78
Copyright © Acronis, Inc., 2000-2010
Remote connection as a non-root user
Since accessing the system as the root user should be restricted, the root user can create an
authentication policy to enable remote management under non-root credentials.
The following are two examples of such policies.
Note:
As a result, the specified non-root users will be able to connect to the machine remotely as if they were
root users. A security best practice is to make sure that the user accounts are hard to compromise—for
example, by requiring that they have strong passwords.
Example 1
This authentication policy uses the pam_succeed_if module and works with Linux distributions with
kernel version 2.6 or later. For an authentication policy which works with kernel version 2.4, see the
next example.
Perform the following steps as the root user:
1.
Create the
Acronis_Trusted
group account, by running the following command:
groupadd Acronis_Trusted
2.
Add the names of the non-root users, whom you want to allow to connect to the machine
remotely, to the
Acronis_Trusted
group. For example, to add the existing user user_a to the
group, run the following command:
usermod -G Acronis_Trusted user_a
3.
Create the file
/etc/pam.d/Acronisagent-trusted
with the following content:
#%PAM-1.0
auth required pam_unix.so
auth required pam_succeed_if.so user ingroup Acronis_Trusted
account required pam_unix.so
Example 2
The above authentication policy might not work on Linux distributions with kernel version 2.4—
including Red Hat Linux and VMware
®
ESX™ 3.5 Upgrade 2—because the pam_succeed_if.so module
is not supported there.
In this case, you can use the following authentication policy.
1.
As the root user, create the file
/etc/pam.d/Acronis_trusted_users
2.
Add the names of the non-root users whom you want to allow to manage the machine, to this
file, one user name per line. For example, if you want to add the users user_a, user_b, and
user_c, add the following three lines to the file:
user_a
user_b
user_c
If necessary, also add the root user to the file.
3.
Create the file
/etc/pam.d/Acronisagent-trusted
with the following content:
#%PAM-1.0
auth required pam_unix.so
auth required pam_listfile.so item=user sense=allow
file=/etc/pam.d/Acronis_trusted_users onerr=fail
account required pam_unix.so