Linuxã®ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒè§£é™¤ã§ããªã„ (2009/10/14)
カテゴリー: OSã«ã¤ã„ã¦
投稿者: shinichi
XDMCP接続ã§Linuxサーãƒãƒ¼ã«æŽ¥ç¶šã—ã¦ã‚‹ã®ã§ã™ãŒã€ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒå®Ÿè¡Œã•ã‚ŒãŸå¾Œã€ãƒ‘スワード解除ãŒå‡ºæ¥ãªã„ã¨ã„ã†å•é¡ŒãŒç™ºç”Ÿã—ã¾ã—ãŸã€‚
パスワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚Šã¾ã—ãŸã€‚
パスワードを入力ã—ã¾ã™ã€‚
èªè¨¼ã«å¤±æ•—ã—ã€ãƒ‘スワード入力欄ã«"Sorry!"ã¨è¡¨ç¤ºã•ã‚Œã¾ã™ã€‚
デフォルトã§ã®è¨å®šã¯ã€ã‚¢ã‚¤ãƒ‰ãƒ«æ™‚é–“ãŒ10分ã‚ã‚‹ã¨ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒèµ·å‹•ã—ã€è§£é™¤ã™ã‚‹ã«ã¯ãƒ‘スワードを入力ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
スクリーンセーãƒãƒ¼ã®è¨å®šã«ã¤ã„ã¦ã¯/usr/X11R6/lib/X11/app-defaultsã«ã‚ã‚‹XScreenSaverã«è¨˜è¿°ã•ã‚Œã¦ã„ã¾ã™ã€‚
スクリーンセーãƒãƒ¼èµ·å‹•æ™‚é–“ã¯
*timeout:00:10:00
パスワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚‹è¨å®šã«ã¤ã„ã¦ã¯
*lock:True
ã“ã®ç¾è±¡ãŒç™ºç”Ÿã—ãŸã¨ãã€
messagesã«ã¯
Oct 13 11:23:31 hostname pam_tally[30076]: Error opening /var/log/faillog for update
Oct 13 11:23:33 hostname pam_tally[30076]: Error opening /var/log/faillog for update
Oct 13 11:23:33 hostname xscreensaver(pam_unix)[30076]: authentication failure; logname= uid=500 euid=500 tty=:0.0 ruser= rhost= user=root
Oct 13 11:23:33 hostname xscreensaver[30076]: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=test-domain,dc=com" (Invalid credentials)
secureã«ã¯
Oct 13 11:23:35 hostname xscreensaver[30076]: FAILED LOGIN 2 ON DISPLAY "123.456.789.123:0.0", FOR "adminuser"
ã¨æ›¸ã‹ã‚Œã¾ã™ã®ã§/var/log/faillog(ãƒã‚°ã‚¤ãƒ³å¤±æ•—回数を記録ã™ã‚‹ãƒ•ã‚¡ã‚¤ãƒ«)ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«å¤±æ•—ã—ã¦ã„ã‚‹ã¨æ€ã‚ã‚Œã¾ã™ã€‚
secureã®"FAILED LOGIN 2 ON"ã®ã‚«ã‚¦ãƒ³ãƒˆã¯å¤±æ•—ã™ã‚‹ã”ã¨ã«å¢—ãˆã¦ã„ãã¾ã™ãŒã€pam_tallyã®ã‚«ã‚¦ãƒ³ãƒˆã¨ã¯é•ã†ã‚ˆã†ã§ã™ã€‚
ã„ã‚ã„ã‚調ã¹ã¦ã¿ã‚‹ã¨system-authã®authã«æ›¸ã„ã¦ã„ã‚‹pam_tally.soã®ä¸ã§ã€"onerr=fail"を消ã™ã¨å‹•ãã¨ã„ã†ã®ã§è©¦ã—ã¦ã¿ã‚‹ã¨ãƒ‘スワード解除ãŒå‡ºæ¥ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚
