这里将告诉您使用PAM模块实现普通用户之间su免密切换,教程操作步骤:参考自:Allow user1 to “su - user2” without password
/d/file/shujuku/adcwslioblr
需求:
在user1用户下执行: su - user2 免密登录。
我的实验系统版本:
CentOS Linux release 7
方法:
# vim /etc/pam.d/su
#在pam_rootok.so那一行之后添加如下两行。
auth [success=ignore default=1] pam_succeed_if.so user = user2
auth sufficient pam_succeed_if.so use_uid user = user1
可以理解为:对于名为user2的账号,如果使用su程序的用户名为user1,即可以免密登录
PAM模块文档:
# less /usr/share/doc/pam-1.1.8/txts/README.pam_succeed_if
首先是 use_uid部分
Evaluate conditions using the account of the user whose UID the application
is running under instead of the user being authenticated.
然后看fields格式
Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service
field > number
Field has a value numerically greater than number.
field in item:item:...
Field is contained in the list of items separated by colons.
据此,还可以实现从user1免密su到uid 为某个范围的多个系统用户
实验:
[root@MyVm] 17:56:55 ~ # id user1
uid=1004(user1) gid=1004(user1) groups=1004(user1)
[root@MyVm] 17:56:59 ~ # id user2
uid=1005(user2) gid=1005(user2) groups=1005(user2)
[root@MyVm] 17:57:00 ~ # id user3
uid=1006(user3) gid=1006(user3) groups=1006(user3)
修改/etc/pam.d/su:
auth [success=ignore default=1] pam_succeed_if.so uid >= 1005
auth sufficient pam_succeed_if.so use_uid user = user1
可以理解为:对于UID>=1005的账号,如果使用su程序的用户名为user1,即可以免密登录
[root@MyVm] 17:57:49 ~ # su - user1
Last login: Thu Sep 3 17:55:47 CST 2020 on pts/1
[user1@MyVm] 17:57:50 ~ $ su - user2
[user2@MyVm] 17:57:52 ~ $ logout
[user1@MyVm] 17:57:53 ~ $ su - user3
Last login: Thu Sep 3 17:55:54 CST 2020 on pts/1
[user3@MyVm] 17:57:55 ~ $ logout
反之,允许多个账号su免密到某个(些)账号,可以配置为:
auth [success=ignore default=1] pam_succeed_if.so uid = 1001
auth sufficient pam_succeed_if.so use_uid uid > 1001
PAM模块资料:
/d/file/shujuku/i1obtfewvd3.html
找到这个方法之前,发现一种用利用把ssh免密加入到user1的 .bashrc 来实现自动跳转user2的方法,勉强满足需求,但是有点绕远,而且user1差不多是废了。使用PAM模块实现普通用户之间su免密切换就为您介绍到这里,感谢您关注懒咪学编程c.lanmit.com.
本文地址:https://c.lanmit.com/czxt/Linux/119071.html