允许多个用户在没有密码的情况下“su”到多个其他用户

Question 1

据我了解，该代码[success=ignore default=1]意味着如果模块返回除成功以外的任何内容，则跳过 1 个模块。也许您需要跳过 2 步才能进入下一个pam_succeed_if？

Answer

据我了解，该代码[success=ignore default=1]意味着如果模块返回除成功以外的任何内容，则跳过 1 个模块。也许您需要跳过 2 步才能进入下一个pam_succeed_if？

Question 2

您需要更改身份验证顺序，如下所示：

auth       [success=1 default=ignore] pam_succeed_if.so user = user1
auth       [success=ignore default=1] pam_succeed_if.so user = user4
auth       sufficient   pam_succeed_if.so use_uid user in user2:user3

Answer

您需要更改身份验证顺序，如下所示：

auth       [success=1 default=ignore] pam_succeed_if.so user = user1
auth       [success=ignore default=1] pam_succeed_if.so user = user4
auth       sufficient   pam_succeed_if.so use_uid user in user2:user3

Question 3

pam_exec.so我正在使用而不是完成它pam_succeedif.so。

紧接着：/etc/pam.d/supam_rootok.so

auth  sufficient             pam_exec.so quiet /etc/pam.d/check_user.sh

在/etc/pam.d/check_user.sh：

#!/bin/bash
[[ -z $PAM_RUSER ]] && PAM_RUSER=$PAM_USER # under some circumstances pam_exec.so does not pass PAM_RUSER to the script
[[ "$PAM_TYPE" == "auth" ]] || exit 1
case "$PAM_RUSER" in
  user1)        USERS="user1 user2" ; ;;
  user3)        USERS="user3 user4" ; ;;
  *)            exit 1 ; ;;
esac
[[ "$USERS" =~ "$PAM_USER" ]]

Answer

pam_exec.so我正在使用而不是完成它pam_succeedif.so。

紧接着：/etc/pam.d/supam_rootok.so

auth  sufficient             pam_exec.so quiet /etc/pam.d/check_user.sh

在/etc/pam.d/check_user.sh：

#!/bin/bash
[[ -z $PAM_RUSER ]] && PAM_RUSER=$PAM_USER # under some circumstances pam_exec.so does not pass PAM_RUSER to the script
[[ "$PAM_TYPE" == "auth" ]] || exit 1
case "$PAM_RUSER" in
  user1)        USERS="user1 user2" ; ;;
  user3)        USERS="user3 user4" ; ;;
  *)            exit 1 ; ;;
esac
[[ "$USERS" =~ "$PAM_USER" ]]

允许多个用户在没有密码的情况下“su”到多个其他用户

答案1

答案2

答案3

相关内容