一, Add the user to the wheel group:
1, Check the existing account information
[gudong@CentOS7.4-1 ~]$getent passwd gudong
gudong:x:1000:1000:gudong:/home/gudong:/bin/bash
[gudong@CentOS7.4-1 ~]$
[gudong@CentOS7.4-1 ~]$getent group gudong
gudong:x:1000:gudong
[gudong@CentOS7.4-1 ~]$
[gudong@CentOS7.4-1 ~]$getent passwd gd1
gd1:x:1001:1001::/home/gd1:/bin/bash
[gudong@CentOS7.4-1 ~]$getent group wheel
wheel:x:10:
2, Try to shut the system down with sudo as user gd1
[gd1@CentOS7.4-1 ~]$sudo shutdown now
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for gd1:
gd1 is not in the sudoers file. This incident will be reported.
3, Add wheel as a supplementary group and confirm the membership
[root@CentOS7.4-1 ~]#usermod -a -G wheel gd1
You have new mail in /var/spool/mail/root
[gudong@CentOS7.4-1 ~]$id test11
uid=1002(test11) gid=1002(test11) groups=1002(test11)
[gudong@CentOS7.4-1 ~]$
[gudong@CentOS7.4-1 ~]$id gudong
uid=1000(gudong) gid=1000(gudong) groups=1000(gudong),10(wheel)
[gudong@CentOS7.4-1 ~]$
[gudong@CentOS7.4-1 ~]$getent group wheel
wheel:x:10:gudong,testuser1,gd1
[gudong@CentOS7.4-1 ~]$
[root@CentOS7.4-1 ~]#usermod -a -G wheel test11
[root@CentOS7.4-1 ~]#
[gudong@CentOS7.4-1 ~]$
[gudong@CentOS7.4-1 ~]$id test11
uid=1002(test11) gid=1002(test11) groups=1002(test11),10(wheel)
[gudong@CentOS7.4-1 ~]$getent group wheel
wheel:x:10:gudong,testuser1,gd1,test11
4, Try the sudo shutdown again as gd1
[gd1@CentOS7.4-1 ~]$sudo shutdown now
This time the command runs; the host shuts down immediately, so nothing further is printed. Two things make this work: CentOS 7 ships /etc/sudoers with the rule for the wheel group already enabled, so wheel membership alone grants full root through sudo, and supplementary groups are read at login, so gd1 has to start a new session after the usermod before the new group is visible to sudo.
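The following audit script is an added example, not code from the original post. It answers the two questions the steps above raise: which accounts hold root through the wheel group, and does the %wheel rule in sudoers still require a password? The group line and the two sudoers fragments are constructed samples (the sudoers lines are the two %wheel rules CentOS 7 ships, with one or the other commented out); the functions read stdin, so they run just as well against the real files.

```shell
#!/bin/sh
# Added audit example, not code from the original post. Answers: who can
# become root through the wheel group, and does the %wheel sudoers rule
# still demand a password? Functions read stdin, so they work on the
# constructed samples below and on the real files
# (e.g. group_members wheel < /etc/group).

# Print the members of group $1 (fourth field of a group(5) line), one per line.
group_members() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# Classify the first active (non-comment) %wheel rule of a sudoers(5) file:
#   nopasswd - wheel members become root without typing a password (weak)
#   password - members authenticate with their own password (CentOS 7 default)
#   none     - no %wheel rule at all, so wheel membership grants no sudo rights
wheel_sudo_policy() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*%wheel[ \t]/ {
            if ($0 ~ /NOPASSWD:/) print "nopasswd"; else print "password"
            found = 1; exit
        }
        END { if (!found) print "none" }'
}

# One report line per wheel member, tagged with the sudoers policy.
# $1 = contents of the group file, $2 = contents of sudoers.
audit_wheel() {
    policy=$(printf '%s\n' "$2" | wheel_sudo_policy)
    printf '%s\n' "$1" | group_members wheel | while read -r u; do
        printf '%s sudo-via-wheel=%s\n' "$u" "$policy"
    done
}

# Constructed samples (not the real /etc/group or /etc/sudoers). The wheel
# line mirrors the getent output above; the sudoers fragments are the two
# %wheel rules CentOS 7 ships, with one or the other commented out.
SAMPLE_GROUP='root:x:0:
wheel:x:10:gudong,testuser1,gd1,test11
gudong:x:1000:'
SAMPLE_SUDOERS_DEFAULT='## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'
SAMPLE_SUDOERS_WEAK='# %wheel  ALL=(ALL)       ALL
%wheel        ALL=(ALL)       NOPASSWD: ALL'

echo "--- default sudoers"
audit_wheel "$SAMPLE_GROUP" "$SAMPLE_SUDOERS_DEFAULT"
echo "--- NOPASSWD sudoers"
audit_wheel "$SAMPLE_GROUP" "$SAMPLE_SUDOERS_WEAK"
# Live host: audit_wheel "$(cat /etc/group)" "$(sudo cat /etc/sudoers)"
```

The report is the list to review after every usermod -a -G wheel: each name on it is effectively root, and if the policy column reads nopasswd, a stolen session of any of them is root without a password prompt. Files pulled in by #includedir /etc/sudoers.d are not parsed here, so on a live host also feed those to wheel_sudo_policy.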
二, Allow only specified users to su -
1, Test
[testuser1@CentOS7.4-1 gudong]$su -
Password:
Last login: Mon Apr 13 20:31:48 CST 2020 on pts/0
[root@CentOS7.4-1 ~]#
[root@CentOS7.4-1 ~]#exit
logout
[testuser1@CentOS7.4-1 gudong]$
[gudong@CentOS7.4-1 ~]$su -
Password:
Last login: Mon Apr 13 20:29:45 CST 2020 on pts/1
[root@CentOS7.4-1 ~]#
[root@CentOS7.4-1 ~]#exit
logout
[gudong@CentOS7.4-1 ~]$
2, Edit the relevant configuration
vim /etc/pam.d/su
Remove the leading # from the line auth required pam_wheel.so use_uid so that the pam_wheel check is active.
Then echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
Note: /etc/login.defs holds the defaults applied when accounts are created, such as whether a home directory is made, the UID and GID ranges, and password ageing; root edits it. SU_WHEEL_ONLY is a shadow-utils setting, and the su binary on CentOS 7 comes from util-linux and does not read it, so that line is harmless but is not what enforces the restriction: the pam_wheel line is. Its use_uid option makes the module check the real UID of the process calling su rather than the user recorded for the terminal, so the check also holds inside a nested su session.
Add user gudong to the wheel supplementary group:
[root@CentOS7.4-1 ~]#usermod -a -G wheel gudong
3, Test again
[testuser1@CentOS7.4-1 gudong]$su -
Password:
su: Permission denied
[testuser1@CentOS7.4-1 gudong]$
[gudong@CentOS7.4-1 ~]$su -
Password:
Last login: Mon Apr 13 20:31:59 CST 2020 on pts/1
Last failed login: Mon Apr 13 20:38:10 CST 2020 on pts/1
There was 1 failed login attempt since the last successful login.
[root@CentOS7.4-1 ~]#
So at this point only members of the wheel group can su - successfully.
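The following script is an added example, not code from the original post. It does the edit from step 2 with sed instead of vim and classifies what the su PAM stack then enforces. The file it works on is a constructed copy of the CentOS 7 default /etc/pam.d/su, which carries two commented pam_wheel lines: the required one that this section wants, and a sufficient ... trust one that, if uncommented by mistake, lets wheel members reach root without any password.

```shell
#!/bin/sh
# Added example, not code from the original post: read and edit the su PAM
# stack the way step 2 above does by hand, and classify the result. The
# sample below is constructed to match the CentOS 7 default /etc/pam.d/su,
# in which both pam_wheel lines are commented out.

# Classify the first active (non-comment) pam_wheel line of a PAM stack read
# from stdin:
#   restricted   - "auth required pam_wheel.so ...": only wheel members may su
#   passwordless - "auth sufficient pam_wheel.so trust ...": wheel members reach
#                  root WITHOUT a password; this is the other commented line in
#                  the default file, and uncommenting it by mistake weakens su
#                  instead of restricting it
#   open         - no active pam_wheel line: anyone who knows the target
#                  account's password may su
su_wheel_policy() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $3 == "pam_wheel.so" {
            if ($2 == "sufficient" && $0 ~ /[ \t]trust([ \t]|$)/) { print "passwordless"; found = 1; exit }
            if ($2 == "required" || $2 == "requisite") { print "restricted"; found = 1; exit }
        }
        END { if (!found) print "open" }'
}

# Uncomment "#auth required pam_wheel.so use_uid" in file $1, writing through
# the existing file so its owner and mode are kept. An already-active line has
# no leading "#" and is left alone, so the edit is idempotent.
enable_wheel_only_su() {
    sed 's/^#[[:space:]]*\(auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_wheel\.so[[:space:]]\{1,\}use_uid\)/\1/' "$1" > "$1.tmp" \
        && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Constructed copy of the CentOS 7 default /etc/pam.d/su.
SAMPLE_PAM_SU='#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so'

# Demo on a scratch copy. On a real host run enable_wheel_only_su /etc/pam.d/su
# as root, keep that root shell open, and confirm with
# su_wheel_policy < /etc/pam.d/su before trusting the change.
PAM_COPY=$(mktemp)
printf '%s\n' "$SAMPLE_PAM_SU" > "$PAM_COPY"
echo "before: $(su_wheel_policy < "$PAM_COPY")"   # open
enable_wheel_only_su "$PAM_COPY"
echo "after:  $(su_wheel_policy < "$PAM_COPY")"   # restricted
```

PAM files are read on every su, so a broken edit bites immediately; do the change from a shell that is already root and test su - from a second terminal, as the section above does, before closing it. Nothing in /etc/login.defs is consulted by this check, which matches what CentOS 7's util-linux su actually does.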
三, Forbid direct remote root login
1, Edit the configuration file
vim /etc/ssh/sshd_config
PermitRootLogin no
# allow only gudong and testuser1 to connect remotely
AllowUsers gudong testuser1
2, Restart the sshd service
service sshd restart
3, Result: after the restart, root and any user not listed in AllowUsers cannot log in over SSH, even with the correct password. AllowUsers is a whitelist: every account absent from it is refused, so a typo in the list locks the administrator out as surely as root, and the restart should be done from a session that stays open until a fresh login by a listed user has been verified. Keep comments in sshd_config on their own lines: sshd on CentOS 7 does not strip a trailing # comment from a directive line and would read that text as further AllowUsers patterns.
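The following script is an added example, not part of the original post. It reads an sshd_config and reports whether the two settings above are in place and whether the named administrator would still be able to log in after the restart, which is the check to run before service sshd restart. The configs it parses are constructed samples: one is the change made above, the other has a typo in AllowUsers. Only the global section (before the first Match block) is considered, and for a keyword given more than once sshd keeps the first value, which the parser reproduces.

```shell
#!/bin/sh
# Added example, not part of the original post: check an sshd_config for the
# two settings above before restarting sshd, so the change cannot lock the
# administrator out. Input is read from stdin; only the global section (text
# before the first Match block) is considered, keyword/value pairs separated
# by whitespace are understood, and for a keyword that appears more than once
# sshd keeps the FIRST value, which sshd_global_value reproduces.

# Print the effective value of keyword $1 (case-insensitive) from the global
# section of an sshd_config on stdin; prints nothing when it is not set.
sshd_global_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; seen = 1 }'
}

# Print every AllowUsers pattern from the global section, one per line.
# Unlike single-valued keywords, repeated AllowUsers lines accumulate.
sshd_allow_users() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }'
}

# Report the root-login and allow-list findings for the config on stdin and
# return 0 only if administrator $1 keeps access and root password login is
# off. Exact names and user@host patterns are matched; wildcard patterns
# count as "not listed" (a conservative reading, not sshd's own matcher).
check_sshd_lockout() {
    admin=$1
    cfg=$(cat)
    prl=$(printf '%s\n' "$cfg" | sshd_global_value PermitRootLogin)
    allow=$(printf '%s\n' "$cfg" | sshd_allow_users)
    ok=0
    case "$prl" in
        no) echo "PermitRootLogin no: root cannot log in over SSH at all" ;;
        prohibit-password|without-password)
            echo "PermitRootLogin $prl: root may still log in with a key" ;;
        '') echo "PermitRootLogin not set: the sshd build default applies, set it explicitly"; ok=1 ;;
        *)  echo "PermitRootLogin $prl: root can log in with a password"; ok=1 ;;
    esac
    if [ -z "$allow" ]; then
        echo "AllowUsers not set: every account with a valid password may log in"
    elif printf '%s\n' "$allow" | sed 's/@.*//' | grep -qx "$admin"; then
        echo "AllowUsers lists $admin: the administrator keeps access"
    else
        echo "AllowUsers does not list $admin: restarting sshd would lock the administrator out"
        ok=1
    fi
    return $ok
}

# Constructed configs (not a real sshd_config). The first is the change made
# above; the second has a typo in AllowUsers, the classic self-lockout.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
AllowUsers gudong testuser1
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no'
SAMPLE_SSHD_TYPO='PermitRootLogin no
AllowUsers gudnog testuser1'

echo "--- config as written"
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_sshd_lockout gudong \
    && echo "ok: run sshd -t, then restart sshd from a session you keep open"
echo "--- config with a typo"
printf '%s\n' "$SAMPLE_SSHD_TYPO" | check_sshd_lockout gudong \
    || echo "do not restart sshd with this file"
# Live host: check_sshd_lockout "$USER" < /etc/ssh/sshd_config
```

The script checks intent, not syntax: sshd -t is still the authority on whether the file parses, and on CentOS 7 service sshd restart is forwarded to systemctl restart sshd. Existing SSH sessions survive the restart, which is exactly why the restart should be issued from one that stays open.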