This article uses SSH as the example when configuring PAM for the authentication features below; other login services are configured the same way. For background, see the article "PAM - Pluggable Authentication Modules".
1. Restricting user login (SSH)
(1) Defining custom restriction rules with pam_access
// Add the pam_access module to the sshd stack (edit as root)
vi /etc/pam.d/sshd

#%PAM-1.0
account requisite pam_access.so nodefgroup accessfile=/etc/mypam/access_ssh.conf fieldsep=|
...

// Edit the accessfile (note: rules are matched from the first line down, and the first match wins)
vi /etc/mypam/access_ssh.conf

# Allow root and members of group mygroup1 to log in
+|root (mygroup1)|ALL
# Deny every user other than root and members of mygroup1
-|ALL EXCEPT root (mygroup1)|ALL
# Deny the given user unless the login comes from the given IP
-|cjh|ALL EXCEPT 120.231.146.242

Notes on this configuration. fieldsep=| makes | the field separator instead of the default :, and nodefgroup means a token is treated as a group only when it is written in parentheses, as (mygroup1) is here. Do not add listsep=, as well: the user and origin lists above separate their entries with spaces (the pam_access default), and with listsep=, the module would read root (mygroup1) as one token that matches nothing, so no rule would fire and every login would be permitted, because pam_access permits when no rule matches. Rule order matters for the same reason: as listed, the third rule is unreachable, since a cjh who belongs to mygroup1 is already permitted by the first rule and a cjh who does not is already denied by the second; move the per-user restriction above the first rule if it is meant to take effect. Finally, the account stack only runs at all when sshd is started with UsePAM yes.
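To make the order-of-evaluation point concrete, here is an added example (it is not code from the original post and not pam_access's own source): a small Python model of how pam_access walks an accessfile, first match wins, permit when nothing matches. It covers only the syntax used above (+/-, ALL, ALL EXCEPT, user names, (group) in nodefgroup syntax, literal IP addresses, fieldsep=|); the group membership, the user lisi and the address 10.0.0.5 are constructed for the demo. Running it shows the third rule to be unreachable in the listed order, to take effect once moved to the top, and all three rules to stop matching when the lists are split on commas instead of whitespace, which is what listsep=, would do.

```python
# Added example (not code from the original post, and not pam_access's own code):
# a minimal model of how pam_access walks an accessfile, used to show why rule
# order matters. Only the syntax used in access_ssh.conf above is modelled.

GROUPS = {"mygroup1": {"cjh", "zhangsan"}}   # constructed; real pam_access asks the group database

# The three rules exactly as they appear in access_ssh.conf above.
RULES_AS_LISTED = """
+|root (mygroup1)|ALL
-|ALL EXCEPT root (mygroup1)|ALL
-|cjh|ALL EXCEPT 120.231.146.242
"""

# The same rules with the per-user origin restriction moved to the top.
RULES_REORDERED = """
-|cjh|ALL EXCEPT 120.231.146.242
+|root (mygroup1)|ALL
-|ALL EXCEPT root (mygroup1)|ALL
"""


def parse_rules(text, fieldsep="|", listsep=None):
    """Split each non-comment line into (permission, user tokens, origin tokens).

    listsep=None is the pam_access default (whitespace); ',' models the listsep=, option."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(fieldsep, 2))
        rules.append((perm, users.split(listsep), origins.split(listsep)))
    return rules


def user_matches(token, user):
    """One token of the user list: ALL, a (group) in nodefgroup syntax, or a login name."""
    if token.upper() == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in GROUPS.get(token[1:-1], set())
    return token == user


def origin_matches(token, origin):
    """One token of the origin list: ALL or a literal address (no CIDR/DNS/LOCAL in this model)."""
    return token.upper() == "ALL" or token == origin


def list_matches(tokens, value, match_one):
    """pam_access list semantics: a hit before EXCEPT counts unless the EXCEPT list also hits."""
    uppers = [t.upper() for t in tokens]
    split = uppers.index("EXCEPT") if "EXCEPT" in uppers else len(tokens)
    head, exceptions = tokens[:split], tokens[split + 1:]
    if not any(match_one(t, value) for t in head):
        return False
    return not (exceptions and list_matches(exceptions, value, match_one))


def decide(rules_text, user, origin, listsep=None):
    """First rule whose user and origin lists both match decides; no match means permit.

    Returns (allowed, index of the deciding rule or None)."""
    for i, (perm, users, origins) in enumerate(parse_rules(rules_text, listsep=listsep)):
        if list_matches(users, user, user_matches) and list_matches(origins, origin, origin_matches):
            return perm == "+", i
    return True, None


if __name__ == "__main__":
    probes = [("root", "10.0.0.5"), ("cjh", "120.231.146.242"), ("cjh", "10.0.0.5"), ("lisi", "10.0.0.5")]
    for label, rules in (("as listed", RULES_AS_LISTED), ("reordered", RULES_REORDERED)):
        for user, ip in probes:
            allowed, idx = decide(rules, user, ip)
            print(f"{label:9}  {user:5} from {ip:15} -> {'permit' if allowed else 'deny  '} (rule {idx})")
    # With listsep=, the space-separated lists above become single tokens and nothing matches:
    print("listsep=, :", decide(RULES_AS_LISTED, "lisi", "10.0.0.5", listsep=","))
```

Real pam_access also handles hostnames, CIDR networks, netgroups, LOCAL and the like; those are deliberately left out. The decide function can be pointed at any access.conf-style text to check a rule set before trusting it on a live sshd.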
(2) Blocking non-root logins with pam_nologin
vi /etc/pam.d/sshd

#%PAM-1.0
...
account required pam_nologin.so
...

touch /etc/nologin

// Set the message shown to non-root users whose login is refused
vi /etc/nologin

====================The system is upgrading=================
Please wait a minute

While /etc/nologin exists, pam_nologin refuses every login except root's and shows the file's contents to the user. Many distributions already ship this line in /etc/pam.d/sshd, so check before adding a second copy, and remove /etc/nologin again when the maintenance is over.
2. Locking out users after repeated login failures (SSH)
// Add the pam_tally2 module: lock a user after 3 failed attempts, for 30 seconds (ordinary users) or 60 seconds (root)
vi /etc/pam.d/sshd

#%PAM-1.0
...
auth required pam_tally2.so deny=3 unlock_time=30 even_deny_root root_unlock_time=60
...

// Show the failure records of all users, or of one user
pam_tally2

Login           Failures Latest failure     From
cjh                 1    11/19/17 19:25:25  120.230.146.242
zhangsan            2    11/19/17 19:24:24  120.230.146.242

pam_tally2 --user cjh

Login           Failures Latest failure     From
cjh                 1    11/19/17 19:25:25  120.230.146.242

// Clear the failure records of all users, or of one user (this also unlocks them immediately)
pam_tally2 --reset
pam_tally2 --reset --user cjh

Put the pam_tally2 line at the top of the auth stack, before pam_unix.so, so that it sees every attempt. The module counts each authentication call and only a successful login resets the count, so after the third failure even the correct password is refused until unlock_time has passed, and attempts made while locked refresh the lock's timestamp. even_deny_root means anyone who can reach sshd can lock root out for root_unlock_time seconds just by failing three times, so keep that window short, or leave the option off and rely on key-only root login. pam_tally2 was removed in Linux-PAM 1.5.0; on current distributions use pam_faillock, which takes the same deny, unlock_time, even_deny_root and root_unlock_time options.
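The interaction between deny, unlock_time, even_deny_root and root_unlock_time is easier to see stepped through than described, so here is an added example (not from the original post and not pam_tally2's own code): a Python model of the module's counting rules as the pam_tally2(8) manual describes them, with the user names, timestamps and password outcomes constructed for the demo. It assumes, as pam_tally2 does, that every authentication attempt bumps the tally and records its time, that the lock is measured from the previous attempt, and that only a successful login resets the count.

```python
# Added example (not code from the original post, and not pam_tally2's own code):
# a small model of the counting rules behind the sshd line above, so the effect of
# deny / unlock_time / even_deny_root / root_unlock_time can be stepped through
# offline. Users, timestamps and attempts are constructed.
from dataclasses import dataclass


@dataclass
class TallyConfig:
    deny: int = 3                 # the values used on the pam_tally2 line above
    unlock_time: int = 30
    even_deny_root: bool = True
    root_unlock_time: int = 60


@dataclass
class Tally:
    fail_cnt: int = 0
    fail_time: int = 0            # epoch seconds of the most recent attempt


class TallyModel:
    def __init__(self, cfg=None):
        self.cfg = cfg or TallyConfig()
        self.tallies = {}         # user -> Tally (pam_tally2 keeps this in /var/log/tallylog)

    def attempt(self, user, now, password_ok):
        """One pam_authenticate call. Returns True on success, False if refused."""
        cfg, t = self.cfg, self.tallies.setdefault(user, Tally())
        oldtime = t.fail_time
        t.fail_cnt += 1           # bumped before the check, even while locked
        t.fail_time = now
        is_root = user == "root"
        window = cfg.root_unlock_time if is_root else cfg.unlock_time
        exceeded = t.fail_cnt > cfg.deny and (cfg.even_deny_root or not is_root)
        if exceeded and not (window and oldtime and oldtime + window <= now):
            return False          # locked: refused even with the right password
        if password_ok:
            t.fail_cnt = 0        # what pam_setcred() does on a successful login
            return True
        return False

    def reset(self, user):
        """Equivalent of `pam_tally2 --reset --user <user>`."""
        self.tallies[user] = Tally()


if __name__ == "__main__":
    m = TallyModel()
    script = [("cjh", 0, False), ("cjh", 1, False), ("cjh", 2, False),
              ("cjh", 3, True),        # correct password, but 4th attempt: locked
              ("cjh", 33, True),       # 30 s after the previous attempt: unlocked
              ("root", 0, False), ("root", 1, False), ("root", 2, False),
              ("root", 35, True),      # root stays locked for 60 s ...
              ("root", 62, True),      # ... measured from the attempt at 35, so still locked
              ("root", 122, True)]     # 60 s after the previous attempt: unlocked
    for user, now, ok in script:
        print(f"t={now:>3}s {user:5} pw={'ok ' if ok else 'bad'} -> "
              f"{'success' if m.attempt(user, now, ok) else 'refused'}")
```

Walking through the script shows the two things worth remembering about these options: the fourth attempt is refused even with the correct password, and an attacker who keeps trying keeps the lock in place, which with even_deny_root is a remote denial of service against root for root_unlock_time seconds at a time.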
3. Kicking online users off
who

cjh      tty2         2017-11-19 14:48
root     pts/0        2017-11-19 17:46 (120.230.146.242)
zhangsan pts/3        2017-11-19 20:24 (120.230.146.242)

ps -ef | grep tty2

cjh       8917  1806  0 14:48 tty2     00:00:00 -bash

// Kick user cjh off by killing the login shell
kill -9 8917

who

root     pts/0        2017-11-19 17:46 (120.230.146.242)
zhangsan pts/3        2017-11-19 20:24 (120.230.146.242)

In this output cjh is logged in on the local console (tty2, no remote host column), while root and zhangsan are the SSH sessions (pts/0 and pts/3); the same steps apply to a pts session, where killing the login shell also ends the SSH connection. SIGKILL gives the shell no chance to run its exit hooks, so send SIGHUP first and escalate only if the process survives, and since who already names the tty, signalling every process on that tty (pkill's -t option) is less error-prone than copying a PID by hand. Kicking a user off does not stop them logging straight back in; combine it with one of the restrictions from section 1 if the account is meant to stay out.
Date: 2024-08-04 17:44:04