su, sudo and tcp_wrappers command usage, and the PAM authentication mechanism
su (switch identity): su -l username -c 'command'
sudo
Provided by the sudo package
man 5 sudoers
sudo lets an administrator authorize specified users to run certain commands on specified hosts. Unauthorized users who try to use sudo are told to contact the administrator.
sudo logs every command run through it, which gives an audit trail of what each user did with it.
sudo gives the administrator one configuration file in which user permissions, and the hosts they apply to, are managed centrally.
sudo uses a timestamp file to implement a "ticket" mechanism: after a successful password check the current account holds a ticket that is valid for 5 minutes by default (the timestamp_timeout option).
Edit the configuration file with the visudo command, which locks the file and checks the syntax before saving.
visudo -c: check the syntax of the current configuration without editing it
Configuration files: /etc/sudoers, /etc/sudoers.d/
Timestamp files: /var/db/sudo (newer sudo versions keep them under /var/run/sudo/ts instead)
Log file: /var/log/secure (written via syslog's authpriv facility)
The configuration file supports glob wildcards:
?  : any single character
*  : any string of characters, of any length (in command arguments it also matches whitespace)
[wxc]  : any one of the listed characters
[!wxc] : any character other than the listed ones
\x : escape the character x
[[:alpha:]] : a POSIX character class (here, any letter); example: /bin/ls [[:alpha:]]*
A configuration file contains two kinds of entries:
1. Alias definitions: optional
2. Authorization rules: required
sudoers
Authorization rule format:
user  host=(runas)  command
Example:
root ALL=(ALL) ALL
Field description:
user: the user (or group) that may run the command
host: the hosts on which the rule applies
(runas): the identity the command may be run as
command: the commands that may be run
Alias
user and runas fields:
username
#uid
%group_name
%#gid
User_Alias | Runas_Alias
host field:
IP address or hostname
network (/netmask)
Host_Alias
command field:
command name (full path)
directory (trailing /, matches any file directly inside it)
sudoedit
Cmnd_Alias
sudo aliases and examples
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias
Alias name format: [A-Z]([A-Z][0-9]_)*  (upper-case letters, digits and underscores, starting with a letter)
Alias definition:
Alias_Type NAME1 = item1, item2, item3 : NAME2 = item4, item5
Example 1:
student ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
Example 2:
student ALL=(root) /sbin/pidof, /sbin/ifconfig
%wheel  ALL=(ALL) NOPASSWD: ALL
sudo example
Example 3
User_Alias NETADMIN = netuser1, netuser2
Cmnd_Alias NETCMD = /usr/sbin/ip
NETADMIN ALL=(root) NETCMD
Example 4
User_Alias SYSADER = wang, mage, %admins
User_Alias DISKADER = tom
Host_Alias SERS = www.magedu.com, 172.16.0.0/24
Runas_Alias OP = root
Cmnd_Alias SYDCMD = /bin/chown, /bin/chmod
Cmnd_Alias DSKCMD = /sbin/parted, /sbin/fdisk
SYSADER SERS = SYDCMD, DSKCMD
DISKADER ALL=(OP) DSKCMD
Example 4
User_Alias ADMINUSER = adminuser1, adminuser2
Cmnd_Alias ADMINCMD = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ADMINUSER ALL=(root) NOPASSWD: ADMINCMD, PASSWD: /usr/sbin/userdel
The "!" entry comes last on purpose: when several items in a command list match, the last match wins, so the exclusion must follow the wildcard it narrows.
Example 5
Defaults:wang runas_default=tom
wang ALL=(tom,jerry) ALL
Example 6
wang 192.168.175.136,192.168.175.138=(root) /usr/sbin/, !/usr/sbin/useradd
Example 7
wang ALL=(ALL) /bin/cat /var/log/messages*
Caveats for examples 6 and 7 (see the security notes in man 5 sudoers): command arguments are matched as one concatenated string, so the "*" in example 7 also matches whitespace and the rule permits "sudo cat /var/log/messages /etc/shadow"; list the rotated files explicitly or use a fixed-width class such as /var/log/messages.[0-9] instead. "!" exclusions only help when the allowed set is narrow: subtracting from ALL (ALL, !/some/cmd) is trivially bypassed by copying the binary under another name.
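The argument-matching behaviour behind examples 4, 6 and 7 can be checked offline with the following model, which is added here as an illustration and is not part of the original course notes or of sudo itself. It approximates sudoers command matching with Python's fnmatch (so POSIX classes such as [[:alpha:]] and "\" escaping are not supported), treats a trailing "/" as a directory item, joins the arguments into one string the way sudo does, and applies last-match-wins with default deny as man 5 sudoers describes; the command lists are the ones from the examples above plus a constructed safer variant of the cat rule.

```python
import fnmatch
import os

# Wildcard characters sudoers recognises (man 5 sudoers); fnmatch uses the same ? * [ ] syntax.
GLOB_CHARS = set("*?[")

# Command lists taken from the examples above (ADMINCMD from example 4, the directory
# rule from example 6, the cat rule from example 7) plus a constructed safer cat rule.
ADMINCMD = ["/usr/sbin/useradd", "/usr/sbin/usermod",
            "/usr/bin/passwd [A-Za-z]*", "!/usr/bin/passwd root"]
SBIN_EXCEPT_USERADD = ["/usr/sbin/", "!/usr/sbin/useradd"]
CAT_MESSAGES = ["/bin/cat /var/log/messages*"]
CAT_MESSAGES_SAFE = ["/bin/cat /var/log/messages", "/bin/cat /var/log/messages.[0-9]"]


def parse_cmnd(item):
    """Split one command-list item into (negated, path, args).

    args is None when the item names no arguments (any arguments match),
    '' when the item ends in "" (no arguments allowed), else the literal/glob text."""
    item = item.strip()
    negated = item.startswith("!")
    if negated:
        item = item[1:].lstrip()
    path, sep, args = item.partition(" ")
    if not sep:
        return negated, path, None
    args = args.strip()
    return negated, path, "" if args == '""' else args


def path_matches(spec_path, cmd):
    if spec_path.endswith("/"):
        # A directory item matches files directly inside it, not in subdirectories.
        return os.path.dirname(cmd) + "/" == spec_path
    if GLOB_CHARS & set(spec_path):
        return fnmatch.fnmatchcase(cmd, spec_path)
    return cmd == spec_path


def args_match(spec_args, argv):
    if spec_args is None:
        return True
    # sudo compares the arguments as ONE space-joined string, so '*' crosses word boundaries.
    joined = " ".join(argv)
    if GLOB_CHARS & set(spec_args):
        return fnmatch.fnmatchcase(joined, spec_args)
    return joined == spec_args


def command_allowed(cmnd_list, cmd, argv=()):
    """Evaluate a command list for one (command, argv): the LAST matching item wins, default deny."""
    decision = False
    for item in cmnd_list:
        negated, spec_path, spec_args = parse_cmnd(item)
        if path_matches(spec_path, cmd) and args_match(spec_args, argv):
            decision = not negated
    return decision


if __name__ == "__main__":
    # The example 7 pitfall: the wildcard also lets cat read a second, unrelated file.
    print(command_allowed(CAT_MESSAGES, "/bin/cat", ["/var/log/messages", "/etc/shadow"]))       # True
    print(command_allowed(CAT_MESSAGES_SAFE, "/bin/cat", ["/var/log/messages", "/etc/shadow"]))  # False
```

The real check on a host is still visudo -c for syntax and "sudo -l -U user" for the effective rule set; the model only makes the wildcard semantics visible without touching /etc/sudoers.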
sudo command
ls -l /usr/bin/sudo   (the binary is setuid root, which is what lets it switch identity)
sudo -i -u wang   switch to wang with a login shell
sudo [-u user] COMMAND
-V  display the version and, for root, the configuration settings in effect
-u user  run the command as this user (default root)
-l, -ll  list the commands the invoking user may and may not run on this host
-v  extend the ticket by 5 minutes (update the timestamp) without running a command
-k  invalidate the timestamp (sets it to 1970-01-01); the next sudo asks for the password again
-K  like -k, but removes the timestamp file entirely
-b  run the command in the background
-p  change the prompt used when asking for the password
Example: -p "password on %h for user %p:"
Note that the options are case-sensitive: -v/-V and -k/-K are different options.
tcp_wrappers introduction
Written by Wietse Venema (IBM, Google)
Works at layer 4 (transport layer), on TCP
Provides access control and logging for connection-oriented services
Implemented as a library (libwrap)
Whether a process is subject to libwrap control depends on whether the program that starts it was compiled against libwrap
To check whether a service program is controlled by tcp_wrappers:
ldd /path/to/program | grep libwrap.so
strings /path/to/program | grep libwrap.so
Use of tcp_wrappers
Configuration files: /etc/hosts.allow, /etc/hosts.deny
Reference: man 5 hosts_access, man 5 hosts_options
Check order: hosts.allow first, then hosts.deny; if neither file matches, access is allowed by default
Note: the first matching rule decides; later rules are not consulted
Basic syntax:
daemon_list : client_list [: option : option ...]
daemon_list format
The binary file name of a single program, not a service name, e.g. vsftpd
A comma- or space-separated list of program names, e.g. sshd, vsftpd
ALL means every service program under tcp_wrappers control
When the host has several IP addresses, the daemon@host form restricts the rule to connections arriving on that address, e.g. sshd@ followed by one of the server's own addresses
client_list format
A list of clients separated by commas or spaces
By IP address: 192.168.10.1, or an address prefix ending in a dot, 192.168.1. (matches 192.168.1.0/24)
By hostname: www.magedu.com, or a domain suffix starting with a dot, .magedu.com (matches every host in that domain)
By network/netmask: 192.168.0.0/255.255.255.0
By net/prefixlen: 192.168.1.0/24 (CentOS 7)
By netgroup (NIS domain): @mynetwork
Built-in ACLs: ALL, LOCAL (names without a dot), KNOWN, UNKNOWN, PARANOID
EXCEPT usage:
Example: vsftpd: 172.16. EXCEPT 172.16.100.0/24 EXCEPT 172.16.100.1
EXCEPT is right-associative, so this reads "172.16. EXCEPT (172.16.100.0/24 EXCEPT 172.16.100.1)": all of 172.16.0.0/16 matches except 172.16.100.0/24, but 172.16.100.1 matches again.
Example
Example: allow only hosts in 192.168.1.0/24 to access sshd
/etc/hosts.allow
sshd: 192.168.1.
/etc/hosts.deny
sshd: ALL
Example: allow only hosts in 192.168.1.0/24 to access the telnet and vsftpd services
/etc/hosts.allow
vsftpd, in.telnetd: 192.168.1.
/etc/hosts.deny
vsftpd, in.telnetd: ALL
[: option] options:
Reference: man 5 hosts_options
deny: used mainly in /etc/hosts.allow to write a "deny" rule
e.g. vsftpd: 172.16. : deny
allow: used mainly in /etc/hosts.deny to write an "allow" rule
e.g. vsftpd: 172.16. : allow
spawn: run an external program in a child process (typically to log the attempt); its standard input, output and error are connected to /dev/null, and the access decision is still made by the rule and file it sits in
twist: replace the service with the specified command, so the real service is never started; the command's standard input, output and error are connected to the client. In effect this denies access while returning a message.
Test tool:
tcpdmatch [-d] daemon[@host] client
-d: test the hosts.allow and hosts.deny in the current directory instead of the ones in /etc
Example
sshd: ALL: spawn echo "$(date) login attempt from %c to %s,%d" >> /var/log/sshd.log
Description
Placed in /etc/hosts.allow, this rule allows the login and records it
Placed in /etc/hosts.deny, it denies the login and records it
%c  client information (user@host, or address)
%s  server information (daemon@host, or address)
%d  daemon (service) name
%p  daemon process ID
vsftpd: 172.16. : twist /bin/echo "Connection prohibited"
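To see how the search order, the prefix and suffix patterns, the allow/deny options and the right-associative EXCEPT above combine, here is a small evaluator of hosts.allow/hosts.deny rules, added as an illustration; it is not part of the original notes or of tcp_wrappers. It models daemon lists (including daemon@host), client patterns (ALL, LOCAL, address prefix, domain suffix, net/mask, net/prefixlen, literal address or name) and the allow/deny options; KNOWN/UNKNOWN/PARANOID, netgroups, spawn/twist and line continuation are left out. The two rule files are constructed from the examples above, not copied from a real host.

```python
import ipaddress

# Constructed sample files built from the examples above. The "deny" option rule is
# placed before the broader vsftpd rule because the first matching rule decides.
HOSTS_ALLOW = """
sshd: 192.168.1.
vsftpd: 172.16.200. : deny
vsftpd: 172.16. EXCEPT 172.16.100.0/24 EXCEPT 172.16.100.1
in.telnetd: .magedu.com
"""
HOSTS_DENY = """
sshd, vsftpd, in.telnetd: ALL
"""


def _tokens(field):
    return field.replace(",", " ").split()


def _parse(text):
    """Yield (daemon_tokens, client_tokens, options) for each rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        yield _tokens(fields[0]), _tokens(fields[1]), [o.lower() for o in fields[2:]]


def _daemon_matches(token, daemon, server_ip):
    name, _, at_host = token.partition("@")       # daemon@host form for multi-homed servers
    return name in ("ALL", daemon) and (not at_host or at_host == server_ip)


def _client_matches(token, ip, host):
    if token == "ALL":
        return True
    if token == "LOCAL":                          # a host name without a dot
        return host is not None and "." not in host
    if token in ("KNOWN", "UNKNOWN", "PARANOID"):
        raise NotImplementedError("needs DNS lookups; not modelled here")
    if token.startswith("."):                     # .magedu.com: every host in that domain
        return host is not None and host.endswith(token)
    if token.endswith("."):                       # 192.168.1.: address prefix, whole octets only
        return ip.startswith(token)
    if "/" in token:                              # net/mask or net/prefixlen
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return token == ip or token == host


def _list_matches(tokens, match_one):
    """'a b EXCEPT c EXCEPT d' parses as a b EXCEPT (c EXCEPT d)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], match_one) and not _list_matches(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, client_ip, client_host=None, server_ip=None):
    """Return True if the connection is granted.

    Search order from hosts_access(5): the first matching rule in hosts.allow grants,
    otherwise the first matching rule in hosts.deny refuses, otherwise access is granted.
    An explicit allow/deny option on a rule overrides the file it sits in."""
    for file_verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, options in _parse(text):
            if not _list_matches(daemons, lambda t: _daemon_matches(t, daemon, server_ip)):
                continue
            if not _list_matches(clients, lambda t: _client_matches(t, client_ip, client_host)):
                continue
            if "deny" in options:
                return False
            if "allow" in options:
                return True
            return file_verdict
    return True


if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "vsftpd", "172.16.100.1"))   # True
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "vsftpd", "172.16.100.7"))   # False
```

On a real host the equivalent check is tcpdmatch (with -d to test files in the current directory); the point the model makes visible is that a service with no rule at all is granted access, so the hosts.deny catch-all is what turns the setup into default-deny.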
PAM authentication mechanism
PAM: Pluggable Authentication Modules
Authentication backends: text files, MySQL, NIS, LDAP, etc.
A general authentication framework developed by Sun in 1995
PAM is an API focused on authenticating users for services: a set of dynamically loadable modules and one uniform API separate the services the system provides from the way users are authenticated.
This lets the administrator configure different authentication methods for different services as needed, without changing the service programs.
PAM is an authentication framework; it does not authenticate anyone itself, the modules do.
It provides a central authentication mechanism for all services: login, remote login (telnet, rlogin, fsh, ftp, the Point-to-Point Protocol (PPP)), su, and so on. The administrator uses the PAM configuration files to give different applications different authentication policies; the application developer calls the PAM API (pam_xxxx()) to invoke whatever authentication method is configured; the developer of a PAM service module uses the PAM SPI to write the module (mainly the pam_sm_xxxx() functions, which the PAM interface library calls), which is how new authentication mechanisms are added to the system without changing the applications; the PAM interface library (libpam) reads the configuration file to associate an application with its PAM service modules.
PAM authentication framework
[Figure: PAM authentication framework]
PAM authentication principle
PAM authentication generally follows this sequence: service → PAM configuration file → pam_*.so
PAM first identifies the service, then loads that service's PAM configuration file (under /etc/pam.d), and finally calls the modules it lists (located in /lib64/security on 64-bit systems, /lib/security on 32-bit ones) to perform the authentication
[Figure: PAM authentication flow]
PAM authentication process:
1. The user runs /usr/bin/passwd and enters a password
2. passwd calls into PAM; PAM looks for the configuration file for the passwd program, which normally lives in /etc/pam.d/ under the same name as the program, so PAM looks for /etc/pam.d/passwd
3. Using the entries in /etc/pam.d/passwd, PAM loads the listed modules and runs their checks
4. The result is returned to passwd, which decides what to do next based on it (ask for the password again, or accept it)
PAM-related files
Module files: /lib64/security/*.so
Environment-related settings: /etc/security/
Master configuration file: /etc/pam.conf (does not exist by default)
Per-application configuration files:
/etc/pam.d/app_name
Note: if /etc/pam.d exists, /etc/pam.conf is ignored
General configuration file /etc/pam.conf format
application  type  control  module-path  arguments
Per-application configuration file /etc/pam.d/* format
type  control  module-path  arguments
Description
Service name (application)
telnet, login, ftp, etc.; the service name "other" stands for every service not explicitly configured in the file
Module type (module-type): which of the four PAM functions the line belongs to (see below)
Control: how the PAM library handles the success or failure of the PAM module for this service
module-path: the path of the module file implementing this entry
arguments: the parameters passed to the module
Module type (module-type)
auth: authenticates the account (identity check) and grants credentials
account: non-authentication account management, e.g. restricting the times a user may access a service, the system resources in effect (maximum number of users), or where a user may log in from (e.g. root only from the console)
password: checks applied when the user changes a password, such as the complexity rules
session: extra actions before the user gets the service and after the session ends, e.g. logging login/logout information, mounting directories, etc.
-type: a leading "-" means that a module which cannot be loaded because it is missing is not logged to the system log; useful for modules that are not always installed
Control:
How the PAM library handles the success or failure of the PAM module for this service
Two ways to express it: simple and complex
Simple form: a single keyword
required: a veto. The module must succeed for the type to pass, but if it fails the result is not returned immediately: the remaining modules of the same type are still executed and the failure is returned to the application afterwards, so the user cannot tell which module rejected them. A necessary condition.
requisite: also a veto. The module must succeed, but as soon as it fails no further modules of the same type are executed and control returns to the application immediately. A necessary condition.
sufficient: one pass is enough. If the module succeeds, the remaining modules of the same type need not run (unless an earlier required module has already failed, in which case the success is ignored); if it fails, the failure is ignored. A sufficient condition.
optional: the module is optional; its result is normally ignored and only matters when it is the only module in the stack
include: pull in the configuration defined in another configuration file
Complex form: one or more "status=action" pairs in square brackets
[status1=action1 status2=action2 ...]
status: the return status to check
action: what to do: ok, done, die, bad, ignore, reset
ok: the module passed; continue checking
done: the module passed; return the final result to the application now
bad: the result failed; continue checking
die: the result failed; return the failure to the application now
ignore: the result is ignored and does not affect the final result
reset: discard the results obtained so far and start again with the next module
The simple keywords are shorthand for these tables (man 5 pam.conf):
required   = [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
requisite  = [success=ok new_authtok_reqd=ok ignore=ignore default=die]
sufficient = [success=done new_authtok_reqd=done default=ignore]
optional   = [success=ok new_authtok_reqd=ok default=ignore]
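The control semantics above can be exercised with this small model of how libpam walks a stack, added here as an illustration; it is not part of the original notes or of Linux-PAM. It expresses the four simple keywords as the status=action tables pam.conf(5) documents, keeps a sticky negative "impression" the way libpam does (a later success never overrides an earlier required failure), and fails closed when no module decided. The modules and the login stack are constructed stand-ins: the "pam_unix" here compares a plaintext value in a dict, it does not read /etc/shadow.

```python
# Simple keywords as the [status=action ...] tables in pam.conf(5); only the statuses
# "success" and "default" are needed for the stand-in modules below.
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def run_stack(stack, ctx):
    """Evaluate one type's stack, e.g. the auth lines of /etc/pam.d/login.

    stack: list of (control, module_name, module_fn); control is a SIMPLE keyword or a
    {status: action} dict; module_fn(ctx) returns True for PAM_SUCCESS.
    Returns (granted, names_of_modules_that_ran)."""
    impression = None        # None = undecided, True = positive, False = negative (sticky)
    ran = []
    for control, name, fn in stack:
        table = SIMPLE[control] if isinstance(control, str) else control
        ran.append(name)
        status = "success" if fn(ctx) else "auth_err"
        action = table.get(status, table.get("default", "bad"))
        if action == "ok":               # record success unless something already failed
            if impression is not False:
                impression = True
        elif action == "done":           # success ends the stack, but not over an earlier failure
            if impression is not False:
                return True, ran
        elif action == "bad":            # remember the failure, keep running the stack
            impression = False
        elif action == "die":            # fail right now, skip the rest of the stack
            return False, ran
        elif action == "ignore":
            pass
        elif action == "reset":
            impression = None
        else:
            raise ValueError(f"unsupported action {action!r}")
    return impression is True, ran       # an undecided stack fails closed


# Constructed stand-ins for real modules; they only look at the dict passed in.
def pam_securetty(ctx):
    return ctx["user"] != "root" or ctx["tty"] in ctx["securetty"]

def pam_env(ctx):
    return True

def pam_unix(ctx):
    return ctx["password"] == ctx["correct_password"]

def pam_deny(ctx):
    return False


# The usual shape of an auth stack: securetty, env, unix, then a catch-all deny.
def login_auth(securetty_control="required"):
    return [
        (securetty_control, "pam_securetty.so", pam_securetty),
        ("required",        "pam_env.so",       pam_env),
        ("sufficient",      "pam_unix.so",      pam_unix),
        ("required",        "pam_deny.so",      pam_deny),
    ]


def attempt(user, tty, password, securetty_control="required"):
    ctx = {"user": user, "tty": tty, "password": password,
           "correct_password": "hunter2", "securetty": ("tty1", "tty2")}
    return run_stack(login_auth(securetty_control), ctx)


if __name__ == "__main__":
    # root on pts/0 with the right password: "required" still runs every module,
    # "requisite" stops at pam_securetty, so only the second reveals which check failed.
    print(attempt("root", "pts/0", "hunter2"))               # (False, all four modules)
    print(attempt("root", "pts/0", "hunter2", "requisite"))  # (False, ['pam_securetty.so'])
```

The difference between the two root attempts is the practical reason stacks are written with required rather than requisite where the failing check should stay invisible to the caller, and why a trailing required pam_deny.so is needed: without it, a stack whose only decision came from an ignored sufficient failure would be undecided rather than explicitly refused.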
module-path: module path
Relative path:
modules in the /lib64/security directory can be given by bare file name
e.g. pam_shells.so, pam_limits.so
Absolute path: any module stored outside that directory
Modules that control a user's use of system resources read their settings from /etc/security/*.conf
Note: changes to a PAM configuration file take effect immediately, with no service restart
Recommendation: when editing PAM rules, keep at least one root session open, so a mistake that breaks root authentication can still be repaired
arguments: the parameters passed to the module
Documentation:
/usr/share/doc/pam-*
rpm -qd pam
man -k pam_
man <module name>, e.g. man pam_rootok
The Linux-PAM System Administrators' Guide
PAM module examples
Module: pam_shells
Function: check that the user's login shell is listed in /etc/shells
man pam_shells
Example: do not allow users whose shell is /bin/csh to log in locally
vim /etc/pam.d/login
auth required pam_shells.so
vim /etc/shells
remove the /bin/csh line
useradd -s /bin/csh testuser
testuser can no longer log in
tail /var/log/secure   (shows the rejection)
Module: pam_securetty.so
Function: only allow root to log in on the secure terminals listed in /etc/securetty
Example: allow root to log in over telnet
vi /etc/pam.d/login
#auth required pam_securetty.so   (comment out this line)
or add the pseudo-terminals to /etc/securetty:
pts/0, pts/1 ... pts/n
Either change lets root authenticate over an unencrypted telnet session, which exposes the root password on the network; it is shown to illustrate the module, not as a recommended setting.
Module: pam_nologin.so
Function: if the file /etc/nologin exists, non-root users cannot log in and are shown its contents. (Separately, a user whose shell is /sbin/nologin is refused by that shell at login, which prints /etc/nologin.txt if it exists.)
Module: pam_limits.so
Function: enforces per-user limits on the resources a session may use, e.g. number of open files, number of processes, memory
Two ways to set a limit:
(1) the ulimit command: takes effect immediately in the current shell but is not persistent
-n  maximum number of open file descriptors
-u  maximum number of user processes
-S  apply to the soft limit
-H  apply to the hard limit
(2) configuration files: /etc/security/limits.conf, /etc/security/limits.d/*.conf
Configuration file format: one definition per line
<domain> <type> <item> <value>
<domain>:
username  a single user
@group  all users in the group
*  all users
<type> kind of limit:
soft  soft limit; an unprivileged user may raise it, but not above the hard limit
hard  hard limit; set by root and enforced by the kernel
-  both limits
<item> the restricted resource:
nofile  maximum number of files open at once; default 1024
nproc  maximum number of processes running at once; the distribution's limits.d drop-in sets the default (1024 on CentOS 6)
<value> the value to apply
Example: pam_limits.so
Limit the number of files a user may open and the number of processes it may run
/etc/pam.d/system-auth
session required pam_limits.so
vim /etc/security/limits.conf
apache  -     nofile  10240    # the apache user may open 10,240 files
student hard  nproc   20       # student cannot run more than 20 processes