How to exclude certain accounts from being locked after multiple incorrect passwords

Time: 2020-01-09 10:38:18  Source: igfitidea

Can PAM be configured so that certain accounts are excluded from lockout on failed authentication attempts, while every other account is locked after a fixed number of wrong passwords? This article shows how to do that on RHEL or CentOS 7 Linux: every user account is locked after N incorrect passwords, but the accounts placed on an exception list are never locked and may keep trying.

Exclude certain accounts from being locked after multiple incorrect passwords

In this article I use pam_faillock to lock user accounts after repeated wrong passwords, and pam_listfile to exempt the accounts on a list from that lockout.

Related: How to lock root and non-root user accounts after XX failed login attempts in Linux using pam_tally2 and pam_faillock (in XX)

PAM files to modify

Both of the following files must be modified for the change to take effect. On RHEL/CentOS 7 they are normally symlinks to system-auth-ac and password-auth-ac, which authconfig regenerates, so re-check them after any authconfig run.

/etc/pam.d/password-auth
/etc/pam.d/system-auth

Syntax used to exempt user accounts from lockout

Add the following lines to both files, system-auth and password-auth. The preauth line goes before the pam_unix.so auth line and the other three go directly after it, as in the full example further down:

auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth        [success=2 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        sufficient    pam_faillock.so authsucc audit deny=3

Here /etc/pam-unlock.txt is the file that lists the users who are exempt from lockout after multiple failed passwords. Create it and add the users to exempt, one per line. Any other file name can be used instead of /etc/pam-unlock.txt, as long as the file= argument matches.

The stack works as follows. pam_faillock preauth rejects a user who is already locked before the password is even checked. A correct password ends the stack at the sufficient pam_unix.so line, so nothing after it runs. A wrong password falls through to pam_listfile: if the user is on the list (sense=allow), the success=2 control skips the next two modules, the authfail line that records the failure and the authsucc line, so no tally is written and the attempt simply fails at pam_deny.so; if the user is not on the list, the result is ignored and pam_faillock authfail records the failure and, being [default=die], ends the stack with a failure. pam_listfile logs "Refused user ... for service ..." for every user who is not on the list; that line is expected, not an error.

Two cautions. First, keep the list file a regular, root-owned file that is not world-writable: pam_listfile refuses a world-writable list and falls back to its onerr= behaviour (onerr=fail by default), which [default=ignore] turns into "not on the list", so the exemption silently disappears. Second, every exempt account is exposed to unlimited online password guessing, so keep the list to the few break-glass or service accounts that really need it, give them strong passwords or key-only SSH access, and watch their failed logins in /var/log/secure.

Sample configuration file

My sample system-auth and password-auth file (only the auth, account and password sections are shown):

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=2 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        sufficient    pam_faillock.so authsucc audit deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Add the list of users to exempt

Next, add the users to be exempted from lockout to /etc/pam-unlock.txt, one per line.

[root@rhel-7 ~]# cat /etc/pam-unlock.txt
hynman
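The steps above, applied in one piece: the script below is an added example and is not code from the original article. It inserts the exemption stanza into a PAM stack file you pass to it (try it on a copy of system-auth before touching /etc/pam.d) and checks the exemption list the way pam_listfile would. The deny, unlock_time and list-file values mirror the article's example; the function names and the decision to refuse files that already contain faillock auth lines are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: render the pam_faillock +
# pam_listfile exemption stanza into a RHEL/CentOS 7 style PAM stack, and
# sanity-check the exemption list. Both functions take a file path, so try
# them on a copy before touching /etc/pam.d/system-auth and password-auth.

# Tunables; deny/unlock_time and the list path mirror the article's example.
DENY=3
UNLOCK_TIME=1800
EXEMPT_FILE=/etc/pam-unlock.txt

# Usage: apply_exemption_stack PAMFILE
# Inserts "preauth" right before the "auth sufficient pam_unix.so" line and
# the listfile/authfail/authsucc trio right after it, plus the account-phase
# pam_faillock line before "account required pam_unix.so". Refuses to touch
# a file that already carries faillock or listfile auth lines.
apply_exemption_stack() {
    file=$1
    if grep -q 'pam_listfile\.so' "$file" || grep -q '^auth.*pam_faillock\.so' "$file"; then
        echo "$file: faillock/listfile auth lines already present, not touching it" >&2
        return 0
    fi
    grep -q '^auth[[:space:]][[:space:]]*sufficient[[:space:]][[:space:]]*pam_unix\.so' "$file" || {
        echo "$file: no 'auth sufficient pam_unix.so' line to anchor on" >&2
        return 1
    }
    have_acct=$(grep -c '^account.*pam_faillock\.so' "$file" || true)
    tmp=$(mktemp) || return 1
    awk -v deny="$DENY" -v unlock="$UNLOCK_TIME" -v list="$EXEMPT_FILE" -v have_acct="$have_acct" '
        $1 == "auth" && $2 == "sufficient" && $3 ~ /^pam_unix\.so/ {
            # preauth before pam_unix: an already-locked user fails even
            # with the right password
            printf "auth        required      pam_faillock.so preauth silent audit deny=%s unlock_time=%s\n", deny, unlock
            print
            # a wrong password lands here; a listed user jumps over the two
            # faillock lines (success=2) so no failure is ever tallied
            printf "auth        [success=2 default=ignore]  pam_listfile.so item=user sense=allow file=%s\n", list
            printf "auth        [default=die] pam_faillock.so authfail audit deny=%s\n", deny
            printf "auth        sufficient    pam_faillock.so authsucc audit deny=%s\n", deny
            next
        }
        $1 == "account" && $3 ~ /^pam_unix\.so/ && have_acct == 0 {
            print "account     required      pam_faillock.so"
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: check_exempt_file [LISTFILE]
# pam_listfile refuses a world-writable or non-regular list and falls back
# to its onerr= behaviour (onerr=fail by default), which [default=ignore]
# turns into "not on the list": the exemption silently disappears. Catch
# that here, and flag names that are not local accounts (a typo exempts
# nobody).
check_exempt_file() {
    f=${1:-$EXEMPT_FILE}
    [ -f "$f" ] || { echo "$f: missing or not a regular file" >&2; return 1; }
    case $(ls -ld "$f") in
        ????????w*) echo "$f: world-writable, pam_listfile will refuse it" >&2; return 1 ;;
    esac
    rc=0
    while IFS= read -r user || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        if command -v getent >/dev/null 2>&1 && ! getent passwd "$user" >/dev/null 2>&1; then
            echo "$f: '$user' is not a local account" >&2
            rc=1
        fi
    done < "$f"
    return $rc
}

# Typical dry run:
#   cp /etc/pam.d/system-auth /tmp/system-auth
#   apply_exemption_stack /tmp/system-auth && diff /etc/pam.d/system-auth /tmp/system-auth
#   check_exempt_file /etc/pam-unlock.txt
```

The script writes the new stack back through the existing file (cat into it rather than mv) so a symlinked system-auth keeps pointing where it did. After the real files are changed, faillock --user rahul shows the tally for a user and faillock --user rahul --reset clears it, which is the quickest way to confirm that a listed user never accumulates entries.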

Verify the changes

The changes are now complete. I have two users, rahul and hynman, so let us verify the configuration with each of them.

For user rahul

I attempt to log in to the Linux host as the user rahul.

As the log shows, the account is locked after three failed attempts (deny=3). The fourth attempt, at 20:44:01, logs no password-check failure from unix_chkpwd, which is consistent with the correct password being supplied, yet it is still refused because pam_faillock preauth already fails for the locked user. The pam_listfile "Refused user rahul" lines are expected, since rahul is not on the exemption list. The final "Too many authentication failures" disconnect comes from sshd's own MaxAuthTries limit, which is independent of the PAM lockout.

Aug 31 20:43:48 rhel-7.example unix_chkpwd[27470]: password check failed for user (rahul)
Aug 31 20:43:48 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:49 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:54 rhel-7.example unix_chkpwd[27471]: password check failed for user (rahul)
Aug 31 20:43:54 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:56 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:57 rhel-7.example unix_chkpwd[27472]: password check failed for user (rahul)
Aug 31 20:43:57 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:59 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:01 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:44:04 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:14 rhel-7.example unix_chkpwd[27474]: password check failed for user (rahul)
Aug 31 20:44:14 rhel-7.example sshd[27467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=rahul
Aug 31 20:44:14 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:44:16 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:16 rhel-7.example sshd[27467]: error: maximum authentication attempts exceeded for rahul from 10.0.2.2 port 52404 ssh2 [preauth]
Aug 31 20:44:16 rhel-7.example sshd[27467]: Disconnecting: Too many authentication failures [preauth]

For user hynman

Now let us verify the same configuration with the user hynman.

login as: hynman
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password:
Last failed login: Sat Aug 31 20:46:15 IST 2019 from 10.0.2.2 on ssh:notty
There were 5 failed login attempts since the last successful login.
Last login: Sat Aug 31 20:37:05 2019 from 10.0.2.2
[hynman@rhel-7 ~]$

As we can see, the user hynman is still able to log in to the node after multiple failed passwords: pam_listfile matched the user and skipped the authfail line, so no failure was ever recorded.

The log also shows hynman logging in after five failed attempts. Unlike rahul's log, there is no pam_listfile "Refused user" line, because hynman is on the list.

Aug 31 20:46:02 rhel-7.example unix_chkpwd[27479]: password check failed for user (hynman)
Aug 31 20:46:02 rhel-7.example sshd[27476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=hynman
Aug 31 20:46:04 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:05 rhel-7.example unix_chkpwd[27480]: password check failed for user (hynman)
Aug 31 20:46:07 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:07 rhel-7.example unix_chkpwd[27481]: password check failed for user (hynman)
Aug 31 20:46:09 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:10 rhel-7.example unix_chkpwd[27482]: password check failed for user (hynman)
Aug 31 20:46:12 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:13 rhel-7.example unix_chkpwd[27483]: password check failed for user (hynman)
Aug 31 20:46:15 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example sshd[27476]: Accepted password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example systemd[1]: Created slice User Slice of hynman.
Aug 31 20:46:17 rhel-7.example systemd[1]: Started Session 65 of user hynman.
Aug 31 20:46:17 rhel-7.example systemd-logind[2924]: New session 65 of user hynman.
Aug 31 20:46:17 rhel-7.example sshd[27476]: pam_unix(sshd:session): session opened for user hynman by (uid=0)
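The log excerpts above are what an operator would grep for when checking that the exemption is working as intended, and nothing more. The following is an added example, not code from the original article: an awk pass over sshd log lines that reports every account accepted after at least deny failed passwords. With a working stack that is impossible for a non-exempt user, so each hit is either an entry in /etc/pam-unlock.txt (expected, but worth reviewing) or a broken PAM stack. The function name and the sample log are this example's own; the sample lines are constructed, modelled on the article's excerpts.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd log for
# accounts that were accepted after reaching the faillock threshold. With
# deny=3 and a working stack that is impossible for a non-exempt user, so
# every hit is either an entry in /etc/pam-unlock.txt (expected, but worth
# reviewing) or a broken PAM stack.

FAILLOCK_DENY=3

# Usage: audit_lockout_bypass [DENY] < /var/log/secure
# Prints "USER FAILURES" for every "Accepted password" that was preceded by
# at least DENY "Failed password" lines for that user since its last
# success. Counts per user, not per source address, like faillock itself.
audit_lockout_bypass() {
    awk -v deny="${1:-$FAILLOCK_DENY}" '
        /sshd\[[0-9]+\]: Failed password for / {
            u = $0
            sub(/.*Failed password for /, "", u)
            sub(/^invalid user /, "", u)   # unknown names are logged this way
            sub(/ from .*/, "", u)
            fails[u]++
            next
        }
        /sshd\[[0-9]+\]: Accepted password for / {
            u = $0
            sub(/.*Accepted password for /, "", u)
            sub(/ from .*/, "", u)
            if (fails[u] >= deny) print u, fails[u]
            fails[u] = 0
        }
    '
}

# Constructed sample, modelled on the article's /var/log/secure excerpts:
# rahul fails five times and is never accepted (locked, then cut off by
# sshd), hynman fails five times and is then accepted, and a stray
# "invalid user" probe shows the name extraction handles that form too.
sample_log() {
    cat <<'EOF'
Aug 31 20:43:49 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:56 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:59 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:04 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:16 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:16 rhel-7.example sshd[27467]: error: maximum authentication attempts exceeded for rahul from 10.0.2.2 port 52404 ssh2 [preauth]
Aug 31 20:46:04 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:07 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:09 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:12 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:15 rhel-7.example sshd[27476]: Failed password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example sshd[27476]: Accepted password for hynman from 10.0.2.2 port 50224 ssh2
Aug 31 20:50:00 rhel-7.example sshd[27500]: Failed password for invalid user admin from 10.0.2.9 port 40001 ssh2
EOF
}

# sample_log | audit_lockout_bypass        # prints: hynman 5
```

Run it against the real file with audit_lockout_bypass < /var/log/secure and compare the names it prints with /etc/pam-unlock.txt; a name that is on neither list means a user got in after the threshold without being exempt, which is exactly the failure this whole setup is supposed to rule out. Because faillock's unlock_time lets a counter expire, a legitimate login after a lockout has timed out will also be reported, so read the hits together with the timestamps.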