Jephe Wu - http://linuxtechres.blogspot.com
Objective: explain the different ways to disable a user's shell access under Linux, with the pros and cons of each
Environment: CentOS 6.4 64bit
Methods:
1. using /sbin/nologin or /bin/false as the login shell
useradd jephe -s /sbin/nologin
or
chsh -s /sbin/nologin jephe
pros: disables interactive shell access; /sbin/nologin also prints a refusal message, /bin/false just exits.
cons: doesn't disable SSH TCP port forwarding. The login shell is only consulted when a session actually needs a shell, so a user who authenticates with -N (no remote command) never hits it and can still forward ports through the server:
ssh -N -L 2222:remote:22 server
2. password lock/unlock
passwd -l jephe and passwd -u jephe
usermod -L jephe and usermod -U jephe
pros: disables password authentication by prefixing the hash in /etc/shadow with '!' characters, so the lock is reversible without knowing the password.
cons: if the user had configured public key authentication before you locked the password, the user can still ssh in. A locked password only defeats password authentication; sshd never looks at the hash when a key is offered.
related command: chage -d 0 jephe # sets the last-password-change date to day 0, so the password is expired and the user must change it immediately upon login; 'chage -l jephe' shows the current ageing values.
chage -d 0 is different from chage -E0: chage -d 0 expires the password, forcing the user to change it after login, while chage -E0 expires the account itself and disables the user for the whole system.
3. make the user account expire entirely
chage -E0 jephe and reverse it with chage -E-1 jephe
pros: disables the account completely. sshd checks account expiry before any authentication method, so password, public key and port forwarding are all refused.
cons: nothing else can use the account either; anything that goes through PAM account checks (su to the user, cron jobs) also stops working. As with the other methods, sessions that are already open are not terminated.
If you need to disable a user's ssh access completely, this is the method to use.
[root@server1 ~]# chage -E0 corkroo
[root@server1 ~]# getent shadow corkroo
corkroo:$6$ewLIUEu8$VNk7OC2ybTHDaeXX1xuCI9DHGLig3IhasJ3VbLUwRMt123/kT1NAtshYuq2yQKZab82D1FEPZXnM3zTt5krKl0:15992:0:99999:7::0:
[root@server1 ~]# chage -E-1 corkroo
[root@server1 ~]# getent shadow corkroo
corkroo:$6$ewLIUEu8$VNk7OC2ybTHDaeXX1xuCI9DHGLig3IhasJ3VbLUwRMt123/kT1NAtshYuq2yQKZab82D1FEPZXnM3zTt5krKl0:15992:0:99999:7:::
4. force sftp-only access, no shell
The user keeps a normal shell (/bin/bash), but /etc/ssh/sshd_config is configured so that sshd forces the sftp subsystem for that user and refuses shell sessions. The Match block must come after all global options, because everything after a Match line applies only to matching users until the next Match:
[root@server1 ~]# tail -7 /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User corkroo
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
[root@server1 ~]# getent passwd corkroo
corkroo:x:504:505::/home/corkroo:/bin/bash
[root@server1 ~]# ssh corkroo@localhost
Password: # after a correct password the session appears to hang here: sshd has started internal-sftp on the channel, which waits for SFTP protocol packets that an interactive ssh client never sends. An sftp client connects normally.
Caveat: without a ChrootDirectory line in the Match block, the user can still browse and download any file on the system that Unix permissions allow, just not run commands.
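The four methods differ in which ssh paths they actually close, so it is worth checking existing accounts rather than trusting the shell field alone. The following audit script is an added example, not part of the original post: it classifies each account by the rules described above (account expiry beats everything, a locked password still lets a key in, a nologin shell still allows port forwarding). The passwd/shadow entries and the list of users holding an authorized_keys file are constructed sample data; on a live system you would read /etc/passwd, /etc/shadow and test each home directory instead.

```bash
#!/bin/sh
# Constructed sample entries (not from a real system): one account per method above, plus one active one.
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash'
SAMPLE_SHADOW='alice:$6$salt$hash:15992:0:99999:7:::
bob:!!$6$salt$hash:15992:0:99999:7:::
carol:$6$salt$hash:15992:0:99999:7::0:
dave:$6$salt$hash:15992:0:99999:7:::'
# Simulated result of testing ~/.ssh/authorized_keys for each user
# (on a live system: [ -s "$home/.ssh/authorized_keys" ]).
SAMPLE_KEY_USERS='bob'

days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# ssh_state NAME -> prints how sshd would treat the account:
#   expired     shadow field 8 is today or earlier (chage -E0): every auth method refused
#   locked+key  password field starts with '!' (passwd -l / usermod -L) but a key is on file:
#               the user can still log in over ssh with the key
#   locked      password locked and no key on file: no ssh login possible right now
#   nologin     shell is /sbin/nologin or /bin/false: no shell, but 'ssh -N -L ...' still works
#   active      none of the above
ssh_state() {
  name=$1
  pw_line=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$name" '$1 == u')
  sh_line=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$name" '$1 == u')
  if [ -z "$pw_line" ] || [ -z "$sh_line" ]; then echo unknown; return 1; fi
  shell=${pw_line##*:}                                   # last passwd field
  pwfield=$(printf '%s\n' "$sh_line" | cut -d: -f2)      # hash, possibly '!'-prefixed
  expire=$(printf '%s\n' "$sh_line" | cut -d: -f8)       # account expiry in days since epoch
  has_key=0
  for k in $SAMPLE_KEY_USERS; do
    if [ "$k" = "$name" ]; then has_key=1; fi
  done

  # Account expiry is enforced before authentication, so it wins over everything else.
  if [ -n "$expire" ] && [ "$expire" -le "$(days_since_epoch)" ]; then
    echo expired; return 0
  fi
  case $pwfield in
    '!'*) if [ "$has_key" -eq 1 ]; then echo locked+key; else echo locked; fi; return 0 ;;
  esac
  case $shell in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) echo nologin; return 0 ;;
  esac
  echo active
}

# audit_all -> one line per account; returns 1 if any account is only partially disabled
# (still reachable over ssh with a key, or still able to forward ports).
audit_all() {
  rc=0
  for u in $(printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1); do
    st=$(ssh_state "$u")
    printf '%-8s %s\n' "$u" "$st"
    case $st in locked+key|nologin) rc=1 ;; esac
  done
  return $rc
}
```

Run `audit_all` to see the table; with the sample data it flags alice (nologin, forwarding still possible) and bob (locked password but key present) and exits non-zero, while carol (expired) and dave (active) are reported without being flagged.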
How to disable user ssh login under Linux
Retrieve directory data underneath NFS mounted directory
Problem: we need to retrieve data from a directory that we later NFS-mounted over; the original files are now hidden under the mount point, and we cannot unmount it because this is a production environment.
Concept: bind-mount the filesystem that holds the directory (here /) onto another directory with mount --bind; the bind mount exposes the original content beneath the NFS mount point without unmounting the NFS share.
Steps:
1. check the existing files under /u05. For testing purposes I copied some archive log files from /u03 to /u05 beforehand.
root@linuxtechres:/u05# ll
total 420
-rw-r----- 1 root root 229888 Oct 15 10:48 1_21996_817700775.arc
-rw-r----- 1 root root 180736 Oct 15 10:48 1_22005_817700775.arc
2. NFS mount /u05, which comes from Netapp NFS storage and holds the Oracle controlfile
root@linuxtechres:/# mount /u05
root@linuxtechres:/# cd /u05
root@linuxtechres:/u05# ll
total 4
drwxr-xr-x 3 oracle dba 4096 Jun 28 09:51 control
3. Now we need to retrieve the original files hidden under /u05
root@linuxtechres:/u05# mkdir /tmp/recover
root@linuxtechres:/u05# mount --bind / /tmp/recover # bind-mount / because the original /u05 content lives on the root partition
4. check mounted directory
root@linuxtechres:/u05# cd /tmp/recover/
root@linuxtechres:/tmp/recover# ls
appdata boot home lost+found mnt proc selinux sys u01 u04 var
backup dev lib media net root srv tftpboot u02 u05
bin etc lib64 misc opt sbin stage tmp u03 usr
root@linuxtechres:/tmp/recover# cd u05
root@linuxtechres:/tmp/recover/u05# ll
total 420
-rw-r----- 1 root root 229888 Oct 15 10:48 1_21996_817700775.arc
-rw-r----- 1 root root 180736 Oct 15 10:48 1_22005_817700775.arc
5. compare the md5sum of the recovered file with the original copy still in /u03
root@linuxtechres:/tmp/recover/u05# md5sum 1_21996_817700775.arc
f0af8a88658071aab2babab74c614159 1_21996_817700775.arc
root@linuxtechres:/tmp/recover/u05# md5sum /u03/oraarch/JEPHE/1_21996_817700775.arc
f0af8a88658071aab2babab74c614159 /u03/oraarch/JEPHE/1_21996_817700775.arc
6. umount /tmp/recover after the recovery
root@linuxtechres:/tmp/recover/u05# mount | grep recover
/ on /tmp/recover type none (rw,bind)
root@linuxtechres:/tmp/recover/u05# cd /
root@linuxtechres:/# umount /tmp/recover
root@linuxtechres:/# mount | grep recover
Note: you may also use debugfs (for ext2/3/4) to read the files straight from the underlying block device; the bind mount is simpler and does not depend on the filesystem type.
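The step that needs care is choosing what to bind-mount: it must be the filesystem that holds the parent of the hidden directory, which was / here only because /u05 sat directly on the root partition. The script below is an added example, not from the original post, that generalises the procedure: it picks the right source from a mount table, computes where the hidden files will appear under the bind mount, and then copies and md5sum-verifies them before unmounting. SAMPLE_MOUNTS is constructed data in /proc/mounts format (hostnames, devices and paths are invented); the recover_hidden function must be run as root on the live system.

```bash
#!/bin/sh
# Constructed mount table (not from the author's server), /proc/mounts layout:
# the root filesystem holds /u05 underneath the NFS mount, while /u01 is its own filesystem.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /u01 ext4 rw,relatime 0 0
netapp:/vol/ctl /u05 nfs rw,addr=10.0.0.5 0 0
netapp:/vol/arch /u01/arch nfs rw,addr=10.0.0.5 0 0'

# underlying_mount PATH [TABLE]
# Prints the mount point of the filesystem that holds the parent directory of PATH,
# i.e. the filesystem whose own content at PATH is shadowed by whatever is mounted there.
# Reads /proc/mounts when TABLE is not given.
underlying_mount() {
  target=$1
  table=${2:-$(cat /proc/mounts)}
  parent=$(dirname "$target")
  printf '%s\n' "$table" | awk -v p="$parent" '
    {
      mp = $2
      # keep the longest mount point that is the root, equals the parent, or is a path prefix of it
      if (mp == "/" || mp == p || index(p, mp "/") == 1)
        if (length(mp) > length(best)) best = mp
    }
    END { print best }'
}

# hidden_path BINDDIR SRC PATH
# Where the shadowed content of PATH appears once filesystem SRC is bind-mounted on BINDDIR.
hidden_path() {
  binddir=$1; src=$2; target=$3
  if [ "$src" = / ]; then
    printf '%s\n' "${binddir}${target}"
  else
    printf '%s\n' "${binddir}${target#"$src"}"
  fi
}

# recover_hidden PATH BINDDIR DEST   (root required; touches nothing on the NFS mount itself)
# Bind-mounts the underlying filesystem on BINDDIR, copies the shadowed files to DEST,
# verifies every copied file with md5sum, and unmounts the bind mount again.
recover_hidden() {
  target=$1; binddir=$2; dest=$3
  src=$(underlying_mount "$target") || return 1
  if [ -z "$src" ]; then echo "no filesystem found under $target" >&2; return 1; fi
  from=$(hidden_path "$binddir" "$src" "$target")
  mkdir -p "$binddir" "$dest"
  mount --bind "$src" "$binddir" || return 1
  rc=0
  cp -a "$from/." "$dest/" || rc=1
  if [ $rc -eq 0 ]; then
    (cd "$from" && find . -type f -exec md5sum {} +) > "$dest/.recovered.md5" || rc=1
    (cd "$dest" && md5sum -c --quiet .recovered.md5) || rc=1
  fi
  umount "$binddir" || rc=1
  return $rc
}
```

For the case in the post, `recover_hidden /u05 /tmp/recover /u03/recovered` bind-mounts / on /tmp/recover, copies /tmp/recover/u05/* out, checks the sums and unmounts. For a directory such as /u01/arch, where /u01 is a separate filesystem, the same call bind-mounts /u01 instead and reads from /tmp/recover/arch, which is the step that is easy to get wrong by hand.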
Labels: NFS