A complete guide to SSH and PAM modules: creating a more secure remote login environment!

Latest update time: 2024-10-29
Link: https://www.cnblogs.com/civetcat/p/18180295  

.ssh/known_hosts        stores the fingerprints (host keys) of hosts you have connected to over ssh
sshd                    server side
/etc/ssh/sshd_config    server-side configuration file
man 5 sshd_config       help for the server-side configuration file
echo root:1111 | chpasswd     change a password non-interactively
openssl rand -base64 9        generate a random password: 9 random bytes, base64-encoded

Common sshd_config parameters:

Port 22                       # production advice: change this
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes           # Ubuntu does not allow root to log in over ssh by default
StrictModes yes               # check the owner, permissions, etc. of the files under .ssh/
MaxAuthTries 6                # maximum number of authentication attempts permitted per connection; once the number of failures reaches half this value, additional failures are logged. The default is 6
MaxSessions 10                # maximum number of sessions per connection
PubkeyAuthentication yes      # key-based authentication
PermitEmptyPasswords no       # allow connections with an empty password
PasswordAuthentication yes    # username-and-password authentication
GatewayPorts no
ClientAliveInterval 10        # unit: seconds
ClientAliveCountMax 3         # default 3
UseDNS yes                    # can be set to no to speed up logins
GSSAPIAuthentication yes      # can be set to no to speed up logins
MaxStartups                   # maximum number of unauthenticated connections, default 10
Banner /path/file
# The following directives restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
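As an added example (not part of the original notes), the following POSIX shell plus awk script reads an sshd_config and reports the settings from the list above that weaken a server: root login, password or empty-password authentication, a generous MaxAuthTries, no AllowUsers/AllowGroups restriction, no keepalive, and the default port. The sample configuration, the thresholds and the wording of the findings are constructed for illustration. One detail worth knowing when auditing: sshd applies the first occurrence of a keyword, not the last, so the script keeps the first value it sees.

```shell
#!/bin/sh
# Constructed sample sshd_config (illustration only, not a real server's file).
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes   # trailing comment
PermitEmptyPasswords no
MaxAuthTries 6
ClientAliveInterval 10
ClientAliveCountMax 3
AllowUsers user1 user2
'

# sshd_audit: read an sshd_config on stdin, print one finding per line,
# exit 0 when nothing is flagged and 1 otherwise.
sshd_audit() {
  awk '
  function flag(msg) { findings++; print msg }
  BEGIN { findings = 0 }
  {
    sub(/#.*/, "")                        # drop comments; $0 is re-split into fields
    if (NF < 2) next
    key = tolower($1); val = tolower($2)
    if (!(key in seen)) seen[key] = val   # sshd honours the FIRST occurrence of a keyword
  }
  END {
    if (seen["permitrootlogin"] == "yes")
      flag("PermitRootLogin yes: prefer prohibit-password or no")
    if (seen["passwordauthentication"] != "no")
      flag("PasswordAuthentication not disabled (default yes): passwords can be guessed online, prefer keys")
    if (seen["permitemptypasswords"] == "yes")
      flag("PermitEmptyPasswords yes: accounts with an empty password can log in")
    tries = ("maxauthtries" in seen) ? seen["maxauthtries"] + 0 : 6
    if (tries > 3)
      flag("MaxAuthTries " tries ": lower it to cap guesses per connection")
    if (!("allowusers" in seen) && !("allowgroups" in seen))
      flag("no AllowUsers/AllowGroups: every account with a shell may log in")
    if (!("clientaliveinterval" in seen) || seen["clientaliveinterval"] + 0 == 0)
      flag("ClientAliveInterval unset or 0: dead sessions are never dropped")
    if (!("port" in seen) || seen["port"] == "22")
      flag("Port 22: the notes above suggest moving off the default port in production")
    exit (findings > 0 ? 1 : 0)
  }'
}

# Usage: printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_audit   (or: sshd_audit < /etc/ssh/sshd_config)
```

Run it against the real file with `sshd_audit < /etc/ssh/sshd_config`; a non-zero exit status makes it easy to wire into a configuration check job.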

Enable root remote ssh login on Ubuntu

# edit the sshd service configuration file
vim /etc/ssh/sshd_config
#PermitRootLogin prohibit-password   # comment out this line
PermitRootLogin yes                  # and replace it with this form
systemctl restart sshd

ssh (telnet Pro)
ssh connects directly to the host and stores the other party's public key and fingerprint (the fingerprint is unique; to delete a stored fingerprint, edit .ssh/known_hosts).
To accept the host key automatically: ssh -o StrictHostKeyChecking=no, or set StrictHostKeyChecking no in the client configuration file.

sshpass: tool for automatic (non-interactive) ssh login

-p   the password follows on the command line
-f   a file containing the password
-e   take the password from the SSHPASS environment variable
sshpass -p 123465 ssh -o StrictHostKeyChecking=no 10.1.1.1 'hostname'

Public key exchange principle

ssh-keygen                    generate a public/private key pair
ssh-copy-id root@10.1.1.1     send the public key to another host
Enhanced version (using one key pair for every host solves the problem that, when many hosts ssh to each other, each host would otherwise need to create its own key pair, which adds complexity):
ssh-keygen                                                            # generate a public/private key pair
sshpass -p $pass ssh-copy-id -o StrictHostKeyChecking=no 127.0.0.1    # copy the public key to this host itself
rsync -a .ssh 10.0.0.#id:/root/                                       # send this host's public/private key pair to the other hosts
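As an added example (not part of the original notes), here is what ssh-copy-id does on the receiving side, written as a POSIX shell function so the details are visible: the key is appended to authorized_keys only once, and the directory and file get the modes that sshd's StrictModes check (see the parameter list above) insists on, 700 for .ssh and 600 for authorized_keys. The sample key line is constructed and is not a real key. Note that the "enhanced version" above copies the private key to every host with rsync; the more common design is to keep private keys on the host that originates connections and distribute only public keys, because a shared private key turns the compromise of any one host into access to all of them.

```shell
#!/bin/sh
# Constructed sample public key line (not a real key; the blob is a placeholder).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERblobNotARealKey0000000000 alice@laptop'

# file_mode: print the octal permission bits of a path (GNU stat, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey <home-dir> <public-key-line>
# Appends one public key to <home-dir>/.ssh/authorized_keys, idempotently, and
# applies the modes sshd's StrictModes check expects: .ssh 700, authorized_keys 600.
# Exit status: 0 installed or already present, 2 the key line was rejected.
install_pubkey() (
  home=$1; key=$2
  sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"

  # Accept only a line that starts with a known key type.
  case $key in
    'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'sk-ssh-ed25519@openssh.com '*) ;;
    *) echo "install_pubkey: rejected key line" >&2; exit 2 ;;
  esac
  # Refuse embedded newlines: a second line would silently become a second key.
  NL=$(printf '\nx'); NL=${NL%x}
  case $key in
    *"$NL"*) echo "install_pubkey: key must be a single line" >&2; exit 2 ;;
  esac

  umask 077                             # new files are private from the start
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$ak" && chmod 600 "$ak"

  # Deduplicate on the key blob (field 2) so a changed comment does not add a second entry.
  blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
  if grep -qF -- "$blob" "$ak"; then
    exit 0
  fi
  printf '%s\n' "$key" >> "$ak"
)

# key_count <home-dir>: number of lines (keys) in the authorized_keys file.
key_count() {
  grep -c '' "$1/.ssh/authorized_keys"
}
```

The function body runs in a subshell so the `umask` change does not leak into the caller's shell.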

scp

Copy a file from the local machine to a remote host:
scp file.txt user@remote_host:/path/to/destination
Copy a file from a remote host to the local machine:
scp user@remote_host:/path/to/file.txt /local/destination
Copy an entire directory from a remote host to the local machine:
scp -r user@remote_host:/path/to/directory /local/destination
Copy an entire directory from the local machine to a remote host:
scp -r /local/directory user@remote_host:/path/to/destination
Copy a file using a custom SSH port:
scp -P 2222 file.txt user@remote_host:/path/to/destination
Compress the transfer and cap its bandwidth (-l is in Kbit/s):
scp -C -l 1000 file.txt user@remote_host:/path/to/destination

rsync (scp Pro):

-a, --archive: archive mode; copies recursively and preserves all file attributes.
Example: rsync -a source/ destination/
-v, --verbose: verbose output, showing what rsync is doing.
Example: rsync -av source/ destination/
-r, --recursive: copy directories and their contents recursively.
Example: rsync -r source/ destination/
-u, --update: copy only files that are newer on the source than on the destination.
Example: rsync -u source/ destination/
-n, --dry-run: simulate the run, showing what rsync would do without actually doing it.
Example: rsync -nav source/ destination/
-z, --compress: compress data during transfer to reduce bandwidth use.
Example: rsync -az source/ destination/
-P, --partial --progress: show transfer progress and keep partially transferred files so interrupted transfers can resume.
Example: rsync -avP source/ destination/
-e, --rsh=COMMAND: specify the remote shell used for the transfer.
Example: rsync -av -e "ssh -p 22" source/ user@remote:/destination
--delete: delete files on the destination that do not exist on the source.
Example: rsync -av --delete source/ destination/
--exclude=PATTERN: exclude the specified files or directories.
Example: rsync -av --exclude='*.log' source/ destination/

sudo authorization
/etc/sudoers    authorization configuration

user: the identity of the person running the command
host: from which hosts
(runas): as which user
command: which commands may be run

Configuration example:
root ALL=(ALL) ALL
Example: wang 10.0.0.1=(root) NOPASSWD: /usr/bin/mount /dev/cdrom /mnt    # NOPASSWD: no password required
Allows user wang to run the specified command as root on 10.0.0.1 without entering a password.
Alias example:
User_Alias Z=ZZ,LL
User_Alias D=tom
Host_Alias S=www.1.com
Runas_Alias O=root
Cmnd_Alias SY=/bin/chown,/bin/chmod
ZS=SY
Default runas example:
Defaults:wang runas_default=tom
wang ALL=(tom,jerry) ALL
wang$ sudo cmd            # by default runs cmd as tom
wang$ sudo -u jerry cmd
Deny example:
wang 192.168.1.6,192.168.1.8=(root) /usr/sbin/,!/usr/sbin/useradd

PAM (modules)
A module is part of the Linux kernel; a program only needs to call the module to use the kernel's functionality.

/etc/pam.d/          per-service configuration files
/lib64/security/     module files
/etc/security/       module configuration files

PAM configuration format (a separate configuration file is only needed when the program is complex):
application type control module-path arguments

application: the service name, e.g. telnet, login, ftp; the service name "OTHER" stands for every service not explicitly configured in the file
type: the module type, i.e. its function
control: how the PAM library handles success or failure of the PAM module for this service, expressed with one keyword
module-path: the path of the program file that implements this module
arguments: parameters passed to the module

Module Types
auth: A module for user authentication. When a user tries to log in, the specified module will be used for authentication.
account: A module for account management. For example, checking if a user is locked out or if login is allowed.
password: A module for changing a user's password. For example, allowing a user to change their password in a specific way.
session: A module for session management when a user logs in and out. For example, logging user login and logout events.

control
1. required: Successful authentication of the module is required. If authentication fails, PAM will return failure immediately and will not continue to execute subsequent modules. If authentication succeeds, it will continue to execute subsequent modules.
2. sufficient: If the module successfully authenticates, PAM will return success immediately and will not continue to execute subsequent modules. If authentication fails, it will continue to execute subsequent modules. If all sufficient modules fail, authentication fails.
3. requisite: Similar to required, but if authentication fails, PAM will return failure immediately and will not continue to execute subsequent modules. If authentication succeeds, it will continue to execute subsequent modules.
4. optional: Successful authentication of the module is optional. PAM will continue to execute subsequent modules even if authentication fails. Usually used with required or sufficient.
5. include: Include configuration from another PAM configuration file. This allows configuration of other services to be reused in the configuration.
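As an added example (not part of the original notes), the following POSIX shell/awk function models how libpam combines a stack of module results under the four simple control keywords, following the rules in pam.conf(5). One point a practitioner should keep in mind: per pam.conf(5), a failing required module is remembered but does not stop the stack, the remaining modules still run and the overall result is failure, which prevents a caller from learning which module rejected them; it is requisite whose failure ends the stack at once. A sufficient success ends the stack with success unless an earlier required module already failed, and optional only decides the outcome when it is the sole module. The module results fed in (ok/fail) are constructed; no real PAM module is called.

```shell
#!/bin/sh
# pam_stack_eval: read lines of "<control> <result>" (result is ok or fail) on stdin,
# in stack order, and print "<final-result> <modules-consulted>".
# Models the simple control keywords of pam.conf(5); no real PAM module is invoked.
pam_stack_eval() {
  awk '
  BEGIN { req_failed = 0; ok_seen = 0; n = 0; opt = ""; done = 0; result = "fail" }
  /^[[:space:]]*#/ { next }              # skip comments
  NF == 0 { next }                       # skip blank lines
  {
    ctrl = $1; res = $2; n++
    if (ctrl == "required") {
      # Failure is recorded but the stack keeps running; later modules still execute.
      if (res == "fail") req_failed = 1; else ok_seen = 1
    } else if (ctrl == "requisite") {
      # Failure ends the stack immediately with a failure.
      if (res == "fail") { done = 1; exit }
      ok_seen = 1
    } else if (ctrl == "sufficient") {
      # Success ends the stack with success, unless a required module already failed.
      if (res == "ok" && !req_failed) { result = "ok"; done = 1; exit }
    } else if (ctrl == "optional") {
      # Decides the outcome only when it is the sole module in the stack.
      opt = res
    } else {
      done = 1; exit                     # unknown control keyword: treat as failure
    }
  }
  END {
    if (!done) {
      if (req_failed) result = "fail"
      else if (ok_seen) result = "ok"
      else if (n == 1 && opt != "") result = opt
      else result = "fail"
    }
    print result, n
  }'
}

# Constructed stacks; the results stand in for what each module would return.
STACK_SUFFICIENT_SHORTCIRCUIT='required ok
sufficient ok
required fail'
STACK_REQUIRED_CONTINUES='required fail
required ok'
STACK_REQUISITE_STOPS='requisite fail
required ok'

# Usage: printf '%s\n' "$STACK_REQUIRED_CONTINUES" | pam_stack_eval
```

The second number in the output is the count of modules consulted; comparing the required and requisite stacks shows that required runs the second module while requisite does not.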



module-path
The absolute path where the module file is located

Arguments
debug: the module should write debugging information to the system log via syslog()
no_warn: the module should not send warning messages to the application
use_first_pass: the module must not prompt the user for a password; it may only take the password already obtained by a previous module
try_first_pass: the module first tries the password obtained by a previous module; if that fails verification, it prompts the user for a new password
use_mapped_pass: the module must not prompt the user for a password, but uses the mapped password instead
expose_account: allows the module to display the user's account name and other information. It should generally only be used in a secure environment, because leaking usernames poses a certain degree of threat to security.

Common modules:

pam_nologin.so (restricts ordinary user logins)
Once enabled, just create the nologin file under pam.d and ordinary users can no longer log in remotely.
{On CentOS 7 and later, systemd replaces the earlier SysV init and the scope of /etc/security/limits.conf is narrowed: its settings apply only to the resource limits of users who log in through PAM authentication, and do not affect the resource limits of systemd services. Limits for logged-in users can therefore be set through /etc/security/limits.conf and the files under /etc/security/limits.d. For the resource settings of systemd services, the global configuration must be modified. The global configuration files are /etc/systemd/system.conf and /etc/systemd/user.conf; all .conf files in the corresponding directories /etc/systemd/system.conf.d/*.conf and /etc/systemd/user.conf.d/*.conf are also loaded. system.conf is used by the system instance and user.conf by the user instance.}

pam_limits.so
pam_limits.so is a module in the PAM (Pluggable Authentication Modules) framework, used to set and manage user resource limits. It controls the resource usage of user processes through the configuration file /etc/security/limits.conf and the files in the /etc/security/limits.d/ directory, thereby helping administrators prevent resource abuse and maintain system stability.

Function and purpose
The pam_limits.so module is mainly used to set the following resource limits:

core: maximum core file size (in blocks).
data: maximum size of a process's data segment (in KB).
fsize: maximum file size (in KB).
memlock: amount of memory a process may lock (in KB).
nofile: maximum number of file descriptors a process may have open.
rss: maximum resident set size of a process (in KB).
stack: maximum stack size of a process (in KB).
cpu: maximum CPU time of a process (in minutes).
nproc: maximum number of processes a user may own.
as: address space limit of a process (in KB).
maxlogins: maximum number of simultaneous login sessions for a user.
priority: process scheduling priority.
locks: maximum number of file locks a process may hold.
sigpending: maximum number of signals a process may have queued.
msgqueue: maximum size of message queues (in bytes).
nice: process scheduling priority (nice value).
rtprio: real-time scheduling priority.

Configuration file
/etc/security/limits.conf
This is the main configuration file used to define resource limits. Its format is:

<domain>    <type>    <item>    <value>

domain: a user name, a group name (prefixed with @), or * (meaning all users).
type: soft (soft limit) or hard (hard limit).
item: the resource type to limit.
value: the limit value.

# limit the maximum number of open files for all users to 1024
* soft nofile 1024
* hard nofile 4096

# limit user foo to at most 50 processes
foo soft nproc 50
foo hard nproc 100

# limit group admin to a maximum core file size of 0
@admin hard core 0

# limit the maximum virtual memory of all users to 500000 KB
* soft as 500000
* hard as 1000000

/etc/security/limits.d/ directory
In this directory administrators can add further configuration files, which pam_limits.so reads and applies. This makes it easy to separate and organize different sets of limit rules.
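As an added example (not part of the original notes), here is a small lint for limits.conf fragments in POSIX shell plus awk. pam_limits.so silently ignores lines it cannot parse, so a typo in an item name such as nofile means the limit is never applied; the lint checks the four-field layout, the type keyword, the item name against the list above, the value syntax, and that no soft limit exceeds the matching hard limit. The sample fragment is constructed and its last two lines are deliberately wrong.

```shell
#!/bin/sh
# Constructed limits.conf fragment; the last two lines are deliberately wrong.
SAMPLE_LIMITS_CONF='# constructed sample
*        soft    nofile   1024
*        hard    nofile   4096
foo      soft    nproc    50
foo      hard    nproc    100
@admin   hard    core     0
bob      soft    nofile   8192
bob      hard    nofile   4096
alice    hard    nofiles  100'

# limits_lint: read limits.conf lines on stdin, print one message per problem,
# exit 0 if clean and 1 otherwise. Checks field count, type keyword, item name,
# value syntax, and that no soft limit exceeds the hard limit for the same domain/item.
limits_lint() {
  awk '
  function err(msg) { errors++; print "line " NR ": " msg }
  BEGIN {
    errors = 0
    # item names as listed in the pam_limits notes above
    n = split("core data fsize memlock nofile rss stack cpu nproc as maxlogins priority locks sigpending msgqueue nice rtprio", items, " ")
    for (i = 1; i <= n; i++) known[items[i]] = 1
  }
  { sub(/#.*/, "") }                     # strip comments; $0 is re-split
  NF == 0 { next }
  NF != 4 { err("expected 4 fields: <domain> <type> <item> <value>"); next }
  {
    dom = $1; type = $2; item = $3; val = $4
    if (type != "soft" && type != "hard" && type != "-") err("type must be soft, hard or -")
    if (!(item in known)) err("unknown item \"" item "\"")
    if (val != "unlimited" && val !~ /^-?[0-9]+$/) err("value must be an integer or unlimited")
    limit[dom, item, type] = (val == "unlimited") ? "inf" : val + 0
  }
  END {
    # A soft limit above the hard limit is a configuration error: the hard limit wins.
    for (k in limit) {
      split(k, p, SUBSEP)
      hk = p[1] SUBSEP p[2] SUBSEP "hard"
      if (p[3] != "soft" || !(hk in limit)) continue
      h = limit[hk]; s = limit[k]
      if (h != "inf" && (s == "inf" || s > h)) {
        errors++; print p[1] " " p[2] ": soft limit " s " exceeds hard limit " h
      }
    }
    exit (errors > 0 ? 1 : 0)
  }'
}

# Usage: printf '%s\n' "$SAMPLE_LIMITS_CONF" | limits_lint   (or: limits_lint < /etc/security/limits.conf)
```

Run it over /etc/security/limits.conf and every file in /etc/security/limits.d/ after an edit; the non-zero exit status is meant for a pre-deployment check.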


ulimit command

-H          set hard resource limits
-S          set soft resource limits
-a          show all current resource limits
-c size     maximum core file size, unit: blocks
-d size     maximum data segment size, unit: kbytes
-f size     maximum size of files created, unit: blocks
-l size     maximum amount of memory a process may lock, unit: kbytes
-m size     maximum resident memory, unit: kbytes
-n size     maximum number of file descriptors that may be open at once, unit: count
-p size     maximum pipe buffer size, unit: kbytes
-s size     maximum stack size, unit: kbytes
-t size     maximum CPU time, unit: seconds
-u size     maximum number of user processes
-v size     maximum virtual memory, unit: kbytes
unlimited is a special value meaning no limit
# Notes
When querying, if neither -H nor -S is given, the soft limit is shown by default.
When modifying, if neither -H nor -S is given, both limits are changed together.
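As an added example (not part of the original notes), the two shell functions below make the note above observable: each lowers the open-files limit to 256 inside a throwaway subshell, once with -S and once with no flag, and prints the soft and hard values afterwards. Lowering a limit is always permitted, so this runs unprivileged; the difference is that the flag-less form also lowers the hard limit, which an unprivileged process can never raise again. It assumes the current hard limit is at least 256.

```shell
#!/bin/sh
# ulimit_demo <soft|both>: in a subshell, lower the open-files limit to 256 either
# with -S (soft only) or with no flag (soft and hard together), then print
# "<soft> <hard>" as seen afterwards. The parent shell's limits are untouched.
ulimit_demo() (
  case $1 in
    soft) ulimit -S -n 256 ;;
    both) ulimit -n 256 ;;
    *) echo "usage: ulimit_demo soft|both" >&2; exit 2 ;;
  esac
  echo "$(ulimit -S -n) $(ulimit -H -n)"
)

# ulimit_query_default: shows that with no -H/-S, ulimit reports the SOFT limit.
ulimit_query_default() (
  ulimit -S -n 256
  ulimit -n
)

# Usage: ulimit_demo soft; ulimit_demo both; ulimit_query_default
```

In practice this is why a login shell that runs `ulimit -n 256` without -S cannot be repaired from inside the session: a new login (or root) is needed to get the hard limit back.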

chrony (NTP time synchronization)

/etc/chrony.conf   configuration
server ntp.aliyun.com iburst     # set the synchronization server
allow 0.0.0.0/0                  # allow anyone to synchronize from this host
local stratum 10                 # allow synchronization even without an external network

chronyc sources -v, or ntpdate $ip (no longer used after CentOS 8): time synchronization


