使用PAM模块实现普通用户之间su免密切换

  • A+
所属分类:linux技术
摘要

https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password在user1用户下执行: su – user2 免密登录。


参考自:Allow user1 to “su - user2” without password

https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password

需求:

在user1用户下执行: su - user2 免密登录。

我的实验系统版本:

CentOS Linux release 7

方法:

# vim /etc/pam.d/su #在pam_rootok.so那一行之后添加如下两行。 auth            [success=ignore default=1]      pam_succeed_if.so user = user2 auth            sufficient      pam_succeed_if.so use_uid user = user1 

可以理解为:对于名为user2的账号,如果使用su程序的用户名为user1,即可以免密登录

PAM模块文档:

# less /usr/share/doc/pam-1.1.8/txts/README.pam_succeed_if 

 

首先是 use_uid部分

    Evaluate conditions using the account of the user whose UID the application     is running under instead of the user being authenticated. 

 然后看fields格式

Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service  field > number      Field has a value numerically greater than number.  field in item:item:...      Field is contained in the list of items separated by colons. 

 

据此,还可以实现从user1免密su到uid 为某个范围的多个系统用户

实验:

[root@MyVm] 17:56:55 ~ # id user1 uid=1004(user1) gid=1004(user1) groups=1004(user1) [root@MyVm] 17:56:59 ~ # id user2 uid=1005(user2) gid=1005(user2) groups=1005(user2) [root@MyVm] 17:57:00 ~ # id user3 uid=1006(user3) gid=1006(user3) groups=1006(user3) 

 

修改/etc/pam.d/su:

auth            [success=ignore default=1]      pam_succeed_if.so uid >= 1005 auth            sufficient      pam_succeed_if.so use_uid  user = user1 

 可以理解为:对于UID>=1005的账号,如果使用su程序的用户名为user1,即可以免密登录

[root@MyVm] 17:57:49 ~ # su - user1 Last login: Thu Sep  3 17:55:47 CST 2020 on pts/1 [user1@MyVm] 17:57:50 ~ $ su - user2 [user2@MyVm] 17:57:52 ~ $ logout [user1@MyVm] 17:57:53 ~ $ su - user3 Last login: Thu Sep  3 17:55:54 CST 2020 on pts/1 [user3@MyVm] 17:57:55 ~ $ logout 

 

反之,允许多个账号su免密到某个(些)账号,可以配置为:

auth            [success=ignore default=1]      pam_succeed_if.so uid = 1001 auth            sufficient      pam_succeed_if.so use_uid  uid > 1001

 

PAM模块资料:

https://www.cnblogs.com/kevingrace/p/8671964.html

 

找到这个方法之前,发现一种用利用把ssh免密加入到user1的 .bashrc 来实现自动跳转user2的方法,勉强满足需求,但是有点绕远,而且user1差不多是废了。