Linux Learning Summary (vi)-SU command sudo command limit root telnet

Root users have the supremacy of the right, then our OPS personnel is not directly under the root user to deal with all problems? The answer is no, the greater the power, the greater the responsibility, the person will be wrong, so we have to do without prejudice to our work, as far as possible to limit our power, so as to avoid accidental operation caused disaster

One-su command---switching between accounts

Normal user cut root user or the switch between ordinary users need to enter the other side account login password, root user into ordinary users do not need password authentication, this is also the embodiment of power.
Command format:

su usernamesu - username

If you do not have a user name, the default root user
Without-the switch is just invoking power in your own home, and the environment variable does not change.
Band-directly into each other's home, his new, using power, the current user environment variable is initialized to the other user environment variable. Take a look at the following example

Two sudo----get root right execution command

Although the SU command makes it easy for ordinary users to take over the root user under the root user's work, but requires the root user authorization password, we know that the common use for more than one, so the root password issued many times, once accidentally leaked, it is not safe. We have not long-term root password method, but also to allow ordinary users to work, of course, sudo is to solve this problem

            sudo 用法 ----- sudo + 要执行的命令

sudo----get root power to work under your own account, each time you do a job, you need to verify your current identity, that is, to enter your current account password, provided that the account has been previously authorized. The relationship between Sudo and Su I can give an example, if you are the Prime Minister to exercise the power of the emperor, Su's approach is to run to the emperor to ask for power, su-the way is to usurper himself when the emperor, Sudo is the emperor to send you a gold medal token, let you exercise power.

Looking at the example above, I would like to use sudo to modify my own test account password, I entered my password after the test account is not in the sudoers this file, meaning that the file must be registered in order to obtain the power, we modify the configuration file, add test account

                        命令visudo---可以查看sudo配置文件

Note: Be sure to use Visudo to open the file, do not use VI, because this file is particularly important, vi cannot display syntax errors, Visudo can display syntax errors. All of the intermediate brackets indicate the authorized user, and all at the end of the command
In Root all= (all) the next line to add a line, we try to change the password again, see the results:

Prompt us to enter our own account password, then we can change the password
In the current sign-in state, this authentication only takes one time, and you do not need to lose the password again with the sudo command
Let me take a case, our requirement is to set up the Linux server as such: only allow the use of ordinary account login, and the ordinary account login, you can not enter the password will be able to sudo switch to the root account.
Edit just the configuration file/etc/sudoers modify two places

Put the sudo power of the group wheel this line in front of the # Delete, let this line of code execution, followed by the end of the file if the following three lines:

Three lines means: the first line to three ordinary accounts set up a group name, let the power issued by the group. The second line takes the alias Su for/BIN/SU. Third line password-free login.
After saving the configuration file, using Test, test1, LV three account login linux, execute command sudo su-switch to root account, get all rights of root account, the result is as follows:

So the last question, how to limit not to allow root to log in directly, you can use the tool to generate a very complex immediately after the string password, so that they do not remember, if you want to use it, of course, with KAPSS to save the password tool, the password management up

Summarize:
sudo works as follows:

• 1 when the user executes sudo, the system proactively looks for the/etc/sudoers file to determine if the user has permission to execute sudo
• 2 after confirming that the user has the ability to execute sudo, let the user enter the user's own password confirmation
• 3 If the password is entered successfully, execute sudo follow-up command
• 4 root does not need to enter the password when executing sudo (eudoers file has configuration root all= (all) all such a rule)

• 5 If you want to switch the identity of the performer is the same, do not need to enter a password

  Three restrictions ssh telnet

  /etc/ssh/sshd_config to the SSHD service, the default root account can be SSH telnet to Linux. To implement not allowing logins, modify the configuration file to
  Look in the file for #permitrootlogin Yes, yes to No, save exit and restart Sshd

                  systemctl  restart sshd.service

Linux Learning Summary (vi)-SU command sudo command limit root telnet