5. With the steps above we have forbidden remote root login, but an ordinary user can still log in and then switch to root with su. To close that path, enable PAM control of su on tast01 (the pam_wheel module), so that only members of the wheel group may switch to root.
[root@tast01 ~]# vim /etc/pam.d/su    // edit the PAM configuration for su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid    // uncomment this line to enable the wheel check
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
:wq    // save and quit

pam_rootok.so comes first and is marked sufficient, so root itself can still su to any account; use_uid makes pam_wheel check the real uid of the caller rather than the login name. PAM files are read on every su call, so no service needs restarting.

6. Check whether the siti user can still switch to root.
[root@tast02 ~]# ssh siti@192.168.144.133    // log in as siti
siti@192.168.144.133's password:    // enter the password
Last failed login: Mon Sep 9 16:09:32 CST 2019 from 192.168.144.135 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Sep 9 15:47:20 2019 from 192.168.144.135
[siti@tast01 ~]$ su - root    // logged in as siti, now try to switch to root
Password:    // enter root's password
su: Permission denied    // refused: the switch fails
[siti@tast01 ~]$

7. The switch is refused because siti is not in the wheel group. Can siti instead switch to sun, who is in the wheel group, and then have sun switch to root? Let us test that detour.
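To see why the detour attempted next fails as well, here is a small shell model of the su auth stack configured in step 5 (pam_rootok.so as sufficient, then pam_wheel.so as required). It is an added example, not code from the article: the group and passwd excerpts are constructed inline (sun is in wheel, siti is not), the function names uid_of, in_group and su_allowed are hypothetical, and the model only decides whether the stack passes, not whether a password is asked (the trust option is not modelled).

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the article): decides whether
# `su - TARGET` run by USER passes the auth stack shown in step 5:
#   auth sufficient pam_rootok.so
#   auth required   pam_wheel.so use_uid [root_only] [group=NAME]
# All inputs are constructed inline so the script runs offline.

# Constructed /etc/group excerpt: sun is a wheel member, siti is not.
GROUPS_DB='root:x:0:
wheel:x:10:sun
sun:x:1001:
siti:x:1002:'

# Constructed /etc/passwd excerpt, used only for uid lookups.
PASSWD_DB='root:x:0:0::/root:/bin/bash
sun:x:1001:1001::/home/sun:/bin/bash
siti:x:1002:1002::/home/siti:/bin/bash'

uid_of() {  # uid_of USER -> prints the numeric uid (empty if unknown)
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1==u {print $3}'
}

in_group() {  # in_group USER GROUP -> exit 0 if USER is listed as a member of GROUP
    printf '%s\n' "$GROUPS_DB" | awk -F: -v u="$1" -v g="$2" '
        $1==g { n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) ok=1 }
        END { exit ok?0:1 }'
}

# su_allowed USER TARGET [pam_wheel options...] -> prints "allow" or "deny".
# Options mirror pam_wheel(8): use_uid (the caller's real uid is what we check),
# root_only (only restrict switches to uid 0), group=NAME (use NAME instead of wheel).
su_allowed() {
    user=$1; target=$2; shift 2
    group=wheel; root_only=0
    for opt in "$@"; do
        case $opt in
            root_only) root_only=1 ;;
            group=*)   group=${opt#group=} ;;
        esac
    done
    # pam_rootok.so (sufficient): a caller with uid 0 passes immediately.
    if [ "$(uid_of "$user")" = 0 ]; then echo allow; return; fi
    # pam_wheel.so (required): without root_only the group check applies to
    # EVERY su target, which is why siti cannot even switch to sun.
    if [ "$root_only" = 1 ] && [ "$(uid_of "$target")" != 0 ]; then echo allow; return; fi
    if in_group "$user" "$group"; then echo allow; else echo deny; fi
}
```

su_allowed siti sun use_uid prints deny, matching what the next step shows on the real machine; with root_only appended the same call prints allow, while su_allowed siti root use_uid root_only still prints deny.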
[siti@tast01 ~]$ su - sun    // try to switch to sun
Password:    // enter sun's password
su: Permission denied    // refused: the switch fails
[siti@tast01 ~]$

This is refused as well: unless pam_wheel.so is given the root_only option, the wheel-group check applies to every su target, not only to root, so a user outside wheel cannot switch to any account and the siti -> sun -> root detour is closed. (If non-wheel users should still be able to su to ordinary accounts, add root_only to the pam_wheel line.)

9. Back on tast01, limit the number of authentication attempts the SSH server accepts per connection (MaxAuthTries).
[root@tast01 ~]# vim /etc/ssh/sshd_config    // edit the server configuration
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6    // uncomment to set the number of authentication attempts allowed per connection
#MaxSessions 10
:wq    // save and quit

Note that 6 is also sshd's built-in default, so merely uncommenting this line changes nothing; to actually tighten the limit, set a smaller value such as 3. MaxAuthTries counts every authentication attempt on one connection (offered public keys included, not only passwords), and sshd starts logging failures once half the limit has been reached. Edits to sshd_config only take effect after the service is restarted (systemctl restart sshd); run sshd -t first to catch syntax errors before the restart.

10. From tast02, check whether the attempt limit is in effect.
[root@tast02 ~]# ssh sun@192.168.144.133    // log in as sun
sun@192.168.144.133's password:    // enter a wrong password
Permission denied, please try again.    // 1st failure, refused
sun@192.168.144.133's password:    // enter a wrong password
Permission denied, please try again.    // 2nd failure, refused
sun@192.168.144.133's password:    // enter a wrong password
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).    // 3rd failure: the client gives up

11. The connection ended after three passwords, not six. That limit comes from the ssh client, whose NumberOfPasswordPrompts option defaults to 3, and not from the server's MaxAuthTries. To observe the server-side limit, raise the client's prompt count on the command line.
[root@tast02 ~]# ssh -o NumberOfPasswordPrompts=8 sun@192.168.144.133    // let the client prompt up to 8 times
sun@192.168.144.133's password:
Permission denied, please try again.
sun@192.168.144.133's password:
Permission denied, please try again.
sun@192.168.144.133's password:
Permission denied, please try again.
sun@192.168.144.133's password:
Permission denied, please try again.
sun@192.168.144.133's password:
Permission denied, please try again.
sun@192.168.144.133's password:
Received disconnect from 192.168.144.133 port 22:2: Too many authentication failures
Authentication failed.    // disconnected by the server after the 6th password: MaxAuthTries is in effect

Allow and deny lists (AllowUsers, DenyUsers)

Add one more Linux client in VMware 15 (tast03, IP address 192.168.144.132) to use for remote connections to the server.
1. On tast01, edit the sshd configuration and add an AllowUsers entry naming the only users (and, where needed, the client addresses) allowed to log in.
[root@tast01 ~]# vim /etc/ssh/sshd_config    // edit the server configuration
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
#MaxSessions 10
AllowUsers sun@192.168.144.135 stii    // add this line: sun may log in only from the client 192.168.144.135; stii may log in from any client
#PubkeyAuthentication yes
:wq    // save and quit
[root@tast01 ~]# useradd stii    // create the stii user
[root@tast01 ~]# passwd stii    // set a password for stii
Changing password for user stii.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@tast01 ~]# systemctl restart sshd    // restart sshd so the change takes effect

Once AllowUsers is present, any account not matched by one of its patterns (siti, here) is refused from every client; sshd still prompts such a user for a password but rejects it regardless. Patterns may use the wildcards * and ?, and the USER@HOST form checks the client's address separately from the user name (a CIDR range is accepted for HOST as well).

2. Log in to the tast01 server over ssh from tast02 and from tast03.
[root@tast02 ~]# ssh sun@192.168.144.133    // from tast02, log in to the server as sun
sun@192.168.144.133's password:    // enter the password
Last failed login: Mon Sep 9 17:24:32 CST 2019 from 192.168.144.135 on ssh:notty
There were 6 failed login attempts since the last successful login.
Last login: Mon Sep 9 17:21:47 2019 from 192.168.144.133
[sun@tast01 ~]$    // login succeeded
[sun@tast01 ~]$ exit    // log out
logout
Connection to 192.168.144.133 closed.
[root@tast02 ~]# ssh siti@192.168.144.133    // from tast02, log in to the server as siti
siti@192.168.144.133's password:    // enter the password
Permission denied, please try again.    // refused
[root@tast02 ~]# ssh stii@192.168.144.133    // from tast02, log in as stii
stii@192.168.144.133's password:    // enter the password
[stii@tast01 ~]$    // login succeeded

[root@tast03 ~]# ssh sun@192.168.144.133    // from tast03, log in to the server as sun
The authenticity of host '192.168.144.133 (192.168.144.133)' can't be established.
ECDSA key fingerprint is SHA256:B8IsZOFG7FbtVkIK+dMILmo0iA4OEIeVGY0GnnCbXhk.
ECDSA key fingerprint is MD5:c2:d8:09:17:de:6e:ec:07:06:1b:ac:b6:1e:bd:62:09.
Are you sure you want to continue connecting (yes/no)? yes    // first connection from this client: check the fingerprint against the server's, then confirm
Warning: Permanently added '192.168.144.133' (ECDSA) to the list of known hosts.
sun@192.168.144.133's password:    // enter the password
Permission denied, please try again.    // refused: sun is allowed only from 192.168.144.135
[root@tast03 ~]# ssh siti@192.168.144.133    // from tast03, log in as siti
siti@192.168.144.133's password:    // enter the password
Permission denied, please try again.    // refused: siti is not listed in AllowUsers
[root@tast03 ~]# ssh stii@192.168.144.133    // from tast03, log in as stii
stii@192.168.144.133's password:    // enter the password
Last login: Mon Sep 9 21:55:49 2019 from 192.168.144.135
[stii@tast01 ~]$    // login succeeded

The results match the AllowUsers line: sun is accepted only from tast02 (192.168.144.135), siti is rejected from both clients, and stii is accepted from both.
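The MaxAuthTries and AllowUsers steps above both hinge on how sshd reads its configuration: for each keyword it uses the first uncommented occurrence and otherwise its built-in default (which is why uncommenting MaxAuthTries 6 changed nothing), and AllowUsers patterns take the form USER or USER@HOST with * and ? wildcards. The shell helpers below, an added example and not the article's own code, apply both rules to a copy of the configuration from step 1 that is constructed inline. The function names effective, glob_match and allow_users_permits are hypothetical; the default values passed to effective are taken from sshd_config(5).

```shell
#!/bin/sh
# Hypothetical helpers (added example, not from the article) that answer, offline,
# the two questions raised in the text: which value of a keyword sshd actually
# applies, and whether USER connecting from IP passes the AllowUsers line.

# Constructed copy of the sshd_config fragment edited in step 1.
SSHD_CONFIG='#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
#MaxSessions 10
AllowUsers sun@192.168.144.135 stii
#PubkeyAuthentication yes'

# effective KEYWORD [DEFAULT] -> prints the value in force.
# Commented lines only document the default; sshd takes the FIRST uncommented
# occurrence of a keyword (case-insensitive) and ignores any later ones.
effective() {
    v=$(printf '%s\n' "$SSHD_CONFIG" | awk -v k="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1)==tolower(k) { print $2; exit }')
    [ -n "$v" ] && echo "$v" || echo "${2:-unset}"
}

# glob_match STRING PATTERN -> exit 0 if STRING matches PATTERN (* and ? wildcards,
# the same pattern syntax sshd_config(5) describes for AllowUsers).
glob_match() {
    case $1 in $2) return 0 ;; *) return 1 ;; esac
}

# allow_users_permits USER IP -> prints "allow" or "deny".
# With no AllowUsers line every account is eligible; with one, the user must
# match some pattern, and a USER@HOST pattern also checks the client address.
allow_users_permits() {
    user=$1; ip=$2
    pats=$(printf '%s\n' "$SSHD_CONFIG" | awk '
        /^[ \t]*#/ { next }
        tolower($1)=="allowusers" { $1=""; print; exit }')
    [ -z "$pats" ] && { echo allow; return; }
    for p in $pats; do
        case $p in
            *@*) glob_match "$user" "${p%@*}" && glob_match "$ip" "${p#*@}" && { echo allow; return; } ;;
            *)   glob_match "$user" "$p" && { echo allow; return; } ;;
        esac
    done
    echo deny
}
```

Running effective MaxAuthTries 6 and effective LoginGraceTime 120 prints 6 and 120 respectively, showing that the uncommented MaxAuthTries line and the commented LoginGraceTime line both leave the defaults in force, while allow_users_permits reproduces the matrix observed from tast02 and tast03: sun is allowed only from 192.168.144.135, stii from anywhere, siti from nowhere.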