linux 的免密切换用户PAM配置
/etc/pam.d/su是Linux系统中与用户切换(su命令)相关的PAM(Pluggable Authentication Modules,可插拔认证模块)配置文件。以下是对它的详细介绍:
简介
作用
PAM是一种用于管理系统认证的机制,它允许系统管理员灵活地配置不同服务的认证方式和策略。/etc/pam.d/su文件专门用于定义当用户使用su命令切换用户身份时的认证规则和流程。例如,它可以指定是否允许无密码切换、限制某些用户的切换权限等。
配置文件内容示例
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
配置项解释
auth:用于配置认证相关的参数。pam_rootok.so:表示允许 root 用户直接切换,无需密码验证。pam_wheel.so:与用户组“wheel”相关,trust use_uid表示信任“wheel”组中的用户,允许他们无需密码切换;use_uid则表示根据用户的UID来进行权限判断。include system-auth:表示包含/etc/pam.d/system-auth文件中的认证配置,这是一种复用通用认证配置的方式。
account、password、session:分别用于配置账户相关、密码相关和会话相关的参数,这里通过include system-auth复用了系统的通用配置。
通过修改/etc/pam.d/su文件,可以根据系统的安全需求和管理策略,灵活调整用户切换身份的认证方式和权限控制。但需要注意的是,对该文件的修改需要谨慎操作,以免影响系统的正常运行和安全性。
实践
利用admin_user 免密登录切换用户user01:user02:user03:user04:user05
cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
# 允许 agent_mgr 免密切换到指定用户
#auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/security/su-agent_mgr onerr=fail
#auth sufficient pam_permit.so
auth [success=ignore default=1] pam_succeed_if.so user in user01:user02:user03:user04:user05
auth sufficient pam_succeed_if.so use_uid user = admin_user
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so