Linux hardening: forbid remote root login and let an ordinary user switch to root without a password

    The root user is the super administrator on Linux. If its password is brute-forced over SSH, the attacker owns the machine and everything our business runs on it, so at work we generally forbid root from logging in remotely.

Idea:
Create an ordinary user, forbid remote login for root so that only ordinary users can log in over SSH, and when root privileges are needed switch to root with su or run individual commands with sudo.

1. Restricting remote login of the root user
Open /etc/ssh/sshd_config and find the PermitRootLogin directive. Its position in the file differs between distributions and versions, and on many systems it is shipped commented out (for example "#PermitRootLogin prohibit-password", which still lets root log in with a key), but the change is always the same: make sure the first uncommented occurrence reads "PermitRootLogin no". sshd uses the first value it finds for a keyword, so a second occurrence further down the file is ignored.
vim /etc/ssh/sshd_config
Before the change the line reads "PermitRootLogin yes" (the screenshot is not reproduced here): yes means root may log in over SSH. Change yes to no and root is refused at the SSH layer, which is exactly the restriction we want.

After editing /etc/ssh/sshd_config, check the syntax with sshd -t (it prints nothing when the file is valid), then restart the sshd service so the change takes effect. Keep your current SSH session open until you have confirmed that the ordinary user can still log in and that root is now refused; a broken sshd_config can otherwise lock you out of the machine.
systemctl restart sshd

2. Letting an ordinary user switch to root without a password
Open /etc/sudoers, preferably by running visudo, which checks the syntax before saving (a syntax error in /etc/sudoers breaks sudo for everyone). Find the line
%wheel ALL=(ALL) NOPASSWD: ALL
It means that every member of the wheel group may run any command as any user through sudo without entering a password. On RHEL/CentOS this line is shipped commented out with a leading #; remove the # to activate it. There are then three ways to give an ordinary user this privilege.
First method: put the ordinary user into the wheel group
usermod -aG wheel username
-aG appends wheel as a supplementary group. usermod -g wheel would instead replace the user's primary group; that also satisfies the %wheel rule, because sudo matches any group the user belongs to, but it changes the group ownership of every file the user creates from then on, so -aG is the better choice. Group changes apply to new logins only, so log out and back in before testing.

Second method: add a line of your own to /etc/sudoers (again via visudo), replacing username with the ordinary user's name:
username ALL=(ALL) NOPASSWD: ALL
On systems whose /etc/sudoers contains #includedir /etc/sudoers.d, the same line can go into its own file under /etc/sudoers.d with mode 0440, which keeps package upgrades of /etc/sudoers from touching it.
Third method (possible, but use with caution): change the group name in the %wheel line to the ordinary user's own group. For example, if the user is test and its primary group is also test, change %wheel to %test so the line reads
%test ALL=(ALL) NOPASSWD: ALL
This grants passwordless root to everyone who is ever added to that group and removes the wheel rule that other administrators may rely on, which is why the first two methods are preferable.
With any one of these three methods in place, the ordinary user can switch to root without a password:
sudo su - root
(sudo -i is equivalent and shorter.) Be clear about what this buys you: a user with NOPASSWD: ALL is root in all but name, so forbidding root's SSH login only helps if that user's login is harder to brute-force than root's was. Give the account a strong password or, better, SSH keys, and consider setting PasswordAuthentication no in sshd_config once key login works.

The switch succeeds, but sudo prints two extra warning lines first, the first of which is:
sudo: /etc/sudo.conf is group writable
The cause is simple: the group permission bits on /etc/sudo.conf include write. sudo does not trust such a file silently, because sudo.conf tells sudo which policy and I/O plugins to load, so anyone in a group that can write it could make sudo load a plugin of their choosing and obtain root. Check the current mode with ls -l /etc/sudo.conf; it shows the group write bit set.
Solution: remove the write bit from the group (and other) permissions on /etc/sudo.conf. The file must also be owned by root.
chmod 440 /etc/sudo.conf
(sudo runs set-uid root, so it can still read a 0440 file; the distribution default of 0644 root:root is equally acceptable. What matters is that neither group nor other has write permission.)

Log in again after fixing the permissions and switch to root with the same command: the warning no longer appears and the switch is silent. Done.
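To make the whole procedure checkable before it is run against a live host, here is an added shell example; it is not code from the original post, and the functions are this example's own, not part of OpenSSH or sudo. It wraps the three changes above as functions that take the file or directory to edit as an argument, so you can exercise them on a copy of sshd_config or a scratch directory first. The drop-in file name 90-<user>, the .bak backup suffix and the user name alice in the usage comments are assumptions of this example. It also handles the case the article's screenshots do not show: a PermitRootLogin line that is commented out or missing entirely, where the OpenSSH default (prohibit-password since 7.0) still allows root to log in with a key.

```shell
#!/bin/sh
# Added example, not from the original post. It packages the three changes the
# article makes (PermitRootLogin no, a NOPASSWD sudoers entry, a safe mode on
# /etc/sudo.conf) as functions that take the file or directory to edit as an
# argument, so they can be tried on copies before being pointed at /etc.
# The drop-in name "90-<user>" and the .bak suffix are this example's choices.

# Print the PermitRootLogin value sshd would use from this file: the first
# uncommented occurrence wins (sshd takes the first value for every keyword).
# Lines pulled in by an Include directive and Match blocks are not followed
# here; "sshd -T | grep -i permitrootlogin" shows the merged result.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Force "PermitRootLogin no". Handles the directive being set to yes or
# prohibit-password, commented out ("#PermitRootLogin ..."), or absent.
set_permit_root_login_no() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak"   # keep the original next to the edited file
    cp -p "$cfg" "$cfg.tmp"   # same owner and mode as the original
    # Rewrite every live or commented occurrence to the hardened line
    # (GNU sed: the trailing I makes the match case-insensitive, like sshd).
    sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/I' \
        "$cfg" > "$cfg.tmp"
    # The file may never have mentioned the directive; then append it.
    if [ -z "$(effective_permit_root_login "$cfg.tmp")" ]; then
        printf 'PermitRootLogin no\n' >> "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Grant one user passwordless sudo with a file under sudoers.d instead of
# editing /etc/sudoers by hand. sudo skips files whose names contain "." or
# end in "~", so a user name with a dot would need a different file name.
grant_nopasswd_sudo() {
    dir="$1"; user="$2"
    file="$dir/90-$user"
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$file"
    chmod 0440 "$file"        # sudo insists on 0440 for sudoers files
    # Validate the syntax; a bad sudoers fragment breaks sudo for everyone.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
}

# Succeed only when a file is neither group- nor world-writable. This is the
# condition behind "sudo: /etc/sudo.conf is group writable": sudo.conf names
# the plugins sudo loads, so anyone who can write it can load their own.
not_group_or_world_writable() {
    mode=$(stat -c '%a' "$1") || return 1      # e.g. 664 or 440
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# The article's fix (0440); the stock 0644 root:root would also pass the check.
fix_sudo_conf_perms() {
    chmod 0440 "$1"
    not_group_or_world_writable "$1"
}

# Usage on a real host (as root, with a second SSH session kept open):
#   set_permit_root_login_no /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
#   grant_nopasswd_sudo /etc/sudoers.d alice
#   fix_sudo_conf_perms /etc/sudo.conf
```

Run it against /etc only after trying it on copies. Keep a second SSH session open across the sshd restart, and confirm the result with sshd -T | grep -i permitrootlogin, which prints the value sshd actually uses after any Include files are merged; that is the check that catches a drop-in under /etc/ssh/sshd_config.d quietly re-enabling root login.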

Origin blog.csdn.net/weixin_44901564/article/details/108123217