使用PAM模块实现普通用户之间su免密切换

参考自:Allow user1 to “su - user2” without password

https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password

需求:

在user1用户下执行: su - user2 免密登录。

我的实验系统版本:

CentOS Linux release 7

方法:

# vim /etc/pam.d/su
#在pam_rootok.so那一行之后添加如下两行。
auth            [success=ignore default=1]      pam_succeed_if.so user = user2
auth            sufficient      pam_succeed_if.so use_uid user = user1

可以理解为:对于名为user2的账号,如果使用su程序的用户名为user1,即可以免密登录

PAM模块文档:

# less /usr/share/doc/pam-1.1.8/txts/README.pam_succeed_if

 

首先是 use_uid部分

    Evaluate conditions using the account of the user whose UID the application
    is running under instead of the user being authenticated.

 然后看fields格式

Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service

field > number

    Field has a value numerically greater than number.

field in item:item:...

    Field is contained in the list of items separated by colons.

 

据此,还可以实现从user1免密su到uid 为某个范围的多个系统用户

实验:

[root@MyVm] 17:56:55 ~ # id user1
uid=1004(user1) gid=1004(user1) groups=1004(user1)
[root@MyVm] 17:56:59 ~ # id user2
uid=1005(user2) gid=1005(user2) groups=1005(user2)
[root@MyVm] 17:57:00 ~ # id user3
uid=1006(user3) gid=1006(user3) groups=1006(user3)

 

修改/etc/pam.d/su:

auth            [success=ignore default=1]      pam_succeed_if.so uid >= 1005
auth            sufficient      pam_succeed_if.so use_uid  user = user1

 可以理解为:对于UID>=1005的账号,如果使用su程序的用户名为user1,即可以免密登录

[root@MyVm] 17:57:49 ~ # su - user1
Last login: Thu Sep  3 17:55:47 CST 2020 on pts/1
[user1@MyVm] 17:57:50 ~ $ su - user2
[user2@MyVm] 17:57:52 ~ $ logout
[user1@MyVm] 17:57:53 ~ $ su - user3
Last login: Thu Sep  3 17:55:54 CST 2020 on pts/1
[user3@MyVm] 17:57:55 ~ $ logout

 

反之,允许多个账号su免密到某个(些)账号,可以配置为:

auth            [success=ignore default=1]      pam_succeed_if.so uid = 1001
auth            sufficient      pam_succeed_if.so use_uid  uid > 1001

 

PAM模块资料:

https://www.cnblogs.com/kevingrace/p/8671964.html

 

找到这个方法之前,发现一种用利用把ssh免密加入到user1的 .bashrc 来实现自动跳转user2的方法,勉强满足需求,但是有点绕远,而且user1差不多是废了。

 

附:利用pam认证模块实现一个免密登陆后门
 
https://cloud.tencent.com/developer/article/1047280
posted @ 2020-09-03 18:12  M1927  阅读(964)  评论(0编辑  收藏  举报