Linux servers have always been known for stability, efficiency and security. Security is one of the more important aspects: it concerns trade secrets and even the survival of a business. This article describes how to use otpw to generate one-time passwords and how to allow only a specific command to be executed. The translation follows:
I want to allow a friend to log in to my server to download some data, but I only want to allow him to log in 10 times, and after logging in he should only be allowed to run scp and nothing else. How do I do this?
In summary, two things need to be done:
Generate one-time passwords
Only allow the user to run scp
Goal 1: generate one-time passwords
Install otpw
sudo apt-get install otpw-bin libpam-otpw
Configure common-auth
nano /etc/pam.d/common-auth
Find the following line:
auth [success=1 default=ignore] pam_unix.so nullok_secure
Add the following above that line:
auth sufficient pam_otpw.so
session optional pam_otpw.so
When a user logs in, a one-time password login is attempted first; if that fails, the normal login method is used.
Configure the sshd service
Add an otpw configuration file:
nano /etc/pam.d/otpw
Contents:
auth sufficient pam_otpw.so
session optional pam_otpw.so
Make the sshd PAM configuration file include the otpw configuration file:
nano /etc/pam.d/sshd
Find:
@include common-auth
Add one line above it:
@include otpw
After editing, make sure the following 3 parameters in the sshd configuration file are set to yes:
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
Restart the sshd service
service ssh restart
This is the basic otpw configuration. One-time password authentication is enabled only for users whose home directory contains the otpw configuration file (~/.otpw); all other users are unaffected.
The following command generates 4 one-time passwords:
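Before restarting sshd it is worth checking that the edits above actually took effect. The following POSIX shell script is an added example, not part of the original article: it checks that the three sshd directives are effectively "yes" and that the otpw include precedes common-auth in the PAM service file. It assumes the real files are /etc/ssh/sshd_config and /etc/pam.d/sshd (paths are parameters); the sample files at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the sshd
# and PAM edits before restarting sshd.
#  - sshd uses the FIRST uncommented occurrence of a keyword and treats
#    keywords case-insensitively, so the check mirrors that; the
#    "Key=value" spelling is accepted; anything after a "Match" block is
#    conditional and therefore ignored.
#  - in /etc/pam.d/sshd the "@include otpw" line must come BEFORE
#    "@include common-auth", otherwise pam_unix is consulted first.
# File paths are parameters; the samples at the bottom are constructed.

# sshd_effective_value FILE KEYWORD
# Prints the effective global value of KEYWORD in lowercase (empty if unset).
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        tolower($1) == "match" { exit }               # end of the global section
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)                # "Key value" or "Key=value"
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == key) { print tolower(v); exit }  # first occurrence wins
        }' "$1"
}

# sshd_pam_ready FILE
# Returns 0 when the three directives the article requires are all "yes";
# otherwise reports each offender on stderr and returns 1.
sshd_pam_ready() {
    ready_rc=0
    for key in UsePrivilegeSeparation ChallengeResponseAuthentication UsePAM; do
        val=$(sshd_effective_value "$1" "$key")
        if [ "$val" != "yes" ]; then
            printf '%s: %s is "%s", expected yes\n' "$1" "$key" "${val:-unset}" >&2
            ready_rc=1
        fi
    done
    return $ready_rc
}

# pam_otpw_first FILE
# Returns 0 when the first active "@include otpw" precedes the first active
# "@include common-auth" in a PAM service file, 1 otherwise.
pam_otpw_first() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "@include" && $2 == "otpw"        && !o { o = NR }
        $1 == "@include" && $2 == "common-auth" && !c { c = NR }
        END { exit !(o && c && o < c) }' "$1"
}

# Constructed sample files (temporary); on a real host the inputs would be
# /etc/ssh/sshd_config and /etc/pam.d/sshd.
GOOD_SSHD=$(mktemp); BAD_SSHD=$(mktemp); GOOD_PAM=$(mktemp); BAD_PAM=$(mktemp)
trap 'rm -f "$GOOD_SSHD" "$BAD_SSHD" "$GOOD_PAM" "$BAD_PAM"' EXIT
cat > "$GOOD_SSHD" <<'EOF'
Port 22
usePrivilegeSeparation yes
ChallengeResponseAuthentication = yes
UsePAM yes
Match User test
    ChallengeResponseAuthentication no
EOF
cat > "$BAD_SSHD" <<'EOF'
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
UsePrivilegeSeparation yes
EOF
printf '@include otpw\n@include common-auth\n' > "$GOOD_PAM"
printf '@include common-auth\n@include otpw\n' > "$BAD_PAM"

# Stand-alone demo: the exit status says whether each sample passes.
sshd_pam_ready "$GOOD_SSHD" && echo "good sshd sample: ok"
sshd_pam_ready "$BAD_SSHD"  || echo "bad sshd sample: rejected"
pam_otpw_first "$GOOD_PAM"  && echo "good PAM sample: ok"
pam_otpw_first "$BAD_PAM"   || echo "bad PAM sample: rejected"
```

The "bad" sshd sample shows the trap the first-match rule sets: a leftover "ChallengeResponseAuthentication no" earlier in the file silently wins over the "yes" added below it, and keyboard-interactive (and therefore otpw) login never happens.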
otpw-gen -h 5 -w 64
The following command generates 10 one-time passwords:
otpw-gen -h 6 -w 79
The command output is as follows:
Generating random seed ...
If your *** password list is stolen, the thief should not gain
access to your account with this information alone. Therefore, you
need to memorize and enter below a prefix password. You will have to
enter that each time directly before entering the one-time password
(on the same line).
When you log in, a 3-digit password number will be displayed. It
identifies the one-time password on your list that you have to append
to the prefix password. If another login to your account is in progress
at the same time, several password numbers may be shown and all
corresponding passwords have to be appended after the prefix
password. Best generate a new password list when you have used up half
of the old one.
Overwrite existing password list '~/.otpw' (Y/n)?
Enter new prefix password:
Reenter prefix password:
Creating '~/.otpw'.
Generating new one-time passwords ...
OTPW list generated 2014-02-27 01:31 on kali
000 IT4U V3Bk 002 cfFE g=Gj 004 +2ML Ff92 006 kaag Ar:Y 008 VZY8 iGsp
001 9H7n aPhV 003 fcIJ zf/P 005 Qxqf OhgF 007 zPY/ QJOV 009 :N7K 3zEu
!!! REMEMBER: Enter the PREFIX PASSWORD first !!!
SSH login:
login as: test
Using keyboard-interactive authentication.
Password 003:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 9 20:03:23 2013 from 192.168.200.10
test@debian:~$
Assuming your prefix password is "pass", what you actually type for password number 003 is:
passfcIJ zf/P
(No space is needed after the prefix password.)
Create the optw group for one-time-password users and add the user to it:
addgroup optw
adduser test optw
Change the file permissions:
chown root:optw /home/test/.otpw
chmod 640 /home/test/.otpw
Prevent other users from resetting the passwords:
chmod 750 /usr/bin/otpw-gen
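The ownership and mode changes above are easy to get wrong (a later otpw-gen run recreates ~/.otpw with the user's ownership, for instance), so they are worth re-checking. The following POSIX shell audit is an added example, not code from the original article; it assumes a Linux host with GNU or BusyBox stat and takes the home directory and group name as parameters (the article's values are /home/test and optw).

```shell
#!/bin/sh
# Added example, not part of the original article: audit the ownership and
# mode the article sets on ~/.otpw (root:GROUP, 0640) and on otpw-gen (0750).
# Uses "stat -c", so it assumes a Linux host with GNU or BusyBox coreutils.

# perm_check FILE EXPECTED_MODE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 if FILE has exactly that octal mode, owner and group; otherwise
# reports each difference on stderr and returns 1. A missing file fails.
perm_check() {
    file=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$file" ]; then
        printf '%s: missing\n' "$file" >&2
        return 1
    fi
    have=$(stat -c '%a %U %G' "$file") || return 1
    set -- $have                                   # $1=mode $2=owner $3=group
    pc_rc=0
    [ "$1" = "$want_mode" ]  || { printf '%s: mode %s, expected %s\n'  "$file" "$1" "$want_mode"  >&2; pc_rc=1; }
    [ "$2" = "$want_owner" ] || { printf '%s: owner %s, expected %s\n' "$file" "$2" "$want_owner" >&2; pc_rc=1; }
    [ "$3" = "$want_group" ] || { printf '%s: group %s, expected %s\n' "$file" "$3" "$want_group" >&2; pc_rc=1; }
    return $pc_rc
}

# otpw_audit HOME_DIR GROUP
# Checks the two files the article hardens for one user's home directory:
# the password list must be readable by root and GROUP only, and otpw-gen
# must not be executable by other users.
otpw_audit() {
    audit_rc=0
    perm_check "$1/.otpw" 640 root "$2" || audit_rc=1
    perm_check /usr/bin/otpw-gen 750 root root || audit_rc=1
    return $audit_rc
}

# Stand-alone demo with the article's values; problems are printed on stderr.
otpw_audit /home/test optw && echo "otpw files for /home/test look correct"
```

Run the audit after every otpw-gen invocation: the list is regenerated as the user, so the chown/chmod step has to be repeated, and this script makes that omission visible.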
Goal 2: restrict the user to running only scp:
apt-get install rssh
apt-get install scponly
These two custom shells do the following:
rssh restricts what the user can do
scponly is a shell that permits only the scp command.
Now the user's shell can be changed to one of them:
usermod -s /usr/sbin/scponly test
usermod -s /usr/sbin/rssh test
And rssh can be configured in reasonable detail:
nano /etc/rssh.conf
Contents:
# Leave these all commented out to make the default action for rssh to lock
# users out completely...
allowscp
#allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve
# if your chroot_path contains spaces, it must be quoted...
# In the following examples, the chroot_path is "/usr/local/my chroot"
user=test:011:000010:"/opt/scpspace/test chroot" # scp with chroot
Translator's notes:
1. otpw is an open-source implementation of one-time passwords on Linux, similar in function to RSA's SecurID.
2. rssh is a restricted shell that provides many useful features and is simple to configure.
[Translated from vpsboard]