Setting up an ordinary AIX account that can unlock accounts: the implementation (original)

Published: 2007-06-08

    On AIX, smit failed_logins can unlock an account that was locked after too many wrong passwords, but it needs root. The company did not want to drag the AIX administrator out of bed in the middle of the night just because one account got locked, so at the company's request I wrote the script below. It creates an ordinary account called "infra" that the colleagues on night shift can use to unlock locked accounts on the AIX servers.

    A few more points:
1. chsec is used instead of smit because inside smit F9 or ESC+9 opens a shell, which is a security hole;
2. The script does not unlock every locked account automatically, because some accounts are locked on purpose and are only unlocked temporarily at particular times;
3. The script lives in /usr/bin/infralogon.sh rather than in $HOME/.profile out of respect for my colleagues' opinion, although I personally prefer $HOME/.profile;
4. If infra itself gets locked, only root can unlock it. That is unlikely, but anyone who can reach the telnet port can cause it deliberately by failing infra's password five times, so a root fallback still has to exist.
    Three things worth checking before rolling this out: the script gives infra read access only on /etc/security/lastlog, so the reset relies on chsec being setuid root (check with ls -l `which chsec`); the script treats 5 or more failures as "locked", which has to match loginretries in /etc/security/user (lssec -f /etc/security/user -s default -a loginretries), otherwise the list it shows is wrong; and after the rollout, log in as infra from another machine and confirm that the only thing the account can do is answer the unlock prompt.

    The whole implementation process is as follows:
1. Use the root account to run this shell script to create a user named infra that can reset failed login counts only.
#!/usr/bin/ksh
# Create a user named infra whose only purpose is resetting failed login counts.
mkuser -a pgrp='nobody' infra

# Change the login program of this user: append the script name to the shell
# field of infra's line in /etc/passwd, so that login runs
# "/usr/bin/ksh /usr/bin/infralogon.sh".
# A backup is kept as /etc/passwd followed by a timestamp (yymmddHHMMSS).
# "ed" edits the file in place, which is safer than the sed/cat round trip
# shown commented out below.
cp /etc/passwd /etc/passwd`date +"%y%m%d%H%M%S"`
ed /etc/passwd <<!
/^infra:/s/$/ \/usr\/bin\/infralogon.sh/
w
q
!
#cp /etc/passwd /etc/passwd.tmp1
#sed -e '/^infra:/s/$/ \/usr\/bin\/infralogon.sh/' /etc/passwd.tmp1 >/etc/passwd.tmp2
#cat /etc/passwd.tmp2 >/etc/passwd
#rm /etc/passwd.tmp[12]

# Change the ACLs of the three files.  aclget prints an ACL in this form:
#   attributes:
#   base permissions
#       owner(root):  rwx
#       ...
#   extended permissions
#       disabled
# The sed keeps everything up to the "extended permissions" line, and the two
# echoes replace "disabled" with an enabled entry for infra.  The "p" at the
# end of the sed command is required: "sed -n" with a bare address range
# prints nothing.
aclget /etc/security >/tmp/acl1
sed -n '/^attributes:/,/^extended permissions/p' /tmp/acl1 >/tmp/acl2
echo "    enabled" >>/tmp/acl2
echo "    permit r-x u:infra" >>/tmp/acl2
aclput -i /tmp/acl2 /etc/security

# Read access only: the counter is written by chsec, never by infra directly.
aclget /etc/security/lastlog >/tmp/acl1
sed -n '/^attributes:/,/^extended permissions/p' /tmp/acl1 >/tmp/acl2
echo "    enabled" >>/tmp/acl2
echo "    permit r-- u:infra" >>/tmp/acl2
aclput -i /tmp/acl2 /etc/security/lastlog

aclget `which chsec` >/tmp/acl1
sed -n '/^attributes:/,/^extended permissions/p' /tmp/acl1 >/tmp/acl2
echo "    enabled" >>/tmp/acl2
echo "    permit r-x u:infra" >>/tmp/acl2
aclput -i /tmp/acl2 `which chsec`
rm /tmp/acl[12]

# Create the file /usr/bin/infralogon.sh.  A quoted here-document is used so
# that $? and $username reach the file literally.  With echo "..." they would
# be expanded right now by root's shell, and the generated loop would read
# "while [ 0 = 0 ]" and call chsec with an empty name instead of the one typed.
cat >/usr/bin/infralogon.sh <<'EOF'
#!/usr/bin/ksh
# Print every stanza of /etc/security/lastlog whose unsuccessful_login_count is
# 5 or more (grep -p prints the whole paragraph around a matching line).  The
# pattern is anchored with " *$" so that a count of 10 or 12 is not mistaken
# for 1 or 2; the lines carry trailing blanks, hence the " *".
cat /etc/security/lastlog |grep -vp "unsuccessful_login_count = [0-4] *$" |grep -v '^\*' |grep -v '^$'
while [ $? = 0 ];do
  echo Press ctrl+c to logout, or input the account\'s name to reactivate it:
  read username
  chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$username"
done
echo No account needs to be reactivated. bye!
EOF
chmod a+rx /usr/bin/infralogon.sh

2. Set the password of this account.
For example:
# passwd infra
Changing password for "infra"
infra's New password: (The quickest way is to leave it empty and just press Enter. Until the first login below is done, however, the account can then be entered over the network without any password, so a throwaway temporary password is safer.)
Enter the new password again:
# tn 127.0.0.1
Trying...
Connected to 127.0.0.1.
Escape character is '^T'.


telnet (idish1b)


AIX Version 5
(C) Copyrights by IBM and by others 1982, 2000.
login: infra
3004-610 You are required to change your password.
        Please choose a new one.

infra's New password: (Now set the password you really want.)
Enter the new password again:


3. How to reset a locked account?
For example:
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 4.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*  IBM's internal systems must only be used for conducting IBM's business or  *
*  for purposes authorized by IBM MANAGEMENT!!! Use is subject to audit at any*
*  time by IBM management.                                                    *
*                                                                             *
*******************************************************************************

renton:
        time_last_login = 1097702111
        tty_last_login = /dev/pts/0     
        host_last_login = 9.181.182.157                                  
        unsuccessful_login_count = 6        
        time_last_unsuccessful_login = 1098972888
        tty_last_unsuccessful_login = /dev/pts/0     
        host_last_unsuccessful_login = 9.181.182.155                                  
tony:
        time_last_unsuccessful_login = 1111441748
        tty_last_unsuccessful_login = /dev/pts/0     
        host_last_unsuccessful_login = 9.181.186.23                                   
        unsuccessful_login_count = 6        
        time_last_login = 1105545339
        tty_last_login = /dev/pts/2     
        host_last_login = 9.184.83.88            (When you log in as infra, you see all the locked accounts and their other information.)
Press ctrl+c to logout, or input the account's name to reactivate it:
tony
Press ctrl+c to logout, or input the account's name to reactivate it:
renton
Press ctrl+c to logout, or input the account's name to reactivate it:
^C
Connection closed.
#

4. All the files affected by the shell script in step 1.
You can use the following commands to inspect them:
cat /etc/passwd |grep ^infra
aclget /etc/security
aclget /etc/security/lastlog
aclget `which chsec`
cat /usr/bin/infralogon.sh
ls -l /usr/bin/infralogon.sh

    To cut down the time needed to roll this out on several AIX machines, the implementation itself is also done mostly by script. From the process above it is easy to see that infra's login script is really /usr/bin/infralogon.sh, whose content is:
#!/usr/bin/ksh
cat /etc/security/lastlog |grep -vp "unsuccessful_login_count = [0-4] *$" |grep -v '^\*' |grep -v '^$'
while [ $? = 0 ];do
  echo Press ctrl+c to logout, or input the account\'s name to reactivate it:
  read username
  chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$username"
done
echo No account needs to be reactivated. bye!

    If needed, logging can be added; the script then becomes:
#!/usr/bin/ksh
# The "**" markers are quoted so the shell does not try to expand them as
# file name patterns.
echo; echo >> $HOME/infra.log
echo "**date" >> $HOME/infra.log
date >> $HOME/infra.log
echo "**who am i" >> $HOME/infra.log
who am i >> $HOME/infra.log
# Resolve the client address that "who am i" prints in parentheses as its
# last field; tr -d strips the parentheses.
host `who am i |awk '{print $NF}' |tr -d "()"` >> $HOME/infra.log
echo "**w" >> $HOME/infra.log
w >> $HOME/infra.log
echo "**The unlocked user(s)" >> $HOME/infra.log
cat /etc/security/lastlog |grep -vp "unsuccessful_login_count = [0-4] *$" |grep -v '^\*' |grep -v '^$'
while [ $? = 0 ];do
  echo Press ctrl+c to logout, or input the account\'s name to reactivate it:
  read username
  echo "$username" >> $HOME/infra.log
  chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$username"
done
echo No account needs to be reactivated. bye!

    Afterwards we can look at /home/infra/infra.log and see when, and from which computer (IP and full name), someone connected to the server and which accounts were unlocked; we also see which accounts were logged in at that moment, among them perhaps the colleague from another department who asked for the unlock, which helps when questions come up later. One thing to keep in mind: the log lives in infra's own home directory, so the operator who uses the account can edit it; if the record has to be trustworthy, also send each entry to syslog with logger so that a copy ends up outside infra's control. An excerpt of /home/infra/infra.log:
**date
Thu Apr  7 15:45:37 BEIDT 2005
**who am i
infra       pts/1       Apr 07 15:45     (9.181.171.48) 
mycomputer.mycompany.com is 9.181.171.48
**w
  03:45PM   up 52 days,   7:27,  2 users,  load average: 0.00, 0.01, 0.01
User     tty          login@       idle      JCPU      PCPU what
myname   pts/0       02:56PM          1         0         0 -ksh
infra    pts/1       03:45PM          0         0         0 w
**The unlocked user(s)
test
test1
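The login script and its logging variant above show the stanzas with an unanchored grep and hand whatever the operator types straight to chsec. The following is an added example, not code from the original post: it parses the /etc/security/lastlog stanza format with awk and compares the counter as a number (so a count of 10 is never taken for 1), checks the name typed against the list of locked accounts before the reset command runs, and appends one line per attempt to a log file in the spirit of the logging variant. It is written in POSIX sh so it can be tried on any machine; the sample stanza file, the account names in it, and the UNLOCK_CMD parameter are constructed for the example. On AIX the unlock command would be the chsec invocation from the post, and the threshold should come from loginretries in /etc/security/user.

```sh
#!/bin/sh
# Added example (not from the original post): safer handling of
# /etc/security/lastlog stanzas for the infra unlock prompt.

# write_sample_lastlog FILE: writes a constructed sample in the stanza format
# of /etc/security/lastlog (names and values are made up for this example).
write_sample_lastlog() {
    cat >"$1" <<'EOF'
*
* constructed sample, not a real lastlog
*
renton:
        time_last_login = 1097702111
        unsuccessful_login_count = 6
tony:
        unsuccessful_login_count = 10
        time_last_login = 1105545339
alice:
        unsuccessful_login_count = 0
        time_last_login = 1105545339
bob:
        time_last_login = 1105545339
EOF
}

# locked_accounts FILE THRESHOLD: prints one name per line for every stanza
# whose unsuccessful_login_count is >= THRESHOLD.  The value is compared as a
# number, so the unanchored-regex problem ("= 1" matching "= 10") cannot occur.
# Comment lines start with "*"; stanzas without a count line are not locked.
locked_accounts() {
    awk -v thr="$2" '
        /^[^ \t*].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); name = $0; next }
        /^[ \t]+unsuccessful_login_count[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            if (name != "" && kv[2] + 0 >= thr + 0) print name
        }
    ' "$1"
}

# is_locked NAME FILE THRESHOLD: succeeds only if NAME is currently locked,
# so operator input is validated before anything reaches the reset command.
is_locked() {
    locked_accounts "$2" "$3" | grep -qxF -- "$1"
}

# unlock_loop FILE THRESHOLD LOG UNLOCK_CMD: reads names from stdin, resets
# only the locked ones and appends one line per attempt to LOG.  UNLOCK_CMD is
# a command prefix that gets the name as its last argument; on AIX it would be
#   chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s
# (assumed here, taken from the post).  Returns 1 if the reset command fails.
unlock_loop() {
    file=$1; thr=$2; log=$3; unlock=$4
    while read -r username; do
        stamp=$(date '+%Y-%m-%d %H:%M:%S')
        if ! is_locked "$username" "$file" "$thr"; then
            printf '%s refused %s (not locked)\n' "$stamp" "$username" >>"$log"
            echo "$username: not a locked account, ignored" >&2
            continue
        fi
        if $unlock "$username"; then
            printf '%s unlocked %s\n' "$stamp" "$username" >>"$log"
        else
            printf '%s FAILED %s\n' "$stamp" "$username" >>"$log"
            return 1
        fi
    done
    return 0
}

# Stand-alone demo with the constructed sample; threshold 5 matches the post.
demo_lastlog=/tmp/lastlog.sample.$$
write_sample_lastlog "$demo_lastlog"
echo "Locked accounts (threshold 5):"
locked_accounts "$demo_lastlog" 5
rm -f "$demo_lastlog"
```

To use it as the infra login program, replace the demo at the bottom with a call such as unlock_loop /etc/security/lastlog 5 $HOME/infra.log "chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s", keeping the page's Ctrl+C-to-logout behaviour; the refused entries in the log also record typos and attempts on accounts that were never locked.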

========================================================
Let me copy what others do, heh!
Reproduction in any form must credit the source:
email: beginner@yeah.net
website: http://blog.chinaunix.net/index.php?blogId=739
========================================================

Reprinted from: http://www.ltesting.net