Skip to main content

系統帳號管理

教學連結
    How to Lock User Accounts After Failed Login Attempts Restrict SSH User Access to Certain Directory Using Chrooted Jail How can I restrict the normal user to run only limited set of commands in RHEL? How To Limit User’s Access To The Linux System Set a password policy in Red Hat Enterprise Linux
    建立系統用帳號

    CentOS/RedHat)

    groupadd -r asterisk
useradd -r -g asterisk -d /var/lib/asterisk -M asterisk

    Ubuntu/Debian)

    addgroup --system asterisk
adduser --system --ingroup asterisk --home /var/lib/asterisk --no-create-home --shell /bin/bash asterisk
    強制修改密碼

    強迫使用者在第一次登入後,修改他們的登入密碼

    # 先將帳號鎖定
usermod -L <username>

# 強制第一次登入必須修改密碼
# 套用後,原密碼會立即過期,直到完成密碼變更。
chage -d 0 <username>

# 解除帳號鎖定
usermod -U <username>

# 檢查帳號的期限
chage -l <user-name>
    帳號使用期限
    # 檢查帳號期限
chage -l <user-name>

# 設定有效期限 
chage -M 10 <user-name>             # 10 天後密碼即失效
chage -E "2017-02-20" <user-name>   # 2017-02-20 以後帳號即鎖定
chage -I 10 <user-name>             # 如有設定密碼期限時,當密碼失效起 10 日後自動鎖定帳號 

# 解除期限
chage -E -1 <user-name>       ; 數字 -1 解除期限設定
    帳號鎖定與解鎖
    # 鎖定帳號
usermod -L <user-name>
passwd -l <user-name>
chage -E 0 <user-name>

# 解鎖帳號
usermod -U <user-name>
passwd -u <user-name>
chage -E <user-name>

# 檢查帳號鎖定狀態
grep <user-name> /etc/shadow

dbtest:!$6$hFCW6eI1$kI9J9QrxCjnpvzFPJnxSpNvQ...  密碼欄有 ! 符號表示鎖定

    TIPs:
    注意:passwd 雖然可以鎖定帳號,但仍可以用 SSH-Key 登入。

    修改既有帳號的設定

    修改帳號的註解 Comment

    usermod -c "John" john
usermod -s "/sbin/nologin" alang
    限制某帳號不可遠端登入

    但可以由其他允許帳號從遠端登入後,執行 su 切換到該帳號

    情境:限制 devrpt 可以從遠端登入,但其他帳號在登入後可以 su 到 devrpt。

    方法一: 修改 sshd_config

    # Added by Alang
# prevent certain users from using ssh for login
# while retaining the option to 'su username'
#
DenyUsers istdc

    方法二: 最快速且容易設定但不適用需要有密碼的帳號

    # 刪除 devrpt 的密碼
passwd -d devrpt

    方法三: 比較嚴謹的做法

    以 CentOS 為例:

    1. 編輯 /etc/security/access.conf,加上這幾行

    # The line 'cron crond' is required
+:devrpt:cron crond tty1 tty2 tty3 tty4 tty5 tty6
-:devrpt:ALL

    TIPs:
    內容格式為 permission : username: origins

    permission + 允許 或 - 拒絕
    username 帳號
    origins 來源,這可以是 tty 名稱'、主機/網域名稱、IP 。

    注意:在此例,必須加上 cron crond 這一行,否則該帳號的 crontab 會無法工作。

    2. 對於不同的登入服務,需要修改相應的安全設定檔

    • telnet : /etc/pam.d/remote (修改後立即生效)
    • SSH : /etc/pam.d/sshd (修改後需重新載入 SSHD)
    • Local 本機登入 : /etc/pam.d/login

    視需要將以下內容加入其中一項或多項檔案內

    # Limited users for remote login via telnet
# Check the file /etc/security/access.conf
account    required     pam_access.so
    重建帳號的家目錄
    mkhomedir_helper <username>
    限制登入後的行為

    情境: 帳號執行遠端登入後,只能變更密碼與幾個受限制的指令權限

    RedHat-KB: https://access.redhat.com/solutions/65822

    # Create the restricted shell
cp /bin/bash /bin/rbash

# Create a directory that is used as the HOME of the user
mkdir /home/dbuser/
mkdir /home/dbuser/bin

# Modify the target user for the shell as restricted shell
usermod -d /home/dbuser -s /bin/rbash siview
# or for new user
useradd -d /home/dbuser -s /bin/rbash siview

    If a user uses rbash, the user can not do the following after login:

    • Changing directories with the |cd| built in.
    • Setting or unsetting the values of the |SHELL|, |PATH|, |ENV|, or |BASH_ENV| variables.
    • Specifying command names containing slashes.
    • Specifying a filename containing a slash as an argument to the |.| built in command.
    • Importing function definitions from the shell environment at startup.
    • Parsing the value of |SHELLOPTS| from the shell environment at startup.
    • Redirecting output using the `|>|', `|>||', `|<>|', `|>&|', `|&>|', and `|>>|' redirection operators.
    • Using the |exec| built in to replace the shell with another command.
    • Adding or deleting built in commands with the `|-f|' and `|-d|' options to the |enable| built in.
    • Specifying the `|-p|' option to the |command| built in.
    • Turning off restricted mode with `|set +r|' or `|set +o restricted|'.
    # Create specific profile for the user
vi /home/dbuser/.bash_profile

