
RH413 Enterprise Security Hardening, Chapter 13: Managing the CA Center

2016-01-25 22:31, 399 views

Lab environment

1. RHEL 6.4 SERVER, 10.10.10.221 (teachers.example.com, the IPA server)

2. RHEL 6.4 CLIENT, 10.10.10.223 (student.example.com, enrolled IPA client)

1. Modify the password policy (done in the IPA web UI)



2. Change an IPA user's password

[root@student ~]# kinit user01

Password for user01@EXAMPLE.COM:

[root@student ~]# kpasswd user01

Password for user01@EXAMPLE.COM:

Enter new password:

Enter it again:

Password change rejected: Current password's minimum life has not expired

Password not changed.

The rejection above comes from the policy's minimum password lifetime: user01's password is less than 1 hour old, so it cannot be changed yet. The minimum lifetime exists so that a user cannot cycle through several passwords in a row to flush the password history and return to an old one.

3. View the password policy from the command line

[root@teachers ~]# ipa pwpolicy-show

Group: global_policy

Max lifetime (days): 90

Min lifetime (hours): 1

History size: 0

Character classes: 0

Min length: 8

Max failures: 6

Failure reset interval: 60

Lockout duration: 600

Failure reset interval and lockout duration are expressed in seconds. Note that a history size of 0 and 0 required character classes mean this policy still permits password reuse and passwords built from a single character class (for example all lowercase letters).
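As an added example (not part of the course page), the following script audits `ipa pwpolicy-show` output against a stricter baseline and prints the `ipa pwpolicy-mod` command that would raise the weak settings. The policy text is the page's own global_policy, embedded as a constructed sample; the baseline numbers (history 5, 3 character classes, minimum length 12) are assumptions chosen for illustration, not IPA defaults.

```shell
#!/bin/bash
# Added example: audit `ipa pwpolicy-show` output and print a fix command.
# Baseline values below are assumptions for this example, not IPA defaults.

# Constructed sample: the global_policy shown on the page.
SAMPLE_POLICY='Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600'

# pwpolicy_value LABEL: read policy text on stdin, print the value after LABEL.
pwpolicy_value() {
    awk -F': ' -v key="$1" '$1 == key { print $2 }'
}

# audit_pwpolicy: read policy text on stdin, print one WEAK line per finding,
# return 1 if anything was found and 0 if the policy meets the baseline.
# (Failure reset interval and lockout duration are in seconds; not checked here.)
audit_pwpolicy() {
    local text findings=0 history classes minlen maxfail
    text=$(cat)
    history=$(printf '%s\n' "$text" | pwpolicy_value "History size")
    classes=$(printf '%s\n' "$text" | pwpolicy_value "Character classes")
    minlen=$(printf '%s\n' "$text" | pwpolicy_value "Min length")
    maxfail=$(printf '%s\n' "$text" | pwpolicy_value "Max failures")
    [ "${history:-0}" -ge 5 ] || { echo "WEAK: history size ${history:-0} (<5): old passwords can be reused"; findings=1; }
    [ "${classes:-0}" -ge 3 ] || { echo "WEAK: character classes ${classes:-0} (<3): no complexity enforced"; findings=1; }
    [ "${minlen:-0}" -ge 12 ] || { echo "WEAK: min length ${minlen:-0} (<12)"; findings=1; }
    [ "${maxfail:-0}" -gt 0 ] || { echo "WEAK: max failures 0: account lockout disabled"; findings=1; }
    return $findings
}

# pwpolicy_fix_cmd [POLICY]: print the ipa command that raises the weak
# settings; run it on the IPA server after `kinit admin`.
pwpolicy_fix_cmd() {
    echo "ipa pwpolicy-mod ${1:-global_policy} --history=5 --minclasses=3 --minlength=12"
}

# Usage: audit the page's policy and show the remediation if it fails.
printf '%s\n' "$SAMPLE_POLICY" | audit_pwpolicy || pwpolicy_fix_cmd global_policy
```

On a live server replace the sample with `ipa pwpolicy-show | audit_pwpolicy`; the same function works for per-group policies (`ipa pwpolicy-show GROUP`), which override global_policy for their members and are easy to forget when auditing.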

4. Configure the service access control (HBAC) rules through the browser



The rule shown above, IPA's default allow_all HBAC rule, is user-based and permits every user to access every host from any host.

5. Set that access control rule to disabled



6. After the rule is disabled, connect over ssh as user01

[root@student ~]# ssh user01@student

Connection closed by UNKNOWN

With allow_all disabled and no other HBAC rule matching, pam_sss denies the login during the account phase and sshd drops the connection.

7. Add a new user access rule

① Add the access rule



② Set the users the rule applies to



③ Set the hosts those users may access



④ Set the services those users may use



⑤ Set the source hosts those users may connect from


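The HBAC change that steps 5 to 7 make in the browser can be done with the ipa CLI on the server as admin. The following is an added example, not part of the course page: the rule name, description and the `IPA=echo` dry-run switch are assumptions; user01, sshd, teachers.example.com and student.example.com come from the page. It also shows `ipa hbactest`, which evaluates the rules server-side without having to attempt a login as each user.

```shell
#!/bin/bash
# Added example: the HBAC setup of steps 5-7 using the ipa CLI (run as admin
# on the IPA server). Set IPA=echo to print the commands instead of running
# them; rule name and description are assumptions for this lab.
IPA=${IPA:-ipa}

# hbac_allow_ssh RULE USER TARGET_HOST SOURCE_HOST
# Disables the default allow_all rule, then creates RULE so that USER may
# reach sshd on TARGET_HOST, but only when connecting from SOURCE_HOST.
hbac_allow_ssh() {
    local rule=$1 user=$2 target=$3 source=$4
    $IPA hbacrule-disable allow_all &&
    $IPA hbacrule-add "$rule" --desc="ssh for $user to $target" &&
    $IPA hbacrule-add-user "$rule" --users="$user" &&
    $IPA hbacrule-add-host "$rule" --hosts="$target" &&
    $IPA hbacrule-add-service "$rule" --hbacsvcs=sshd &&
    $IPA hbacrule-add-sourcehost "$rule" --hosts="$source"
}

# hbac_check USER TARGET_HOST SERVICE
# Asks the server to evaluate the enabled rules; output ends with
# "Access granted: True" or "Access granted: False".
hbac_check() {
    $IPA hbactest --user="$1" --host="$2" --service="$3"
}

# Usage (only when the ipa client tooling is present on this machine).
if command -v "$IPA" >/dev/null 2>&1; then
    hbac_allow_ssh user01_ssh user01 teachers.example.com student.example.com
    hbac_check user01 teachers.example.com sshd   # expected: Access granted: True
    hbac_check user02 teachers.example.com sshd   # expected: Access granted: False
fi
```

Two caveats for step ⑤: source-host restrictions (`hbacrule-add-sourcehost`) are honoured by the RHEL 6 SSSD in this lab but were deprecated and later dropped from SSSD, so on newer releases restrict the origin with a firewall or sshd `Match Address` instead; and run `hbactest` after every rule change, because a rule that is created but left without users, hosts or services silently matches nothing.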

8. Log in to the teachers server remotely as user01 and as user02

[root@student ~]# ssh user02@teachers

user02@teachers's password:

Your password will expire in 89 day(s).

Connection closed by UNKNOWN

user02 authenticated (the expiry notice was printed) but is not listed in the new rule, so HBAC denies the session and the connection is closed.

[root@student ~]# ssh user01@teachers

user01@teachers's password:

Your password will expire in 88 day(s).

Last login: Mon Jan 25 08:22:33 2016 from student.example.com

Could not chdir to home directory /home/user01: No such file or directory

-sh-4.1$

The chdir error above appears because /home/user01 does not exist on teachers (IPA does not create home directories on the client by itself); the `-sh-4.1$` prompt shows that user01's login shell is /bin/sh.

9. Privilege control with sudo

As shown below, user01 has no permission to read the messages file:

-sh-4.1$ tail /var/log/messages

tail: cannot open `/var/log/messages' for reading: Permission denied

Configuring sudo in IPA

① Add the commands that sudo rules may execute



② Create the sudo rule



③ Configure the sudo options



④ Set the users the sudo rule applies to



⑤ Set the hosts the sudo rule applies to



⑥ Set the commands the sudo rule allows



⑦ Set the identity the sudo rule runs as: leave it unset (NULL). Note: do not set this to admin. With no run-as user configured, sudo falls back to its default target user, root.
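The same sudo rule built with the ipa CLI on the server, as an added example that is not part of the course page. The rule name, the `noexec` option and the `IPA=echo` dry-run switch are assumptions; user01, teachers.example.com and `less` as the allowed command come from the page. The `!authenticate` option is assumed from step 16, where `sudo less` runs without a password prompt.

```shell
#!/bin/bash
# Added example: the sudo policy of step 9 ①-⑦ via the ipa CLI (run as admin
# on the IPA server). IPA=echo prints the commands instead of running them.
IPA=${IPA:-ipa}

# sudo_rule_add RULE USER HOST CMD
# Registers CMD (①), creates RULE (②), binds it to USER (④) and HOST (⑤)
# and allows only CMD (⑥). No run-as user is set (⑦), so sudo runs CMD as root.
sudo_rule_add() {
    local rule=$1 user=$2 host=$3 cmd=$4
    $IPA sudocmd-add "$cmd" &&
    $IPA sudorule-add "$rule" --desc="$user may run $cmd on $host" &&
    $IPA sudorule-add-user "$rule" --users="$user" &&
    $IPA sudorule-add-host "$rule" --hosts="$host" &&
    $IPA sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# sudo_rule_option RULE OPTION: add a sudoers-style option to RULE (③).
# noexec matters for pagers and editors: inside `less`, "!sh" would
# otherwise spawn a root shell, turning a read-only log rule into full root.
# '!authenticate' removes the password prompt (what step 16 shows).
sudo_rule_option() {
    $IPA sudorule-add-option "$1" --sudooption="$2"
}

# Usage (only when the ipa client tooling is present on this machine).
if command -v "$IPA" >/dev/null 2>&1; then
    sudo_rule_add logs_less user01 teachers.example.com /usr/bin/less &&
    sudo_rule_option logs_less noexec &&
    sudo_rule_option logs_less '!authenticate'
fi
```

If the goal is only to let user01 read logs, a command without shell escapes (for example `/usr/bin/tail` or `/bin/cat` on a fixed path) is a smaller grant than `less`, even with `noexec`.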

10. Set the password of the uid=sudo system account that the client's sudo-ldap will bind with (authenticating to the directory as admin over GSSAPI)

[root@teachers ~]# ldappasswd -Y GSSAPI -S -h teachers.example.com uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

New password:

Re-enter new password:

SASL/GSSAPI authentication started

SASL username: admin@EXAMPLE.COM

SASL SSF: 56

SASL data security layer installed.

11. Look up the uid=sudo system account in the IPA directory

[root@teachers ~]# ldapsearch -x uid=sudo

# extended LDIF

#

# LDAPv3

# base <dc=example,dc=com> (default) with scope subtree

# filter: uid=sudo

# requesting: ALL

#

# sudo, sysaccounts, etc, example.com

dn: uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

objectClass: account

objectClass: simplesecurityobject

objectClass: top

uid: sudo

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

Everything above is done on the SERVER side.

12. On the client (10.10.10.223), edit the name service switch configuration /etc/nsswitch.conf so that sudo also looks up rules in LDAP

[root@student ~]# cat /etc/nsswitch.conf |grep sudoers

sudoers: files ldap

13. Add a debug line to /etc/sssd/sssd.conf

[root@student ~]# cat /etc/sssd/sssd.conf |grep debug*

debug_level = 6

14. Configure /etc/sudo-ldap.conf

[root@student ~]# sed -e '/^#/d' /etc/sudo-ldap.conf   # show all non-comment lines

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

bindpw redhat123

ssl start_tls

tls_cacertfile /etc/ipa/ca.crt

tls_checkpeer yes

uri ldap://teachers.example.com

sudoers_base ou=SUDOers,dc=example,dc=com

bind_timelimit 5

timelimit 30

sudoers_debug 1
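The file above holds a cleartext bind password and decides whether the sudo rules are fetched over TLS from a verified server, so its permissions and TLS settings deserve a check. The following is an added example, not part of the course page: it writes the page's configuration into a temporary file (a constructed sample) and audits it; the temp file names and the 0644 starting mode are assumptions.

```shell
#!/bin/bash
# Added example: audit a sudo-ldap.conf for the weak spots a reviewer looks for.

# audit_sudo_ldap_conf FILE: print one line per finding, return 1 if any.
audit_sudo_ldap_conf() {
    local f=$1 findings=0 mode
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # bindpw is a cleartext credential: only root may read the file.
    if grep -Eq '^bindpw' "$f"; then
        case "$mode" in
            *00) ;;
            *) echo "WEAK: bindpw in $f but mode $mode is group/world readable (use 0600)"; findings=1 ;;
        esac
    fi
    # Without TLS the bind password and the rules cross the network in cleartext.
    if ! grep -Eq '^(ssl[[:space:]]+(start_tls|on|yes)|uri[[:space:]]+ldaps://)' "$f"; then
        echo "WEAK: no TLS (ssl start_tls or an ldaps:// uri): bindpw and rules sent in cleartext"
        findings=1
    fi
    # Without peer verification a spoofed server could hand out its own sudo rules.
    if ! grep -Eq '^tls_checkpeer[[:space:]]+yes' "$f"; then
        echo "WEAK: tls_checkpeer is not yes: server certificate is not verified"
        findings=1
    fi
    # sudoers_debug prints rule-matching details to every sudo user's terminal.
    if grep -Eq '^sudoers_debug[[:space:]]+[1-9]' "$f"; then
        echo "NOTE: sudoers_debug is enabled; turn it off once troubleshooting is done"
        findings=1
    fi
    return $findings
}

# Constructed sample: the page's settings, saved with a typical 0644 mode.
LAB_CONF=$(mktemp)
cat >"$LAB_CONF" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw redhat123
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://teachers.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
bind_timelimit 5
timelimit 30
sudoers_debug 1
EOF
chmod 644 "$LAB_CONF"

# Hardened copy: root-only permissions and debugging off.
HARDENED_CONF=$(mktemp)
grep -v '^sudoers_debug' "$LAB_CONF" >"$HARDENED_CONF"
chmod 600 "$HARDENED_CONF"

# Usage: the lab file yields findings, the hardened copy passes.
audit_sudo_ldap_conf "$LAB_CONF" || echo "lab config: see findings above"
audit_sudo_ldap_conf "$HARDENED_CONF" && echo "hardened config: OK"
```

On an SSSD-managed client, `sudoers: files sss` in /etc/nsswitch.conf lets SSSD fetch the rules with the host's own Kerberos credentials, which removes the need for a shared bindpw on every client altogether.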

15. Obtain a Kerberos ticket as user01

[root@student ~]# kinit user01

Password for user01@EXAMPLE.COM:

[root@student ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: user01@EXAMPLE.COM

Valid starting Expires Service principal

01/25/16 15:00:12 01/26/16 15:00:08 krbtgt/EXAMPLE.COM@EXAMPLE.COM

16. With user01's ticket in hand, ssh to the teachers server and read the log; no password is needed now because sshd accepts the Kerberos ticket over GSSAPI

[root@student ~]# ssh user01@teachers

Last login: Mon Jan 25 08:42:33 2016 from student.example.com

Could not chdir to home directory /home/user01: No such file or directory

-sh-4.1$ sudo less /var/log/messages

Jan 25 08:32:02 student rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1563" x-info="http://www.rsyslog.com"] rsyslogd was HUPed

Jan 25 08:32:25 student rhsmd: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date.

Jan 25 14:32:10 student kernel: imklog 5.8.10, log source = /proc/kmsg started.

Jan 25 14:32:10 student rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1590" x-info="http://www.rsyslog.com"] start

Jan 25 14:32:10 student kernel: Initializing cgroup subsys cpuset

Jan 25 14:32:10 student kernel: Initializing cgroup subsys cpu

Jan 25 14:32:10 student kernel: Linux version 2.6.32-358.el6.x86_64 (mockbuild@x86-022.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) ) #1 SMP Tue Jan 29 11:47:41 EST 2013

Jan 25 14:32:10 student kernel: Command line: ro root=UUID=918ef4ea-cbc8-4f97-b362-5b74b203465c rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet

Jan 25 14:32:10 student kernel: KERNEL supported cpus:

Jan 25 14:32:10 student kernel: Intel GenuineIntel

Jan 25 14:32:10 student kernel: AMD AuthenticAMD

Jan 25 14:32:10 student kernel: Centaur CentaurHauls