I'm working on setting up a multi-user Debian server that thin clients connect to over VNC tunnelled through SSH. The setup itself is not complicated. As part of implementing some common-sense security best practices, we want automatic account lockout after consecutive authentication failures. This is my first time making configuration changes to PAM, so I'm a PAM novice. From the research I've done so far to find the best way to implement this automatic account lockout, there appear to be two PAM modules intended directly for this purpose: pam_tally2.so and pam_faillock.so. We already had some familiarity with faillock on RHEL and Fedora, so that is the route we ultimately decided to take. Debian's PAM configuration is quite different from RHEL/Fedora's, so it took some research, but this is what we ended up with:
Modified /etc/pam.d/common-auth:
# Added faillock preauth
auth required pam_faillock.so preauth
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
# auth requisite pam_deny.so
# replace the default line commented above, but send the same signal
auth [default=die] pam_faillock.so authfail
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Modified /etc/pam.d/common-account:
# reset the fail record on authentication success
account required pam_faillock.so
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
In the preliminary testing done so far, this seems to work exactly as expected. Are we overlooking any potential "gotchas"? pam_tally2.so appears to be the default recommendation for doing this on Debian. That, combined with the lack of reference material on implementing pam_faillock.so on any distribution other than RHEL and Fedora, and my own lack of experience with PAM configuration, makes us a bit nervous that we have overlooked something in the logic of this PAM stack configuration.
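One way to check the stack logic the question asks about, as an added example that is not part of the original post: the Python script below models the control-flag dispatch rules from pam.conf(5) (shorthand keywords expanded to [value=action] tables; the ignore/ok/done/bad/die/N actions applied to the stack's running "impression") and walks the posted common-auth stack with constructed module outcomes that stand in for the real modules, so it runs without PAM. The return code modelled for pam_faillock.so authfail is an assumption; under [default=die] any return value terminates the stack as a failure, so the outcome does not depend on it. It also tries a variant that is not from the question, with preauth marked requisite instead of required.

```python
"""Walk the common-auth stack from the question with Linux-PAM's dispatch rules.

Added example, not code from the original post. It implements the control
semantics documented in pam.conf(5): shorthand keywords expand to
[value=action] tables; the actions ignore/ok/done/bad/die/N update a running
"impression" of the stack. Module return codes come from a constructed table
that stands in for the real modules, so this runs without PAM installed.
"""
import re

# Constructed copy of the common-auth lines posted in the question (comments dropped).
COMMON_AUTH = """
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth required pam_permit.so
"""

# Variant not in the question: make preauth fatal so a locked account is
# rejected before pam_unix ever prompts for a password.
COMMON_AUTH_FAIL_FAST = COMMON_AUTH.replace(
    "auth required pam_faillock.so preauth",
    "auth requisite pam_faillock.so preauth")

# Shorthand keywords as pam.conf(5) expands them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_stack(text):
    """Return [(control_table, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("unparsed line: " + line)
        control, module, args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = SHORTHAND[control]
        stack.append((table, module, args.split()))
    return stack


def run_stack(stack, module_rc):
    """Dispatch the stack the way libpam does.

    module_rc(module, args) returns a PAM code name ("success", "auth_err", ...).
    Returns (impression, status, executed): impression is "positive",
    "negative" or "undef"; executed lists the modules that actually ran.
    """
    impression, status, executed = "undef", None, []
    skip = 0
    for table, module, args in stack:
        if skip:                           # inside a "jump N" from an earlier module
            skip -= 1
            continue
        rc = module_rc(module, args)
        executed.append(" ".join([module] + args))
        action = table.get(rc, table.get("default", "bad"))
        if action.isdigit():               # N: treat as ignore, then skip N modules
            skip = int(action)
        elif action in ("ok", "done"):
            if impression != "negative":   # ok never overrides an earlier failure
                impression, status = "positive", rc
            if action == "done" and impression == "positive":
                break                      # the "sufficient" short-circuit
        elif action in ("bad", "die"):
            if impression != "negative":   # the first failure fixes the status
                impression, status = "negative", rc
            if action == "die":
                break
        # "ignore": the result does not contribute to the stack's status
    if impression == "undef":              # nothing voted: libpam returns PAM_PERM_DENIED
        status = "perm_denied"
    return impression, status, executed


def attempt(password_ok, locked):
    """Constructed module outcomes for one login attempt."""
    def module_rc(module, args):
        if module == "pam_faillock.so" and args[0] == "preauth":
            return "auth_err" if locked else "success"
        if module == "pam_faillock.so" and args[0] == "authfail":
            # Assumption: authfail reports PAM_AUTH_ERR. Under [default=die]
            # every return value ends the stack as a failure, so the outcome
            # does not depend on this choice.
            return "auth_err"
        if module == "pam_unix.so":
            return "success" if password_ok else "auth_err"
        if module == "pam_permit.so":
            return "success"
        raise KeyError(module)
    return module_rc


def login(password_ok, locked=False, stack_text=COMMON_AUTH):
    """Run one login attempt through the given pam.d auth text."""
    return run_stack(parse_stack(stack_text), attempt(password_ok, locked))


if __name__ == "__main__":
    print("good password:", login(True))
    print("wrong password:", login(False))
    print("locked, good password:", login(True, locked=True))
    print("locked, fail-fast preauth:", login(True, locked=True, stack_text=COMMON_AUTH_FAIL_FAST))
```

Two things the trace makes visible: with a correct password the success=1 jump skips the authfail line, so the tally is never touched on a good login, and with preauth marked required a locked account is still put through pam_unix.so (the user is prompted and the password is checked) before the stack reports the failure recorded by preauth; the requisite variant stops at preauth. Whether prompting a locked user is acceptable is a policy choice, but it is worth knowing that required does not short-circuit.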