su, sudo and tcp_wrappers: related command usage, and the PAM authentication mechanism

Source: Internet
Author: User



su: switch identity: su -l username -c 'command'

(-l starts a full login shell with the target user's environment; -c runs a single command as that user and returns. su needs the target user's password, so sharing root's password with everyone who occasionally needs it is exactly what sudo is meant to avoid.)

sudo

From the sudo package

man 5 sudoers

sudo lets specified users run specified commands, as specified users, on specified hosts. A user who is not authorized and tries sudo is told to contact an administrator; the attempt is logged and, by default, reported to the administrator by mail.

sudo provides logging: every command run through sudo is recorded, together with who ran it, as whom, and from where.

sudo gives the system administrator a single configuration file in which user permissions and the hosts they apply to are managed centrally.

sudo uses timestamp files to implement a "ticket" scheme: after a successful password check the user holds a ticket, by default valid for 5 minutes, during which sudo does not ask for the password again (the timestamp_timeout option in sudoers).

Edit the configuration with the visudo command, which locks the file and checks the syntax before installing it; a sudoers file with a syntax error can lock everyone out of sudo.

visudo -c                      check the syntax of the installed configuration

visudo -cf /etc/sudoers.d/foo  check one file before installing it


sudo

Configuration files: /etc/sudoers, /etc/sudoers.d/
(files in /etc/sudoers.d/ are pulled in by the "#includedir /etc/sudoers.d" line at the end of /etc/sudoers; files whose name contains a "." or ends in "~" are skipped)

Timestamp files: /var/db/sudo (the directory differs between sudo versions; "sudo -V" run as root prints the path in use)

Log file: /var/log/secure (sudo logs through syslog's authpriv facility; /var/log/auth.log on Debian-style systems)

The configuration file supports glob wildcards:

?            any single character

*            any string of characters, of any length

[wxc]        one of the listed characters

[!wxc]       any character except the listed ones

\x           escape: match the character x literally

[[:alpha:]]  a letter (POSIX character class); example: /bin/ls [[:alpha:]]*

There are two kinds of entries in the configuration file:

1. Alias definitions: optional

2. Authorization rules (user specifications): required

sudoers

Authorization rule format:

user  host = (runas_user)  command

Example:

root ALL=(ALL) ALL

Field description:

user:    who may run the command (a user, a %group, or a User_Alias)

host:    on which hosts the rule applies (one sudoers file can be shared by several machines)

(runas): as which user the command may be run; if omitted, root

command: which commands may be run

Matching note: when several rules match, sudo applies them in order and the last match wins. A command listed without arguments may be run with any arguments; a command listed with "" may be run with none.


Alias

What may appear in the user and runas fields:

username

#uid

%group_name

%#gid

User_Alias | Runas_Alias

What may appear in the host field:

IP address or hostname

network (with /netmask or /prefixlen)

Host_Alias

What may appear in the command field:

command path (optionally followed by arguments)

directory (a path ending in "/": any command in that directory, but not in its subdirectories)

sudoedit (edit a file as the runas user without handing out a full editor running as root)

Cmnd_Alias


sudo aliases and examples

There are four alias types: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias

Alias names are upper case: [A-Z]([A-Z][0-9]_)*

Alias definition:

Alias_Type NAME1 = item1, item2, item3 : NAME2 = item4, item5

Example 1:

student ALL=(ALL) ALL

%wheel ALL=(ALL) ALL

Example 2:

student ALL=(root) /sbin/pidof, /sbin/ifconfig

%wheel ALL=(ALL) NOPASSWD: ALL


sudo example

Example 3

User_Alias NETADMIN = netuser1, netuser2

Cmnd_Alias NETCMD = /usr/sbin/ip

NETADMIN ALL=(root) NETCMD

Example 4

User_Alias SYSADER = wang, mage, %admins

User_Alias DISKADER = tom

Host_Alias SERS = www.magedu.com, 172.16.0.0/24

Runas_Alias OP = root

Cmnd_Alias SYDCMD = /bin/chown, /bin/chmod

Cmnd_Alias DSKCMD = /sbin/parted, /sbin/fdisk

SYSADER SERS = SYDCMD, DSKCMD

DISKADER ALL=(OP) DSKCMD


sudo example

Example 5

User_Alias ADMINUSER = adminuser1, adminuser2

Cmnd_Alias ADMINCMD = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root

ADMINUSER ALL=(root) NOPASSWD: ADMINCMD, PASSWD: /usr/sbin/userdel

Example 6

Defaults:wang runas_default=tom

wang ALL=(tom,jerry) ALL

Example 7

wang 192.168.175.136,192.168.175.138=(root) /usr/sbin/, !/usr/sbin/useradd

Example 8

wang ALL=(ALL) /bin/cat /var/log/messages*

Caveats on Examples 5, 7 and 8 (see the SECURITY NOTES section of sudoers(5)):

Command-line arguments are matched as one concatenated string, so a wildcard also matches across argument boundaries: the rule in Example 8 allows "sudo cat /var/log/messages.1" as intended, but also "sudo cat /var/log/messages /etc/shadow", because "*" swallows the second argument.

Subtracting commands with "!" is only as strong as the match: "!/usr/bin/passwd root" blocks exactly that argument string and nothing else. Excluding commands from ALL is not effective at all, since the user can copy the program under another name and run the copy.

Any rule that grants an editor, a pager, or a program that can spawn a shell (vim, less, find -exec, ...) grants a root shell unless the NOEXEC tag is set, and even then only for programs that spawn through the dynamic loader.
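The following is an added example written for this page, not part of the original slides or of the sudo project: a small Python model of how sudoers matches a command line against a Cmnd list. It reproduces the three documented facts that matter for the examples above: wildcards in the path part do not cross "/", arguments are joined with single spaces and matched as one string (so "*" crosses argument boundaries), and entries are applied in order with the last match winning. The helper names (sudo_glob_to_regex, cmnd_matches, allowed) are this example's own; the rule strings are the ones from Examples 5, 7 and 8.

```python
"""Sudoers Cmnd matching, modelled after the rules in sudoers(5)."""
import re


def sudo_glob_to_regex(pattern: str, match_slash: bool) -> str:
    """Translate a sudoers glob to a regex.  In the path part '*' and '?'
    do not match '/'; in the argument part they match any character."""
    any_char = "." if match_slash else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            j = i + 1
            while j < len(pattern):                     # find the ']' that closes the class,
                if pattern.startswith("[:", j):         # skipping POSIX classes such as [:alpha:]
                    k = pattern.find(":]", j + 2)
                    j = len(pattern) if k == -1 else k + 2
                    continue
                if pattern[j] == "]" and j > i + 1:
                    break
                j += 1
            if j >= len(pattern):
                out.append(re.escape(c))                # unterminated '[': treat literally
            else:
                cls = pattern[i + 1:j]
                if cls.startswith("!"):                 # [!wxc]: anything but these
                    cls = "^" + cls[1:]
                for name, rng in (("[:alpha:]", "a-zA-Z"), ("[:digit:]", "0-9"),
                                  ("[:alnum:]", "a-zA-Z0-9")):
                    cls = cls.replace(name, rng)
                out.append("[" + cls + "]")
                i = j
        elif c == "\\" and i + 1 < len(pattern):        # \x: the literal character x
            out.append(re.escape(pattern[i + 1]))
            i += 1
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def cmnd_matches(spec: str, command: str, args: list) -> bool:
    """Does one Cmnd entry (e.g. '/bin/cat /var/log/messages*') match the
    resolved command path plus its argument vector?"""
    spec_path, _, spec_args = spec.strip().partition(" ")
    spec_args = spec_args.strip()
    if spec_path.endswith("/"):                         # directory: any file directly inside it
        if not (command.startswith(spec_path) and "/" not in command[len(spec_path):]):
            return False
    elif not re.fullmatch(sudo_glob_to_regex(spec_path, match_slash=False), command):
        return False
    if spec_args == "":                                 # no arguments listed: any arguments allowed
        return True
    if spec_args == '""':                               # "" listed: the command may take no arguments
        return not args
    joined = " ".join(args)                             # arguments are matched as ONE string
    return re.fullmatch(sudo_glob_to_regex(spec_args, match_slash=True), joined) is not None


def allowed(cmnd_list: list, command: str, args: list) -> bool:
    """Evaluate a Cmnd list such as ['/usr/bin/passwd [a-zA-Z]*', '!/usr/bin/passwd root'].
    Entries are applied in order and the LAST match decides, so a '!' entry
    only subtracts the argument strings it literally matches."""
    verdict = False
    for entry in cmnd_list:
        negate = entry.startswith("!")
        if cmnd_matches(entry.lstrip("!"), command, args):
            verdict = not negate
    return verdict


if __name__ == "__main__":
    messages = ["/bin/cat /var/log/messages*"]                          # Example 8
    print(allowed(messages, "/bin/cat", ["/var/log/messages.1"]))           # True, intended
    print(allowed(messages, "/bin/cat", ["/var/log/messages", "/etc/shadow"]))  # True: '*' ate argument 2
    pw = ["/usr/bin/passwd [a-zA-Z]*", "!/usr/bin/passwd root"]             # Example 5
    print(allowed(pw, "/usr/bin/passwd", ["root"]))                        # False, as intended
    print(allowed(pw, "/usr/bin/passwd", ["root", "--stdin"]))             # True: the '!' line does not match this string
```

The last line of the demo is the point to take away from Example 5: the negation only removes the exact string "root", so "passwd root --stdin" is still matched by the wildcard line. Whether the passwd binary accepts an option after the user name is a question about passwd, not about sudo, but a rule that relies on "!" to protect the root password should be tested with variations like this rather than assumed safe.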


sudo command

ls -l /usr/bin/sudo   (the binary is setuid root; that is how it can switch identities)

sudo -i -u wang   switch identity: a login shell as wang

sudo [-u user] COMMAND

-V       show the version; run as root it also shows the compiled-in configuration (paths, default options)

-u user  run the command as this user; default root

-l, -ll  list the commands the invoking user may and may not run on this host (-ll is the long format)

-v       extend the ticket by another 5 minutes by updating the timestamp, without running a command

-k       invalidate the ticket (timestamp set to the epoch, 1970-01-01); the next sudo asks for the password again

-K       like -k, but also removes the timestamp file entirely

-b       run the command in the background

-p       change the prompt used when asking for the password

Example: -p "password on %h for user %p:"

Note that options are case-sensitive: -v and -V, and -k and -K, are different options.


tcp_wrappers introduction

Written by Wietse Venema (IBM, Google)

Works at layer 4 (the transport layer), on TCP services

Access control, with logging, for connection-oriented services, decided when the connection arrives, from the client address and name

Implemented as a library (libwrap)

Whether a daemon is subject to libwrap control depends on the daemon itself: it must have been compiled against libwrap, or be started through tcpd or xinetd, which are. A daemon that is not linked against libwrap ignores hosts.allow and hosts.deny completely, so check before relying on them.

To check whether a service program can be controlled by tcp_wrappers:

ldd /path/to/program | grep libwrap.so

strings /path/to/program | grep libwrap.so   (also catches binaries that load libwrap at run time rather than link it)

Use of tcp_wrappers

Configuration files: /etc/hosts.allow, /etc/hosts.deny

Help: man 5 hosts_access, man 5 hosts_options

Check order: hosts.allow first, then hosts.deny; if neither matches, access is allowed by default

Note: the first matching rule decides and later rules are not consulted. A missing or empty file simply matches nothing, so a hosts.allow without a matching hosts.deny restricts nobody.

Basic syntax:

daemon_list : client_list [: option : option ...]

daemon_list format

the executable name of a single daemon, not the service name, e.g. vsftpd

a comma- or space-separated list of daemon names, e.g.

sshd, vsftpd

ALL means every daemon that is under tcp_wrappers control

on a host with several IP addresses, daemon@hostip restricts the rule to connections arriving on that address

e.g. sshd@hostip, with hostip replaced by one of the server's addresses

Use of tcp_wrappers

client_list format

a list of clients separated by commas or spaces

by IP address: 192.168.10.1, or a prefix with a trailing dot: 192.168.1. (matches all of 192.168.1.0/24)

by host name: www.magedu.com, or a domain with a leading dot: .magedu.com (matches every host in the domain)

by network/mask: 192.168.0.0/255.255.255.0

by net/prefixlen: 192.168.1.0/24 (CentOS 7)

by netgroup (NIS domain): @mynetwork

built-in wildcards: ALL, LOCAL (names without a dot), KNOWN, UNKNOWN, PARANOID (the client's name and address do not agree)

EXCEPT usage (nests to the right: a EXCEPT b EXCEPT c means a EXCEPT (b EXCEPT c)):

Example: vsftpd: 172.16. EXCEPT 172.16.100.0/24 EXCEPT 172.16.100.1

i.e. allow 172.16.0.0/16, except 172.16.100.0/24, except that 172.16.100.1 is allowed again

Name-based patterns depend on a reverse DNS lookup of the client address: prefer address-based patterns where you can, and remember that KNOWN and UNKNOWN change meaning when DNS is unavailable.


Example

Example: allow only hosts in 192.168.1.0/24 to reach sshd

/etc/hosts.allow

sshd: 192.168.1.

/etc/hosts.deny

sshd: ALL

Example: allow only hosts in 192.168.1.0/24 to reach the telnet and vsftpd services

/etc/hosts.allow

vsftpd, in.telnetd: 192.168.1.

/etc/hosts.deny

vsftpd, in.telnetd: ALL


Use of tcp_wrappers

[: option] options:

Help: man 5 hosts_options

deny    used mainly in /etc/hosts.allow, to write a "deny" rule in the file that is checked first

e.g. vsftpd: 172.16. : deny

allow   used mainly in /etc/hosts.deny, to write an "allow" rule there

e.g. vsftpd: 172.16. : allow

spawn   run an external command (for example to log the attempt) and then continue with the normal decision; the command's standard input, output and error are connected to /dev/null

twist   deny access: the connection is handed to the given command instead of the real service, with the command's standard input, output and error connected to the client

Test tool:

tcpdmatch [-d] daemon[@host] client

-d      use the hosts.allow and hosts.deny in the current directory instead of the ones in /etc

tcpdchk examines the installed files for syntax errors and for rules that can never match.


Example

sshd: ALL: spawn echo "$(date) login attempt from %c to %s,%d" >> /var/log/sshd.log

Description

placed in /etc/hosts.allow: the login is allowed and the attempt is logged

placed in /etc/hosts.deny: the login is denied and the attempt is logged

%c  client information (user@host, or just the address)

%s  server information (daemon@host)

%d  daemon name

%p  daemon process ID

vsftpd: 172.16. : twist /bin/echo "Connection prohibited"

(the client sees the message and the connection is closed; vsftpd itself is never reached)
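As an added example for this page (not part of the original slides or of the tcp_wrappers package), here is a small Python evaluator for the hosts.allow / hosts.deny decision described in the preceding sections: hosts.allow first, then hosts.deny, first match in a file wins, default allow when nothing matches, right-nesting EXCEPT, and the allow / deny / twist options overriding the verdict implied by the file. The rule text is constructed to mirror the examples on the page; the function names are this example's own, and the evaluator covers only the pattern forms listed on the page (no netgroups, no KNOWN/UNKNOWN/PARANOID, no backslash continuation lines).

```python
"""hosts.allow / hosts.deny evaluation as described in hosts_access(5)."""
import ipaddress


def pattern_matches(pattern: str, client_ip: str, client_host: str) -> bool:
    """One client pattern against one client (address plus resolved name)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                            # a host name without a dot
        return bool(client_host) and "." not in client_host
    if pattern.startswith("."):                       # .magedu.com: the whole domain
        return client_host.endswith(pattern)
    if pattern.endswith("."):                         # 192.168.1.: address prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                                # net/mask or net/prefixlen
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (client_ip, client_host)        # exact address or host name


def list_matches(tokens: list, client_ip: str, client_host: str) -> bool:
    """'a b EXCEPT c EXCEPT d' means (a or b) and not (c and not d)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], client_ip, client_host)
                and not list_matches(tokens[i + 1:], client_ip, client_host))
    return any(pattern_matches(t, client_ip, client_host) for t in tokens)


def parse_rules(text: str) -> list:
    """Turn a file body into (daemons, clients, option) triples.  The option is
    the first word after the second ':' (allow, deny, twist, spawn, ...)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        daemons = [d.split("@")[0] for d in fields[0].replace(",", " ").split()]  # drop @host
        clients = fields[1].replace(",", " ").split()
        option = fields[2].split()[0].lower() if len(fields) > 2 and fields[2].split() else ""
        rules.append((daemons, clients, option))
    return rules


def hosts_access(allow_text: str, deny_text: str, daemon: str,
                 client_ip: str, client_host: str = "") -> str:
    """Return 'allow' or 'deny' for one connection to a libwrap-aware daemon."""
    for file_verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, option in parse_rules(text):
            if "ALL" not in daemons and daemon not in daemons:
                continue
            if not list_matches(clients, client_ip, client_host):
                continue
            if option in ("deny", "twist"):   # twist replaces the service: the real daemon is never reached
                return "deny"
            if option == "allow":
                return "allow"
            return file_verdict               # first match in this file decides
    return "allow"                            # matched nowhere: access is granted


# Constructed sample files mirroring the page's examples (not real system files).
HOSTS_ALLOW = """
sshd: 192.168.1.
vsftpd: 172.16. EXCEPT 172.16.100.0/24 EXCEPT 172.16.100.1
in.telnetd: .magedu.com : deny
in.telnetd: 10.0.0.0/255.255.255.0
"""
HOSTS_DENY = """
sshd, vsftpd, in.telnetd: ALL
"""

if __name__ == "__main__":
    for daemon, ip, host in (("sshd", "192.168.1.77", ""), ("sshd", "192.168.10.77", ""),
                             ("vsftpd", "172.16.100.1", ""), ("vsftpd", "172.16.100.9", ""),
                             ("in.telnetd", "10.0.0.5", "pc1.magedu.com"), ("httpd", "203.0.113.9", "")):
        print(daemon, ip, host, "->", hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, ip, host))
```

The httpd line in the demo shows the default-allow rule: a daemon that appears in neither file is not restricted, and a daemon that is not linked against libwrap is not restricted even if it does appear. The tcpdmatch tool gives the same kind of answer against the real files and should be used before trusting a new rule set.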


PAM authentication mechanism

PAM: Pluggable Authentication Modules

Authentication backends: text files (/etc/passwd and /etc/shadow), MySQL, NIS, LDAP, and so on

A common authentication framework developed by Sun in 1995

PAM is an API that concentrates on authenticating users for services: by providing dynamically loaded modules behind one uniform API, it separates the services the system provides from the authentication methods they use.

This lets the system administrator configure different authentication methods for different services, or one method for several services, as needed, without changing the service programs.

PAM is an authentication framework; it performs no authentication itself, the modules do.


PAM authentication mechanism

It provides one central mechanism for authenticating all services: login, remote logins (telnet, rlogin, fsh, ftp, Point-to-Point Protocol (PPP)), su, and other applications. The system administrator uses the PAM configuration files to set different authentication policies for different applications; the application developer calls the PAM API (the pam_xxxx() functions) to invoke whatever authentication method is configured; the developer of a PAM service module writes it against the PAM SPI (mainly the pam_sm_xxxx() functions, which are called by the PAM interface library), so that new authentication mechanisms can be added to the system without touching the applications; and the PAM interface library (libpam) reads the configuration file to connect each application with the corresponding PAM service modules.


PAM authentication framework

[Figure: Pam.png, PAM authentication framework]


PAM authentication principle

PAM authentication generally follows this sequence: service -> PAM configuration file -> pam_*.so

PAM first identifies the service, then loads the matching configuration file (under /etc/pam.d), and finally calls the modules named there (located in /lib64/security, or /lib/security on 32-bit systems) to perform the checks.



[Figure: Pam1.png, PAM authentication flow]


PAM authentication mechanism

PAM authentication process:

1. The user runs /usr/bin/passwd and enters a password.

2. passwd calls the PAM library, which looks for the PAM configuration for the passwd program. The configuration is usually a file under /etc/pam.d/ with the same name as the program, so PAM looks for /etc/pam.d/passwd.

3. Using the contents of /etc/pam.d/passwd, PAM loads the listed modules and runs them to perform the checks.

4. The result is returned to passwd, which decides what to do next based on it (ask for the password again, or accept it).


PAM authentication mechanism

PAM-related files

Module files: /lib64/security/*.so

Environment and per-module settings: /etc/security/

Main configuration file: /etc/pam.conf, which normally does not exist

A dedicated configuration file for each application: /etc/pam.d/app_name

Note: if /etc/pam.d exists, /etc/pam.conf is ignored


PAM authentication mechanism

General configuration file /etc/pam.conf format:

service  type  control  module-path  arguments

Per-service configuration file /etc/pam.d/* format (the file name is the service name):

type  control  module-path  arguments

Description

service name (application)

telnet, login, ftp, etc.; the service name "other" stands for every service that has no explicit configuration of its own, so /etc/pam.d/other should deny (on most distributions it does)

module type (type)

which management group the line belongs to: auth, account, password or session

control

how the PAM library treats the success or failure of this module when deciding the outcome for the service (see below)

module-path   the path of the module file implementing this line

arguments     arguments passed to the module


PAM authentication mechanism

Module type (type)

auth      authenticates the user (password, token, ...) and sets credentials

account   account management not related to proving identity: for example restricting the hours a user may use a service, the system resources currently in effect (maximum number of users), restricting where the user may log in from (for example: root may only log in from the console), password expiry

password  the checks applied when a user changes the password, such as password complexity

session   extra work before the user gets the service and after the session ends, such as logging the session start and end, mounting directories, applying resource limits

-type     a leading "-" means that a module that cannot be loaded because it is missing is not logged to the system log; useful for modules that are not always installed

control:

how the PAM library treats the success or failure of the module when deciding the outcome for the service

two forms: simple and complex

Simple form: a single keyword

required    "veto": the module must succeed for the stack to succeed, but when it fails the failure is not returned immediately; the remaining modules of the same type are still run, and only then is the failure returned to the application (so an attacker cannot tell which module failed). A necessary condition.

requisite   "veto, stop now": the module must succeed; as soon as it fails, no further modules of the same type are run and control returns to the application with the failure. A necessary condition.

sufficient  "one pass is enough": if the module succeeds and no earlier required module has failed, the stack returns success immediately and the remaining modules of the same type are not run; if it fails, the failure is ignored. A sufficient condition.

optional    the module's result is normally ignored; it only counts when it is the only module in the stack for this service and type.

include     pull in the lines of the same type from another configuration file (substack does the same but keeps the included file's done/die from ending the including stack)

Complex form: one or more "status=action" pairs in brackets

[status1=action1 status2=action2 ...]

status: the return value of the module to check (success, auth_err, user_unknown, ..., or default for any value not listed)

action: what to do: ok, done, bad, die, ignore, reset, or a number N (skip the next N lines)

ok      the module passed; record success (unless an earlier module failed) and continue checking

done    the module passed; return the final result to the application now, unless an earlier module has failed

bad     failure; record it and continue checking

die     failure; return the failure to the application immediately

ignore  the result is ignored and does not affect the final result

reset   discard the results recorded so far and start over with the following modules

The simple keywords are shorthand for these actions: required is [success=ok new_authtok_reqd=ok ignore=ignore default=bad], requisite is [success=ok new_authtok_reqd=ok ignore=ignore default=die], sufficient is [success=done new_authtok_reqd=done default=ignore], and optional is [success=ok new_authtok_reqd=ok default=ignore].
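To make the control semantics above concrete, here is an added example written for this page (not part of the original slides or of Linux-PAM): a Python simulation of how libpam walks one management-group stack under the simple keywords and the [status=action] form. It implements the documented behaviour (required remembers a failure but keeps going, requisite stops at once, sufficient short-circuits only when nothing required has failed yet, optional counts only when alone, N skips N lines) rather than being a port of the libpam dispatcher. The stack text is constructed to resemble the auth section of a RHEL-style /etc/pam.d/login; module return codes are supplied by the caller instead of real modules, and modules not listed are taken to succeed. The function names are this example's own.

```python
"""Simulation of PAM control flags over one stack, per pam.conf(5)."""

SIMPLE = {   # the keyword shorthands, as documented in pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_stack(text: str, mtype: str = "auth") -> list:
    """Return [(control_table, module), ...] for the lines of one type."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        line_type, rest = line.split(None, 1)
        if line_type.lstrip("-") != mtype:          # '-auth' is auth with quiet failure-to-load
            continue
        if rest.startswith("["):                    # complex form: [status=action ...]
            ctl_text, rest = rest[1:].split("]", 1)
            table = dict(kv.split("=", 1) for kv in ctl_text.split())
        else:                                       # simple keyword
            keyword, rest = rest.split(None, 1)
            if keyword not in SIMPLE:
                raise ValueError("include/substack are not modelled here: " + keyword)
            table = SIMPLE[keyword]
        stack.append((table, rest.split()[0]))      # module file name; arguments are dropped
    return stack


def run_stack(stack: list, results: dict) -> tuple:
    """Walk the stack.  results maps module -> return code ('success', 'auth_err', ...);
    unlisted modules succeed.  Returns (final_result, modules_actually_executed)."""
    status, failed, executed = None, False, []
    i = 0
    while i < len(stack):
        table, module = stack[i]
        ret = results.get(module, "success")
        executed.append(module)
        action = table.get(ret, table.get("default", "ignore"))
        i += 1
        if action in ("ok", "done"):
            if not failed:
                status = ret
                if action == "done":                # sufficient success with nothing required failed
                    return status, executed
        elif action in ("bad", "die"):
            if not failed:
                status, failed = ret, True          # the first failure is the one reported
            if action == "die":                     # requisite: stop immediately
                return status, executed
        elif action == "reset":
            status, failed = None, False
        elif action.isdigit():                      # N: jump over the next N lines
            i += int(action)
        # 'ignore': no effect on the verdict
    if status is None:                              # no module made a decision
        if len(stack) == 1 and stack[0][0] == SIMPLE["optional"]:
            return results.get(stack[0][1], "success"), executed   # a lone optional module counts
        return "perm_denied", executed              # libpam refuses when nothing decided
    return status, executed


# Constructed sample stack (not a real distribution file).
LOGIN_AUTH = """
auth    required      pam_securetty.so
auth    required      pam_env.so
auth    sufficient    pam_unix.so nullok try_first_pass
auth    requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth    sufficient    pam_ldap.so use_first_pass
auth    required      pam_deny.so
"""


def scenario(results: dict) -> tuple:
    """Run LOGIN_AUTH with pam_deny always failing and the given module results."""
    base = {"pam_deny.so": "auth_err"}
    base.update(results)
    return run_stack(parse_stack(LOGIN_AUTH), base)


if __name__ == "__main__":
    # root on a pseudo-terminal with the correct password: securetty fails (required),
    # pam_unix succeeds but cannot short-circuit, pam_succeed_if (uid 0 < 1000) is requisite and ends it
    print(scenario({"pam_securetty.so": "auth_err", "pam_unix.so": "success", "pam_succeed_if.so": "auth_err"}))
    # root on the console: pam_unix is sufficient and returns success at once, pam_deny never runs
    print(scenario({"pam_unix.so": "success", "pam_succeed_if.so": "auth_err"}))
```

Two things the traces show that the keyword descriptions alone do not: a required failure early in the stack is carried to the end even though later modules run (which is why a wrong pam_securetty line is not "fixed" by a correct password), and everything after a sufficient success is skipped, including the final pam_deny safety net, so a sufficient line placed too early silently disables every check below it.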


PAM authentication mechanism

module-path: path of the module

relative path:

modules in /lib64/security (or /lib/security) can be given by file name only, such as pam_shells.so, pam_limits.so

absolute path:

a module stored anywhere else is given with its full path

Many modules control the system resources or conditions they enforce by reading a configuration file of their own under /etc/security/*.conf (pam_limits reads limits.conf, pam_time reads time.conf, pam_access reads access.conf)

Note: changes to a PAM configuration file take effect immediately, for the next authentication; no service restart is needed, and there is no syntax check

Recommendation: when editing PAM rules, keep at least one root session open so that a mistake that breaks root authentication can be undone; test with a second session before closing the first

arguments  arguments passed to the module

Documentation:

/usr/share/doc/pam-*

rpm -qd pam

man -k pam_

man <module name>, e.g. man pam_rootok

The Linux-PAM System Administrators' Guide


PAM module example

Module: pam_shells

Function: check that the user's login shell is listed in /etc/shells

man pam_shells

Example: users whose shell is /bin/csh may not log in locally

vim /etc/pam.d/login

auth required pam_shells.so

vim /etc/shells

remove /bin/csh

useradd -s /bin/csh testuser

testuser can no longer log in

tail /var/log/secure

Module: pam_securetty.so

Function: only allow root to log in on the secure terminals listed in /etc/securetty

Example: allow root to log in over telnet

vi /etc/pam.d/login

#auth required pam_securetty.so   (comment out this line)

or add the pseudo-terminals to /etc/securetty:

pts/0, pts/1, ..., pts/n

Either change lets root authenticate over a plaintext protocol from any host that can reach the telnet port. Do it only on an isolated lab system; on anything else keep root confined to the console and reach root through su or sudo from an unprivileged account, which also leaves a record of who became root.


Module: pam_nologin.so

Function: if the file /etc/nologin exists, non-root users are refused login and are shown the file's contents; root can still log in. This is separate from the /sbin/nologin shell: a user whose shell is /sbin/nologin is refused when the shell starts, and sees the contents of /etc/nologin.txt if that file exists.

Module: pam_limits.so

Function: per-user limits on the resources a session may use, such as the number of open files, the number of processes that may run, and the amount of memory

Two ways to set limits:

(1) the ulimit command: takes effect immediately in the current shell and its children, but is not saved

-n  maximum number of open file descriptors

-u  maximum number of user processes

-S  set or show the "soft" resource limit

-H  set or show the "hard" resource limit

(2) configuration files: /etc/security/limits.conf, /etc/security/limits.d/*.conf (applied by pam_limits when a session opens)

configuration file: one definition per line:

<domain> <type> <item> <value>

<domain>

username   a single user

@group     all users in the group

*          all users

<type> kind of limit

soft   soft limit: the value in effect; a user may raise it, but only up to the hard limit

hard   hard limit: the ceiling, set by root and enforced by the kernel; an unprivileged process can lower it but never raise it again

-      sets both limits to the same value

<item> the resource being limited

nofile  maximum number of files open at the same time, default 1024 on these systems (check with ulimit -n)

nproc   maximum number of processes that may run at the same time, default 1024 on these systems (check with ulimit -u)

<value> the value

Check the limits in effect for a login with ulimit -a (soft) and ulimit -Ha (hard). A service started by systemd or init does not pass through a PAM session and therefore does not get limits.conf values; its limits come from the unit file or init script instead.


Example: pam_limits.so

Limit the number of open files and the number of running processes for a user

/etc/pam.d/system-auth

session required pam_limits.so

vim /etc/security/limits.conf

apache   -     nofile  10240     the apache user may open 10,240 files (soft and hard limit alike)

student  hard  nproc   20        student may not run more than 20 processes
