linux下利用一次性口令實(shí)現(xiàn)安全管理
Linux服務(wù)器一直就是以穩(wěn)定、高效、安全而著稱(chēng)。安全是比較重要的一個(gè)環(huán)節(jié),這關(guān)系到商業(yè)機(jī)密,更關(guān)系到企業(yè)的存亡。本文介紹了如何使用optw生成一次性口令及只允許執(zhí)行特定命令,以下為譯文:
我想允許我的朋友登錄我的服務(wù)器下載一些資料,但是只允許他登錄10次,登陸后只允許執(zhí)行scp命令,不許干別的事情,該怎么辦呢?
歸納起來(lái),完成以下2件事情:
生成一次性口令
只允許用戶(hù)執(zhí)行scp任務(wù)
實(shí)現(xiàn)目標(biāo)1:生成一次性口令
安裝otpw
sudo apt-get install otpw-bin libpam-otpw
配置common-auth
nano /etc/pam.d/common-auth
查找以下行:
auth [success=1 default=ignore] pam_unix.so nullok_secure
在上述行上加入:
auth sufficient pam_otpw.so
session optional pam_otpw.so
用戶(hù)登錄時(shí),首先嘗試使用一次性口令登錄,失敗后,使用正常登錄方法。
配置sshd服務(wù)
增加一個(gè)otpw配置文件:
nano /etc/pam.d/otpw
內(nèi)容如下:
auth sufficient pam_otpw.so
session optional pam_otpw.so
配置sshd配置文件包含otpw配置文件:
nano /etc/pam.d/sshd
查找:
@include common-auth
在上述行上增加一行:
@include otpw
修改sshd配置文件后,確保以下3個(gè)參數(shù)設(shè)置為yes:
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
重新啟動(dòng)sshd服務(wù)
service ssh restart
這是基本的otpw配置. 確保用戶(hù)home目錄下存在文件配置文件 (~/.otpw) 的用戶(hù)才會(huì)啟用一次性口令認(rèn)證. 所有其它用戶(hù)不受影響。
下列命令產(chǎn)生4個(gè)一次性口令:
otpw-gen -h 5 -w 64
下列命令產(chǎn)生10個(gè)一次性口令:
otpw-gen -h 6 -w 79
命令輸出如下:
Generating random seed ...
If your paper password list is stolen, the thief should not gain
access to your account with this information alone. Therefore, you
need to memorize and enter below a prefix password. You will have to
enter that each time directly before entering the one-time password
(on the same line).When you log in, a 3-digit password number will be displayed. It
identifies the one-time password on your list that you have to append
to the prefix password. If another login to your account is in progress
at the same time, several password numbers may be shown and all
corresponding passwords have to be appended after the prefix
password. Best generate a new password list when you have used up half
of the old one.Overwrite existing password list '~/.otpw' (Y/n)?
Enter new prefix password:
Reenter prefix password:Creating '~/.otpw'.
Generating new one-time passwords ...OTPW list generated 2014-02-27 01:31 on kali
000 IT4U V3Bk 002 cfFE g=Gj 004 +2ML Ff92 006 kaag Ar:Y 008 VZY8 iGsp
001 9H7n aPhV 003 fcIJ zf/P 005 Qxqf OhgF 007 zPY/ QJOV 009 :N7K 3zEu!!! REMEMBER: Enter the PREFIX PASSWORD first !!!
SSH登錄:
login as: test
Using keyboard-interactive authentication.
Password 003:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686
The programs included with the Debian GNU/Linux system are free software;the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 9 20:03:23 2013 from 192.168.200.10
test@debian:~$
如果你的前綴口令是 "pass" 實(shí)際輸入的003號(hào)密碼是:
passfcIJ zf/P
(前綴密碼后不需要輸入空格)。
創(chuàng)建optw一次性口令的用戶(hù)組并添加用戶(hù):
addgroup optw adduser test optw
修改文件權(quán)限:
chown root:optw /home/test/.otpw chmod 640 /home/test/.otpw
禁止其它用戶(hù)重置口令:
chmod 750 /usr/bin/otpw-gen
目標(biāo)2.限制用戶(hù)只允許執(zhí)行scp任務(wù):
apt-get install rssh apt-get install scponly
2個(gè)定制的shell分別完成以下任務(wù):
rssh限制用戶(hù)的行為 scponly時(shí)僅有scp命令的一個(gè)shell.
現(xiàn)在,可以修改用戶(hù)的shell:
usermod -s /usr/sbin/scponly test usermod -s /usr/sbin/rssh test
And you can confiure rssh quite descent:
nano /etc/rssh.conf
Content:
# Leave these all commented out to make the default action for rssh to lock # users out completely... allowscp #allowsftp #allowcvs #allowrdist #allowrsync #allowsvnserve # if your chroot_path contains spaces, it must be quoted... # In the following examples, the chroot_path is "/usr/local/my chroot" user=test:011:000010:"/opt/scpspace/test chroot" # scp with chroot
譯者注:
1、optw是linux上的一次性口令的開(kāi)源實(shí)現(xiàn),類(lèi)似于RSA公司Secure ID功能。
2、rssh是受限的shell,提供許多實(shí)用的功能。配置簡(jiǎn)單。
[譯自vpsboard]
