
Using a PAM module to allow passwordless su between non-root users

Reference: Allow user1 to "su - user2" without password

https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password

Requirement:

From user1, run `su - user2` and get a shell as user2 without being asked for a password.

Method:

# vim /etc/pam.d/su
# Add the following two lines after the pam_rootok.so line.
auth            [success=ignore default=1]      pam_succeed_if.so user = user2
auth            sufficient      pam_succeed_if.so use_uid user = user1

PAM module documentation:

# less /usr/share/doc/pam-1.1.8/txts/README.pam_succeed_if

First, the use_uid part:

    Evaluate conditions using the account of the user whose UID the application
    is running under instead of the user being authenticated.

Then the field format:

Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service

field > number

    Field has a value numerically greater than number.

field in item:item:...

    Field is contained in the list of items separated by colons.

Based on this, user1 can also be allowed to su without a password to several system accounts whose uid falls within a given range.

Experiment:

[root@MyVm] 17:56:55 ~ # id user1
uid=1004(user1) gid=1004(user1) groups=1004(user1)
[root@MyVm] 17:56:59 ~ # id user2
uid=1005(user2) gid=1005(user2) groups=1005(user2)
[root@MyVm] 17:57:00 ~ # id user3
uid=1006(user3) gid=1006(user3) groups=1006(user3)

Modify /etc/pam.d/su:

auth            [success=ignore default=1]      pam_succeed_if.so uid >= 1005
auth            sufficient      pam_succeed_if.so use_uid  user = user1

[root@MyVm] 17:57:49 ~ # su - user1
Last login: Thu Sep  3 17:55:47 CST 2020 on pts/1
[user1@MyVm] 17:57:50 ~ $ su - user2
[user2@MyVm] 17:57:52 ~ $ logout
[user1@MyVm] 17:57:53 ~ $ su - user3
Last login: Thu Sep  3 17:55:54 CST 2020 on pts/1
[user3@MyVm] 17:57:55 ~ $ logout
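To see why the two lines have to sit in this order and what each control field does, here is an added example (not from the original post) that walks an auth stack with PAM's control semantics for both configurations above: the single-target `user = user2` version and the `uid >= 1005` range version. The account table and the stack lines are constructed to match the `id` output and the config shown in the experiment; the pam_unix.so password prompt that follows them in the real file is modelled as "fall off the end of the stack, password required".

```python
import re

# Constructed account table matching the `id` output in the experiment (assumption).
PASSWD = {"root": 0, "user1": 1004, "user2": 1005, "user3": 1006}

# pam_rootok.so from the stock /etc/pam.d/su, followed by the two lines from the article.
PAM_SU_RANGE = [
    "auth  sufficient                  pam_rootok.so",
    "auth  [success=ignore default=1]  pam_succeed_if.so uid >= 1005",
    "auth  sufficient                  pam_succeed_if.so use_uid user = user1",
]
PAM_SU_SINGLE = [
    "auth  sufficient                  pam_rootok.so",
    "auth  [success=ignore default=1]  pam_succeed_if.so user = user2",
    "auth  sufficient                  pam_succeed_if.so use_uid user = user1",
]

# Subset of the comparison operators listed in README.pam_succeed_if.
OPS = {
    "=": lambda a, v: str(a) == v, "!=": lambda a, v: str(a) != v,
    ">=": lambda a, v: int(a) >= int(v), "<": lambda a, v: int(a) < int(v),
    "in": lambda a, v: str(a) in v.split(":"),
}

def succeed_if(args, ruser, target):
    """Evaluate one 'field op value' condition. With use_uid the account tested is
    the calling user (ruser) instead of the user being switched to (target)."""
    tokens = args.split()
    off = 1 if tokens[0] == "use_uid" else 0
    field, op, value = tokens[off], tokens[off + 1], " ".join(tokens[off + 2:])
    account = ruser if off else target
    actual = {"user": account, "uid": PASSWD[account], "ruser": ruser}[field]
    return OPS[op](actual, value)

def su_is_passwordless(stack, ruser, target):
    """Walk the auth stack: 'sufficient' ends the stack with success when its module
    passes; [success=ignore default=N] continues on success and skips N modules on
    failure. Reaching the end means the password modules would run."""
    i = 0
    while i < len(stack):
        control, module, args = re.match(
            r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)", stack[i]).groups()
        ok = ruser == "root" if module == "pam_rootok.so" else succeed_if(args, ruser, target)
        if control == "sufficient":
            if ok:
                return True
            i += 1
            continue
        actions = dict(kv.split("=") for kv in control.strip("[]").split())
        action = actions["success" if ok else "default"]
        i += 1 + (int(action) if action.isdigit() else 0)  # 'ignore' => next line
    return False
```

Tracing `user3 -> user2` or `user1 -> root` through the range stack shows the two guards working together: the `default=1` jump skips the `sufficient` line when the target does not match, and the `use_uid` line fails for any caller other than user1. Note that `uid >= 1005` has no upper bound, so every account created later with a uid at or above 1005 also becomes reachable from user1 without a password; use `uid in ...` or add an upper-bound condition if that is not intended.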

PAM references:

https://www.cnblogs.com/kevingrace/p/8671964.html

Before finding this method, I came across an approach that puts a passwordless ssh login into user1's .bashrc so that it automatically jumps to user2. It barely meets the requirement, but it is roundabout, and user1 is practically useless after that.