2.3 sudo and PAM authentication

Date: 2021-04-29 02:42:11

sudo

    The sudo command lets a user who is authorized in the sudoers file run a command as the superuser or as another user.

    Syntax: sudo [-u user] command

    Options

-u user   run the command as this user (default: root)
-l, -ll   list the commands the invoking user may (and may not) run on the current host; -ll uses the long format
-v        refresh the cached credentials (updates the timestamp), extending them for another timestamp_timeout period, 5 minutes by default
-k        invalidate the cached credentials (historically by resetting the timestamp to 1970-01-01); the next sudo asks for the password again
-K        like -k, but also removes the timestamp file itself
-b        run the command in the background

Read through /etc/sudoers. When granting sudo rights, put your own rules in files under /etc/sudoers.d, written in the same format as /etc/sudoers, rather than editing the main file.

[root@CentOS7 ~]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases    # host aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases    # user aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases    # command aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
# grants root the right to run any command as any user on any host
## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL  # leave commented out or delete: passwordless sudo for a whole group is not recommended

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

    Authorization syntax: user HOST=(runas_user) command

Note: write the command with its absolute path. If the rule lists arguments, the arguments the user types must match them exactly; a rule that lists no arguments allows the command with any arguments, and "" after the command allows it only with no arguments at all.

    Why root ALL=(ALL) ALL exists: sudo grants nothing that sudoers does not state, not even to root. This entry is what lets root use sudo -u to run commands as any other user, and because sudoers matches by user name it would still let the account named root act as administrator through sudo even if its UID were changed so that it is no longer the superuser.

Rules placed in files under /etc/sudoers.d use the same authorization syntax. Files whose names contain a "." or end in "~" are skipped by #includedir, and the files should be mode 0440 like /etc/sudoers itself.

    /etc/sudoers is read-only (mode 0440) by default. Edit it with visudo, which locks the file and checks the syntax before saving; set export EDITOR=vim to change the editor visudo uses.

    visudo is used to edit and to check sudo's configuration files.

[root@CentOS7 sudoers.d]# cat jiangbowen 
jiangbowen 192.168.30.75=(root) /bin/cat /etc/shadow
[root@CentOS7 sudoers.d]# visudo -c -f jiangbowen   # -c checks the syntax, -f names the file to check
jiangbowen: parsed OK
[jiangbowen@CentOS7 ~]$ sudo cat /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jiangbowen: 

Command arguments in sudoers may contain shell-style (glob) wildcards.

Note: a rule such as the following is dangerous

jiangbowen 192.168.30.75=(root) /bin/cat /etc/shadow*

because sudoers compares all of the arguments as a single space-separated string, so the trailing * also matches additional files: the user can run sudo cat /etc/shadow followed by any other path and read files the rule was never meant to expose.
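The matching rules just described (exact program path, exact arguments unless the rule gives none, and arguments compared as one string so that a trailing * swallows extra files), as an added example in POSIX shell. This is not code from the page or from sudo: it is a toy model of sudoers matching that assumes plain user HOST=(runas) command rules with no aliases, tags or negation, ignores the path globbing, symlink resolution and digest checks that real sudo performs, and the rule lines and command lines it tests are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page or from sudo itself): a toy model
# of how a sudoers rule is matched against a request, to show why a trailing
# wildcard such as "/bin/cat /etc/shadow*" grants far more than intended.
# Assumptions (mine): single user/host/runas per rule, no aliases, no tags,
# no negation; the program path is compared literally.

# sudoers_cmd_matches RULE_CMD REQUEST -> 0 if REQUEST is allowed by RULE_CMD
# Both arguments are "path [args]" strings, e.g. "/bin/cat /etc/shadow".
sudoers_cmd_matches() {
    local rule req rule_path rule_args req_path req_args
    rule=$1; req=$2
    rule_path=${rule%% *}
    case $rule in *" "*) rule_args=${rule#* } ;; *) rule_args= ;; esac
    req_path=${req%% *}
    case $req in *" "*) req_args=${req#* } ;; *) req_args= ;; esac

    # 1. The program path must match (real sudo also allows globs here).
    [ "$req_path" = "$rule_path" ] || return 1

    # 2. A rule that lists no arguments permits ANY arguments.
    if [ -z "$rule_args" ]; then return 0; fi

    # 3. A rule whose argument is "" permits the command only WITHOUT arguments.
    if [ "$rule_args" = '""' ]; then
        [ -z "$req_args" ]
        return $?
    fi

    # 4. Otherwise all requested arguments are compared as ONE space-separated
    #    string against a shell-style glob. A "*" therefore also swallows
    #    " /another/file", which is the /etc/shadow* problem.
    case "$req_args" in
        $rule_args) return 0 ;;
        *)          return 1 ;;
    esac
}

# sudoers_rule_allows RULE_LINE USER HOST RUNAS COMMAND -> 0 if allowed
# RULE_LINE is e.g. "jiangbowen 192.168.30.75=(root) /bin/cat /etc/shadow";
# a missing "(runas)" part defaults to root, as in sudo.
sudoers_rule_allows() {
    local line who host runas cmd r_user r_host r_runas r_cmd rest
    line=$1; who=$2; host=$3; runas=$4; cmd=$5
    r_user=${line%% *}
    rest=${line#* }
    r_host=${rest%%=*}
    rest=${rest#*=}
    case "x$rest" in
        "x("*")"*) r_runas=${rest#"("}; r_runas=${r_runas%%")"*}; r_cmd=${rest#*") "} ;;
        *)         r_runas=root; r_cmd=$rest ;;
    esac
    [ "$r_user"  = "$who"   ] || [ "$r_user"  = ALL ] || return 1
    [ "$r_host"  = "$host"  ] || [ "$r_host"  = ALL ] || return 1
    [ "$r_runas" = "$runas" ] || [ "$r_runas" = ALL ] || return 1
    if [ "$r_cmd" = ALL ]; then return 0; fi
    sudoers_cmd_matches "$r_cmd" "$cmd"
}

# Demonstration with constructed input: the page's rule with and without the
# trailing wildcard, tried against two command lines.
demo_rule() {
    local rule cmd
    for rule in '/bin/cat /etc/shadow*' '/bin/cat /etc/shadow'; do
        for cmd in '/bin/cat /etc/shadow' '/bin/cat /etc/shadow /etc/sudoers'; do
            if sudoers_rule_allows "jiangbowen 192.168.30.75=(root) $rule" \
                   jiangbowen 192.168.30.75 root "$cmd"; then
                printf 'rule [%s] ALLOWS  %s\n' "$rule" "$cmd"
            else
                printf 'rule [%s] refuses %s\n' "$rule" "$cmd"
            fi
        done
    done
}
demo_rule
```

Run it with sh: the demonstration at the bottom shows that the wildcard rule allows both cat /etc/shadow and cat /etc/shadow /etc/sudoers, while the exact rule refuses the second. The practical rule that follows is never to end a command specification with a wildcard; list each permitted invocation separately instead.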

   Timestamp files live in /var/run/sudo/ts on CentOS 7 and in /var/db/sudo on CentOS 6. Cached credentials are valid for 5 minutes by default (Defaults timestamp_timeout); after that sudo re-authenticates the user.

[root@CentOS7 sudo]# cd /var/run/sudo/ts
[root@CentOS7 ts]# ll
total 4
-rw-------. 1 root jiangbowen 80 May 25 04:22 jiangbowen  # after 04:27 jiangbowen will have to enter the password again for sudo

sudo's log lines go to /var/log/secure (through syslog's authpriv facility). Both refused and executed commands are recorded with the invoking user, TTY, working directory, target user and command line, which makes this file the first place to look when investigating privilege use.

[root@CentOS7 ts]# tail /var/log/secure
May 25 04:16:59 CentOS7 su: pam_unix(su-l:session): session opened for user jiangbowen by root(uid=0)
May 25 04:17:10 CentOS7 su: pam_unix(su-l:session): session closed for user jiangbowen
May 25 04:21:14 CentOS7 su: pam_unix(su-l:session): session opened for user jiangbowen by root(uid=0)
May 25 04:21:57 CentOS7 unix_chkpwd[11231]: password check failed for user (jiangbowen)
May 25 04:21:57 CentOS7 sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=jiangbowen rhost=  user=jiangbowen
May 25 04:22:00 CentOS7 sudo: pam_unix(sudo:auth): conversation failed
May 25 04:22:00 CentOS7 sudo: pam_unix(sudo:auth): auth could not identify password for [jiangbowen]
May 25 04:22:02 CentOS7 sudo: jiangbowen : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jiangbowen ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 25 04:22:09 CentOS7 sudo: jiangbowen : TTY=pts/0 ; PWD=/home/jiangbowen ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 25 04:26:06 CentOS7 su: pam_unix(su-l:session): session closed for user jiangbowen

Aliases

sudo has four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias (case matters; an alias name consists of uppercase letters, digits and underscores and must start with an uppercase letter).

    Syntax: Alias_Type NAME1 = item1, item2, item3... : NAME2 = item1, item2, item3...

User_Alias NAME1 = user1, #uid2 : NAME2 = user3, #uid4
Host_Alias NAME2 = www.jiangbowen.com.cn, 192.168.30.74/24
Cmnd_Alias DSKCMD = /sbin/parted, /sbin/fdisk

PAM authentication

    PAM (Pluggable Authentication Modules) provides one common mechanism for authenticating all services, and is used by login, remote logins (telnet, rlogin, rsh, ftp, PPP), su and other programs. The system administrator sets a separate authentication policy for each application in the PAM configuration files; application developers call the PAM API (pam_xxx()) from their service programs; PAM module developers use the PAM SPI to write modules that export pam_sm_xxx() functions for the PAM library to call, which is how new authentication mechanisms are added to the system; and the PAM library (libpam) reads the configuration and connects each application with the modules its policy names.

PAM architecture

    The configuration files of individual PAM modules live in /etc/security/
[root@CentOS7 ts]# cd /etc/security/
[root@CentOS7 security]# ll
total 52
-rw-r--r--. 1 root root 4564 Apr 11 11:21 access.conf
-rw-r--r--. 1 root root   82 Apr 11 11:21 chroot.conf
drwxr-xr-x. 2 root root   69 May 23 01:15 console.apps
-rw-r--r--. 1 root root  604 Apr 11 11:21 console.handlers
-rw-r--r--. 1 root root  939 Apr 11 11:21 console.perms
drwxr-xr-x. 2 root root    6 Apr 11 11:21 console.perms.d
-rw-r--r--. 1 root root 3635 Apr 11 11:22 group.conf
-rw-r--r--. 1 root root 2422 Apr 11 11:22 limits.conf
drwxr-xr-x. 2 root root   27 May 23 01:11 limits.d
-rw-r--r--. 1 root root 1440 Apr 11 11:22 namespace.conf
drwxr-xr-x. 2 root root    6 Apr 11 11:22 namespace.d
-rwxr-xr-x. 1 root root 1019 Apr 11 11:22 namespace.init
-rw-------. 1 root root    0 Apr 11 11:22 opasswd
-rw-r--r--. 1 root root 2972 Apr 11 11:21 pam_env.conf
-rw-r--r--. 1 root root 1718 Dec  7  2011 pwquality.conf
-rw-r--r--. 1 root root  419 Apr 11 11:22 sepermit.conf
-rw-r--r--. 1 root root 2179 Apr 11 11:22 time.conf

    The PAM module files live in /lib64/security/ (on 64-bit CentOS 7; /lib/security on 32-bit systems).

    Each application's PAM configuration lives in /etc/pam.d/. The single-file alternative /etc/pam.conf is consulted only when /etc/pam.d/ does not exist, and it is absent by default.

How PAM works

    PAM first determines which service is asking, then loads that service's configuration file from /etc/pam.d/, and finally calls the module files it lists (from /lib64/security/) to carry out the checks.

Look at an application's PAM configuration file (here /etc/pam.d/passwd)

[root@CentOS7 pam.d]# cat passwd
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   substack	system-auth
-password   optional	pam_gnome_keyring.so use_authtok
password   substack	postlogin

    Syntax: module-type control module-path [arguments]

    Module types

auth: authenticates the user (normally by password) and may grant credentials such as group memberships
account: non-authentication account management, for example restricting when a user may use a service, how many users may be logged in at once, or where a user may log in from (e.g. root only on the console)
password: updating authentication tokens, e.g. password-complexity checks when a user changes a password
session: tasks to perform before the user is given the service or after it ends, e.g. logging the open and close, mounting directories, setting resource limits
-module-type: a leading "-" means that a module which cannot be loaded because it is missing is skipped silently and not logged; useful for modules that are not always installed

    Control flags

required: the module must succeed for the stack to succeed, but a failure is not reported to the application immediately; the remaining modules of the same type still run and the failure is returned only at the end, so the user cannot tell which module rejected them. A necessary condition.
requisite: the module must succeed; on failure the rest of the stack is skipped and control returns to the application at once. Also a necessary condition.
sufficient: success of this module ends the stack successfully without running the remaining modules of the same type, provided no earlier required module has already failed; failure of a sufficient module is ignored. A sufficient condition.
optional: the module's result is ignored unless it is the only module in the stack for that type.

include: pull in the lines of the same type from another configuration file (substack is similar, but a done or die action inside the included file ends only the substack, not the caller's whole stack).

    Note: changes to PAM configuration files take effect immediately, so keep at least one root shell open while editing PAM rules in case a mistake locks root out.
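To make the four control flags concrete, here is an added example (not from the page or from Linux-PAM) in POSIX shell that replays libpam's decision logic for one module type over a list of CONTROL:RESULT verdicts. It assumes each module returns success, failure or ignore (the last standing for a skipped module, such as one marked with a leading - that is not installed) and leaves out the full [value=action] syntax. The demonstration at the end uses the su stack discussed later on this page, with constructed verdicts: pam_shells.so failing because the target user's shell is not in /etc/shells, pam_rootok.so succeeding because su is run by root, and pam_unix.so succeeding once a password is typed.

```shell
#!/bin/sh
# Added example (not from the original page or from Linux-PAM): a small model
# of how libpam combines the results of the modules of one type (auth, account,
# ...) under the required / requisite / sufficient / optional control flags.
# Assumption (mine): each module's verdict is given on the command line as
# CONTROL:RESULT, where RESULT is success, failure or ignore ("ignore" stands
# for a module that was skipped, e.g. one marked with a leading "-" that is
# not installed). Real PAM has more return codes and the [..] action syntax.

# pam_eval_stack CONTROL:RESULT ...  -> prints success|failure, returns 0|1
pam_eval_stack() {
    local entry control result impression
    impression=undef        # libpam's running verdict: undef, positive or negative
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        if [ "$result" = ignore ]; then continue; fi
        case $control in
            required|requisite)
                if [ "$result" = success ]; then
                    # success counts only if nothing has failed yet
                    if [ "$impression" = undef ]; then impression=positive; fi
                else
                    # required: remember the failure but keep running the stack,
                    # so the caller (or an attacker) cannot tell which module said no;
                    # requisite: stop immediately.
                    impression=negative
                    if [ "$control" = requisite ]; then break; fi
                fi
                ;;
            sufficient)
                # Success ends the stack successfully, unless a required module
                # has already failed; failure of a sufficient module is ignored.
                if [ "$result" = success ] && [ "$impression" != negative ]; then
                    impression=positive
                    break
                fi
                ;;
            optional)
                # Only decides the outcome when nothing else gave a verdict.
                if [ "$result" = success ] && [ "$impression" = undef ]; then
                    impression=positive
                fi
                ;;
            *)
                echo "unknown control flag: $control" >&2
                return 2
                ;;
        esac
    done
    # No positive verdict at all (e.g. every module was sufficient and failed)
    # is treated as denial, mirroring libpam's final sanity check.
    if [ "$impression" = positive ]; then echo success; return 0; fi
    echo failure
    return 1
}

# Demonstration: the auth stack of /etc/pam.d/su when root runs "su - user"
# and that user's shell is missing from /etc/shells. Constructed verdicts:
# pam_shells.so -> failure, pam_rootok.so -> success (caller is uid 0),
# pam_unix.so from system-auth -> success (root typed the password).
printf 'pam_shells.so first (required, sufficient, required): %s\n' \
    "$(pam_eval_stack required:failure sufficient:success required:success)"
printf 'pam_rootok.so first (sufficient, required, required): %s\n' \
    "$(pam_eval_stack sufficient:success required:failure required:success)"
```

With pam_shells.so first, the remembered required failure stops the sufficient pam_rootok.so from ending the stack early, so root is still asked for a password by system-auth and is then refused; with the stock order, pam_rootok.so ends the stack successfully before pam_shells.so is ever consulted. The order of lines inside a PAM stack is therefore a security control in its own right.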

Commonly used PAM modules

[root@CentOS7 ~]# ls /lib64/security/   # list all PAM modules on the system
pam_access.so    pam_echo.so       pam_fprintd.so        pam_lastlog.so    pam_motd.so              pam_pwquality.so       pam_shells.so      pam_timestamp.so     pam_unix.so
pam_cap.so       pam_env.so        pam_ftp.so            pam_limits.so     pam_namespace.so         pam_rhosts.so          pam_sss.so         pam_tty_audit.so     pam_userdb.so
pam_chroot.so    pam_exec.so       pam_gdm.so            pam_listfile.so   pam_nologin.so           pam_rootok.so          pam_stress.so      pam_umask.so         pam_warn.so
pam_console.so   pam_faildelay.so  pam_gnome_keyring.so  pam_localuser.so  pam_oddjob_mkhomedir.so  pam_securetty.so       pam_succeed_if.so  pam_unix_acct.so     pam_wheel.so
pam_cracklib.so  pam_faillock.so   pam_group.so          pam_loginuid.so   pam_permit.so            pam_selinux_permit.so  pam_systemd.so     pam_unix_auth.so     pam_xauth.so
pam_debug.so     pam_filter        pam_issue.so          pam_mail.so       pam_postgresok.so        pam_selinux.so         pam_tally2.so      pam_unix_passwd.so
pam_deny.so      pam_filter.so     pam_keyinit.so        pam_mkhomedir.so  pam_pwhistory.so         pam_sepermit.so        pam_time.so        pam_unix_session.so

    pam_shells.so checks the login shell of the user being authenticated; if it is not listed in /etc/shells, authentication fails.

[root@CentOS7 ~]# grep pam_shells.so /etc/pam.d/*   # which services use pam_shells.so
/etc/pam.d/vmtoolsd:auth       required         pam_shells.so
/etc/pam.d/vmtoolsd:account    required         pam_shells.so

Add pam_shells.so to the su configuration. It is placed before pam_rootok.so on purpose: a failed required module is remembered for the rest of the stack, so the sufficient pam_rootok.so can no longer end the stack early, and even root is refused (after first being prompted for a password by system-auth, as the transcript below shows).

[root@CentOS7 pam.d]# cat su
#%PAM-1.0
auth  	 	required	pam_shells.so    # placed on the first line so that it runs before pam_rootok.so
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		substack	system-auth
auth		include		postlogin
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		include		postlogin
session		optional	pam_xauth.so

After removing the /bin/csh line from /etc/shells, try to switch with su to a user whose login shell is csh

[root@CentOS7 pam.d]# cat /etc/shells    # /bin/csh is not listed
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
/bin/tcsh
[root@CentOS7 pam.d]# usermod -s /bin/csh jiangbowen   # set jiangbowen's login shell to csh
[root@CentOS7 pam.d]# su - jiangbowen   # su now refuses, even though it is run by root
Password: 
su: Authentication failure
[root@CentOS7 pam.d]# echo /bin/csh >> /etc/shells    # add /bin/csh back to the file
[root@CentOS7 pam.d]# su - jiangbowen   # switching to the csh user now succeeds
Last login: Fri May 25 04:21:14 CST 2018 on pts/0
Last failed login: Sat May 26 03:49:20 CST 2018 on pts/0
There was 1 failed login attempt since the last successful login.
[jiangbowen@CentOS7 ~]$ 

    pam_securetty.so restricts root logins to the terminals listed in /etc/securetty.

[root@CentOS7 pam.d]# grep pam_securetty.so /etc/pam.d/*
/etc/pam.d/login:auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/pam.d/remote:auth       required     pam_securetty.so

Looking at /etc/securetty shows no pts (pseudo-terminal) entries, so root cannot log in through telnet, which allocates a pts device:

[root@CentOS7 pam.d]# telnet 192.168.30.75   # log in as root over telnet
Trying 192.168.30.75...
Connected to 192.168.30.75.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: root
Password: 
Login incorrect    # login refused
[root@CentOS7 pam.d]# echo pts/1 >> /etc/securetty   # add pts terminals to /etc/securetty
[root@CentOS7 pam.d]# echo pts/2 >> /etc/securetty
[root@CentOS7 pam.d]# echo pts/3 >> /etc/securetty
[root@CentOS7 pam.d]# telnet 192.168.30.75
Trying 192.168.30.75...
Connected to 192.168.30.75.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: root     # log in as root
Password: 
Last failed login: Sat May 26 04:09:44 CST 2018 from ::ffff:192.168.30.75 on pts/1
There were 5 failed login attempts since the last successful login.
Last login: Fri May 25 17:24:52 from 192.168.30.1     # login succeeded

Adding pts entries to /etc/securetty defeats the purpose of the module: root may then log in on any pseudo-terminal, over cleartext telnet included. The edit above is shown only to demonstrate how the module works; in practice keep pts devices out of the file and reach root through su or sudo from an unprivileged login. Note also that sshd does not use pam_securetty.so (the grep above lists only login and remote); root logins over SSH are governed by PermitRootLogin in /etc/ssh/sshd_config.

    pam_nologin.so checks whether /etc/nologin exists. If it does, only root may log in; everyone else is refused and shown the contents of /etc/nologin.

[root@CentOS7 pam.d]# grep pam_nologin.so /etc/pam.d/*   # which services use pam_nologin.so
/etc/pam.d/gdm-autologin:account    required    pam_nologin.so
/etc/pam.d/gdm-fingerprint:account     required      pam_nologin.so
/etc/pam.d/gdm-password:account     required      pam_nologin.so
/etc/pam.d/gdm-pin:account     required      pam_nologin.so
/etc/pam.d/gdm-smartcard:account     required      pam_nologin.so
/etc/pam.d/login:account    required     pam_nologin.so
/etc/pam.d/pluto:account required pam_nologin.so
/etc/pam.d/ppp:account    required	pam_nologin.so
/etc/pam.d/remote:account    required     pam_nologin.so
/etc/pam.d/sshd:account    required     pam_nologin.so
[root@CentOS7 pam.d]# echo "I don't welcome you here" > /etc/nologin   # create /etc/nologin
[root@CentOS7 pam.d]# cat /etc/nologin   # show its contents
I don't welcome you here

Remove the file again (rm /etc/nologin) to let ordinary users log in.

    pam_limits.so enforces limits on the resources a user's session may consume.

[root@CentOS7 pam.d]# grep pam_limits.so /etc/pam.d/*
/etc/pam.d/fingerprint-auth:session     required      pam_limits.so
/etc/pam.d/fingerprint-auth-ac:session     required      pam_limits.so
/etc/pam.d/password-auth:session     required      pam_limits.so
/etc/pam.d/password-auth-ac:session     required      pam_limits.so
/etc/pam.d/runuser:session		required	pam_limits.so
/etc/pam.d/smartcard-auth:session     required      pam_limits.so
/etc/pam.d/smartcard-auth-ac:session     required      pam_limits.so
/etc/pam.d/sudo:session    required     pam_limits.so
/etc/pam.d/sudo-i:session    required     pam_limits.so
/etc/pam.d/system-auth:session     required      pam_limits.so
/etc/pam.d/system-auth-ac:session     required      pam_limits.so

Per-user resource limits for pam_limits.so are set in its configuration file /etc/security/limits.conf (and in drop-in files under /etc/security/limits.d/).

    Syntax: domain type item value

    domain: a user name for a single user; @groupname for a group; * for all users (the default entry)

    type: soft, a limit the user may lower or raise again, but never above the hard limit; hard, the ceiling that only root can raise; -, sets both to the same value

    item: nofile, the maximum number of files (sockets included) a process may have open at once; the soft default here is 1024

              nproc, the maximum number of processes the user may run at once; on CentOS 7 /etc/security/limits.d/20-nproc.conf sets a soft limit of 4096 for ordinary users (see limits.conf(5) for the full list of items)

    These limits are applied by pam_limits.so when a session is opened, so a change takes effect at the next login rather than in sessions that are already running.

Resource limits for the current shell and its children can also be changed with the ulimit builtin.

Show the current limits
[root@CentOS7 pam.d]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 5438
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024   # the current maximum number of open files is the default, 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 5438
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Use the ab tool to open 1025 concurrent connections to 192.168.30.75

[root@CentOS7 pam.d]# ab -c 1025 -n 2000 http://192.168.30.75/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.30.75 (be patient)
socket: Too many open files (24)    # every socket is a file descriptor; the soft limit of 1024 is exhausted (errno 24, EMFILE)

Raise the open-file limit with ulimit -n. An unprivileged shell may raise the soft limit only up to the hard limit (ulimit -H -n); anything beyond that needs root or a higher hard limit in limits.conf.

[root@CentOS7 pam.d]# ulimit -n 1200   # raise the maximum number of open files to 1200
[root@CentOS7 pam.d]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 5438
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1200    # raised successfully
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 5438
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
[root@CentOS7 pam.d]# ab -c 1025 -n 2000 http://192.168.30.75/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.30.75 (be patient)   # the connections now succeed
Completed 200 requests
Completed 400 requests
Completed 600 requests
Completed 800 requests
Completed 1000 requests
Completed 1200 requests
Completed 1400 requests
Completed 1600 requests
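The two ab runs above are the manual version of a check that is easy to script: before a load test, confirm that the open-file limit covers the planned concurrency and raise the soft limit when the hard limit allows it. The following is an added example in POSIX shell, not code from the page or from ApacheBench; it assumes a shell whose ulimit builtin accepts -S, -H and -n (bash and dash do), and the limits lowered by simulate_ensure are constructed for the demonstration and affect only a subshell.

```shell
#!/bin/sh
# Added example (not from the original page): the pre-flight check a tester
# would run before "ab -c 1025": is RLIMIT_NOFILE high enough, and can the soft
# limit be raised without touching /etc/security/limits.conf?
# Assumptions (mine): a shell whose ulimit supports -S/-H/-n (bash, dash);
# the numbers passed to simulate_ensure below are constructed for the demo.

# Print the soft (-S) or hard (-H) open-file limit as a number.
nofile_limit() {
    local v
    v=$(ulimit "$1" -n)
    # "unlimited" is normalised to a large number so it can be compared.
    if [ "$v" = unlimited ]; then echo 2147483647; else echo "$v"; fi
}

# ensure_nofile NEEDED
#   returns 0 if the soft limit already covers NEEDED or could be raised to it,
#   returns 1 if the HARD limit is below NEEDED: an unprivileged process cannot
#   raise that; it needs a higher hard limit from limits.conf and a new login
#   (pam_limits.so applies limits when the session opens), or root.
ensure_nofile() {
    local need soft hard
    need=$1
    soft=$(nofile_limit -S)
    hard=$(nofile_limit -H)
    if [ "$soft" -ge "$need" ]; then
        echo "nofile: soft=$soft already covers $need"
        return 0
    fi
    if [ "$hard" -lt "$need" ]; then
        echo "nofile: hard=$hard < $need; raise it in /etc/security/limits.conf and log in again" >&2
        return 1
    fi
    # Raising the soft limit up to the hard limit needs no privilege at all.
    ulimit -S -n "$need" || return 1
    echo "nofile: soft raised $soft -> $(ulimit -S -n) (hard=$hard)"
    return 0
}

# simulate_ensure START_SOFT START_HARD NEEDED
# Runs ensure_nofile in a subshell that first LOWERS its own limits to the given
# values (lowering is always permitted), so the caller's limits are untouched.
# Prints the resulting soft limit, or DENIED when the hard limit blocked it.
simulate_ensure() {
    (
        ulimit -S -n "$1" && ulimit -H -n "$2" || { echo ERR; exit 1; }
        if ensure_nofile "$3" >/dev/null 2>&1; then ulimit -S -n; else echo DENIED; fi
    )
}

# Demonstration: a shell with soft=64 can reach 256 because hard=512 allows it;
# with hard=128 the same request is refused.
echo "soft 64, hard 512, need 256 -> $(simulate_ensure 64 512 256)"
echo "soft 64, hard 128, need 256 -> $(simulate_ensure 64 128 256)"
# Usage on a real host: sh nofile_check.sh 1025   (hypothetical file name)
if [ $# -gt 0 ]; then ensure_nofile "$1"; fi
```

On a real host, sh nofile_check.sh 1025 (a hypothetical file name) either reports that the soft limit is sufficient, raises it, or explains that the hard limit is the blocker; in the last case the fix is a nofile line in /etc/security/limits.conf for the user followed by a fresh login, because pam_limits.so applies limits only when a session opens.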

System resources that pam_limits.so can restrict, with the corresponding ulimit options: