Disabling root login over ssh
Every time I want to reject root logins over ssh from "Tera Term" and allow only specific users to become root, I forget which configuration files to edit ("huh, where was it again?"), so here is a memo (^-^;
The default contents of the configuration file /etc/ssh/sshd_config are as follows:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
----- (rest omitted) -----
Line 46: #PermitRootLogin no ← remove the # to enable it.
References
CentOS Documentation (2. Disable Root Logins)
Restricting which users can become root with su -
The default contents of the configuration file /etc/pam.d/su are as follows:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Line 7: #auth required pam_wheel.so use_uid ← remove the # to enable it.
Line 5: if you also remove the # from #auth sufficient pam_wheel.so trust use_uid, users in the wheel group can become root with su - without being asked for a password.
Add the users who should be able to become root with su - to the wheel group.
Add user hoge to the wheel group! (-a appends to the user's existing supplementary groups; -G on its own would replace them.)
# usermod -aG wheel hoge
# cat /etc/group | grep wheel
wheel:x:10:hoge
Restart the sshd service!
systemctl restart sshd.service
Check whether root can log in from "Tera Term".
It can't. OK!
Check that user hoge can log in from "Tera Term" and become root! OK!
[hoge@localhost ~]$ su -
パスワード:
[root@localhost ~]#
Check the log in /var/log/secure.
# tail /var/log/secure
Sep 20 10:42:51 localhost unix_chkpwd[1933]: password check failed for user (root)
Sep 20 10:42:51 localhost sshd[1929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.XX.XX user=root
Sep 20 10:42:51 localhost sshd[1929]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 20 10:42:53 localhost sshd[1929]: Failed password for root from 192.168.XX.XX port 53560 ssh2
Sep 20 10:42:58 localhost sshd[1929]: Received disconnect from 192.168.XX.XX port 53560:11: authentication cancelled [preauth]
Sep 20 10:42:58 localhost sshd[1929]: Disconnected from authenticating user root 192.168.XX.XX port 53560 [preauth]
Sep 20 10:43:11 localhost sshd[1934]: Accepted password for hoge from 192.168.XX.XX port 53561 ssh2
Sep 20 10:43:11 localhost sshd[1934]: pam_unix(sshd:session): session opened for user hoge by (uid=0)
Sep 20 10:43:19 localhost su[1965]: pam_systemd(su-l:session): Cannot create session: Already running in a session or user slice
Sep 20 10:43:19 localhost su[1965]: pam_unix(su-l:session): session opened for user root by hoge(uid=1001)
The log also shows that the root login was rejected ("Failed password for root from...") and that user hoge logged in and then became root (^^)/
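As an added example (not part of the original memo), the script below automates the two checks this memo does by hand: it resolves the PermitRootLogin value sshd will actually use from a copy of sshd_config, applying the sshd_config(5) rule that the first active value wins and commented lines count for nothing, and it summarises /var/log/secure lines like the ones above into rejected root logins per source and successful su-to-root events. The regular expressions are assumptions written against the log line formats shown above, and the sample log is constructed from them.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines, modelled on the entries shown
# above (192.168.XX.XX is the page's own placeholder address).
SAMPLE_SECURE_LOG = """\
Sep 20 10:42:53 localhost sshd[1929]: Failed password for root from 192.168.XX.XX port 53560 ssh2
Sep 20 10:43:11 localhost sshd[1934]: Accepted password for hoge from 192.168.XX.XX port 53561 ssh2
Sep 20 10:43:19 localhost su[1965]: pam_unix(su-l:session): session opened for user root by hoge(uid=1001)
"""

# Patterns for the three log lines the memo relies on (assumed message formats).
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SU_TO_ROOT = re.compile(r"su\[\d+\]: pam_unix\(su-?l?:session\): session opened for user root by (\w+)\(uid=(\d+)\)")

def effective_permit_root_login(sshd_config_text):
    """Return the PermitRootLogin value sshd will actually use.

    sshd_config(5): for each keyword the FIRST active value wins, so a later
    'PermitRootLogin yes' cannot override an earlier 'no'.  Commented lines
    such as the shipped '#PermitRootLogin no' are not settings at all; with
    no active line, upstream OpenSSH's compiled-in default prohibit-password
    applies (key-based root login still allowed).  Lines after 'Match' are
    conditional and ignored here.
    """
    for line in sshd_config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"

def summarize_secure_log(log_text):
    """Count rejected root ssh logins per source and list who actually became root."""
    failed_root, accepted, su_to_root = Counter(), [], []
    for line in log_text.splitlines():
        if (m := FAILED.search(line)) and m.group(1) == "root":
            failed_root[m.group(2)] += 1                             # rejected root login, per source
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(2), m.group(3), m.group(1)))   # (user, source, auth method)
        elif m := SU_TO_ROOT.search(line):
            su_to_root.append((m.group(1), int(m.group(2))))        # (user, uid) who became root
    return {"failed_root_ssh": failed_root, "accepted_ssh": accepted, "su_to_root": su_to_root}
```

On a live host, feed it the real files (for example `summarize_secure_log(open("/var/log/secure").read())`); `sshd -T` run as root is the authoritative way to confirm the effective PermitRootLogin value.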