ã“ã®"onerr=fail"ã¯ãƒ‘スワードファイルç‰ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«å¤±æ•—ã—ãŸå ´åˆã«ã¯èªè¨¼å¤±æ•—ã¨ã™ã‚‹æ„味ã§ã™ã®ã§ã€ä»Šå›žã®äº‹è±¡ã§ã¯ã¾ã•ã«ãƒ‰ãƒ³ã´ã—ゃりï¼
ãŸã ã€ã“れをã¯ãšã—ã¦ãŠãã¨é€šå¸¸ã®ãƒã‚°ã‚¤ãƒ³æ™‚ã«èªè¨¼ãŒå¼±ããªã£ã¦ã—ã¾ã„ãã†ãªã®ã§ã¤ã‘ã¦ãŠããŸã„オプション。
今回ã¯å¯¾å‡¦ç™‚法的ã«ã€ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ã®è¨å®šã§ãƒ‘スワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚‰ãªã„よã†ã«ã—ã¾ã™ã€‚å‰è¿°ãƒ•ã‚¡ã‚¤ãƒ«ã®*lockã‚’Falseã«ã™ã‚Œã°ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒèµ·å‹•ã—ã¦ã‚‚ãƒãƒƒã‚¯ã¯ã•ã‚Œãªããªã‚Šã¾ã™ã€‚
ã¾ãŸã€Linuxå´ã§ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒã‹ã‹ã‚‰ãªã„よã†ã«*timeoutã®æ™‚é–“ã‚‚24:00:00ã«ã™ã‚‹ã“ã¨ã«ã—ã¾ã—ãŸã€‚Linuxå´ã§ã¯ãªãã€XDMCPã§æŽ¥ç¶šã—ã¦ã„ã‚‹å…ƒã®Windowsã§ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ã¨ãƒ‘スワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚Œã°è‰¯ã„ã¨ã„ã†è©±ã§ã¾ã¨ã¾ã‚Šã¾ã—ãŸã®ã§ã€‚
今回æ€ã„切ã£ã¦ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ã‚’アンインストールã—よã†ã¨ã‚‚考ãˆãŸã®ã§ã™ãŒã€ä¾å˜é–¢ä¿‚ãŒå¤šãã¦ã¡ã‚‡ã£ã¨æ€–ã„ã®ã§ã‚„ã‚ã¾ã—ãŸã€‚本番システムã ã—。
ã¡ãªã¿ã«ã€ä»Šå›žã®äº‹è±¡ã«ã¤ã„ã¦ã¯ä¸‹è¨˜ã«è¨˜è¼‰ãŒã‚ã‚Šã¾ã—ãŸã€‚
Securing and Hardening Red Hat Linux Production Systemsã¨ã„ã†ãƒ‰ã‚ュメント内ã®Locking User Accounts After Too Many Login Failuresセクションã®NOTEã§ã™ã€‚以下引用
Since the /var/log/faillog is owned by root and only root can write to the /var/log/faillog file, xscreensaver and vlock won't work correctly. Each time xscreensaver or vlock is executed as a non-root user, you won't be able to do an unlock since these programs can't write to /var/log/faillog. I don't have a good solution for that. I can only think of setting the SUID bits on these programs.
訳:
/var/log/faillogã¯root所有ã§rootã®ã¿ãŒæ›¸ãè¾¼ã¿å¯èƒ½ãªãƒ•ã‚¡ã‚¤ãƒ«ã§ã™ã®ã§ã€xscreensaverã‚‚ã—ãã¯vlockã¯æ£å¸¸ã«å‹•ä½œã—ã¾ã›ã‚“。xscreensaverã‚‚ã—ãã¯vlockãŒnon-rootユーザーã§å®Ÿè¡Œã•ã‚ŒãŸå ´åˆã€ãƒãƒƒã‚¯è§£é™¤ã‚’ã™ã‚‹ã“ã¨ãŒå‡ºæ¥ã¾ã›ã‚“。ã“れらã®ãƒ—ãƒã‚°ãƒ©ãƒ ãŒ/var/log/faillogを変更ã™ã‚‹ã“ã¨ãŒå‡ºæ¥ãªã„為ã§ã™ã€‚ã“ã‚Œã«ã¤ã„ã¦è§£æ±ºç–ã¯ã‚ã‚Šã¾ã›ã‚“。xscreensaverã‚‚ã—ãã¯vlockã«SUIDビットをè¨å®šã™ã‚Œã°è‰¯ã„ã®ã§ã¯ãªã„ã‹ã¨è€ƒãˆã¦ã„ã¾ã™ã€‚
