2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The system environment is CentOS 6.4. This article walks through a simple configuration of PAM (Pluggable Authentication Modules) for the ssh service.
First add an ordinary user that belongs to the wheel group, so that a user other than root can still log in to the system!
useradd -g wheel admin
passwd admin
1 Disable root login
vim /etc/ssh/sshd_config
Add (or set): UsePAM yes
vim /etc/pam.d/sshd and add at the top of the file, before the other auth lines:
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyuser onerr=succeed
echo "root" >> /etc/ssh/denyuser
Users listed in /etc/ssh/denyuser will be refused login with a password!
2 Only users in the wheel group (root does not belong to wheel by default) are allowed to use su:
vim /etc/pam.d/su and add at the top of the file:
auth required pam_wheel.so use_uid
3 Attached shell script:
Instructions for use:
a. Generate your own key pair securely and keep the private key safe! Replace the value of "mykey" with your own public key string.
b. The script creates a normal user "admin" (change it to the user you need), who can switch to root with su.
c. The result of running the script is that root can no longer log in to the system with a password; if the key is set up, root can still log in with the key (reasonably secure).
d. add_my_key root $1 (marked in red in the script): the parameters that follow are all the users who should get public key authentication; add more as needed.
e. The script is shared for learning and exchange. Please test the effect in a test environment before using it in production; the author is not responsible for any results.
#!/bin/sh
LOG_FILE=$0.log

# wr_log STATUS MESSAGE: log the result of the previous step; exit on error
wr_log() {
    TIME=`date +"%Y-%m-%d %H:%M:%S"`
    if [ $1 -eq 0 ]; then
        echo "[$TIME] $2 success"
        echo "[$TIME] $2 success" >> ${LOG_FILE}
    else
        echo "[$TIME] $2 error"
        echo "[$TIME] $2 error" >> ${LOG_FILE}
        exit 1
    fi
}

gsed() {
    # modifies a configuration file; three parameters: 1. regex of the line to modify, 2. the new line, 3. the file
    # if no line matches $1 and $2 is not already present, $2 is inserted as the first line of the file
    /bin/grep -E "^$1" $3 > /dev/null
    ret1=$?
    /bin/grep -E "^$2" $3 > /dev/null
    ret2=$?
    ret=10
    if [ $ret1 -eq 0 ]; then
        /bin/sed -i -r 's/^'"$1"'/'"$2"'/g' $3
        ret=$?
    elif [ $ret1 -ne 0 -a $ret2 -ne 0 ]; then
        /bin/sed -i '1i'"$2" $3
        ret=$?
    else
        ret=0
    fi
    return $ret
}

add_my_key() {
    # replace the value below with your own public key (the value here is a truncated placeholder)
    mykey='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtCgu1KvU/YMkPSnlEB4hyVWCc9/a5X3rqafGr7dPMdiMXXcyBpBd2t8NE/4rQ33rnd6GGUIlv3+2wPI8hFc5zU13G//jKseVS0hbY8XIq8zq8NhKzk/uX8m5ZE'
    for user in $@
    do
        if test $user = 'root'; then
            dir='/root/.ssh'
        else
            dir="/home/$user/.ssh"
        fi
        if ! test -d $dir; then
            /bin/mkdir -p $dir
        fi
        chmod 700 $dir && echo $mykey > $dir/authorized_keys && chown -R $user $dir && chmod 600 $dir/authorized_keys
        wr_log $? "add ssh key for $user"
    done
}

add_user() {
    /usr/sbin/useradd -g wheel $1 && echo "$2" | /usr/bin/passwd $1 --stdin
    wr_log $? "add user $1"
}

deny_root_login() {
    # modifies the PAM configuration of su and sshd: forbids root from logging in remotely (with a password),
    # and forbids users outside the wheel group from switching (su) to root
    if test $# -ne 2; then
        echo "usage: deny_root_login normal_user user_password"
        wr_log 1 "wrong usage:$@"
    fi
    add_user $1 $2
    add_my_key root $1
    gsed "auth[ \t]+required[ \t]+pam_wheel\.so use_uid" "auth required pam_wheel\.so use_uid" /etc/pam.d/su && \
    gsed "UsePAM[ \t]+no" "UsePAM yes" /etc/ssh/sshd_config && \
    gsed "auth[ \t]+required[ \t]+pam_listfile\.so item=user sense=deny file=\/etc\/ssh\/denyuser onerr=succeed" "auth required pam_listfile.so item=user sense=deny file=\/etc\/ssh\/denyuser onerr=succeed" /etc/pam.d/sshd && \
    echo "root" >> /etc/ssh/denyuser && /sbin/service sshd restart
    wr_log $? "deny_root_login"
}

deny_root_login admin "yourpassword"
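The following is an added audit script, not part of the article or its attached script: it checks the three controls the manual steps and the script put in place (UsePAM yes, the pam_listfile deny rule with root listed in /etc/ssh/denyuser, and pam_wheel.so in /etc/pam.d/su) under a given root directory. The function check_hardening and the helper make_sample_tree are assumptions of this example, and the configuration files it builds are constructed samples, not copies of any real host. One check goes slightly beyond the article: because the rule uses onerr=succeed, a missing or empty denyuser file would silently allow password logins, so the list itself is verified too.

```shell
#!/bin/sh
# Added example (not from the article or its script): audit the three controls the
# article configures, under a given root directory. Pass "/" to check a real host,
# or a constructed copy of the files (make_sample_tree below) to test the checks.

# check_hardening ROOT -> exit status 0 when all three controls are in place,
# 1 (with a FAIL line naming the first problem found) otherwise.
check_hardening() {
    root=$1
    sshd_cfg="$root/etc/ssh/sshd_config"
    pam_sshd="$root/etc/pam.d/sshd"
    pam_su="$root/etc/pam.d/su"
    denyfile="$root/etc/ssh/denyuser"

    # 1. sshd must hand authentication to PAM, otherwise /etc/pam.d/sshd is never consulted
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshd_cfg" \
        || { echo "FAIL: UsePAM yes not set in $sshd_cfg"; return 1; }

    # 2. an active (uncommented) auth line must deny the users listed in denyuser
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_listfile\.so.*sense=deny.*file=/etc/ssh/denyuser' "$pam_sshd" \
        || { echo "FAIL: pam_listfile deny rule missing from $pam_sshd"; return 1; }

    # 2b. with onerr=succeed an unreadable or empty list silently lets everyone through,
    #     so the list itself must exist and actually name root
    [ -r "$denyfile" ] || { echo "FAIL: $denyfile is missing or unreadable"; return 1; }
    grep -qx 'root' "$denyfile" || { echo "FAIL: root is not listed in $denyfile"; return 1; }

    # 3. su must require wheel membership (an uncommented pam_wheel.so line)
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$pam_su" \
        || { echo "FAIL: pam_wheel.so is not required in $pam_su"; return 1; }

    echo "OK: root password login denied and su restricted to wheel under $root"
    return 0
}

# make_sample_tree hardened|unhardened -> prints the path of a temporary directory
# holding constructed sample files (written here, not copied from any real host)
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/etc/ssh" "$base/etc/pam.d"
    if [ "$1" = hardened ]; then
        printf 'Port 22\nUsePAM yes\n' > "$base/etc/ssh/sshd_config"
        printf 'auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyuser onerr=succeed\nauth include password-auth\n' > "$base/etc/pam.d/sshd"
        printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$base/etc/pam.d/su"
        printf 'root\n' > "$base/etc/ssh/denyuser"
    else
        # deny rule absent, pam_wheel line commented out, no denyuser file
        printf 'Port 22\n#UsePAM no\n' > "$base/etc/ssh/sshd_config"
        printf 'auth include password-auth\n' > "$base/etc/pam.d/sshd"
        printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$base/etc/pam.d/su"
    fi
    echo "$base"
}

# stand-alone run: the hardened tree passes, the unhardened tree reports a finding
HARDENED=$(make_sample_tree hardened)
UNHARDENED=$(make_sample_tree unhardened)
check_hardening "$HARDENED"
check_hardening "$UNHARDENED" || true
rm -rf "$HARDENED" "$UNHARDENED"
```

On a real CentOS 6 host, run it as root after the article's script has finished (sshd_config is not world-readable) and call check_hardening / instead of a sample tree; a FAIL line points at the first control that is not in effect.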