Jul 8

[转]通过pam限制置顶用户无法登录系统 晴

linuxing , 10:36 , 网络服务 » 安全相关 , 评论(0) , 引用(0) , 阅读(24568) , Via 本站原创 | |
    插入式验证模块(Pluggable Authentication Module,PAM)API 将公开一组功能,应用程序程序员可以使用这些功能来实现与安全性相关的功能,例如用户验证、数据加密、LDAP 等。

PAM 的主要特征表现为通过 /etc/pam.d目录下面的文件中的设置体现的。系统中可支持的pam模块可以在/lib/security/中找到。

pam_succeed_if 可以对用户登陆做一些限制,如果满足pam_succeed_if所定义的条件,那么接受。这个模块没有配置文件。直接修改需要配置的模块就可以。

此模块的使用方式如下:
引用
pam_succeed_if.so [flag...] [condition...]

其中flag可以是debug、use_uid、quiet、quiet_fail、quiet_success。

condition可以是如下格式
引用
field < number     field = string    field in item:item   user ingroup group

其中field可以是user, uid, gid, shell, home 或者 service,比如:
引用
uid < 500
gid eq 500
user = root
user ingroup admin

下面是一个详细的例子
引用
auth        required      pam_succeed_if.so uid < 500
## 注: 只能允许uid小于500的用户登陆到系统。

在/etc/pam.d/system-auth和/etc/pam.d/kde文件中添加如上行,然后使用uid大于等于500的work用户登录系统,系统拒绝,root可以登录系统。从日志/var/log/secure中可以看到如下信息:
引用
Jul  6 17:26:18 DC5 kdm: :0[5382]: pam_succeed_if: requirement "uid < 500" not met by user "work"
Jul  6 17:26:32 DC5 kdm: :0[5382]: pam_succeed_if: requirement "uid < 500" was met by user "root"

只在/etc/pam.d/system-auth文件中添加如下行,则只拒绝root用户,ssh登录、本地登录和su都是如此
引用
auth        required      pam_succeed_if.so user != root

从日志/var/log/secure中可以看到如下信息:
引用
Jul  6 17:59:14 DC5 su: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 17:59:35 DC5 sshd[5869]: pam_succeed_if: requirement "user != root" not met by user "root"
Jul  6 18:02:15 DC5 login: pam_succeed_if: requirement "user != root" not met by user "root"

在此可以使用quiet参数,不记录日志到secure之中。

※ 更多具体参数见如下man文档
引用
NAME
       pam_succeed_if - test account characteristics

SYNOPSIS
       pam_succeed_if.so [flag...] [condition...]

DESCRIPTION
       pam_succeed_if.so is designed to succeed or fail authentication based on
       characteristics of the account belonging to the user being authenticated. One
       use is to select whether to load other modules based on this test.

       The module should be given one or more conditions as module arguments, and
       authentication will succeed only if all of the conditions are met.

OPTIONS
       The following flags are supported:

       debug
           Turns on debugging messages sent to syslog.

       use_uid
           Evaluate conditions using the account of the user whose UID the
           application is running under instead of the user being authenticated.

       quiet
           Don´t log failure or success to the system log.

       quiet_fail
              Don't log failure to the system log.

       quiet_success
              Don't log success to the system log.

       Conditions are three words: a field, a test, and a value to test for.

       Available fields are user, uid, gid, shell, home and service:

       field < number
              Field has a value numerically less than number.

       field <= number
              Field has a value numerically less than or equal to number.

       field eq number
              Field has a value numerically less equal to number.

       field >= number
              Field has a value numerically greater than or equal to number.

       field > number
              Field has a value numerically greater than number.

       field ne number
              Field has a value numerically different from number.

       field = string
              Field exactly matches the given string.

       field != string
              Field does not match the given string.

       field =~ glob
              Field matches the given glob.

       field !~ glob
              Field does not match the given glob.

       field in item:item:...
              Field is contained in the list of items separated by colons.

       field notin item:item:...
              Field is not contained in the list of items separated by colons.

       user ingroup group
              User is in given group.

       user notingroup group
              User is not in given group.

       user innetgr netgroup
              (user,host) is in given netgroup.

       user notinnetgr group
              (user,host) is not in given netgroup.

以上内容,由dffan#redflag-linux.com提供。
Tags:
发表评论
表情
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
打开HTML
打开UBB
打开表情
隐藏
记住我
昵称   密码   游客无需密码
网址   电邮   [注册]