LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Remote-Serial-Console-HOWTO/misc-pam.html

407 lines
7.6 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Configure Pluggable Authentication Modules</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Remote Serial Console HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Configure incidentals"
HREF="misc.html"><LINK
REL="PREVIOUS"
TITLE="Alter target of /dev/systty"
HREF="misc-devsystty.html"><LINK
REL="NEXT"
TITLE="Configure Red Hat Linux"
HREF="misc-configure-rhl.html"></HEAD
><BODY
CLASS="SECTION"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Remote Serial Console HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="misc-devsystty.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 7. Configure incidentals</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="misc-configure-rhl.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECTION"
><H1
CLASS="SECTION"
><A
NAME="MISC-PAM"
></A
>7.6. Configure Pluggable Authentication Modules</H1
><P
>The <SPAN
CLASS="APPLICATION"
>Pluggable Authentication
Module</SPAN
> system can be used to give special privileges
to users that logged in through the console. It is used to make
devices like the floppy disk mountable by the console's user;
usually they would need to become the super-user to mount a
disk.</P
><P
>The <SPAN
CLASS="ACRONYM"
>PAM</SPAN
> configuration file
<TT
CLASS="FILENAME"
>/etc/security/console.perms</TT
> contains the
<TT
CLASS="LITERAL"
>&#60;console&#62;</TT
> variable. For <SPAN
CLASS="PRODUCTNAME"
>Red
Hat Linux</SPAN
> <SPAN
CLASS="PRODUCTNUMBER"
>7.1</SPAN
>
<TT
CLASS="LITERAL"
>&#60;console&#62;</TT
> is the regular
expression:</P
><DIV
CLASS="FIGURE"
><A
NAME="MISC-PAM-DEFAULT-CONSOLE"
></A
><P
><B
>Figure 7-9. Default <TT
CLASS="LITERAL"
>&#60;console&#62;</TT
> in
<TT
CLASS="FILENAME"
>console.perms</TT
> refers to attached keyboard and
screen</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>&#60;console&#62;=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>Later in the file the <TT
CLASS="LITERAL"
>&#60;console&#62;</TT
> user
is granted permission to use some devices. This is done by
altering the devices' permissions upon login and logout.</P
><DIV
CLASS="FIGURE"
><A
NAME="MISC-PAM-DEFAULT-DEV"
></A
><P
><B
>Figure 7-10. Default device listing in
<TT
CLASS="FILENAME"
>console.perms</TT
></B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>&#60;console&#62; 0660 &#60;floppy&#62; 0660 root.floppy
&#60;console&#62; 0600 &#60;sound&#62; 0600 root
&#60;console&#62; 0600 &#60;cdrom&#62; 0660 root.disk
&#60;console&#62; 0600 &#60;pilot&#62; 0660 root.uucp
&#60;console&#62; 0600 &#60;jaz&#62; 0660 root.disk
&#60;console&#62; 0600 &#60;zip&#62; 0660 root.disk
&#60;console&#62; 0600 &#60;ls120&#62; 0660 root.disk
&#60;console&#62; 0600 &#60;scanner&#62; 0600 root
&#60;console&#62; 0600 &#60;camera&#62; 0600 root
&#60;console&#62; 0600 &#60;memstick&#62; 0600 root
&#60;console&#62; 0600 &#60;flash&#62; 0600 root
&#60;console&#62; 0600 &#60;fb&#62; 0600 root
&#60;console&#62; 0600 &#60;kbd&#62; 0600 root
&#60;console&#62; 0600 &#60;joystick&#62; 0600 root
&#60;console&#62; 0600 &#60;v4l&#62; 0600 root
&#60;console&#62; 0700 &#60;gpm&#62; 0700 root
&#60;console&#62; 0600 &#60;mainboard&#62; 0600 root
&#60;console&#62; 0600 &#60;rio500&#62; 0600 root</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>There are two types of devices listed above: those devices
required by someone connecting from an attached keyboard and
monitor and those devices that allow convenient access to devices.
The configuration file fails to make the distionction between
logical and physical console noted in <A
HREF="intro-word.html"
>Section 1.3</A
>.
The configuration file is modified to create that
distinction.</P
><DIV
CLASS="FIGURE"
><A
NAME="MISC-PAM-SERIAL-DEV"
></A
><P
><B
>Figure 7-11. Devices in <TT
CLASS="FILENAME"
>console.perms</TT
> required for
attached keyboard and screen</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>&#60;console&#62; 0600 &#60;fb&#62; 0600 root
&#60;console&#62; 0600 &#60;kbd&#62; 0600 root
&#60;console&#62; 0600 &#60;joystick&#62; 0600 root
&#60;console&#62; 0600 &#60;v4l&#62; 0600 root
&#60;console&#62; 0700 &#60;gpm&#62; 0700 root</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>The remaining devices should be altered to give control only
to people attaching from the serial console. For example, we don't
want an unprivileged user at a co-location site mounting a floppy
disk. Define a new console type for the serial console, say
<TT
CLASS="LITERAL"
>&#60;sconsole&#62;</TT
>.</P
><DIV
CLASS="FIGURE"
><A
NAME="MISC-PAM-SERIAL-SCONSOLE"
></A
><P
><B
>Figure 7-12. Add <TT
CLASS="LITERAL"
>&#60;sconsole&#62;</TT
> in
<TT
CLASS="FILENAME"
>console.perms</TT
> to refer to serial
console</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>&#60;sconsole&#62;=ttyS0</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>Now modify the remaining entries from
<TT
CLASS="LITERAL"
>&#60;console&#62;</TT
> to
<TT
CLASS="LITERAL"
>&#60;sconsole&#62;</TT
>.</P
><DIV
CLASS="FIGURE"
><A
NAME="MISC-PAM-SERIAL-SDEV"
></A
><P
><B
>Figure 7-13. Remaining devices in <TT
CLASS="FILENAME"
>console.perms</TT
>
altered to refer to serial console</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>&#60;sconsole&#62; 0660 &#60;floppy&#62; 0660 root.floppy
&#60;sconsole&#62; 0600 &#60;sound&#62; 0600 root
&#60;sconsole&#62; 0600 &#60;cdrom&#62; 0660 root.disk
&#60;sconsole&#62; 0600 &#60;pilot&#62; 0660 root.uucp
&#60;sconsole&#62; 0600 &#60;jaz&#62; 0660 root.disk
&#60;sconsole&#62; 0600 &#60;zip&#62; 0660 root.disk
&#60;sconsole&#62; 0600 &#60;ls120&#62; 0660 root.disk
&#60;sconsole&#62; 0600 &#60;scanner&#62; 0600 root
&#60;sconsole&#62; 0600 &#60;camera&#62; 0600 root
&#60;sconsole&#62; 0600 &#60;memstick&#62; 0600 root
&#60;sconsole&#62; 0600 &#60;flash&#62; 0600 root
&#60;sconsole&#62; 0600 &#60;mainboard&#62; 0600 root
&#60;sconsole&#62; 0600 &#60;rio500&#62; 0600 root</PRE
></FONT
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="misc-devsystty.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="misc-configure-rhl.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Alter target of <TT
CLASS="FILENAME"
>/dev/systty</TT
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="misc.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Configure <SPAN
CLASS="PRODUCTNAME"
>Red Hat Linux</SPAN
></TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink