参考自:Allow user1 to “su - user2” without password
https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password
需求:
在user1用户下执行: su - user2 免密登录。
我的实验系统版本:
CentOS Linux release 7
方法:
# vim /etc/pam.d/su #在pam_rootok.so那一行之后添加如下两行。 auth [success=ignore default=1] pam_succeed_if.so user = user2 auth sufficient pam_succeed_if.so use_uid user = user1
可以理解为:对于名为user2的账号,如果使用su程序的用户名为user1,即可以免密登录
PAM模块文档:
# less /usr/share/doc/pam-1.1.8/txts/README.pam_succeed_if
首先是 use_uid部分
Evaluate conditions using the account of the user whose UID the application
is running under instead of the user being authenticated.
然后看fields格式
Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service
field > number
Field has a value numerically greater than number.
field in item:item:...
Field is contained in the list of items separated by colons.
据此,还可以实现从user1免密su到uid 为某个范围的多个系统用户
实验:
[root@MyVm] 17:56:55 ~ # id user1 uid=1004(user1) gid=1004(user1) groups=1004(user1) [root@MyVm] 17:56:59 ~ # id user2 uid=1005(user2) gid=1005(user2) groups=1005(user2) [root@MyVm] 17:57:00 ~ # id user3 uid=1006(user3) gid=1006(user3) groups=1006(user3)
修改/etc/pam.d/su:
auth [success=ignore default=1] pam_succeed_if.so uid >= 1005 auth sufficient pam_succeed_if.so use_uid user = user1
可以理解为:对于UID>=1005的账号,如果使用su程序的用户名为user1,即可以免密登录
[root@MyVm] 17:57:49 ~ # su - user1 Last login: Thu Sep 3 17:55:47 CST 2020 on pts/1 [user1@MyVm] 17:57:50 ~ $ su - user2 [user2@MyVm] 17:57:52 ~ $ logout [user1@MyVm] 17:57:53 ~ $ su - user3 Last login: Thu Sep 3 17:55:54 CST 2020 on pts/1 [user3@MyVm] 17:57:55 ~ $ logout
反之,允许多个账号su免密到某个(些)账号,可以配置为:
auth [success=ignore default=1] pam_succeed_if.so uid = 1001
auth sufficient pam_succeed_if.so use_uid uid > 1001
PAM模块资料:
https://www.cnblogs.com/kevingrace/p/8671964.html
找到这个方法之前,发现一种用利用把ssh免密加入到user1的 .bashrc 来实现自动跳转user2的方法,勉强满足需求,但是有点绕远,而且user1差不多是废了。
附:利用pam认证模块实现一个免密登陆后门
https://cloud.tencent.com/developer/article/1047280