Jul 8
[Repost] Using PAM to prevent specified users from logging in to the system
The Pluggable Authentication Module (PAM) API exposes a set of functions that application programmers can use to implement security-related features such as user authentication, data encryption, LDAP, and so on.
PAM's behaviour is controlled through the settings in the files under the /etc/pam.d directory. The PAM modules available on the system can be found in /lib/security/.
pam_succeed_if can be used to restrict user logins: if the conditions given to pam_succeed_if are met, the login is accepted. The module has no configuration file of its own; you simply edit the PAM service file that needs the restriction.
The module is used as follows:
Quote:
pam_succeed_if.so [flag...] [condition...]
where flag can be debug, use_uid, quiet, quiet_fail, or quiet_success.
condition can take the following forms:
Quote:
field < number
field = string
field in item:item
user ingroup group
where field can be user, uid, gid, shell, home, or service, for example:
Quote:
uid < 500
gid eq 500
user = root
user ingroup admin
A detailed example follows:
Quote:
auth required pam_succeed_if.so uid < 500
## Note: only users with a uid below 500 are allowed to log in to the system.
After adding the line above to /etc/pam.d/system-auth and /etc/pam.d/kde, logging in as the user work (whose uid is 500 or greater) is rejected, while root can still log in. The following messages appear in the log /var/log/secure:
Quote:
Jul 6 17:26:18 DC5 kdm: :0[5382]: pam_succeed_if: requirement "uid < 500" not met by user "work"
Jul 6 17:26:32 DC5 kdm: :0[5382]: pam_succeed_if: requirement "uid < 500" was met by user "root"
Adding only the following line to /etc/pam.d/system-auth rejects only the root user; this holds for ssh logins, local logins, and su alike:
Quote:
auth required pam_succeed_if.so user != root
The following messages appear in the log /var/log/secure:
Quote:
Jul 6 17:59:14 DC5 su: pam_succeed_if: requirement "user != root" not met by user "root"
Jul 6 17:59:35 DC5 sshd[5869]: pam_succeed_if: requirement "user != root" not met by user "root"
Jul 6 18:02:15 DC5 login: pam_succeed_if: requirement "user != root" not met by user "root"
The quiet flag can be used here so that nothing is logged to secure.
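As an added illustration (not part of the original post), the Python script below reads /var/log/secure lines of the kind quoted above and summarises which services rejected which users. The sample log text is a constructed copy of the post's five pam_succeed_if lines plus one unrelated, constructed sshd line to show that non-matching lines are skipped; the function names and the regular expression are this example's own.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt: the five pam_succeed_if lines from the
# post plus one unrelated sshd line (constructed, RFC 5737 test address).
SAMPLE_SECURE = """\
Jul 6 17:26:18 DC5 kdm: :0[5382]: pam_succeed_if: requirement "uid < 500" not met by user "work"
Jul 6 17:26:32 DC5 kdm: :0[5382]: pam_succeed_if: requirement "uid < 500" was met by user "root"
Jul 6 17:59:14 DC5 su: pam_succeed_if: requirement "user != root" not met by user "root"
Jul 6 17:59:35 DC5 sshd[5869]: pam_succeed_if: requirement "user != root" not met by user "root"
Jul 6 17:59:40 DC5 sshd[5869]: Connection closed by 192.0.2.10
Jul 6 18:02:15 DC5 login: pam_succeed_if: requirement "user != root" not met by user "root"
"""

# syslog timestamp, host, program name (kdm, su, sshd, login ...), then the
# module's fixed message format: requirement "<cond>" not met|was met by user "<name>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^\s:\[]+).*?: '
    r'pam_succeed_if: requirement "(?P<req>[^"]+)" '
    r'(?P<result>not met|was met) by user "(?P<user>[^"]+)"$'
)


def parse_secure(text):
    """Return one dict per pam_succeed_if log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def rejection_counts(events):
    """Count 'not met' verdicts per (program, user) pair."""
    return Counter(
        (e["prog"], e["user"]) for e in events if e["result"] == "not met"
    )


def rejected_services_for(events, user):
    """Sorted list of programs that rejected the given user."""
    return sorted(
        {e["prog"] for e in events if e["result"] == "not met" and e["user"] == user}
    )


if __name__ == "__main__":
    evts = parse_secure(SAMPLE_SECURE)
    for (prog, user), n in sorted(rejection_counts(evts).items()):
        print(f"{prog:6} rejected {user!r} {n} time(s)")
    print("services that rejected root:", rejected_services_for(evts, "root"))
```

Note the trade-off the quiet flag introduces: once quiet (or quiet_fail) is set, the module writes none of the "not met" lines, so a review like this one finds nothing. Keep the default logging, or at most quiet_success, if you want the rejections to remain visible in secure.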
※ For the full set of parameters, see the man page below:
Quote:
NAME
pam_succeed_if - test account characteristics
SYNOPSIS
pam_succeed_if.so [flag...] [condition...]
DESCRIPTION
pam_succeed_if.so is designed to succeed or fail authentication based on
characteristics of the account belonging to the user being authenticated. One
use is to select whether to load other modules based on this test.
The module should be given one or more conditions as module arguments, and
authentication will succeed only if all of the conditions are met.
OPTIONS
The following flags are supported:
debug
Turns on debugging messages sent to syslog.
use_uid
Evaluate conditions using the account of the user whose UID the
application is running under instead of the user being authenticated.
quiet
Don't log failure or success to the system log.
quiet_fail
Don't log failure to the system log.
quiet_success
Don't log success to the system log.
Conditions are three words: a field, a test, and a value to test for.
Available fields are user, uid, gid, shell, home and service:
field < number
Field has a value numerically less than number.
field <= number
Field has a value numerically less than or equal to number.
field eq number
Field has a value numerically equal to number.
field >= number
Field has a value numerically greater than or equal to number.
field > number
Field has a value numerically greater than number.
field ne number
Field has a value numerically different from number.
field = string
Field exactly matches the given string.
field != string
Field does not match the given string.
field =~ glob
Field matches the given glob.
field !~ glob
Field does not match the given glob.
field in item:item:...
Field is contained in the list of items separated by colons.
field notin item:item:...
Field is not contained in the list of items separated by colons.
user ingroup group
User is in given group.
user notingroup group
User is not in given group.
user innetgr netgroup
(user,host) is in given netgroup.
user notinnetgr group
(user,host) is not in given netgroup.
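The evaluator below is an added example, not the module's own code. It implements the condition grammar from the man page above (the numeric, string, glob, list and group tests, the "all conditions must be met" rule, and the quiet flags) over two constructed account records, which is the same grammar the condition formats earlier in the post illustrate with "uid < 500" and "user != root". The ACCOUNTS table, the function names and the evaluation order are this example's assumptions; innetgr/notinnetgr and use_uid are accepted but not modelled.

```python
import fnmatch

# Constructed sample accounts (not from the original post); they mirror the
# post's scenario: root with uid 0 and an ordinary user "work" with uid 500.
ACCOUNTS = {
    "root": {"user": "root", "uid": 0, "gid": 0, "shell": "/bin/bash",
             "home": "/root", "groups": {"root"}},
    "work": {"user": "work", "uid": 500, "gid": 500, "shell": "/bin/bash",
             "home": "/home/work", "groups": {"work", "admin"}},
}

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success"}
FIELDS = {"user", "uid", "gid", "shell", "home", "service"}

# Numeric tests from the man page; intended for uid and gid.
NUMERIC_TESTS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "ne": lambda a, b: a != b,
}


def parse_args(args):
    """Split the module argument string into (flags, conditions).

    Flags come first; the rest is read three words at a time, since a
    condition is always "field test value".
    """
    tokens = args.split()
    flags = set()
    while tokens and tokens[0] in FLAGS:
        flags.add(tokens.pop(0))
    if len(tokens) % 3 != 0:
        raise ValueError("each condition needs exactly three words: field test value")
    conditions = [" ".join(tokens[i:i + 3]) for i in range(0, len(tokens), 3)]
    return flags, conditions


def check_condition(account, service, condition):
    """Evaluate one condition against an account record and the PAM service name."""
    field, test, value = condition.split()
    if test in ("ingroup", "notingroup"):
        if field != "user":
            raise ValueError("ingroup/notingroup only apply to the user field")
        member = value in account["groups"]
        return member if test == "ingroup" else not member
    if field not in FIELDS:
        raise ValueError(f"unknown field {field!r}")
    actual = service if field == "service" else account[field]
    if test in NUMERIC_TESTS:
        return NUMERIC_TESTS[test](int(actual), int(value))
    actual = str(actual)
    if test == "=":
        return actual == value
    if test == "!=":
        return actual != value
    if test == "=~":
        return fnmatch.fnmatchcase(actual, value)
    if test == "!~":
        return not fnmatch.fnmatchcase(actual, value)
    if test == "in":
        return actual in value.split(":")
    if test == "notin":
        return actual not in value.split(":")
    raise ValueError(f"unsupported test {test!r}")


def succeed_if(username, service, args):
    """Model the module's verdict as (success, syslog-style messages).

    Authentication succeeds only if every condition is met; evaluation is
    modelled (an assumption of this example) as stopping at the first unmet
    condition. Messages follow the format of the post's /var/log/secure
    excerpts and honour quiet, quiet_fail and quiet_success. debug and
    use_uid are accepted but ignored here.
    """
    account = ACCOUNTS[username]
    flags, conditions = parse_args(args)
    messages = []
    for cond in conditions:
        if check_condition(account, service, cond):
            if not flags & {"quiet", "quiet_success"}:
                messages.append(f'pam_succeed_if: requirement "{cond}" was met by user "{username}"')
        else:
            if not flags & {"quiet", "quiet_fail"}:
                messages.append(f'pam_succeed_if: requirement "{cond}" not met by user "{username}"')
            return False, messages
    return True, messages


if __name__ == "__main__":
    # The two policies from the post, applied to both constructed accounts.
    for policy in ("uid < 500", "user != root"):
        for user in ("root", "work"):
            ok, msgs = succeed_if(user, "sshd", policy)
            print(f"{policy!r:14} {user:5} -> {'allow' if ok else 'deny'}  {msgs}")
```

Because every condition must hold, combining "uid >= 500" with "user ingroup admin" in one line expresses "ordinary users who are also admins"; a user who fails either test is rejected, and the log message names the first test that failed.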
The content above was provided by dffan#redflag-linux.com.