Linux PAM Module Authentication
55.2. PAM

Configuration files

    ls /etc/pam.d/
    chfn         crond                login    passwd            remote    runuser-l          smtp          ssh-keycat  sudo-i  system-auth-ac
    chsh         fingerprint-auth     newrole  password-auth     run_init  smartcard-auth     smtp.postfix  su          su-l
    config-util  fingerprint-auth-ac  other    password-auth-ac  runuser   smartcard-auth-ac  sshd          sudo        system-auth

Authentication modules

    ls /lib64/security/

55.2.1. pam_tally2.so

This module locks an account after the password has been entered wrongly 3 times at login; the lock is lifted automatically after 5 minutes, and while it is in effect even the correct password cannot log in.

Add the following line at the top of the configuration file /etc/pam.d/sshd:

    auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

View the failure counts:

    # pam_tally2
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    neo                 8    07/12/13 15:45:36  192.168.6.2

Reset the counters:

    # pam_tally2 -r -u root
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    # pam_tally2 -r -u neo
    Login           Failures Latest failure     From
    neo                 8    07/12/13 15:45:36  192.168.6.2

The pam_tally2 counters are stored in /var/log/tallylog. Note that this is a binary file, not a text log.

Example 55.1. /etc/pam.d/sshd - pam_tally2.so

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

With the configuration above the root user is not restricted. If root is to be locked out as well, use the following line instead:

    auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

55.2.2. pam_listfile.so

Restricting which users may log in

Add the line below to /etc/pam.d/sshd. A whitelist is used here; a blacklist can be used in the same way.

    auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

Add the users who are allowed to log in to /etc/ssh/whitelist; any user not listed there will no longer be able to log in to the system over ssh.

    # cat /etc/ssh/whitelist
    neo
    www

Example 55.2. /etc/pam.d/sshd - pam_listfile.so

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

sense=allow selects whitelist mode, sense=deny selects blacklist mode:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail

Source: http://netkiller.github.com/
Reposted from: https://my.oschina.net/neochen/blog/144297
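As an added worked example that is not part of the original article or of the netkiller book, the POSIX shell script below simulates, offline, the decisions the two modules make under the options used above: pam_listfile.so with item=user, sense=allow or sense=deny and onerr=fail, and pam_tally2.so with deny=3 and unlock_time=300, with root counted but not locked unless even_deny_root is set. It uses a constructed whitelist and a temporary counter directory instead of /etc/ssh/whitelist and /var/log/tallylog, and it never touches /etc/pam.d. The function names listfile_check, tally_auth and tally_show, the one-text-file-per-user counter layout, the sample users and the assumption that an attempt refused during the lock window is itself counted (and so pushes the window forward) are my own; the real module's binary tallylog record is not reproduced.

```shell
#!/bin/sh
# Added example, not from the original article: an offline simulation of the
# pam_listfile.so and pam_tally2.so decisions for the options used above.
# Nothing here touches /etc/pam.d, /etc/ssh/whitelist or /var/log/tallylog.

# --- pam_listfile.so: item=user sense=allow|deny file=<list> onerr=fail ---
# $1 = user, $2 = sense (allow|deny), $3 = list file (one user name per line)
# Returns 0 when the module would let the login proceed, 1 when it refuses.
listfile_check() {
    lf_user=$1; lf_sense=$2; lf_file=$3
    # onerr=fail: a missing or unreadable list refuses everyone, in both modes
    [ -r "$lf_file" ] || return 1
    if grep -qxF -- "$lf_user" "$lf_file"; then
        [ "$lf_sense" = allow ]      # listed: allowed in allow mode, refused in deny mode
    else
        [ "$lf_sense" = deny ]       # unlisted: allowed in deny mode, refused in allow mode
    fi
}

# --- pam_tally2.so: deny=3 unlock_time=300 [even_deny_root] ---
# Counters live in one small text file per user ("<failures> <last_failure_epoch>")
# under TALLY_DIR. This layout is an assumption of the simulation; the real
# module keeps a binary record per uid in /var/log/tallylog.
TALLY_DIR=${TALLY_DIR:-$(mktemp -d "${TMPDIR:-/tmp}/tallysim.XXXXXX")}
DENY=${DENY:-3}
UNLOCK_TIME=${UNLOCK_TIME:-300}
EVEN_DENY_ROOT=${EVEN_DENY_ROOT:-no}

# $1 = user, $2 = "ok" if the supplied password is correct, $3 = current time (epoch seconds)
# Returns 0 when the login is permitted, 1 when it is refused.
tally_auth() {
    ta_user=$1; ta_pw=$2; ta_now=$3
    ta_file="$TALLY_DIR/$ta_user"
    count=0; last=0
    [ -f "$ta_file" ] && read -r count last < "$ta_file"
    locked=0
    if [ "$count" -ge "$DENY" ]; then
        if [ $((ta_now - last)) -lt "$UNLOCK_TIME" ]; then
            locked=1                 # still inside the lock window
        else
            count=0                  # unlock_time has elapsed: counter is cleared
        fi
    fi
    # root's failures are counted but never lock it unless even_deny_root is set
    if [ "$ta_user" = root ] && [ "$EVEN_DENY_ROOT" != yes ]; then
        locked=0
    fi
    if [ "$locked" -eq 1 ] || [ "$ta_pw" != ok ]; then
        # a wrong password, or any attempt while locked, bumps the tally and
        # moves the lock window forward (assumption: refused attempts count)
        echo "$((count + 1)) $ta_now" > "$ta_file"
        return 1
    fi
    rm -f "$ta_file"                 # a successful login resets the tally
    return 0
}

# Report one user's counter, in the spirit of `pam_tally2 -u <user>`:
# prints "<user> <failures> <last_failure_epoch>" ("<user> 0 0" when no record exists).
tally_show() {
    ts_file="$TALLY_DIR/$1"
    if [ -f "$ts_file" ]; then
        read -r count last < "$ts_file"
        echo "$1 $count $last"
    else
        echo "$1 0 0"
    fi
}

# Demonstration on constructed data: a whitelist holding neo and www, and the
# user neo typing three wrong passwords, then the right one inside and then
# outside the 300-second lock window.
demo() {
    wl=$(mktemp "${TMPDIR:-/tmp}/whitelist.XXXXXX")
    printf 'neo\nwww\n' > "$wl"
    for u in neo www root; do
        if listfile_check "$u" allow "$wl"; then r=allowed; else r=refused; fi
        echo "listfile allow-mode: $u $r"
    done
    rm -f "$wl"
    for step in "1000 bad" "1001 bad" "1002 bad" "1003 ok" "1600 ok"; do
        set -- $step
        if tally_auth neo "$2" "$1"; then r=login; else r=refused; fi
        echo "tally t=$1 password=$2 -> $r ($(tally_show neo))"
    done
}
demo
```

The two edge cases worth noticing are the onerr=fail branch, under which a deleted or unreadable /etc/ssh/whitelist locks everyone out of ssh rather than silently allowing everyone (the safe failure direction for a whitelist), and the root handling, which reproduces the article's observation that root accumulates failures in the counter yet keeps logging in until even_deny_root is added.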