    .bash_profile:

    # cat /home/localuser/.bash_profile  
# .bash_profile  

# Get the aliases and functions  
if [ -f ~/.bashrc ]; then  
. ~/.bashrc  
fi  
# User specific environment and startup programs  
PATH=$HOME/bin  
export PATH
    # Create the softlinks of commands which are required for the user
ln -s /bin/date /home/dbuser/bin/
ln -s /bin/ls /home/dbuser/bin/
ln -s /usr/bin/passwd /home/dbuser/bin/
    密碼強度

    預設強度:

    • difok=N , 預設字元數 5 位數
    • minlen=N, 最少字元位數,預設是 9。
    • dcredit=-1, 數字至少 1 位數
    • ucredit=-1, 大寫字母至少 1 位數
    • lcredit=-1, 小寫字母至少 1 位數

    Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

    CentOS 5/6)

    NOTE: CentOS 5 沒有 /etc/pam.d/password-auth , 所以只需要設定 /etc/pam.d/system-auth

    # Set password strength
#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    requisite     pam_cracklib.so minlen=8 dcredit=-1 ucredit=-1 lcredit=-1

    CentOS 7.x)

    Edit /etc/security/pwquality.conf

    # Set password strength
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1

    預設 root 不會套用密碼強度規則,如果要做限制,編輯 /etc/pam.d/system-auth/etc/pam.d/password-auth ,在 password 這一行加上 enforce_for_root

    # Enforce root for password strength
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root

    記住幾代密碼
    CentOS 6.x)

    # Keep history of passwords used
# Add remember=N
# The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history 
# and keep the user from alternating between the same password too frequently.
#password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_unix.so sha512 remember=6 shadow nullok try_first_pass use_authtok

    CentOS 7.x)

    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# Keep history of passwords used, insert the below line after pam_pwquality.so line
password    requisite     pam_pwhistory.so remember=6 use_authtok

    TIP: 歷史密碼會被儲存在 /etc/security/opasswd .

    登入失敗後鎖定帳號

    CentOS 6.x
    Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

    # for auth
# add the below line BEFORE pam_unix.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600  # insert this

auth        sufficient    pam_unix.so nullok try_first_pass

# add the below line AFTER pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600  # insert this

# for account
# add the below line BEFORE pam_unix.so
account required pam_faillock.so  # insert this

account     required      pam_unix.so

    預設不會套用在 root;如果需要限制 root,下面這一行加上 even_deny_root

    auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

    如果要排除特定 user,在第一個 pam_faillock.so 之前加上這行:

    auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

    如何手動解鎖與檢查被鎖定的帳戶

    # display the authentication failure for all users 
faillock

# display the authentication failure for the specified user
faillock --user mytest

# unlock the user
faillock --user mytest --reset
    Tip:

    要確認設定是否有作用,可以監看 log 檔 /var/log/secure,登入錯誤次數達到設定值時,應該要出現下面的訊息。

    Mar 8 15:26:08 centos7 sshd[26995]: pam_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked

     

    群組管理
    # add a group into an account
usrmod -aG mygroup user1

# remove user from a group
gpasswd -d user1 mygroup

# list all users in a group
lid -g mygroup
    passwd
    # displays the status of user account password settings
passwd -S evans
evans PS 2020-09-07 0 99999 7 -1 (Password set, SHA512 crypt.)

# lock the password of a specified account
passwd -l user1

# unlock the password
passwd -u user2

# delete a password for an account
passwd -d user1

# expire a password for an account
passwd -e user2

# This sets the number of days before a password can be changed. 
# By default, a value of zero is set, which indicates that the user may change 
# their password at any time.
# This means user2 cannot change its own password until 10 days have passed.
passwd -n 10 user2

# To confirm the password setting made with the -n option above, run the following command:
# The value of 10 after the date indicates the minimum number of days 
# until the password can be changed.
passwd -S user1
user1 PS 2020-12-04 10 99999 7 -1 (Password set, SHA512 crypt.)

# This means after 90 days, the password is required to be changed.
passwd -x 90 user2

# This means the user will receive warnings that the password will expire 7 days 
# before the expiration.
passwd -w 7 user2

# This means after a user account has had an expired password for 5 days, 
# the user may no longer sign on to the account.
passwd -i 5 user2

# This command will read from the echo command and pass it to the passwd command. 
# So this will set the user1 password to userpasswd1.
echo "userpasswd1"|passwd --stdin user1
    Learning
      How to Lock User Accounts After Failed Login Attempts Restrict SSH User Access to Certain Directory Using Chrooted Jail How can I restrict the normal user to run only limited set of commands in RHEL? How To Limit User’s Access To The Linux System Set a password policy in Red Hat Enterprise Linux

       

      Back to top