
Allowing root to log in via telnet on CentOS (remote login)

Date: 2019-07-14 00:36  Source: 亚洲城
Our organization's Linux servers needed new monitoring items, but the monitoring software does not support SNMP, so the only options were to install an agent or have the software log in over the CLI and read the values directly. We therefore had to configure a telnet login service for the root user on every server. Normally this kind of setup is best avoided.

By default, Linux does not allow the root user to log in to the host via telnet. To allow root to log in, use one of the following three methods:

Linux remote login (telnet, ssh)

1. Edit /etc/securetty and add pts/0, pts/1, ...; this sets how many (pseudo-)terminals root may be logged in on at the same time.


2. Edit /etc/pam.d/login and put a # in front of the pam_securetty.so line; this allows the root user to log in.

In RedHat the restriction on remote logins lives in /etc/pam.d/login; if the restricting entry is commented out, the restriction no longer applies.

[root@rhel6 ~]# rpm -qa | grep telnet
telnet-server-0.17-47.el6.x86_64
telnet-0.17-47.el6.x86_64
[root@rhel6 ~]# vi /etc/xinetd.d/telnet // telnet is provided through xinetd
# default: on
# description: The telnet server serves telnet sessions; it uses
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure = USERID
disable = no
instances = 1 // maximum number of server instances (i.e. only one user may log in via telnet)
# bind = 192.168.0.90 // only accept packets arriving on this interface
# only_from = 192.168.0.0/24 // only this subnet may access telnet
# no_access = 192.168.0.100 // this IP may not access telnet
# access_times = 9:00-18:00 // hours during which the telnet service is available
}
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect // by default root is not allowed to log in via telnet
login: xfcy
Password:
Last login: Wed Dec 26 17:17:08 from rhel6
[xfcy@rhel6 ~]$ who
root pts/0 2012-12-27 12:01 (192.168.0.90)
xfcy pts/1 2012-12-27 12:18 (rhel5)
[xfcy@rhel6 ~]$ telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Connection closed by foreign host. // a second telnet user is not allowed
[root@rhel6 ~]# netstat -lntp | grep :23 // listens on port 23 by default
tcp 0 0 :::23 :::* LISTEN 5169/xinetd
[xfcy@rhel6 ~]$ vi /etc/services // change the telnet service's listening port to 230
telnet 230/tcp
telnet 230/udp
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@rhel6 ~]# netstat -lntp | grep :23
tcp 0 0 :::230 :::* LISTEN 5319/xinetd
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90... // the telnet service can no longer be reached on port 23
telnet: connect to address 192.168.0.90: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@rhel5 ~]# telnet rhel6 230 // connecting on port 230 succeeds
Trying 192.168.0.90...
Connected to rhel6.xfcy.org (192.168.0.90).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: xfcy
Password:
Last login: Thu Dec 27 12:50:16 from rhel5
[xfcy@rhel6 ~]$ netstat -an | grep :23
tcp 0 0 192.168.0.90:230 192.168.0.89:51147 ESTABLISHED
tcp 0 0 :::230 :::* LISTEN
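The session above shows which xinetd options actually restrict who can reach the telnet service (instances, only_from, no_access, access_times) and that most of them are left commented out. The script below is an added example, not code from the original article: it audits an xinetd stanza such as /etc/xinetd.d/telnet, reporting whether the service is enabled and which of those controls are not in force. It assumes the "key = value" layout xinetd uses and takes the file path as a parameter; the stanza it runs on in the demo is a constructed copy modelled on the article's listing.

```shell
#!/bin/sh
# Added example (not from the original article): audit an xinetd service stanza.
# Reports whether the service is enabled and which access controls are missing
# or commented out. Assumes the "key = value" layout used by xinetd.

# Print the value of KEY from FILE, ignoring '#' comment lines; first match wins.
xinetd_attr() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                         # skip commented-out lines
        $0 ~ ("^[ \t]*" key "[ \t]*=") {            # "key = value" layout
            sub(/^[^=]*=[ \t]*/, "")                # drop everything up to "= "
            sub(/[ \t]+$/, "")                      # drop trailing whitespace
            print; exit                             # first match wins
        }' "$1"
}

# Return 0 when the stanza is enabled (disable = no), 1 otherwise.
xinetd_enabled() {
    [ "$(xinetd_attr "$1" disable)" = "no" ]
}

# Print one line per access control that is absent or commented out.
xinetd_missing_controls() {
    for k in only_from no_access access_times instances; do
        if [ -z "$(xinetd_attr "$1" "$k")" ]; then echo "$k"; fi
    done
}

# Write a constructed stanza (modelled on the article's listing) and print its path.
make_sample_stanza() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# default: on
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  = USERID
        disable         = no
        instances       = 1
#       only_from       = 192.168.0.0/24
#       no_access       = 192.168.0.100
#       access_times    = 9:00-18:00
}
EOF
    echo "$f"
}

# Demo: run `sh audit.sh --demo` to audit the constructed stanza.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_stanza)
    if xinetd_enabled "$f"; then
        echo "telnet: ENABLED, server = $(xinetd_attr "$f" server)"
    else
        echo "telnet: disabled"
    fi
    echo "access controls not in force:"
    xinetd_missing_controls "$f" | sed 's/^/  /'
    rm -f "$f"
fi
```

Pointing `xinetd_enabled` and `xinetd_missing_controls` at the real /etc/xinetd.d/telnet gives a quick inventory of which of the article's restrictions are actually active on a host before the service is exposed.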

3. Edit .bash_profile in root's home directory and add TMOUT=180; this sets the idle timeout for each terminal, in seconds.

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke

By default, Linux does not allow the root user to log in to the host via telnet. To allow root to log in, use one of the following three methods:
1. Edit the login file
In RedHat the restriction on remote logins lives in /etc/pam.d/login; if the restricting entry is commented out, the restriction no longer applies.
[root@rhel5 ~]# vi /etc/pam.d/login
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke


2. Remove the securetty file
The check rule is configured in /etc/securetty, which restricts root to logging in on terminals tty1 through tty11; removing this file bypasses the check and lets root log in remotely.
[root@rhel5 ~]# mv /etc/securetty /etc/securetty.bak


3. Edit the securetty file
[root@rhel5 ~]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11
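The methods listed at the top of this page (adding pts/N to /etc/securetty, commenting out pam_securetty.so) and the three methods in this section all change the same two inputs: the pam_securetty.so rule in /etc/pam.d/login and the terminal list in /etc/securetty. The script below is an added example, not code from the original article: it applies those two rules to decide whether root could log in on a given terminal, so an administrator can check a host's state after (or instead of) making the edits. It assumes the file paths are passed as parameters and that a missing /etc/securetty means pam_securetty treats every terminal as permitted, as the article states; the pam and securetty files used in the demo are constructed copies, not a real host's.

```shell
#!/bin/sh
# Added example (not from the original article): check whether root could log in
# through telnet on a given terminal, using the two rules the article edits.

# Return 0 if PAMFILE still has an active (uncommented) pam_securetty.so auth rule.
pam_securetty_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$1"
}

# Return 0 if SECURETTY permits TTY: a missing file permits every terminal
# (assumption stated in the article), otherwise TTY must be listed verbatim.
securetty_allows() {
    [ -f "$1" ] || return 0
    grep -Fxq "$2" "$1"
}

# Print "allowed ..." or "denied ..." for root on TTY given PAMFILE and SECURETTY.
root_login_on() {
    pam=$1; sec=$2; tty=$3
    if ! pam_securetty_active "$pam"; then
        echo "allowed (pam_securetty.so is disabled in $pam)"
    elif securetty_allows "$sec" "$tty"; then
        echo "allowed ($tty permitted by $sec)"
    else
        echo "denied ($tty is not listed in $sec)"
    fi
}

# Build constructed copies of /etc/pam.d/login and /etc/securetty in a temp dir.
# $1 selects the scenario: default | pam_commented | securetty_removed | pts_added
make_scenario() {
    dir=$(mktemp -d)
    if [ "$1" = "pam_commented" ]; then lead='#'; else lead=''; fi
    cat > "$dir/login" <<EOF
#%PAM-1.0
${lead}auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account include system-auth
EOF
    { echo console; i=1; while [ "$i" -le 11 ]; do echo "tty$i"; i=$((i + 1)); done; } > "$dir/securetty"
    if [ "$1" = "pts_added" ]; then echo "pts/1" >> "$dir/securetty"; fi
    if [ "$1" = "securetty_removed" ]; then rm -f "$dir/securetty"; fi
    echo "$dir"
}

# Demo: run `sh rootcheck.sh --demo` to see each scenario's verdict for pts/0.
if [ "${1:-}" = "--demo" ]; then
    for s in default pam_commented securetty_removed pts_added; do
        d=$(make_scenario "$s")
        printf '%-18s pts/0: %s\n' "$s" "$(root_login_on "$d/login" "$d/securetty" pts/0)"
        rm -rf "$d"
    done
fi
```

Run against the live files (`root_login_on /etc/pam.d/login /etc/securetty pts/0`) to confirm what a host currently permits; the "denied" verdict for a pseudo-terminal is the default state the article's login transcript shows.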


It is generally not recommended to log in remotely as root over telnet, because telnet transmits data in clear text; if the packets are intercepted, root's login password can easily be recovered. It is better to log in over telnet as an ordinary user and then su to root, which is relatively safer. If you must connect remotely as root, use SSH.


