Using PAM to disable root logon and restrict su switching


The system environment is CentOS 6.4. This section describes a simple PAM (Pluggable Authentication Modules) configuration for the ssh service and for su.

First add an ordinary user that belongs to the wheel group, so that a user other than root can still log on to the system once root logon is disabled:

useradd -g wheel admin

passwd admin

 

1. Disable root login

Edit /etc/ssh/sshd_config (vim /etc/ssh/sshd_config) and make sure it contains:

UsePAM yes

Then add the following line at the beginning of /etc/pam.d/sshd (vim /etc/pam.d/sshd):

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyuser onerr=succeed

Create the deny list with root in it:

echo "root" > /etc/ssh/denyuser

Users listed in /etc/ssh/denyuser are refused password logon over ssh. Public key logon is not affected, because sshd does not run the PAM auth stack for key authentication.

 

2. Allow only users in the wheel group (root is not in the wheel group by default) to use su:

Add the following as the first line of /etc/pam.d/su (vim /etc/pam.d/su):

auth required pam_wheel.so use_uid

 

3. Shell script

Usage notes:

A. Generate your own key pair securely and keep the private key safe. Replace the value of "mykey" in the script with your public key string.

B. The script creates an ordinary user "admin" (change this to the user you need) who can switch to root with su.

C. After the script runs, root can no longer log on to the system with a password. Root can still log on with a key, if one is configured (this is the secure path).

D. The line add_my_key root $1 in the script installs the public key for root and for the new user; append further user names to that call for every user who should get public key authentication.

E. The script is shared for learning and exchange. Test it in a test environment before using it in production; the author is not responsible for any results.

#!/bin/sh
LOG_FILE=$0.log

wr_log(){
    # $1: exit status of the previous step, $2: description of the step
    # logs success, or logs the error and aborts the script
    TIME=`date +"%Y-%m-%d %H:%M:%S"`
    if [ $1 -eq 0 ]; then
        echo "[$TIME] $2 success"
        echo "[$TIME] $2 success" >>${LOG_FILE}
    else
        echo "[$TIME] $2 error"
        echo "[$TIME] $2 error" >>${LOG_FILE}
        exit 1
    fi
}

gsed(){
    # Used to modify a configuration file, with three parameters:
    # 1. regex of the line to be modified 2. replacement line 3. file to modify
    # If no line matches $1 and $2 is not already present, $2 is inserted as the first line of the file.
    /bin/grep -E "^$1" $3 >/dev/null
    ret1=$?
    /bin/grep -E "^$2" $3 >/dev/null
    ret2=$?
    ret=10
    if [ $ret1 -eq 0 ]; then
        /bin/sed -i -r 's/^'"$1"'/'"$2"'/g' $3
        ret=$?
    elif [ $ret1 -ne 0 -a $ret2 -ne 0 ]; then
        /bin/sed -i '1i'"$2"'' $3
        ret=$?
    else
        # the replacement line already exists, nothing to do
        ret=0
    fi
    return $ret
}

add_my_key(){
    # Installs the public key below for every user named on the command line.
    # Replace the placeholder with your own public key string.
    mykey='ssh-rsa REPLACE_WITH_YOUR_PUBLIC_KEY_STRING'
    for user in $@; do
        if test $user = 'root'; then
            dir='/root/.ssh'
        else
            dir="/home/$user/.ssh"
        fi
        if ! test -d $dir; then
            /bin/mkdir -p $dir
        fi
        # append rather than overwrite, so keys already in authorized_keys are kept
        chmod 700 $dir && echo "$mykey" >> $dir/authorized_keys && chown -R $user $dir && chmod 600 $dir/authorized_keys
        wr_log $? "add ssh key for $user"
    done
}

add_user(){
    # $1: user name, $2: password; the user is placed in the wheel group so it can su to root
    /usr/sbin/useradd -g wheel $1 && echo "$2" | /usr/bin/passwd $1 --stdin
    wr_log $? "add user $1"
}

deny_root_login(){
    # Modifies the PAM configuration of su and sshd: disables root remote password logon
    # and disables su to root for users outside the wheel group
    if test $# -ne 2; then
        echo "usage: deny_root_login normal_user user_password"
        wr_log 1 "wrong usage: $@"
    fi
    add_user $1 $2
    add_my_key root $1

    gsed "auth[ \t]+required[ \t]+pam_wheel\.so use_uid" "auth required pam_wheel\.so use_uid" /etc/pam.d/su && \
    gsed "UsePAM[ \t]+no" "UsePAM yes" /etc/ssh/sshd_config && \
    gsed "auth[ \t]+required[ \t]+pam_listfile\.so item=user sense=deny file=\/etc\/ssh\/denyuser onerr=succeed" "auth required pam_listfile.so item=user sense=deny file=\/etc\/ssh\/denyuser onerr=succeed" /etc/pam.d/sshd && echo "root" > /etc/ssh/denyuser && /sbin/service sshd restart

    wr_log $? "deny_root_login"
}

deny_root_login admin "yourpassword"
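After applying sections 1 and 2 (by hand or with the script above), it is worth checking that both PAM rules really ended up as the first auth rule of their files and that the deny list exists. The following audit script is an added example, not part of the original page or script; it takes file paths as arguments so it can run against copies, and the sample files it builds under a temporary directory are constructed for demonstration only.

```shell
#!/bin/sh
# audit_pam.sh: check that the two PAM controls described above are in place.
# Takes file paths as arguments so it can be run on a test copy; the
# sample files below are constructed for demonstration only.

# first_auth_line FILE: print the first non-comment "auth" rule in a PAM file
first_auth_line() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1
}

# sshd_pam_ok PAM_FILE DENYFILE: returns 0 when the first auth rule is the
# pam_listfile deny rule pointing at DENYFILE, and DENYFILE lists root
sshd_pam_ok() {
    line=$(first_auth_line "$1")
    echo "$line" | grep -qE 'required[[:space:]]+pam_listfile\.so' || return 1
    echo "$line" | grep -q 'item=user' || return 1
    echo "$line" | grep -q 'sense=deny' || return 1
    echo "$line" | grep -qF "file=$2" || return 1
    # onerr=succeed means a missing or unreadable deny file lets the rule
    # pass (fail-open), so the file itself must exist and name root
    [ -f "$2" ] || return 1
    grep -qx 'root' "$2"
}

# su_pam_ok PAM_FILE: returns 0 when pam_wheel use_uid is the first auth rule
su_pam_ok() {
    first_auth_line "$1" | grep -qE 'required[[:space:]]+pam_wheel\.so.*use_uid'
}

# --- constructed sample files standing in for /etc/pam.d/{sshd,su} ---
T=$(mktemp -d)
echo root > "$T/denyuser"
printf 'auth required pam_listfile.so item=user sense=deny file=%s onerr=succeed\nauth include password-auth\n' "$T/denyuser" > "$T/sshd_good"
printf 'auth include password-auth\n' > "$T/sshd_bad"
printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$T/su_good"
printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$T/su_bad"

# audit PAM_SSHD DENYFILE PAM_SU: print one verdict per control
audit() {
    if sshd_pam_ok "$1" "$2"; then echo "sshd: root password logon denied"; else echo "sshd: NOT restricted"; fi
    if su_pam_ok "$3"; then echo "su: limited to wheel group"; else echo "su: NOT restricted"; fi
}
audit "$T/sshd_good" "$T/denyuser" "$T/su_good"
audit "$T/sshd_bad" "$T/denyuser" "$T/su_bad"
```

On a real host, call audit with /etc/pam.d/sshd, /etc/ssh/denyuser and /etc/pam.d/su; the deny-file check matters because onerr=succeed silently allows everyone if /etc/ssh/denyuser is ever removed.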
