Privileges for remote connection in Linux

Remote connections to a machine running Linux—including those performed by the root user—are established according to authentication policies, which are set up by using Pluggable Authentication Modules for Linux, known as Linux-PAM.

For the authentication policies to work, we recommend installing the latest version of Linux-PAM for your Linux distribution. The latest stable source code of Linux-PAM is available at Linux-PAM source code Web page.

  Remote connection as the root user  

Remote connections by the root user are established according to the Acronisagent authentication policy, which is automatically set up during the installation of Acronis Backup & Recovery 10 Agent for Linux, by creating the file /etc/pam.d/Acronisagent with the following content:

  #%PAM-1.0
auth required pam_unix.so
auth required pam_rootok.so
account required pam_unix.so
  Remote connection as a non-root user  

Since accessing the system as the root user should be restricted, the root user can create an authentication policy to enable remote management under non-root credentials.

The following are two examples of such policies.

Note: As a result, the specified non-root users will be able to connect to the machine remotely as if they were root users. A security best practice is to make sure that the user accounts are hard to compromise—for example, by requiring that they have strong passwords.

  Example 1  

This authentication policy uses the pam_succeed_if module and works with Linux distributions with kernel version 2.6 or later. For an authentication policy which works with kernel version 2.4, see the next example.

Perform the following steps as the root user:

  1. Create the Acronis_Trusted group account, by running the following command:

    groupadd Acronis_Trusted

  2. Add the names of the non-root users, whom you want to allow to connect to the machine remotely, to the Acronis_Trusted group. For example, to add the existing user user_a to the group, run the following command:

    usermod -G Acronis_Trusted user_a

  3. Create the file /etc/pam.d/Acronisagent-trusted with the following content:

    #%PAM-1.0
    auth required pam_unix.so
    auth required pam_succeed_if.so user ingroup Acronis_Trusted
    account required pam_unix.so

  Example 2  

The above authentication policy might not work on Linux distributions with kernel version 2.4—including Red Hat Linux and VMware® ESX™ 3.5 Upgrade 2—because the pam_succeed_if.so module is not supported there.

In this case, you can use the following authentication policy.

  1. As the root user, create the file /etc/pam.d/Acronis_trusted_users
  2. Add the names of the non-root users whom you want to allow to manage the machine, to this file, one user name per line. For example, if you want to add the users user_a, user_b, and user_c, add the following three lines to the file:

    user_a
    user_b
    user_c

    If necessary, also add the root user to the file.

  3. Create the file /etc/pam.d/Acronisagent-trusted with the following content:

    #%PAM-1.0
    auth required pam_unix.so
    auth required pam_listfile.so item=user sense=allow file=/etc/pam.d/Acronis_trusted_users onerr=fail
    account required pam_unix.so

Privileges for remote connection in Linux