Restricting direct login and su access

On critical systems it is usually considered a bad practice to allow direct remote logins to system users, such as root or other application owners, and shared users, such as oracle. As a method for better control and from the user audit point of view, it is recommended to create different login users that will be allowed to connect and perform switches (su) to users considered critical. No other users should be exposed to the external world to allow direct, remote, or local connections.

In this recipe, we will create a group named logingrp and a user named loginuser1, and we will disable direct logins and su for all other users.

Getting ready

All steps will be performed on nodeorcl1.

How to do it...

  1. Create a designated group for users allowed to log in:
    [root@nodeorcl1 ~]# groupadd logingrp
    
  2. Create a user and assign it to the logingrp group as follows:
    [root@nodeorcl1 ~]# useradd -g logingrp loginuser1
    
  3. To disable direct login for all users, add the following line to /etc/pam.d/system-auth:
    account     required       pam_access.so
    
  4. Uncomment and modify the following line in /etc/security/access.conf (the leading - is the permission field, meaning deny; the users field is ALL EXCEPT logingrp and the origins field is ALL):
    -:ALL EXCEPT logingrp:ALL
    
  5. All logins except for users in the logingrp group will be denied. If we try to connect from nodeorcl5, the connection is closed:
    [loguser1@nodeorcl5 ~]$ ssh -l oracle nodeorcl1
    oracle@nodeorcl1's password:
    Connection closed by 10.241.132.218
    [loguser1@nodeorcl5 ~]$
    
  6. The connection succeeds as loginuser1:
    [loguser1@nodeorcl5 ~]$ ssh -l loginuser1 nodeorcl1
    loginuser1@nodeorcl1's password:
    [loginuser1@nodeorcl1 ~]$
    
  7. To disable the su capability for all users except loginuser1, open /etc/pam.d/su and uncomment the following line, as instructed in the file:
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth            required        pam_wheel.so use_uid
    
  8. At this point, users who do not belong to the wheel group are no longer allowed to switch to another user. Add loginuser1 to the wheel group as follows (note that usermod -G replaces the user's supplementary group list, so use -a -G to append if the user already belongs to other groups). In this way, the only user that may execute the su command will be loginuser1:
    [root@nodeorcl1 etc]# usermod -G wheel loginuser1
    
  9. If you try to execute an su command as the oracle user, you will get an incorrect password message, and the switch cannot be performed:
    [oracle@nodeorcl1 ~]$ su -
    Password: 
    su: incorrect password
    [oracle@nodeorcl1 ~]$ 
    
  10. But as the user loginuser1 it succeeds:
    [loginuser1@nodeorcl1 ~]$ su - 
    Password: 
    [root@nodeorcl1 ~]#
    

How it works...

The PAM module that performs the login check is pam_access.so, with the control flag set to required and the module type set to account. It evaluates the rules in /etc/security/access.conf in order and applies the first rule that matches the user (or one of the user's groups) and the origin of the connection; if no rule matches, access is granted. Control of the su command is performed by the pam_wheel.so module, which, when required, only lets members of the wheel group reach the password prompt.
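To make the first-match evaluation concrete, the following is an added example (not part of the recipe) that models how pam_access reads the rule from step 4 and how pam_wheel gates su. The access.conf text and the group memberships are constructed; the model covers only the +/- permission, ALL, user and group names, (group) syntax, EXCEPT, and ALL/LOCAL/hostname origins, not every feature of the real module.

```python
# Constructed copy of the end state of /etc/security/access.conf from this recipe.
ACCESS_CONF = """\
#-:ALL EXCEPT wheel shutdown sync:LOCAL
-:ALL EXCEPT logingrp:ALL
"""

def _user_matches(item, user, groups):
    """One token of the users field: ALL, (group), or a name tried as user then group."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user or item in groups

def _origin_matches(item, origin):
    """One token of the origins field: ALL, LOCAL, or a host name."""
    if item == "ALL":
        return True
    return item == origin  # 'LOCAL' matches only the literal local origin here

def _field_matches(field, matcher):
    """'A B EXCEPT C D' matches when any of A,B matches and none of C,D does."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    return any(matcher(t) for t in include) and not any(matcher(t) for t in exclude)

def access_decision(conf_text, user, groups, origin):
    """First matching rule wins; no matching rule means access is granted."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split(":", 2)]
        if len(parts) != 3:
            continue  # malformed line, skipped by this model
        perm, users, origins = parts
        if (_field_matches(users, lambda t: _user_matches(t, user, groups))
                and _field_matches(origins, lambda t: _origin_matches(t, origin))):
            return "allow" if perm == "+" else "deny"
    return "allow"

def su_allowed(groups):
    """pam_wheel.so set to required: only wheel members may proceed to the password check."""
    return "wheel" in groups

if __name__ == "__main__":
    print(access_decision(ACCESS_CONF, "oracle", ["oinstall", "dba"], "nodeorcl5"))      # deny
    print(access_decision(ACCESS_CONF, "loginuser1", ["logingrp", "wheel"], "nodeorcl5"))  # allow
```

Running the block reproduces steps 5 and 6: oracle is denied by the rule, while loginuser1 is excluded from it and, since no other rule matches, is allowed.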

There's more...

At this point, all users who do not belong to the logingrp group are not allowed to log in locally or remotely. The only exception is root login using ssh. We will see how to deny remote root logins with ssh in the following recipe, Securing SSH login.