今回ã®äº‹è±¡ã¯RHEL3/4ã§ç™ºç”Ÿã—ã¾ã™ã€‚
パスワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚Šã¾ã—ãŸã€‚
パスワードを入力ã—ã¾ã™ã€‚
èªè¨¼ã«å¤±æ•—ã—ã€ãƒ‘スワード入力欄ã«"Sorry!"ã¨è¡¨ç¤ºã•ã‚Œã¾ã™ã€‚
デフォルトã§ã®è¨å®šã¯ã€ã‚¢ã‚¤ãƒ‰ãƒ«æ™‚é–“ãŒ10分ã‚ã‚‹ã¨ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒèµ·å‹•ã—ã€è§£é™¤ã™ã‚‹ã«ã¯ãƒ‘スワードを入力ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
スクリーンセーãƒãƒ¼ã®è¨å®šã«ã¤ã„ã¦ã¯/usr/X11R6/lib/X11/app-defaultsã«ã‚ã‚‹XScreenSaverã«è¨˜è¿°ã•ã‚Œã¦ã„ã¾ã™ã€‚
スクリーンセーãƒãƒ¼èµ·å‹•æ™‚é–“ã¯
*timeout:00:10:00
パスワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚‹è¨å®šã«ã¤ã„ã¦ã¯
*lock:True
ã“ã®ç¾è±¡ãŒç™ºç”Ÿã—ãŸã¨ãã€
messagesã«ã¯
Oct 13 11:23:31 hostname pam_tally[30076]: Error opening /var/log/faillog for update
Oct 13 11:23:33 hostname pam_tally[30076]: Error opening /var/log/faillog for update
Oct 13 11:23:33 hostname xscreensaver(pam_unix)[30076]: authentication failure; logname= uid=500 euid=500 tty=:0.0 ruser= rhost= user=root
Oct 13 11:23:33 hostname xscreensaver[30076]: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=test-domain,dc=com" (Invalid credentials)
secureã«ã¯
Oct 13 11:23:35 hostname xscreensaver[30076]: FAILED LOGIN 2 ON DISPLAY "123.456.789.123:0.0", FOR "adminuser"
ã¨æ›¸ã‹ã‚Œã¾ã™ã®ã§/var/log/faillog(ãƒã‚°ã‚¤ãƒ³å¤±æ•—回数を記録ã™ã‚‹ãƒ•ã‚¡ã‚¤ãƒ«)ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«å¤±æ•—ã—ã¦ã„ã‚‹ã¨æ€ã‚ã‚Œã¾ã™ã€‚
secureã®"FAILED LOGIN 2 ON"ã®ã‚«ã‚¦ãƒ³ãƒˆã¯å¤±æ•—ã™ã‚‹ã”ã¨ã«å¢—ãˆã¦ã„ãã¾ã™ãŒã€pam_tallyã®ã‚«ã‚¦ãƒ³ãƒˆã¨ã¯é•ã†ã‚ˆã†ã§ã™ã€‚
ã„ã‚ã„ã‚調ã¹ã¦ã¿ã‚‹ã¨system-authã®authã«æ›¸ã„ã¦ã„ã‚‹pam_tally.soã®ä¸ã§ã€"onerr=fail"を消ã™ã¨å‹•ãã¨ã„ã†ã®ã§è©¦ã—ã¦ã¿ã‚‹ã¨ãƒ‘スワード解除ãŒå‡ºæ¥ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚
ã“ã®"onerr=fail"ã¯ãƒ‘スワードファイルç‰ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«å¤±æ•—ã—ãŸå ´åˆã«ã¯èªè¨¼å¤±æ•—ã¨ã™ã‚‹æ„味ã§ã™ã®ã§ã€ä»Šå›žã®äº‹è±¡ã§ã¯ã¾ã•ã«ãƒ‰ãƒ³ã´ã—ゃりï¼
