Reference from: allow user1 to "su - user2" without a password
Goal: run "su - user2" as user1 without being asked for a password.
My experimental system version:
CentOS Linux release 7
# vim /etc/pam.d/su
# Add the following two lines right after the pam_rootok.so line:
auth [success=ignore default=1] pam_succeed_if.so user = user2
auth sufficient pam_succeed_if.so use_uid user = user1
Read it as: for the target account user2, if the user running su is user1, the login is password-free. For any other target the first line fails, default=1 skips over the second line, and the normal password check applies.
PAM module documentation:
# less /usr/share/doc/pam-1.1.8/txts/README.pam_succeed_if
First, the use_uid option:
Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated.
Next, the field syntax:
Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service.
field > number    Field has a value numerically greater than number.
field in item:item:...    Field is contained in the list of items separated by colons.
Based on this, password-free su can also be granted to several system users whose uid falls within a given range.
17:56:55 ~ # id user1
uid=1004(user1) gid=1004(user1) groups=1004(user1)
17:56:59 ~ # id user2
uid=1005(user2) gid=1005(user2) groups=1005(user2)
17:57:00 ~ # id user3
uid=1006(user3) gid=1006(user3) groups=1006(user3)
Modify /etc/pam.d/su:
auth [success=ignore default=1] pam_succeed_if.so uid >= 1005
auth sufficient pam_succeed_if.so use_uid user = user1
Read it as: for any target account with uid >= 1005, if the user running su is user1, the login is password-free.
17:57:49 ~ # su - user1
Last login: Thu Sep 3 17:55:47 CST 2020 on pts/1
17:57:50 ~ $ su - user2
17:57:52 ~ $ logout
17:57:53 ~ $ su - user3
Last login: Thu Sep 3 17:55:54 CST 2020 on pts/1
17:57:55 ~ $ logout
Conversely, to let several accounts su to one account without a password, configure it as follows:
auth [success=ignore default=1] pam_succeed_if.so uid = 1001
auth sufficient pam_succeed_if.so use_uid uid > 1001
Read it as: for the target account with uid 1001, any caller whose uid is greater than 1001 can switch without a password.
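As an added example (not part of the original post), the following Python model walks an /etc/pam.d/su auth stack the way pam_su does, so you can see exactly which (caller, target) pairs a pam_succeed_if grant opens before deploying it. It assumes a constructed account table (the uids from the id output above, plus root and a made-up uid-1001 account named "shared"), models only the user and uid fields with the sufficient and [success=... default=...] controls, and uses a substack line to stand in for the rest of the CentOS 7 stack where the password prompt lives.

```python
import re

# Constructed account table: uids from the page's `id` output plus root and a
# made-up uid-1001 account ("shared") for the page's reverse (many-to-one) grant.
ACCOUNTS = {"root": 0, "shared": 1001, "user1": 1004, "user2": 1005, "user3": 1006}

# The page's uid-range grant; the substack line stands in for the rest of the
# CentOS 7 su stack, which is where the password prompt would come from.
PAM_SU_RANGE = """\
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so uid >= 1005
auth sufficient pam_succeed_if.so use_uid user = user1
auth substack system-auth
"""
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def _succeed_if(args, target, caller):
    # One pam_succeed_if condition (user/uid fields only); use_uid tests the caller.
    words = args.split()
    subject = caller if "use_uid" in words else target
    field, op, value = [w for w in words if w != "use_uid"]
    left, right = (subject, value) if field == "user" else (ACCOUNTS[subject], int(value))
    return {"=": left == right, "!=": left != right, ">": left > right,
            ">=": left >= right, "<": left < right, "<=": left <= right}[op]

def passwordless_su(config, target, caller):
    # Walk the auth stack the way pam_su does: True if a 'sufficient' line
    # succeeds before control reaches the password-asking part of the stack.
    lines = [LINE.match(l).groups() for l in config.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        _, control, module, args = lines[i]
        if module == "pam_rootok.so":
            ok = ACCOUNTS[caller] == 0
        elif module == "pam_succeed_if.so":
            ok = _succeed_if(args, target, caller)
        else:
            return False                  # substack/include: a password is required
        if control == "sufficient":
            if ok:
                return True
            i += 1                        # a failed 'sufficient' is simply skipped
        else:                             # e.g. [success=ignore default=1]
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            action = actions["success" if ok else "default"]
            i += 1 if action == "ignore" else 1 + int(action)   # N means skip N modules
    return False

def audit(config):
    # Every non-root (caller, target) pair the stack lets through without a password.
    return sorted((c, t) for c in ACCOUNTS for t in ACCOUNTS
                  if c != "root" and c != t and passwordless_su(config, t, c))
```

Running audit() over a candidate stack lists every pair the grant opens, which for the uid-range form includes any account created later whose uid happens to fall in the range.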
Before finding this method, we used a workaround: give user1 passwordless SSH access and have user1's .bashrc automatically jump to user2. It barely met the need, but it was a roundabout solution, and user1's own shell was effectively abandoned.