Linux 远程登录(telnet ssh)
telnet
[root@rhel6 ~]# rpm -qa | grep telnet
telnet-server-0.17-47.el6.x86_64
telnet-0.17-47.el6.x86_64
[root@rhel6 ~]# vi /etc/xinetd.d/telnet //telnet是依赖于xinetd的
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
instances = 1 //设置服务器最大连接数(即只允许1个用户通过telnet登录)
# bind = 192.168.0.90 //只允许经由该适配器的数据包进来
# only_from = 192.168.0.0/24 //只允许该网段通过telnet访问
# no_access = 192.168.0.100 //不允许该IP通过telnet访问
# access_times = 9:00-18:00 //telnet服务开放的时间
}
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect //默认禁止root用户通过telnet登录
login: xfcy
Password:
Last login: Wed Dec 26 17:17:08 from rhel6
[xfcy@rhel6 ~]$ who
root pts/0 -12-27 12:01 (192.168.0.90)
xfcy pts/1 -12-27 12:18 (rhel5)
[xfcy@rhel6 ~]$ telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Connection closed by foreign host. //不允许第2个用户通过telnet登录
[root@rhel6 ~]# netstat -lntp | grep :23 //默认监听23号端口
tcp 0 0 :::23 :::* LISTEN 5169/xinetd
[xfcy@rhel6 ~]$ vi /etc/services //修改telnet服务的监听端口为230
telnet 230/tcp
telnet 230/udp
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@rhel6 ~]# netstat -lntp | grep :23
tcp 0 0 :::230 :::* LISTEN 5319/xinetd
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90... //默认通过23号端口无法访问telnet服务
telnet: connect to address 192.168.0.90: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@rhel5 ~]# telnet rhel6 230 //通过230端口可成功访问telnet服务
Trying 192.168.0.90...
Connected to (192.168.0.90).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: xfcy
Password:
Last login: Thu Dec 27 12:50:16 from rhel5
[xfcy@rhel6 ~]$ netstat -an | grep :23
tcp 0 0 192.168.0.90:230 192.168.0.89:51147 ESTABLISHED
tcp 0 0 :::230 :::* LISTEN
情况下,linux不允许root用户以telnet方式登录linux主机,若要允许root用户登录,可采取以下3种方法之一:
1.修改login文件
RedHat中对于远程登录的限制体现在/etc/pam.d/login 文件中,如果把限制的内容注销掉,那么限制将不起作用。
[root@rhel5 ~]# vi /etc/pam.d/login
#%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
2.移除securetty文件
验证规则设置在/etc/securetty 文件中,该文件定义root用户只能在tty1-tty11的终端上记录,移除该文件即可避开验证规则实现root用户远程登录。
[root@rhel5 ~]# mv /etc/securetty /etc/securetty.bak
3.修改securetty文件
[root@rhel5 ~]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11
