Using pam_succeed_if
Description:
pam_succeed_if can place restrictions on which users may log in.
[root@station203 pam.d]# uname -a
Linux station203.example.com 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686 i386 GNU/Linux
First, read the man page.
[root@station203 security]# man pam_succeed_if
........... omitted ...........
This module has no configuration file of its own; edit the PAM service file that needs the restriction directly.
[root@station203 pam.d]# vim system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_succeed_if.so uid eq 510 ## add this line
## Note: only the user whose uid equals 510 may log in to the system; root is subject to the check as well.
Test:
Whether locally or over remote ssh, logging in as root or as any other user whose uid is not 510 fails.
Logging in as the user with uid 510 succeeds.
## useradd -u UID username sets the UID of a newly created user
[root@station203 ~]# tail /var/log/secure ## shows the successful and failed login records just generated
I have also copied the man page content below. It is easy to follow; all of these are parameters of pam_succeed_if.so:
debug Turns on debugging messages sent to syslog.
use_uid
Evaluate conditions using the account of the user whose UID the application is running under
instead of the user being authenticated.
quiet Don't log failure or success to the system log.
quiet_fail
Don't log failure to the system log.
quiet_success
Don't log success to the system log.
Conditions are three words: a field, a test, and a value to test for.
Available fields are user, uid, gid, shell, home and service:
field < number
Field has a value numerically less than number.
field <= number
Field has a value numerically less than or equal to number.
field eq number
Field has a value numerically equal to number.
field >= number
Field has a value numerically greater than or equal to number.
field > number
Field has a value numerically greater than number.
field ne number
Field has a value numerically different from number.
field = string
Field exactly matches the given string.
field != string
Field does not match the given string.
field =~ glob
Field matches the given glob.
field !~ glob
Field does not match the given glob.
field in item:item:...
Field is contained in the list of items separated by colons.
field notin item:item:...
Field is not contained in the list of items separated by colons.
user ingroup group
User is in given group.
user notingroup group
User is not in given group.
user innetgr netgroup
(user,host) is in given netgroup.
user notinnetgr netgroup
(user,host) is not in given netgroup.
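As an added illustration (not code from the original post or from the pam_succeed_if module itself), the following Python re-implements the condition semantics listed above over constructed account and group records, so the `uid eq 510` rule placed in system-auth and the other test forms can be tried without touching a real PAM stack. The account data, group membership and the `check`/`allowed` function names are assumptions; the netgroup tests are left out because they also need a host name.

```python
import fnmatch
import operator

# Constructed account records standing in for what the module reads via NSS
# (getpwnam/getgrnam); "service" is the PAM service name being evaluated.
ACCOUNTS = {
    "root":  {"user": "root",  "uid": 0,   "gid": 0,   "shell": "/bin/bash",     "home": "/root",       "service": "sshd"},
    "alice": {"user": "alice", "uid": 510, "gid": 510, "shell": "/bin/bash",     "home": "/home/alice", "service": "sshd"},
    "bob":   {"user": "bob",   "uid": 511, "gid": 511, "shell": "/sbin/nologin", "home": "/home/bob",   "service": "sshd"},
}
GROUPS = {"wheel": {"alice"}, "users": {"alice", "bob"}}  # constructed group membership

# Numeric tests from the man page; note that "eq"/"ne" are numeric while "="/"!=" are string tests.
NUMERIC = {"<": operator.lt, "<=": operator.le, "eq": operator.eq,
           ">=": operator.ge, ">": operator.gt, "ne": operator.ne}


def check(condition, account):
    """Evaluate one 'field test value' condition as the man page defines it.

    Returns True when the condition holds, i.e. when pam_succeed_if would
    report success for this account."""
    field, test, value = condition.split(None, 2)
    actual = account[field]
    if test in NUMERIC:
        return NUMERIC[test](int(actual), int(value))
    if test == "=":
        return str(actual) == value
    if test == "!=":
        return str(actual) != value
    if test == "=~":                      # shell-style glob, as in the man page
        return fnmatch.fnmatchcase(str(actual), value)
    if test == "!~":
        return not fnmatch.fnmatchcase(str(actual), value)
    if test == "in":                      # colon-separated list of items
        return str(actual) in value.split(":")
    if test == "notin":
        return str(actual) not in value.split(":")
    if field == "user" and test == "ingroup":
        return actual in GROUPS.get(value, set())
    if field == "user" and test == "notingroup":
        return actual not in GROUPS.get(value, set())
    raise ValueError(f"unsupported condition: {condition!r}")


def allowed(username, condition):
    """True if the named account would pass a 'required' pam_succeed_if line with this condition."""
    return check(condition, ACCOUNTS[username])
```

With the rule from the post, `allowed("alice", "uid eq 510")` holds while `allowed("root", "uid eq 510")` does not, which matches the login results described in the test section.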
Reposted from: https://blog.51cto.com/jasonyong/164005