /usr/lib/security/. If your distribution does not
    follow the Linux filesystem standard exactly, the PAM modules may
    instead be under /lib/security (or, on current multiarch systems, an
    architecture-specific directory such as /lib/x86_64-linux-gnu/security).

module-arguments
    The module-arguments field specifies the arguments passed to the module.
    Each module has its own set of arguments. For example, in the login
    configuration file "nullok" (meaning "null ok") is passed to
    pam_unix.so; it means that an empty (null) password is acceptable for
    authentication.

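To make the control flags concrete, here is an added example (not code from
the HOWTO or from Linux-PAM) that parses rules in the pam.d format above and
evaluates the stack of one type under the four classic control values, with
module results supplied as a table instead of loading real modules. It
reproduces the behaviour described above, including the two points that are
easy to get wrong: a required failure does not stop the stack (the remaining
modules still run, so an attacker cannot tell which one rejected them), and a
sufficient success does not rescue a stack in which a required module has
already failed. The login file it evaluates is the one shown in this section;
the su-style stack with pam_rootok.so is constructed for the example.

```python
"""Simulate a Linux-PAM module stack for one type (auth, account, password,
session). Added example; module results are supplied as a dict rather than
by loading the real .so files."""
from collections import namedtuple

Rule = namedtuple("Rule", "type control module args")
CONTROLS = ("requisite", "required", "sufficient", "optional")
TYPES = ("auth", "account", "password", "session")


def parse_pam_config(text):
    """Parse 'type control module-path [module-arguments]' lines.
    The newer bracketed '[value=action ...]' control syntax is not handled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in TYPES or parts[1] not in CONTROLS:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules


def run_stack(rules, mtype, results):
    """Evaluate the stack of the given type. `results` maps module name to
    True/False; a module missing from it is treated as failing, as PAM does
    for a module it cannot load. Returns (outcome, list of modules run)."""
    stack = [r for r in rules if r.type == mtype]
    if not stack:
        return "fail", []                 # no rules of this type at all
    ran = []
    required_failed = False
    for rule in stack:
        ok = results.get(rule.module, False)
        ran.append(rule.module)
        if rule.control == "requisite" and not ok:
            return "fail", ran            # stop immediately
        if rule.control == "required" and not ok:
            required_failed = True        # remember, but keep running
        if rule.control == "sufficient" and ok and not required_failed:
            return "success", ran         # rest of the stack is skipped
        if rule.control == "optional" and len(stack) == 1:
            required_failed = not ok      # only decisive when alone
    return ("fail" if required_failed else "success"), ran


# The login configuration shown earlier in this section.
LOGIN_CONFIG = """\
auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
password   required   pam_unix.so nullok obscure min=4 max=8
"""

# Constructed su-style stack: root needs no password, others go to pam_unix.
SU_CONFIG = """\
auth       sufficient pam_rootok.so
auth       required   pam_unix.so
"""

ALL_OK = {"pam_securetty.so": True, "pam_nologin.so": True, "pam_env.so": True,
          "pam_unix.so": True, "pam_lastlog.so": True, "pam_rootok.so": True}


def login_auth(results):
    return run_stack(parse_pam_config(LOGIN_CONFIG), "auth", results)


def login_session(results):
    return run_stack(parse_pam_config(LOGIN_CONFIG), "session", results)


def su_auth(results):
    return run_stack(parse_pam_config(SU_CONFIG), "auth", results)


if __name__ == "__main__":
    print(login_auth(ALL_OK))
    print(login_auth({**ALL_OK, "pam_securetty.so": False}))
    print(su_auth(ALL_OK))
```

Try changing the login file's pam_securetty.so line from requisite to
required and re-running: the outcome is the same, but all four auth modules
now run, which is the difference between the two controls.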


3.3.4. Configuring PAM with the pam.conf file

If your PAM configuration is kept in /etc/pam.conf rather than in the
/etc/pam.d/ directory, the format is slightly different. Instead of one
configuration file per service, all of the configuration is written in
/etc/pam.conf, with the service name as the first field of each line. So
where /etc/pam.d/login contains the line
    auth       required   pam_unix.so

/etc/pam.conf would contain
    login       auth       required   pam_unix.so

Apart from that difference, everything said about the structure of PAM
configuration files applies to pam.conf as well.


3.4. Getting more information

When you need detailed information, such as a complete PAM configuration
reference or a list of all PAM modules, consult the Linux-PAM System
Administrator's Guide. It covers everything about PAM configuration and is
the most authoritative reference available.


4. Securing user authentication

Most distributions ship with user authentication settings that are not as
secure as they should be. This chapter lists ways to make your system's
authentication more secure. Doing everything here will make your system
safer, but never assume that it is completely secure as a result.


4.1. A strong /etc/pam.d/other file

Every file in /etc/pam.d configures authentication for one service. The
first one that deserves attention is /etc/pam.d/other, which holds the
configuration for every service that does not have a configuration file of
its own. For example, when a (hypothetical) service called xyz tries to
authenticate a user, PAM looks for the file /etc/pam.d/xyz; if it is not
there, authentication is governed by /etc/pam.d/other instead. Since
/etc/pam.d/other is the last resort for PAM services, its security matters a
great deal. Two ways of setting it up securely are described here: one
rather paranoid, one more lenient.


4.1.1. A paranoid configuration

A paranoid /etc/pam.d/other looks like this:
    auth        required        pam_deny.so
    auth        required        pam_warn.so
    account     required        pam_deny.so
    account     required        pam_warn.so
    password    required        pam_deny.so
    password    required        pam_warn.so
    session     required        pam_deny.so
    session     required        pam_warn.so

With this configuration, whenever an unknown service tries to use any of the
four types, PAM denies authentication (the pam_deny.so module) and writes a
warning to the system log (the pam_warn.so module). Because pam_deny.so is
listed as required rather than requisite, the stack continues after the
denial, so pam_warn.so still runs and the attempt is logged. Short of a bug
in PAM itself, this configuration is rock solid. Its weakness is that you
may run into trouble if you accidentally delete another service's
configuration file: delete /etc/pam.d/login by mistake and you may find you
can no longer log in at all.


4.1.2. A lenient configuration

The following configuration is more lenient:
    auth        required        pam_unix.so
    auth        required        pam_warn.so
    account     required        pam_unix.so
    account     required        pam_warn.so
    password    required        pam_deny.so
    password    required        pam_warn.so
    session     required        pam_unix.so
    session     required        pam_warn.so

Here unknown services are allowed to authenticate users (through the
pam_unix.so module), but not to change a user's password. Authentication is
permitted, yet a warning is still written to the system log every time a
service tries to authenticate.


4.1.3. The importance of /etc/pam.d/other

Unless you have a special reason not to, set up /etc/pam.d/other before
anything else. "Secure by default" is a good policy in every situation. If a
new service needs some type of authentication, write a PAM configuration
file for that service.


4.2. Disabling logins for users with null passwords

Most Linux systems have "dummy" user accounts that exist to give limited
privileges to system services such as ftp, the web server or the mail
gateway. Admittedly, these accounts do make the system safer: an attacker
who compromises a service running as one of them gains only the limited
privileges of that dummy account, not root (though that alone does not make
a system secure). But if a dummy account can log in with no password at all
(a null password), all of that is for nothing, and allowing such logins is a
serious security risk. The option that permits logging in without a
password is the "nullok" module argument. Remove it from every "auth" type
module of every login service. A login service here usually means the login
service itself, but may include rlogin, ssh and the like. So this line in
/etc/pam.d/login:
   auth         required        pam_unix.so     nullok

should be changed to:
   auth         required        pam_unix.so

It is also worth checking that no account in /etc/shadow actually has an
empty password field; accounts that are never meant to log in should carry
a locked value such as "*" or "!" in that field.


4.3. Disabling unused services

Looking through /etc/pam.d you will probably find configuration files for
programs you never use, or have never even heard of. Leaving these services
able to authenticate users is probably not a gaping security hole, but it is
better to forbid it anyway. The easiest way to stop PAM from authenticating
for a program is to rename its configuration file. Since PAM looks for a
file with the same name as the program that is asking for authentication,
the renamed file is no longer found and PAM falls back to the (hopefully)
secure /etc/pam.d/other. If you later need the program after all, rename
the file back and everything works as intended again.

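The three recommendations in Sections 4.1 to 4.3 (a deny-by-default other
file, no nullok on the auth lines of login services, and disabling a service
by renaming its file) can be checked mechanically. The following added
example (not from the HOWTO) models /etc/pam.d as an in-memory dictionary of
file name to contents, resolves a service name to the file PAM would consult,
audits the other file and every auth line, and produces the corrected
contents of a file with nullok removed from its auth lines only, leaving the
password line alone as Section 4.2 says. The service files in it are
constructed for the example, apart from the login file, which is the one
shown in Section 3.3.1, and the paranoid other file from Section 4.1.1.

```python
"""Audit an /etc/pam.d tree for the issues in Sections 4.1-4.3.
Added example; PAM_D below is a constructed stand-in for the directory."""

PARANOID_OTHER = """\
auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
account     required        pam_warn.so
password    required        pam_deny.so
password    required        pam_warn.so
session     required        pam_deny.so
session     required        pam_warn.so
"""

LOGIN = """\
auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
password   required   pam_unix.so nullok obscure min=4 max=8
"""

# Constructed: a mail service with a weak stack, and chfn disabled by renaming.
PAM_D = {
    "login": LOGIN,
    "other": PARANOID_OTHER,
    "imap": "auth required pam_unix.so nullok\naccount required pam_unix.so\n",
    "chfn.disabled": "auth required pam_unix.so\naccount required pam_unix.so\n",
}


def rules(text):
    """(type, control, module, args) for each non-comment line."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            out.append((parts[0], parts[1], parts[2], parts[3:]))
    return out


def resolve_service(pam_d, service):
    """File PAM consults for a service: its own, else 'other', else None
    (with neither present, Linux-PAM uses its compiled-in fallback)."""
    if service in pam_d:
        return service
    return "other" if "other" in pam_d else None


def audit_pam_d(pam_d):
    """Return (file, finding) pairs for the checks in Sections 4.1 and 4.2."""
    findings = []
    other = pam_d.get("other")
    if other is None:
        findings.append(("other", "missing; unknown services rely on the built-in fallback"))
    else:
        for mtype in ("auth", "account", "password", "session"):
            mods = [m for t, _, m, _ in rules(other) if t == mtype]
            if "pam_deny.so" not in mods:
                findings.append(("other", f"{mtype} stack does not deny unknown services"))
    for name, text in sorted(pam_d.items()):
        for mtype, _, module, args in rules(text):
            if mtype == "auth" and "nullok" in args:
                findings.append((name, f"{module} accepts empty passwords (nullok)"))
    return findings


def strip_nullok_from_auth(text):
    """Section 4.2's fix: drop 'nullok' from auth lines, keep other lines."""
    fixed = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "auth":
            line = " ".join(p for p in parts if p != "nullok")
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for name, finding in audit_pam_d(PAM_D):
        print(f"{name}: {finding}")
    print("chfn ->", resolve_service(PAM_D, "chfn"))
```

To run it against a real directory, build the dictionary from the files in
/etc/pam.d; the lenient other file of Section 4.1.2 will be reported for its
auth, account and session stacks, which is the trade-off that section
describes.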

4.4. Password-cracking tools

Password-cracking tools are used by attackers for destructive purposes, but
a system administrator can use the same tools proactively, to check how
strong the system's passwords really are. The two most widely used are
"crack" and "John the Ripper". crack probably comes with your favourite
distribution. John the Ripper was available from
http://www.false.com/security/john/index.html (it is now maintained at
https://www.openwall.com/john/). Run either against your password database
and you will probably be surprised by the results.

There is also a PAM module, pam_cracklib, that tests every new password a
user chooses against the crack library. With this module installed, users
cannot change their password to anything below a certain minimum strength.
(Current distributions provide the same check with pam_pwquality.)


4.5. Shadow and MD5 passwords

As explained in the previous chapter, shadow passwords and MD5 passwords make
your system more secure. Recent distributions ask during installation
whether to enable MD5 and shadow passwords; unless you have a specific
reason not to, enable both. Converting an existing system that uses neither
shadow nor MD5 passwords is a complicated procedure and is beyond the scope
of this document. The Shadow Password HOWTO (a Japanese translation exists)
is a little dated, but still useful.


5. Putting it to use

This chapter works through a simple example; it should help tie together
everything in the previous chapters.


5.1. Apache + mod_auth_pam

As our example we install and configure mod_auth_pam, an Apache module that
uses PAM to authenticate users of a web server. Since the point of the
example is PAM, Apache is assumed to be installed already. If it is not, a
ready-made package should be available from your Linux distribution.


5.2. The example

The goal is to create a directory called family on the web server and
protect it with PAM authentication. The directory holds the personal pages
of family members, so users who are not members of the group family must be
unable to reach it.


5.3. Installing mod_auth_pam

First, download mod_auth_pam from http://blank.pages.de/pam/mod_auth_pam.
Then compile it with the following commands (you need to be logged in as
root):
   ~# tar xzf mod_auth_pam.tar.gz
   ~# cd mod_auth_pam-1.0a
   ~/mod_auth_pam-1.0a# make
   ~/mod_auth_pam-1.0a# make install

If the installation fails, check that your distribution's apache-dev
package (or whatever it calls the Apache development files) is installed.
Once mod_auth_pam is installed, Apache must be restarted, which is normally
done with the following command (again as root):
   ~# /etc/init.d/apache restart
                                                                               


5.4. Configuring PAM

Apache's PAM configuration goes in /etc/pam.d/httpd. The default file
(installed together with mod_auth_pam) is not insecure, but it uses the
pam_pwdb.so module, which does not work on many systems (and you will learn
more by writing the configuration yourself). So delete /etc/pam.d/httpd and
start from scratch.

One caveat before you do: to verify a password, pam_unix.so has to read
/etc/shadow, which the unprivileged user Apache runs as cannot do, and its
setuid helper unix_chkpwd only checks the calling user's own password when
invoked by a non-root process. In practice this means either giving the web
server's user read access to /etc/shadow, which hands every password hash
to a network-facing process and undoes much of the protection described in
Section 2.2, or accepting that checks of other users' passwords will fail.
Weigh that before using this setup on a real server.


5.4.1. Deciding on the PAM configuration

Before deciding how PAM should handle Apache's authentication requests, we
have to be precise about what PAM needs to check. First, PAM must verify
that the password supplied by the user matches the one in the standard Unix
password database. That is the job of the "auth" type with the pam_unix.so
module. To make authentication fail when the password is wrong, the
module's control is set to "required". So the first line of
/etc/pam.d/httpd in this case is:
     auth       required        pam_unix.so

Next, we must verify that the user's account is valid (that is, that there
are no problems such as an expired password). This is the "account" type,
and the check is again provided by the pam_unix.so module, once more with
the "control" set to "required". With that line added, /etc/pam.d/httpd
looks like this:
     auth       required        pam_unix.so
     account    required        pam_unix.so

This configuration is not very sophisticated, but it works, and it is a
good starting point for learning how to configure PAM services.


5.5. Configuring Apache

Now that PAM is set up to handle Apache's authentication requests, Apache
itself must be configured to use PAM to restrict access to the family
directory. Add the following lines to the httpd.conf file (usually found in
/etc/apache or /etc/httpd):
    <Directory /var/www/family>
    AuthPAM_Enabled on
    AllowOverride None
    AuthName "Family Secrets"
    AuthType "basic"
    require group family
    </Directory>

If your web content lives somewhere other than /var/www, for example the
older default location /home/httpd, change the path accordingly. Either way,
the family directory itself has to be created.

Before testing, a brief explanation of the Apache configuration just added.
The <Directory> directive encapsulates the settings for one directory.
Inside it we enable PAM authentication ("AuthPAM_Enabled on"), forbid
overriding these settings from elsewhere ("AllowOverride None"), name the
protected realm "Family Secrets" ("AuthName "Family Secrets""), set the
HTTP authentication type to basic, the only type PAM authentication can use
("AuthType "basic""), and restrict access to members of the user group
family ("require group family").

Note that HTTP basic authentication sends the user name and password to the
server encoded in base64, which is as good as cleartext, so this directory
should only be served over an encrypted (HTTPS) connection; otherwise the
Unix passwords it checks can be read off the wire.


5.6. Testing the setup

With everything in place, it is time to try it out. Fire up your favourite
browser and point it at http://your-domain/family/ (of course, replace
your-domain with your own domain). You are now an uber-authenticator.


6. Resources

There are many resources, both online and offline, where you can learn more
about user authentication. If you know of one that should be on this list,
please let me know at petehern@yahoo.com


6.1. PAM

 * Linux-PAM System Administrator's Guide

 * Linux-PAM Module Writer's Manual

 * Linux-PAM Application Developer's Manual
   



6.2. General security

 * linuxsecurity.com

 * securitywatch.com

 * Security HOWTO (a Japanese translation exists)

 * Packetstorm
   



6.3. Offline

Your system's manual pages are a rich source of information. The following
manual pages relate to user authentication; the number in parentheses is the
manual section, so for passwd(5) type man 5 passwd.

 * passwd(5)

 * crypt(3)

 * pam.d(5)

 * group(5)

 * shadow(5)
   



7. Conclusion

I hope you found this HOWTO useful. Comments, suggestions and corrections
are very welcome by e-mail; the address is
petehern@yahoo.com


7.1. About the Japanese translation

Translation: [translator's name not recoverable from this copy]

Please send corrections to the translation and suggestions for improvement
to JF@linux.or.jp or ysenda@pop01.odn.ne.jp.
