rootfiles
Description:
root 홈디렉토리에 필요한 기본 파일
Changes on AnNyung:
serial console로 접속시 LANG 환경 변수를 en_US.UTF-8로 변경
ISMS 인증 관련 정책 적용
root login 정책 제한
기본적으로 root로 login을 제한
사설 IP에서의 접근의 경우, tty console 만(non-intercative shell) 접속 가능
ssh root@host접속 불가ssh root@host "ls -al"가능
/root/.bashrc 에서 사용자 정의 가능
if [ -n "${SSH_CLIENT}" ]; then
NETWORK_A_CLASS="${SSH_CLIENT%%.*}."
# console type
# non-interactive mode => serial
# interactive mode (login shell) => pty
contype="$(/sbin/consoletype 2> /dev/null)"
#
# allow with A class
#
if [ -z "${LOGIN_ACCESS}" ]; then
case "${NETWORK_A_CLASS}" in
"10.")
#
# Allow non-interactive shell from private network range
#
# If you want to allow only interactive shell
# [ "${contype}" = "pty" ] && LOGIN_ACCESS="yes"
#
# If you want to allow both interactive and non-interactive shell
# LOGIN_ACCESS="yes"
#
[ "${contype}" != "pty" ] && LOGIN_ACCESS="yes"
;;
esac
fi
#
# allow with B Class
#
if [ -z "${LOGIN_ACCESS}" ]; then
# ssh_client format: IP_ADDRESS:CONNECT_PORT
ssh_client=$(echo ${SSH_CLIENT} | /bin/awk '{print $1":"$3'})
NETWORK_B_CLASS=$(echo ${ssh_client} | /bin/sed -e 's/\(\([0-9]\+\.\)\{2\}\).*/\1/g' 2> /dev/null)
NETWORK_C_CLASS=$(echo ${ssh_client} | /bin/sed -e 's/\(\([0-9]\+\.\)\{3\}\).*/\1/g' 2> /dev/null)
case "${NETWORK_B_CLASS}" in
"172.16."|"192.168.")
#
# Allow non-interactive shell from private network range
#
[ "${contype}" != "pty" ] && LOGIN_ACCESS="yes"
;;
esac
fi
#
# allow with C Class
#
if [ -z "${LOGIN_ACCESS}" ]; then
case "${NETWORK_C_CLASS}" in
#"211.37.6.")
# [ "${contype}" != "pty" ] && LOGIN_ACCESS="yes"
# ;;
*)
#
# allow per host
#
case "${ssh_client}" in
#"1.1.1.1:22")
# [ "${contype}" != "pty" ] && LOGIN_ACCESS="yes"
# ;;
#"143.1.1.1:2020")
# [ "${contype}" != "pty" ] && LOGIN_ACCESS="yes"
# ;;
*)
LOGIN_ACCESS=""
esac
;;
esac
fi
[ -z "$LOGIN_ACCESS" ] && \
echo -en "* \\033[1;31mNotice:\\033[0;39m" && \
echo " You can't access root privileges with remote access!" && \
exit
fiSub packages:
Last updated
Was this helpful?