ãŸã ã€ã“れをã¯ãšã—ã¦ãŠãã¨é€šå¸¸ã®ãƒã‚°ã‚¤ãƒ³æ™‚ã«èªè¨¼ãŒå¼±ããªã£ã¦ã—ã¾ã„ãã†ãªã®ã§ã¤ã‘ã¦ãŠããŸã„オプション。
今回ã¯å¯¾å‡¦ç™‚法的ã«ã€ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ã®è¨å®šã§ãƒ‘スワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚‰ãªã„よã†ã«ã—ã¾ã™ã€‚å‰è¿°ãƒ•ã‚¡ã‚¤ãƒ«ã®*lockã‚’Falseã«ã™ã‚Œã°ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒèµ·å‹•ã—ã¦ã‚‚ãƒãƒƒã‚¯ã¯ã•ã‚Œãªããªã‚Šã¾ã™ã€‚
ã¾ãŸã€Linuxå´ã§ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ãŒã‹ã‹ã‚‰ãªã„よã†ã«*timeoutã®æ™‚é–“ã‚‚24:00:00ã«ã™ã‚‹ã“ã¨ã«ã—ã¾ã—ãŸã€‚Linuxå´ã§ã¯ãªãã€XDMCPã§æŽ¥ç¶šã—ã¦ã„ã‚‹å…ƒã®Windowsã§ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ã¨ãƒ‘スワードãƒãƒƒã‚¯ãŒã‹ã‹ã‚Œã°è‰¯ã„ã¨ã„ã†è©±ã§ã¾ã¨ã¾ã‚Šã¾ã—ãŸã®ã§ã€‚
今回æ€ã„切ã£ã¦ã‚¹ã‚¯ãƒªãƒ¼ãƒ³ã‚»ãƒ¼ãƒãƒ¼ã‚’アンインストールã—よã†ã¨ã‚‚考ãˆãŸã®ã§ã™ãŒã€ä¾å˜é–¢ä¿‚ãŒå¤šãã¦ã¡ã‚‡ã£ã¨æ€–ã„ã®ã§ã‚„ã‚ã¾ã—ãŸã€‚本番システムã ã—。
ã¡ãªã¿ã«ã€ä»Šå›žã®äº‹è±¡ã«ã¤ã„ã¦ã¯ä¸‹è¨˜ã«è¨˜è¼‰ãŒã‚ã‚Šã¾ã—ãŸã€‚
Securing and Hardening Red Hat Linux Production Systemsã¨ã„ã†ãƒ‰ã‚ュメント内ã®Locking User Accounts After Too Many Login Failuresセクションã®NOTEã§ã™ã€‚以下引用
Since the /var/log/faillog is owned by root and only root can write to the /var/log/faillog file, xscreensaver and vlock won't work correctly. Each time xscreensaver or vlock is executed as a non-root user, you won't be able to do an unlock since these programs can't write to /var/log/faillog. I don't have a good solution for that. I can only think of setting the SUID bits on these programs.
訳:
/var/log/faillogã¯root所有ã§rootã®ã¿ãŒæ›¸ãè¾¼ã¿å¯èƒ½ãªãƒ•ã‚¡ã‚¤ãƒ«ã§ã™ã®ã§ã€xscreensaverã‚‚ã—ãã¯vlockã¯æ£å¸¸ã«å‹•ä½œã—ã¾ã›ã‚“。xscreensaverã‚‚ã—ãã¯vlockãŒnon-rootユーザーã§å®Ÿè¡Œã•ã‚ŒãŸå ´åˆã€ãƒãƒƒã‚¯è§£é™¤ã‚’ã™ã‚‹ã“ã¨ãŒå‡ºæ¥ã¾ã›ã‚“。ã“れらã®ãƒ—ãƒã‚°ãƒ©ãƒ ãŒ/var/log/faillogを変更ã™ã‚‹ã“ã¨ãŒå‡ºæ¥ãªã„為ã§ã™ã€‚ã“ã‚Œã«ã¤ã„ã¦è§£æ±ºç–ã¯ã‚ã‚Šã¾ã›ã‚“。xscreensaverã‚‚ã—ãã¯vlockã«SUIDビットをè¨å®šã™ã‚Œã°è‰¯ã„ã®ã§ã¯ãªã„ã‹ã¨è€ƒãˆã¦ã„ã¾ã™ã€‚
今回ã®äº‹è±¡ã¯RHEL3/4ã§ç™ºç”Ÿã—ã¾ã™ã€‚
