系統帳號管理
教學連結
- How to Lock User Accounts After Failed Login Attempts
- Restrict SSH User Access to Certain Directory Using Chrooted Jail
- How can I restrict the normal user to run only limited set of commands in RHEL?
- How To Limit User’s Access To The Linux System
- Set a password policy in Red Hat Enterprise Linux
建立系統用帳號
CentOS/RedHat)
groupadd -r asterisk
useradd -r -g asterisk -d /var/lib/asterisk -M asterisk
Ubuntu/Debian)
addgroup --system asterisk
adduser --system --ingroup asterisk --home /var/lib/asterisk --no-create-home --shell /bin/bash asterisk
強制修改密碼
強迫使用者在第一次登入後,修改他們的登入密碼
# 先將帳號鎖定
usermod -L <username>
# 強制第一次登入必須修改密碼
chage -d 0 <username>
# 解除帳號鎖定
usermod -U <username>
# 檢查帳號的期限
chage -l <user-name>
帳號使用期限
# 檢查帳號期限
chage -l <user-name>
# 設定有效期限
chage -M 10 <user-name> # 10 天後密碼即失效
chage -E "2017-02-20" <user-name> # 2017-02-20 以後帳號即鎖定
chage -I 10 <user-name> # 如有設定密碼期限時,當密碼失效啟 10 日後自動鎖定帳號
# 解除期限
chage -E -1 <user-name> ; 數字 -1 解除期限設定
帳號鎖定與解鎖
# 鎖定帳號
usermod -L <user-name>
passwd -l <user-name>
chage -E 0 <user-name>
# 解鎖帳號
usermod -U <user-name>
passwd -u <user-name>
chage -E <user-name>
# 檢查帳號鎖定狀態
grep <user-name> /etc/shadow
dbtest:!$6$hFCW6eI1$kI9J9QrxCjnpvzFPJnxSpNvQ... 密碼欄有 ! 符號表示鎖定
TIPs:
注意:passwd 雖然可以鎖定帳號,但仍可以用 SSH-Key 登入。
修改既有帳號的設定
修改帳號的註解 Comment
usermod -c "John" john
usermod -s "/sbin/nologin" alang
限制某帳號不可遠端登入
但可以由其他允許帳號從遠端登入後,執行 su 切換到該帳號
情境:限制 devrpt 可以從遠端登入,但其他帳號在登入後可以 su 到 devrpt。
方法一: 修改 sshd_config
# Added by Alang
# prevent certain users from using ssh for login
# while retaining the option to 'su username'
#
DenyUsers istdc
方法二: 最快速且容易設定但不適用需要有密碼的帳號
# 刪除 devrpt 的密碼
passwd -d devrpt
方法三: 比較嚴謹的做法
以 CentOS 為例:
1. 編輯 /etc/security/access.conf,加上這幾行
# The line 'cron crond' is required
+:devrpt:cron crond tty1 tty2 tty3 tty4 tty5 tty6
-:devrpt:ALL
TIPs:
內容格式為 permission : username: originspermission + 允許 或 - 拒絕
username 帳號
origins 來源,這可以是 tty 名稱'、主機/網域名稱、IP 。注意:在此例,必須加上 cron crond 這一行,否則該帳號的 crontab 會無法工作。
2. 對於不同的登入服務,需要修改相應的安全設定檔
- telnet : /etc/pam.d/remote (修改後立即生效)
- SSH : /etc/pam.d/sshd (修改後需重新載入 SSHD)
- Local 本機登入 : /etc/pam.d/login
視需要將以下內容加入其中一項或多項檔案內
# Limited users for remote login via telnet
# Check the file /etc/security/access.conf
account required pam_access.so
重建帳號的家目錄
mkhomedir_helper <username>
限制登入後的行為
情境: 帳號執行遠端登入後,只能變更密碼與幾個受限制的指令權限
RedHat-KB: https://access.redhat.com/solutions/65822
# Create the restricted shell
cp /bin/bash /bin/rbash
# Create a directory that is used as the HOME of the user
mkdir /home/dbuser/
mkdir /home/dbuser/bin
# Modify the target user for the shell as restricted shell
usermod -d /home/dbuser -s /bin/rbash siview
# or for new user
useradd -d /home/dbuser -s /bin/rbash siview
If a user uses rbash, the user can not do the following after login:
- Changing directories with the |cd| built in.
- Setting or unsetting the values of the |SHELL|, |PATH|, |ENV|, or |BASH_ENV| variables.
- Specifying command names containing slashes.
- Specifying a filename containing a slash as an argument to the |.| built in command.
- Importing function definitions from the shell environment at startup.
- Parsing the value of |SHELLOPTS| from the shell environment at startup.
- Redirecting output using the `|>|', `|>||', `|<>|', `|>&|', `|&>|', and `|>>|' redirection operators.
- Using the |exec| built in to replace the shell with another command.
- Adding or deleting built in commands with the `|-f|' and `|-d|' options to the |enable| built in.
- Specifying the `|-p|' option to the |command| built in.
- Turning off restricted mode with `|set +r|' or `|set +o restricted|'.
# Create specific profile for the user
vi /home/dbuser/.bash_profile
.bash_profile:
# cat /home/localuser/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$HOME/bin
export PATH
# Create the softlinks of commands which are required for the user
ln -s /bin/date /home/dbuser/bin/
ln -s /bin/ls /home/dbuser/bin/
ln -s /usr/bin/passwd /home/dbuser/bin/