Vim/etc/pam. d/sshd
Add auth required pam_listfile.so item = user sense = deny file =/etc/sshdusers onerr = succeed to the first line. Note that the execution order in pam is the top priority.
Vim/etc/sshdusers
Add root wp to the file. root and wp are two local users.
Service sshd restart
Test on another terminal
[Root @ clone2 ~] # Ssh clone1.rhel.com
A root@clone1.rhel.coms password:
Permission denied, please try again.
A root@clone1.rhel.coms password:
Permission denied, please try again.
A root@clone1.rhel.coms password:
Permission denied (publickey, gssapi-with-mic, password ).
[Wp @ clone2 ~] $ Ssh clone1.rhel.com
A wp@clone1.rhel.coms password:
Permission denied, please try again.
A wp@clone1.rhel.coms password:
Permission denied, please try again.
A wp@clone1.rhel.coms password:
Permission denied (publickey, gssapi-with-mic, password ).
Both users cannot use ssh. Haha, the goal has been achieved
Pluggable Authentication Modules for Linux Pluggable Authentication Module
When the user accesses the server, the service program sends the request to the PAM module. The PAM module is in/etc/pam according to the service name. d directory, select a corresponding service file, and then select a specific PAM module based on the service file content for processing.
Check whether libpam. so is used by the Service Program during compilation through ldd to determine whether the service program supports PAM Authentication.
The specific pam file is stored in the/lib/security directory, and the service file is stored in the/etc/pam. d directory.
PAM service file format
Eg:
Auth required pam_security.so
Auth required pam_stack.so service = system-auth
Service indicates that the sub-service file is called.
Module-type:
Auth checks the user and password and assigns Permissions
Check whether the account has expired and whether the account has the right to log on.
Session control from user logon success to exit
Password Control Process
Control-flag:
The required request must be passed; otherwise, exit
If requisite does not pass the authentication, you can continue to perform the next authentication.
If sufficient passes the authentication, no further authentication is required.
Optional Option
Common PAM service files
Login -------/etc/pam. d/login
Ipop3d -------/etc/pam. d/pop
Vsftpd -------/etc/pam. d/ftp (Compilation and installation) or/etc/pam. d/vsftpd (rpm installation)
Sshd -------/etc/pam. d/sshd
Su -------/etc/pam. d/su
Imap -------/etc/pam. d/imap
/Lib/security directory, the role of each pam module, can refer to the/usr/share/doc/pam-0.99.3.0 help file.
The same type of Module-type forms a stack.
Common PAM modules
Pam_access.so controls the visitor address and account name
Pam_listfile.so controls the visitor's account name or logon location
Pam_limits.so controls the resources allocated to users
Pam_rootok.so allows the Administrator (uid = 0) to pass
Pam_userdb.so sets up independent user account database Authentication
Use the pam_access.so module to control the hosts and users accessing the sshd service
1. Modify the service file of this module, for example, sshd:/etc/pam. d/sshd add
Account required pam_access.so
2. Modify the module configuration file
/Etc/security/access. conf
-: Redhat: ALL records t 192.168.0. (Format)
3. Test
Ssh redhat@192.168.0.22
Ssh redhat@127.0.0.1
Pam_access.so access is denied or allowed Based on the host, IP address, user.
Pam_listfile.so application (more detailed control than pam_access.so)
1. First, check its help file to see its specific format and Parameters
# Less/usr/share/doc/pam-0.99.3.0/txts/README. pam_listfile
Item user, tty, group describes the content in the list file
Sense allow, deny or allow users in files
File specifies a file. The content is added according to the item.
Onerr succeed, fail value returned when the module itself produces an error. If the file specified by file cannot be opened, it is generally set to succeed
2. Apply the module to the sshd service
Clear the pam_access.so added above and add it to/etc/pam. d/sshd (the first line)
Auth required pam_listfile.so item = user sense = deny file =/etc/denyuser onerr = succeed
Pay attention to the order of locations to be added. Otherwise, the effect will not be displayed.
3. Create a editing list file
# Echo "redhat">/etc/denyuser
4. Test
# Ssh-l redhat 192.168.0.22 failed
# Ssh-l chinaitlab 192.168.0.22 successful
# W display logged-on users and the last operation
Application of pam_limits.so
1. view the Help file and confirm its configuration file location and parameter mode.
# Less/usr/share/doc/pam-0.99.3.0/txt/README. pam_limits
<Domain> <type> <item> <value>
<Domain> User Name or group name
<Type> soft restrictions
Hard limit (not allowed)
<Item> restricted content, fsize file size, nproc maximum process count, maxlogins User Logon count
2. Apply the module to the sshd service and modify the service file.
# Add vi/etc/pam. d/sshd:
Session required pam_limits.so
Session controls the number of logins and file sizes of user processes, and limits the resources used by users by controlling their session processes.
3. Compile the configuration file/etc/security/limits. conf of pam_limits.so.
Redhat hard maxlogins 2
Limit the number of times redhat logs on to the sshd service.
4. Test
# Ssh-l redhat 192.168.0.22: 1st
# Ssh-l redhat 192.168.0.22: 2nd
Indicates that at most one redhat user can log on at the same time.
Application of pam_rootok.so
# Chfn changes the user's finger information
When you use this command to modify information, you need to enter a password to use it, while the root user does not.
Analysis:
# More/etc/pam. d/chfn
First behavior auth sufficient pam_rootok.so
Because the pam_rootok.so module is applied to the first line of the pam service file of chfn, the root user does not need to verify it when using chfn, and does not need to go down and pass it directly.
The pam_userdb.so module requires a db database to store user information.