
140.2. PAM Module Authentication

Configuration files

ls  /etc/pam.d/
chfn         crond                login    passwd            remote    runuser-l          smtp          ssh-keycat  sudo-i       system-auth-ac
chsh         fingerprint-auth     newrole  password-auth     run_init  smartcard-auth     smtp.postfix  su          su-l
config-util  fingerprint-auth-ac  other    password-auth-ac  runuser   smartcard-auth-ac  sshd          sudo        system-auth
		

Authentication modules

ls /lib64/security/
		

140.2.1. pam_tally2.so

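This module locks an account after 3 failed password attempts and unlocks it automatically after 5 minutes. While the account is locked, login fails even if the correct password is entered.

Add the following line at the top of the configuration file /etc/pam.d/sshd: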

auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
			

View the failure counts

# pam_tally2
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
neo                 8    07/12/13 15:45:36  192.168.6.2
			

Reset the counter

# pam_tally2 -r -u root
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2

# pam_tally2 -r -u neo
Login           Failures Latest failure     From
neo                 8    07/12/13 15:45:36  192.168.6.2
			

The pam_tally2 counter log is stored in /var/log/tallylog. Note that this is a binary file.

Example 140.1. /etc/pam.d/sshd - pam_tally2.so

# cat  /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

auth	   required	pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
				

With the configuration above, the root user is not restricted. To restrict root as well, use the following:

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800
			

140.2.2. pam_listfile.so

User login restrictions

Add the following line to /etc/pam.d/sshd. A whitelist is used here; you can also use a blacklist.

auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
			

Add the users who are allowed to log in to /etc/ssh/whitelist. All other users will be unable to log in to your system over ssh.

# cat /etc/ssh/whitelist
neo
www
			

Example 140.2. /etc/pam.d/sshd - pam_listfile.so

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300

auth	   required	pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
				

sense=allow selects whitelist mode; sense=deny selects blacklist mode.

auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
			

For more details, see the manual: $ man pam_listfile

140.2.3. pam_access.so

Edit the /etc/pam.d/sshd file and add the following line:

account required pam_access.so
			

After saving, restart the sshd process.

Edit the /etc/security/access.conf file:

			
cat >>  /etc/security/access.conf << EOF

- : root : ALL EXCEPT 192.168.6.1
EOF
			
			

With this rule, root can only log in from 192.168.6.1. To add more IP addresses:

- : root : ALL EXCEPT 192.168.6.1 192.168.6.2
			

Test whether the rule takes effect.
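
The rule above can be checked offline before it is relied on. The following Python sketch is an added example, not code from the original page and not pam_access itself. It is a simplified model of how access.conf rules are evaluated: the first matching rule decides, EXCEPT subtracts from the list before it, and a login that no rule matches is allowed. The function names and the sample input are assumptions made for illustration, and group names, host names, ttys and LOCAL are not modelled.

```python
import ipaddress

# Constructed sample: the rule from this section as it would appear in access.conf.
SAMPLE_CONF = """
# comment lines and blank lines are ignored
- : root : ALL EXCEPT 192.168.6.1 192.168.6.2
"""

def _match_list(tokens, matches):
    """List matching: some item before EXCEPT matches and no item after it does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, rest = tokens[:i], tokens[i + 1:]
    else:
        head, rest = tokens, None
    if not any(matches(t) for t in head):
        return False
    return rest is None or not _match_list(rest, matches)

def _origin_matches(token, origin):
    """Simplified origin test: ALL, an exact address, or a CIDR network."""
    if token == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # host names, ttys and LOCAL are not modelled here

def access_allowed(conf_text, user, origin):
    """Return True if the login is permitted; the first matching rule decides."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_hit = _match_list(users.split(), lambda t: t in ("ALL", user))
        origin_hit = _match_list(origins.split(), lambda t: _origin_matches(t, origin))
        if user_hit and origin_hit:
            return perm == "+"
    return True  # no rule matched: access is granted by default

if __name__ == "__main__":
    for user, origin in [("root", "192.168.6.1"), ("root", "192.168.6.2"),
                         ("root", "10.0.0.5"), ("neo", "10.0.0.5")]:
        verdict = "allow" if access_allowed(SAMPLE_CONF, user, origin) else "deny"
        print(f"{user:5} from {origin:12} -> {verdict}")
```

Because unmatched logins are allowed, this rule restricts only root; every other user can still log in from any address unless another rule or module denies them.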

140.2.4. pam_wheel.so

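Restrict ordinary users from elevating their privileges to root with the su command. Only users who belong to the wheel group are allowed to switch to root with su.

Edit the /etc/pam.d/su file and uncomment the following line: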

auth		required	pam_wheel.so use_uid
			

Change the user's group membership, adding the user to the wheel group:

# usermod -aG wheel www

# id www
uid=501(www) gid=501(www) groups=501(www),10(wheel)
			

Users who have not been added to the wheel group are told that the password is incorrect when they use su.

$ su - root
Password:
su: incorrect password