When learning Linux from scratch, user management is where the system shows its flexibility in different configurations. Even on a minimally configured machine we can run a website under one user and the database under a different account, so that when the website is hacked, the attacker at least does not automatically get the privileges of the database process.
In Linux, user management is divided into groups and users; the same is true in Windows. A group is a collective name for a class of users. The relationship between groups and users is many-to-many: a user can belong to multiple groups, and a group can contain multiple users. Permissions granted to a group apply to the users in it, and a user inherits permissions from all of the groups it belongs to.
Group management commands include:
# Group management commands
groupadd   # add a group
groupdel   # delete a group
groupmod   # modify a group
groups     # display the groups the current user belongs to
grpck      # check the integrity of the group and group password files (/etc/group and /etc/gshadow)
grpunconv  # synchronize or create /etc/group from the contents of /etc/group and /etc/gshadow, then delete the gshadow file
User management commands include:
# User management commands
useradd    # add a user
adduser    # add a user
passwd     # set a user's password
usermod    # modify a user account; usermod can change the login name, the home directory, and so on
pwconv     # synchronize users from /etc/passwd to /etc/shadow
pwck       # verify that the user configuration files /etc/passwd and /etc/shadow are valid and complete
pwunconv   # the reverse of pwconv: creates /etc/passwd from /etc/shadow and /etc/passwd, then deletes /etc/shadow
finger     # tool for viewing user information
id         # view a user's UID, GID and groups
chfn       # tool for changing user information
su         # tool for switching user
sudo       # run a command as another user. su switches to the other user, who then carries out the task; sudo instead runs the single command directly, for example a command that only root may run, without requiring the root password. Which users may do this is defined in /etc/sudoers, which must be edited with visudo.
visudo     # the command for editing /etc/sudoers; /etc/sudoers can also be edited with vi
sudoedit   # similar to sudo
These commands cover the vast majority of user and group management. The following code adds a group and a user; if something still cannot be done with them, powerful text editing of the various user and group files awaits you (an example of editing these files follows later).
# If you do not want to use an existing group, create a new one
groupadd GROUPNAME              # GROUPNAME is the name of the new group; the default GID is used here
# After adding the group, add a user to it
useradd -g GROUPNAME USERNAME   # add USERNAME with GROUPNAME as its primary group. Note that no password has been set yet
# Set the user's password
passwd USERNAME                 # set the user's password
# Other operations...
In Linux, root is a special account with the highest privileges, and protecting it is very important in a production environment. One measure is to disable remote root logon over SSH. This requires editing a configuration file: /etc/ssh/sshd_config contains a PermitRootLogin directive, which is commented out with # by default. To disable root SSH logon, remove the comment marker and change the value to no (the default is yes).
# Edit /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
# Find the line "#PermitRootLogin yes" and change it to the following
PermitRootLogin no
# Save and exit
# Restart the sshd service
service sshd restart
Note: if you are logged on to the server remotely, create an ordinary user before doing the above; otherwise you will only be able to log on from the console in the server room.
If we now close PuTTY, reconnect, enter root and supply the password, the server replies: Access denied. This disables SSH connections to the root account. If you need root privileges to run commands during an SSH session, simply use su or sudo.
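As an added example (not part of the original post), the following script reports which PermitRootLogin value sshd will actually apply, honouring two details that often bite during this change: the keyword is matched case-insensitively, and sshd keeps the first uncommented value it reads, so a second PermitRootLogin line further down is ignored. It also evaluates the DenyUsers/AllowUsers/DenyGroups/AllowGroups order described in the sshd_config excerpt later on this page. The sample configuration files are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample sshd_config for the demo (not a real server's file).
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
# PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
AllowUsers alice root
DenyUsers bob guest?
EOF
# A file where the directive was left commented out, as shipped by default.
SSHD_DEFAULTS=$(mktemp)
printf '#PermitRootLogin yes\nPort 22\n' > "$SSHD_DEFAULTS"

# Print the value sshd will use for a directive. Two rules matter here:
# the keyword is matched case-insensitively, and sshd keeps the FIRST
# uncommented value it reads, so the later "PermitRootLogin yes" is ignored.
# Prints nothing when the directive is not set.
sshd_effective() {   # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == key {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# An absent PermitRootLogin does not mean "disabled": the compiled-in
# default is "yes", so report that explicitly.
root_login_status() {   # $1 = config file
    v=$(sshd_effective "$1" PermitRootLogin)
    [ -n "$v" ] || v="yes (default, directive not set)"
    echo "$v"
}

# Does name $1 match any space-separated pattern in $2? The "*" and "?"
# wildcards sshd accepts in these directives map directly onto shell patterns.
in_list() {
    set -f                       # no pathname expansion of "*" patterns
    for p in $2; do
        case "$1" in $p) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# Apply the order sshd uses for these directives:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups. Prints "allow" or "deny".
sshd_login_allowed() {   # $1 = config file, $2 = user, $3 = primary group
    deny_u=$(sshd_effective "$1" DenyUsers)
    allow_u=$(sshd_effective "$1" AllowUsers)
    deny_g=$(sshd_effective "$1" DenyGroups)
    allow_g=$(sshd_effective "$1" AllowGroups)
    if [ -n "$deny_u" ] && in_list "$2" "$deny_u"; then echo deny
    elif [ -n "$allow_u" ] && ! in_list "$2" "$allow_u"; then echo deny
    elif [ -n "$deny_g" ] && in_list "$3" "$deny_g"; then echo deny
    elif [ -n "$allow_g" ] && ! in_list "$3" "$allow_g"; then echo deny
    else echo allow
    fi
}

# Stand-alone run: summarise the sample file.
echo "PermitRootLogin in effect: $(root_login_status "$SSHD_SAMPLE")"
for u in alice bob guest1 mallory; do
    echo "$u: $(sshd_login_allowed "$SSHD_SAMPLE" "$u" users)"
done
```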
For ordinary users there are many ways, found online, to disable an account; which one is better is a matter of preference. Here I list some of them:
# Disable a user directly so that the user cannot log on. The methods are:
# 1. Change the second field of the user's line in /etc/shadow to *, which prevents the user from logging on.
username:*:15864:0:99999:7:::
# A user disabled this way cannot log on, and the user's password is lost; to allow logon again, the password has to be reset.
# 2. Similar to the first: edit the last field of the user's line in /etc/passwd and change /bin/bash to /sbin/nologin.
username:x:501:500::/home/username:/sbin/nologin
# After this change the user cannot log on, with the same effect as above. However, if /bin/bash is restored, the user can log on again with the existing password.
# 3. Of course, you can use usermod instead of editing the file.
usermod -L username            # lock the username account
# To unlock, use usermod -U username. No file needs to be edited.
# 4. Change the shell to disable the user and let the user know the reason
chsh -s /sbin/nologin username # change username's shell
# Edit /etc/nologin.txt (create it if it does not exist)
# and put the reason for the ban in the file.
# This is similar to the second method, but lets users know why they cannot log on.
# 5. Prohibit logon for all users
# Create a file named nologin under /etc
touch /etc/nologin
# If this file exists, no user except root can log on. The file's contents can state the reason, so users see it when their logon is refused.
# To lift the ban, simply delete /etc/nologin.
# 6. Edit /etc/ssh/sshd_config and set AllowUsers.
# Search for AllowUsers in the file; if it is absent, add it at the end.
AllowUsers username root       # only username and root may log on through SSH
# Restart the sshd service after saving the file
# To display a notice, put the text in /etc/issue.net and add the Banner directive to sshd_config:
Banner /etc/issue.net
# This banner is shown before the user logs on.
# To show a message after the password has been entered, put it in /etc/motd
################################################
# The difference between motd and issue.net (the network version of issue):
# /etc/motd, "message of the day": each time a user logs on, the content of /etc/motd is displayed on the user's terminal. The administrator can put system notices in it, for example when software or hardware will be upgraded or when maintenance will take place. The /etc/motd notice may not be shown when the user logs on to a graphical interface.
# /etc/issue.net is similar to /etc/motd. The difference is that for a network logon /etc/issue.net is displayed before the login prompt, while /etc/motd is displayed after the user has logged on successfully.
# 7. Another method is to edit /etc/pam.d/sshd.
# Add the following as the first line of the file:
auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
# It must be the first line, because PAM evaluates its rules from top to bottom.
# After saving, add the names of the users to be banned to the file named by file=.
# Restart sshd.
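As an added example (not part of the original post), this audit script tells the methods above apart after the fact: it reads the shadow password field (method 1, or the "!" prefix usermod -L writes) and the login shell (methods 2 and 4) for each account and reports which mechanism, if any, currently blocks logon, so a shell-only lock that a restored /bin/bash would undo stands out from a real password lock. The passwd and shadow files are constructed sample data with placeholder hashes.

```shell
#!/bin/sh
# Constructed sample passwd and shadow files (not copied from a real system).
PASSWD_SAMPLE=$(mktemp)
SHADOW_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:500::/home/bob:/sbin/nologin
carol:x:502:500::/home/carol:/bin/bash
dave:x:503:500::/home/dave:/bin/bash
eve:x:504:500::/home/eve:/bin/bash
www:x:80:80::/var/www:/sbin/nologin
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$salt$hash:15864:0:99999:7:::
alice:$6$salt$hash:15864:0:99999:7:::
bob:$6$salt$hash:15864:0:99999:7:::
carol:*:15864:0:99999:7:::
dave:!$6$salt$hash:15864:0:99999:7:::
eve::15864:0:99999:7:::
www:!!:15864:0:99999:7:::
EOF

# Classify one account from its shadow password field and login shell.
# Prints "user:state", where state is one of:
#   active          usable password and a login shell
#   pw-locked       password field is "*", "!!" or "!<hash>" (method 1 / usermod -L)
#   shell-only      shell is nologin or false but the password is still usable,
#                   so restoring /bin/bash re-enables logon (methods 2 and 4)
#   both            locked by both mechanisms
#   empty-password  no password at all; PermitEmptyPasswords decides SSH access
account_state() {   # $1 = passwd file, $2 = shadow file, $3 = user name
    entry=$(awk -F: -v u="$3" '$1 == u' "$1")
    if [ -z "$entry" ]; then echo "$3:no-passwd-entry"; return 0; fi
    sentry=$(awk -F: -v u="$3" '$1 == u' "$2")
    if [ -z "$sentry" ]; then echo "$3:no-shadow-entry"; return 0; fi
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    pw=$(printf '%s' "$sentry" | cut -d: -f2)
    if [ -z "$pw" ]; then echo "$3:empty-password"; return 0; fi
    pwlock=0; shlock=0
    case "$pw" in '*'|'!'*) pwlock=1 ;; esac        # "*", "!!" or "!<hash>"
    case "$shell" in */nologin|*/false) shlock=1 ;; esac
    case "$pwlock$shlock" in
        00) echo "$3:active" ;;
        10) echo "$3:pw-locked" ;;
        01) echo "$3:shell-only" ;;
        11) echo "$3:both" ;;
    esac
}

# Report every account listed in the passwd file.
audit_accounts() {   # $1 = passwd file, $2 = shadow file
    for u in $(cut -d: -f1 "$1"); do
        account_state "$1" "$2" "$u"
    done
}

# Number of accounts that can still log on with a password.
count_active() {   # $1 = passwd file, $2 = shadow file
    audit_accounts "$1" "$2" | grep -c ':active$'
}

audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```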
Extension:
1. To block connections from an IP address, use the /etc/hosts.allow and /etc/hosts.deny files: hosts.deny lists blocked addresses and hosts.allow lists permitted ones. A match in hosts.allow takes precedence over hosts.deny, so the rules in allow override those in deny:
# Block all IP addresses in /etc/hosts.deny
sshd: ALL                      # no address may SSH to this machine
# In /etc/hosts.allow, permit the specified address
sshd: 192.168.128.183: allow
# The combined effect of the two files:
# only 192.168.128.183 may connect to this machine over SSH.
# The change takes effect immediately for new connections, but does not affect connections that are already established. To avoid unnecessary trouble, edit hosts.allow first and hosts.deny afterwards, so that the address listed in hosts.allow can reach sshd at all times.
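As an added example (not part of the original post), the following script reproduces the tcp_wrappers decision for a daemon/client pair so the effect of the two files above can be checked before touching the real ones: a hosts.allow match grants access, otherwise a hosts.deny match refuses it, otherwise access is granted. The sample files are constructed for the demo and include the trailing-dot network form ("10.0.0.") in addition to the exact address from the text.

```shell
#!/bin/sh
# Constructed sample hosts.allow and hosts.deny (demo files, not the system's).
ALLOW_SAMPLE=$(mktemp)
DENY_SAMPLE=$(mktemp)
cat > "$ALLOW_SAMPLE" <<'EOF'
# daemon_list : client_list [: option]
sshd: 192.168.128.183: allow
sshd: 10.0.0.
EOF
cat > "$DENY_SAMPLE" <<'EOF'
sshd: ALL
EOF

# Does client address $2 match the client pattern $1? Handles the forms used
# on this page: ALL, an exact address, and a trailing-dot network prefix.
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# Does any "daemons : clients" line in file $1 match daemon $2 and client $3?
# Comments and blank lines are skipped; a trailing ": allow"/": deny" option
# field is ignored here because it does not change the match itself.
file_matches() {
    while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
            for c in $clients; do
                client_matches "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# tcp_wrappers evaluation order: a hosts.allow match grants access; otherwise
# a hosts.deny match refuses it; otherwise access is granted. That is why one
# address listed in hosts.allow survives "sshd: ALL" in hosts.deny.
wrapper_decision() {   # $1 = allow file, $2 = deny file, $3 = daemon, $4 = client
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

for ip in 192.168.128.183 192.168.128.184 10.0.0.7; do
    echo "sshd from $ip: $(wrapper_decision "$ALLOW_SAMPLE" "$DENY_SAMPLE" sshd "$ip")"
done
```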
2. Many of the files edited above are in fact sshd_config, which controls SSH-related behaviour. For details of all sshd_config settings, see here. The following is an excerpt:
SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
Name
sshd_config - OpenSSH SSH server daemon configuration file
Synopsis
/etc/ssh/sshd_config
Description
By default, sshd(8) reads configuration information from /etc/ssh/sshd_config (or the file specified with the -f command line option).
The configuration file consists of "keyword value" pairs, one per line. Empty lines and lines starting with '#' are ignored.
If a value contains whitespace or other special characters, it can be enclosed in double quotation marks (").
[Note] Values are case-sensitive, but keywords are case-insensitive.
The following configuration keywords are available:
AcceptEnv
Specifies which environment variables sent by the client are passed into the session environment. [Note] Only the SSH-2 protocol supports passing environment variables.
For details, refer to the SendEnv keyword in ssh_config(5).
The value is a list of variable names separated by spaces ('*' and '?' may be used as wildcards). Multiple AcceptEnv keywords may also be used to the same effect.
Note that some environment variables could be used to bypass restricted user environments; for this reason this keyword should be used with caution.
By default, no environment variables are passed.
AddressFamily
Specifies the address family that sshd(8) should use. Valid values: "any" (default), "inet" (IPv4 only) and "inet6" (IPv6 only).
AllowGroups
This keyword is followed by a list of group names separated by spaces ("*" and "?" wildcards are allowed). By default, all groups are allowed to log on.
If this keyword is used, only members of these groups may log on, and all other groups are rejected.
The "group" here refers to the "primary group", that is, the group specified in /etc/passwd.
Only group names are allowed, not GIDs. The related allow/deny keywords are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
AllowTcpForwarding
Whether to allow TCP forwarding. The default is "yes".
Disabling TCP forwarding does not improve security unless users are also denied shell access, because they can install their own forwarders.
AllowUsers
This keyword is followed by a list of user names separated by spaces ("*" and "?" wildcards are allowed). By default, all users are allowed to log on.
If this keyword is used, only these users may log on, and all others are denied.
Only user names are allowed, not UIDs. The related allow/deny keywords are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
AuthorizedKeysFile
Specifies the file containing the RSA/DSA public keys that may be used for user logon.
The following tokens are expanded in the value:
%% is replaced by '%', %h by the user's home directory, and %u by the user name.
After expansion, the value must be either an absolute path or a path relative to the user's home directory.
The default is ".ssh/authorized_keys".
Banner
The contents of the file specified by this keyword are displayed to the remote user before authentication.
This feature is only available for SSH-2; by default nothing is displayed. "none" disables the feature.
ChallengeResponseAuthentication
Whether to allow challenge-response authentication. The default is "yes".
All authentication styles from login.conf(5) are supported.
Ciphers
Specifies the ciphers allowed for SSH-2. Multiple ciphers are separated by commas. The following ciphers are available:
"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr",
"3des-cbc", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc"
By default all of the above ciphers may be used.
ClientAliveCountMax
The maximum number of "alive" messages that sshd(8) may send without receiving any response from the client. The default is 3.
When this limit is reached, sshd(8) forcibly disconnects and closes the session.
Note that "alive" messages are very different from TCPKeepAlive messages.
"Alive" messages are sent through the encrypted channel and therefore cannot be spoofed, whereas TCPKeepAlive messages can be.
If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at its default,
an unresponsive client is disconnected after about 45 seconds. This keyword applies only to SSH-2.
ClientAliveInterval
Sets a time in seconds. If no data has been received from the client for that long,
sshd(8) sends an "alive" message to the client through the secure channel and waits for a response.
The default value 0 means that no "alive" messages are sent. This option applies only to SSH-2.
Compression
Whether to compress the communication data, or to delay compression until authentication has succeeded.
Available values: "yes", "delayed" (default), "no".
DenyGroups
This keyword is followed by a list of group names separated by spaces ("*" and "?" wildcards are allowed). By default, all groups are allowed to log on.
If this keyword is used, members of these groups are denied logon.
The "group" here refers to the "primary group", that is, the group specified in /etc/passwd.
Only group names are allowed, not GIDs. The related allow/deny keywords are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
DenyUsers
This keyword is followed by a list of user names separated by spaces ("*" and "?" wildcards are allowed). By default, all users are allowed to log on.
If this keyword is used, these users are denied logon.
Only user names are allowed, not UIDs. The related allow/deny keywords are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
ForceCommand
Forces execution of the command specified here, ignoring any command supplied by the client. The command is executed with the user's login shell (via its -c option).
This applies to shell, command and subsystem execution, and is usually used within a Match block.
The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.
GatewayPorts
Whether to allow remote hosts to connect to ports forwarded for the client. The default is "no".
By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports.
GatewayPorts allows sshd to bind remote port forwardings to non-loopback addresses, so that other hosts may connect.
"no" means only local connections are allowed; "yes" binds remote port forwardings to the wildcard address;
"clientspecified" allows the client to choose the address to which the remote port is forwarded.
GSSAPIAuthentication
Whether GSSAPI-based user authentication is allowed. The default is "no". SSH-2 only.
GSSAPICleanupCredentials
Whether to automatically destroy the user's credential cache on logout. The default is "yes". SSH-2 only.
HostbasedAuthentication
This keyword is similar to RhostsRSAAuthentication but applies only to SSH-2. The default is "no".
We recommend keeping the default "no" to disable this insecure authentication method.
HostbasedUsesNameFromPacketOnly
When HostbasedAuthentication is enabled, specifies whether the server performs a reverse DNS lookup when matching the remote host name against ~/.shosts, ~/.rhosts and /etc/hosts.equiv.
"yes" means sshd(8) trusts the host name supplied by the client without a reverse lookup. The default is "no".
HostKey
Location of the host private key file. sshd(8) may refuse to start if its permissions are wrong.
The SSH-1 default is /etc/ssh/ssh_host_key.
The SSH-2 defaults are /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key.
A host may have multiple private keys. "rsa1" is for SSH-1 only; "dsa" and "rsa" are for SSH-2 only.
IgnoreRhosts
Whether to ignore .rhosts and .shosts files during RhostsRSAAuthentication or HostbasedAuthentication.
/etc/hosts.equiv and /etc/shosts.equiv are still used. We recommend keeping the default "yes".
IgnoreUserKnownHosts
Whether to ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
The default is "no". To improve security, it can be set to "yes".
KerberosAuthentication
Whether the password supplied by the user for PasswordAuthentication must be validated by the Kerberos KDC, that is, whether Kerberos authentication is used.
To use Kerberos authentication, the server needs a Kerberos servtab that allows verification of the KDC's identity. The default is "no".
KerberosGetAFSToken
If AFS is in use and the user has a Kerberos 5 TGT, enabling this keyword
obtains an AFS token before the user's home directory is accessed. The default is "no".
KerberosOrLocalPasswd
If Kerberos password authentication fails, the password is also checked against other authentication mechanisms (such as /etc/passwd).
The default is "yes".
KerberosTicketCleanup
Whether to automatically destroy the user's ticket cache on logout. The default is "yes".
KeyRegenerationInterval
Under the SSH-1 protocol, the ephemeral server key is regenerated continuously at the interval (in seconds) set by this keyword.
This mechanism minimizes the damage caused by a leaked key or a break-in.
A value of 0 means the key is never regenerated. The default is 3600 (seconds).
ListenAddress
Specifies the network addresses on which sshd(8) listens. By default it listens on all addresses. The following forms may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
If no port is specified, the value of the Port keyword is used.
Multiple ListenAddress keywords may be used to listen on multiple addresses.
LoginGraceTime
The user must authenticate successfully within this time limit. 0 means no limit. The default is 120 seconds.
LogLevel
Specifies the verbosity level of sshd(8) logging. The available values are:
QUIET, FATAL, ERROR, INFO (default), VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
DEBUG and DEBUG1 are equivalent; DEBUG2 and DEBUG3 each specify progressively more detailed output.
Logging at a level more verbose than DEBUG may leak sensitive user information and is discouraged.
MACs
Specifies which message authentication code algorithms are allowed in SSH-2 for data integrity protection.
Multiple algorithms may be given as a comma-separated list. The default (all available algorithms) is:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Match
Introduces a conditional block. The block ends at the next Match keyword or at the end of the file.
If all the criteria on the Match line are satisfied, the keywords that follow override those in the global configuration.
The Match value is one or more "criterion pattern" pairs. The available criteria are: User, Group, Host, Address.
Only the following keywords may be used in a Match block: AllowTcpForwarding, Banner,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
KbdInteractiveAuthentication, KerberosAuthentication,
PasswordAuthentication, PermitOpen, PermitRootLogin,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
X11Forwarding, X11UseLocalhost
MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. The default is 6.
If the number of failed attempts exceeds half this value, the connection is forcibly closed and an additional failure message is logged.
MaxStartups
The maximum number of concurrent unauthenticated connections. The default is 10.
When the limit is reached, new connections are refused until an earlier connection either authenticates successfully or exceeds LoginGraceTime.
PasswordAuthentication
Whether password-based authentication is allowed. The default is "yes".
PermitEmptyPasswords
Whether users with empty passwords may log on remotely. The default is "no".
PermitOpen
Specifies the destinations to which TCP port forwarding is permitted; multiple destinations are separated by spaces. By default all forwarding requests are permitted.
The valid forms are:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
"any" removes all restrictions and permits all forwarding requests.
PermitRootLogin
Whether root may log on. The available values are:
"yes" (default) allows it; "no" forbids it.
"without-password" disables password authentication for root.
"forced-commands-only" allows public key authentication only when the command option has been specified;
all other authentication methods are forbidden. This value is often used for remote backups and similar tasks.
PermitTunnel
Whether tun(4) device forwarding is allowed. The available values are:
"yes", "point-to-point" (layer 3), "ethernet" (layer 2), "no" (default).
"yes" permits both "point-to-point" and "ethernet".
PermitUserEnvironment
Specifies whether sshd(8) processes ~/.ssh/environment and the environment= option in ~/.ssh/authorized_keys.
The default is "no". If set to "yes", users may be able to bypass access controls through mechanisms such as LD_PRELOAD, creating security vulnerabilities.
PidFile
Specifies the file in which the process ID of the SSH daemon is stored. The default is /var/run/sshd.pid.
Port
Specifies the port number on which the sshd(8) daemon listens. The default is 22. Multiple keywords may be used to listen on multiple ports.
By default it listens on all network interfaces of the local machine, but ListenAddress can restrict it to a specific interface.
PrintLastLog
Specifies whether sshd(8) prints the date and time of the user's last logon at each interactive logon. The default is "yes".
PrintMotd
Specifies whether sshd(8) prints the contents of /etc/motd at each interactive logon. The default is "yes".
Protocol
Specifies the SSH protocol versions supported by sshd(8).
'1' and '2' mean that only SSH-1 or only SSH-2 is supported; "2,1" means that both SSH-1 and SSH-2 are supported.
PubkeyAuthentication
Whether public key authentication is allowed. SSH-2 only. The default is "yes".
RhostsRSAAuthentication
Whether to use rhosts-based authentication combined with RSA host authentication (authenticating by checking the remote host name and associated user name). SSH-1 only.
This performs ~/.rhosts or /etc/hosts.equiv authentication after successful RSA host authentication.
For security reasons, we recommend keeping the default "no".
RSAAuthentication
Whether pure RSA public key authentication is allowed. SSH-1 only. The default is "yes".
ServerKeyBits
Specifies the length of the ephemeral server key. SSH-1 only. The default is 768 (bits); the minimum is 512.
StrictModes
Specifies whether sshd(8) checks the ownership and permissions of the user's home directory and related configuration files before accepting a connection.
We strongly recommend keeping the default "yes" to guard against common low-level mistakes.
Subsystem
Configures an external subsystem (for example, a file transfer daemon). SSH-2 only.
The value is a subsystem name followed by the corresponding command line (including options and arguments), for example "sftp /bin/sftp-server".
SyslogFacility
Specifies the syslog facility to which sshd(8) sends log messages. Valid values:
DAEMON, USER, AUTH (default), LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
TCPKeepAlive
Specifies whether the system sends TCP keepalive messages to the client. The default is "yes".
Such messages detect dead connections, connections that were closed improperly, and client crashes.
Set "no" to disable this feature.
UseDNS
Specifies whether sshd(8) resolves the remote host name in reverse and checks that the name maps back to the client's IP address. The default is "yes".
UseLogin
Whether login(1) is used for interactive session logons. The default is "no".
If enabled, X11Forwarding is disabled because login(1) does not know how to handle xauth(1) cookies.
Note that login(1) is never used for remote command execution.
If UsePrivilegeSeparation is specified, it is disabled after authentication.
UsePrivilegeSeparation
Whether sshd(8) separates privileges by creating an unprivileged child process to handle incoming requests. The default is "yes".
After successful authentication, another child process is created as the authenticated user.
The purpose is to prevent privilege escalation through the unprivileged process, making the system more secure.
X11DisplayOffset
Specifies the first display number available for sshd(8) X11 forwarding. The default is 10.
This prevents sshd from interfering with real X11 server displays.
X11Forwarding
Whether X11 forwarding is allowed. The default is "no"; "yes" allows it.
If X11 forwarding is allowed and the sshd(8) proxy display is configured to listen on a wildcard address (see X11UseLocalhost),
additional information may be leaked. Because of the risks of X11 forwarding, the default is "no".
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, because users can install their own forwarders.
If UseLogin is enabled, X11 forwarding is automatically disabled.
X11UseLocalhost
Whether sshd(8) binds the X11 forwarding server to the loopback address. The default is "yes".
By default, sshd binds the forwarding server to the loopback address and sets the host name part of the DISPLAY environment variable to "localhost".
This prevents remote hosts from connecting to the proxy display. However, some older X11 clients do not work with this configuration.
For compatibility with such old X11 clients, set it to "no".
XAuthLocation
Specifies the full path to the xauth(1) program. The default is /usr/X11R6/bin/xauth.
Time format
Time values in sshd(8) command line arguments and configuration files can be given in the format time[qualifier].
time is a positive integer and qualifier is one of the following units:
<none> seconds
s | S seconds
m | M minutes
h | H hours
d | D days
w | W weeks
Several values may be combined to accumulate time, for example:
1h30m 1 hour 30 minutes (90 minutes)
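As an added example (not part of the original page), this function implements the time[qualifier] format just described, accumulating several segments and rejecting malformed values such as "1h30", where a bare number is only valid when it stands alone. It is useful when checking values such as LoginGraceTime or ClientAliveInterval in a configuration file.

```shell
#!/bin/sh
# Convert an sshd time value ("90", "1h30m", "2D") to seconds using the
# time[qualifier] format. Prints nothing and returns 1 on a malformed value.
sshd_time_to_seconds() {
    v=$1
    total=0
    case "$v" in
        '') return 1 ;;
        *[!0-9sSmMhHdDwW]*) return 1 ;;          # illegal character
    esac
    case "$v" in
        *[0-9])                                   # ends in a digit: must be all digits
            [ "$v" -eq "$v" ] 2>/dev/null || return 1
            echo "$v"; return 0 ;;
    esac
    # Split "1h30m" into "1h 30m" and accumulate each segment.
    for seg in $(printf '%s' "$v" | sed 's/\([sSmMhHdDwW]\)/\1 /g'); do
        n=${seg%?}
        q=${seg#"$n"}
        case "$q" in
            s|S) m=1 ;;
            m|M) m=60 ;;
            h|H) m=3600 ;;
            d|D) m=86400 ;;
            w|W) m=604800 ;;
            *)   return 1 ;;                     # segment without a qualifier
        esac
        case "$n" in ''|*[!0-9]*) return 1 ;; esac   # missing or non-numeric count
        total=$((total + n * m))
    done
    echo "$total"
}

sshd_time_to_seconds 1h30m     # 5400
```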
Files
/etc/ssh/sshd_config
The main configuration file of sshd(8). The file should be owned by root and its permissions should be at most "644".
See also
sshd(8)
Authors
OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation.