2019獨角獸企業重金招聘Python工程師標準>>>

55.2.?PAM

配置文件

ls /etc/pam.d/ chfn crond login passwd remote runuser-l smtp ssh-keycat sudo-i system-auth-ac chsh fingerprint-auth newrole password-auth run_init smartcard-auth smtp.postfix su su-l config-util fingerprint-auth-ac other password-auth-ac runuser smartcard-auth-ac sshd sudo system-auth

認證插件

ls /lib64/security/

55.2.1.?pam_tally2.so

此模塊的功能是，登陸錯誤輸入密碼3次，5分鐘后自動解禁，在未解禁期間輸入正確密碼也無法登陸。

在配置文件 /etc/pam.d/sshd 頂端加入

auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

查看失敗次數

# pam_tally2 Login Failures Latest failure From root 14 07/12/13 15:44:37 192.168.6.2 neo 8 07/12/13 15:45:36 192.168.6.2

重置計數器

# pam_tally2 -r -u root Login Failures Latest failure From root 14 07/12/13 15:44:37 192.168.6.2# pam_tally2 -r -u neo Login Failures Latest failure From neo 8 07/12/13 15:45:36 192.168.6.2

pam_tally2 計數器日志保存在 /var/log/tallylog 注意，這是二進制格式的文件

例?55.1.?/etc/pam.d/sshd - pam_tally2.so

# cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_tally2.so deny=3 onerr=fail unlock_time=300auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth

以上配置root用戶不受限制, 如果需要限制root用戶，參考下面

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

55.2.2.?pam_listfile.so

用戶登陸限制

將下面一行添加到 /etc/pam.d/sshd 中，這里采用白名單方式，你也可以采用黑名單方式

auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

將允許登陸的用戶添加到 /etc/ssh/whitelist，除此之外的用戶將不能通過ssh登陸到你的系統

# cat /etc/ssh/whitelist neo www

例?55.2.?/etc/pam.d/sshd - pam_listfile.so

# cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail auth required pam_tally2.so deny=3 onerr=fail unlock_time=300auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth

sense=allow 白名單方式, sense=deny 黑名單方式

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail

文章出處：?http://netkiller.github.com/

轉載于:https://my.oschina.net/neochen/blog/144297

總結

以上是生活随笔為你收集整理的Linux PAM 插件认证的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。