
Linux Tutorial FG257-User Account Security

Summary: This 风哥 tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes the configuration and use of the relevant technologies in detail.

This document describes in detail how to configure and manage Linux user accounts securely.

Part01-User Account Management

1.1 User Account Security Configuration

# List user accounts
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user1:x:1000:1000:User One:/home/user1:/bin/bash

# View the password (shadow) file
$ sudo cat /etc/shadow
root:$6$rounds=5000$salt$hash:19000:0:99999:7:::
user1:$6$rounds=5000$salt$hash:19000:0:99999:7:::

# Create a user (home directory, bash shell, member of wheel)
$ sudo useradd -m -s /bin/bash -G wheel user2

# Set the password
$ sudo passwd user2
Changing password for user user2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# Lock the account (prefixes the password hash with "!")
$ sudo usermod -L user2

# Unlock the account
$ sudo usermod -U user2

# Delete the user together with the home directory
$ sudo userdel -r user2

# Change the user's shell to a non-login shell
$ sudo usermod -s /sbin/nologin user1

# Set an account expiry date
$ sudo chage -E 2026-12-31 user1

# Show the account's ageing information
$ sudo chage -l user1
Last password change : Apr 04, 2026
Password expires : never
Password inactive : never
Account expires : Dec 31, 2026
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
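The commands above show how to inspect and change individual accounts; the following added example (not part of the tutorial) turns that into a repeatable review. It reads a passwd-format and a shadow-format file given as arguments, so it runs on copies or on the constructed sample in `demo_audit`, and reports second UID 0 accounts, empty passwords, locked accounts that still have a login shell, MD5 hashes and regular accounts without an expiry date.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: an account-review helper
# in the spirit of "review user accounts regularly". It reads a passwd-format
# and a shadow-format file given as arguments (copies, or the constructed
# samples below), so it can be run offline before touching /etc.
audit_accounts() {
    awk -F: '
        # First file (shadow): remember password hash and expiry date per user
        NR == FNR { hash[$1] = $2; expire[$1] = $8; next }
        # Second file (passwd): evaluate each account
        {
            user = $1; uid = $3; shell = $7
            pw = ($2 == "x") ? hash[user] : $2
            interactive = (shell !~ /(nologin|false)$/)
            if (uid == 0 && user != "root")      print "UID0-NOT-ROOT " user
            if (interactive && pw == "")         print "EMPTY-PASSWORD " user
            if (interactive && pw ~ /^[!*]/)     print "LOCKED-BUT-SHELL " user
            if (interactive && pw ~ /^[$]1[$]/)  print "MD5-HASH " user
            if (interactive && uid >= 1000 && expire[user] == "")
                                                 print "NO-EXPIRY " user
        }' "$2" "$1"
}

# Constructed sample data (not real accounts) that exercises every check.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user1:x:1000:1000:User One:/home/user1:/bin/bash
user2:x:1001:1001:User Two:/home/user2:/bin/bash
extra0:x:0:0:Second uid 0:/root:/bin/bash
svc:x:1002:1002:Service:/home/svc:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$rounds=5000$salt$hash:19000:0:99999:7:::
bin:*:19000::::::
user1:$6$rounds=5000$salt$hash:19000:0:99999:7::20818:
user2:!$6$rounds=5000$salt$hash:19000:0:99999:7:::
extra0:$1$salt$hash:19000:0:99999:7:::
svc::19000:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
```

On a real host run it as `audit_accounts /etc/passwd /etc/shadow` with root privileges; the LOCKED-BUT-SHELL finding is the case where `usermod -L` was used without also setting `/sbin/nologin`.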

Part02-Password Policy Configuration

2.1 Configure Password Complexity

# Install the password quality checking tool
$ sudo dnf install -y libpwquality

# Configure the password policy
$ sudo tee /etc/security/pwquality.conf << EOF
minlen = 12
minclass = 4
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxclassrepeat = 3
reject_username
gecoscheck
enforce_for_root
EOF

# Configure the password ageing policy
# (append rather than overwrite: login.defs holds other required settings
# such as UID_MIN, and a later entry overrides an earlier one)
$ sudo tee -a /etc/login.defs << EOF
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
EOF

# Configure the account lockout policy
$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-faillock
$ sudo authselect enable-feature with-faillock

# Configure faillock parameters
$ sudo tee /etc/security/faillock.conf << EOF
dir = /var/log/faillock
audit
silent
deny = 5
fail_interval = 900
unlock_time = 1800
even_deny_root
root_unlock_time = 3600
EOF

# View failed login records
$ sudo faillock --user user1
user1:
When                Type  Source                                           Valid
2026-04-04 02:10:00 TTY   pts/0                                                V
2026-04-04 02:10:05 TTY   pts/0                                                V
2026-04-04 02:10:10 TTY   pts/0                                                V

# Unlock the account
$ sudo faillock --user user1 --reset

# Test password strength
$ pwscore
输入密码: MyPassword123!
100
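To reason about what the pwquality.conf settings above accept before enforcing them, the following added example (not code from the tutorial or from libpwquality) re-implements four of those rules in POSIX shell: minlen, minclass, maxrepeat and reject_username. It is a simplification: pam_pwquality also runs dictionary, similarity and reversed-username checks, which are left out here.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a simplified check that
# mirrors four rules from the pwquality.conf shown above. The real module
# also applies dictionary, similarity and maxclassrepeat checks.
MINLEN=12       # minlen = 12
MINCLASS=4      # minclass = 4
MAXREPEAT=3     # maxrepeat = 3

# Usage: check_password <password> <username>
# Returns 0 if the password is accepted, 1 if rejected (reason is printed).
check_password() {
    pw=$1
    user=$2

    # minlen: reject anything shorter than MINLEN characters
    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "rejected: shorter than $MINLEN characters"
        return 1
    fi

    # minclass: count how many of the four character classes are present
    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt "$MINCLASS" ]; then
        echo "rejected: only $classes of $MINCLASS character classes"
        return 1
    fi

    # maxrepeat: no character may appear more than MAXREPEAT times in a row
    # (BRE backreference: one char followed by MAXREPEAT copies of itself)
    if printf '%s\n' "$pw" | grep -q "\(.\)\1\{$MAXREPEAT\}"; then
        echo "rejected: a character repeats more than $MAXREPEAT times"
        return 1
    fi

    # reject_username: the login name must not appear in the password
    # (compared case-insensitively, as pwquality does)
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lower_user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    case $lower_pw in *"$lower_user"*)
        echo "rejected: contains the username"
        return 1 ;;
    esac

    echo "accepted"
    return 0
}
```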

Part03-Privileged User Management

3.1 sudo Configuration

# View the sudo configuration
$ sudo cat /etc/sudoers
Defaults !visiblepw
Defaults always_set_home
Defaults match_group_by_gid
Defaults always_query_group_plugin
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL

# Edit the configuration with visudo (syntax-checks before saving)
$ sudo visudo

# Grant a user full sudo rights
user1 ALL=(ALL) ALL

# Grant a group sudo rights for specific commands only
%developers ALL=(ALL) /usr/bin/systemctl, /usr/bin/dnf

# Passwordless sudo
user1 ALL=(ALL) NOPASSWD: ALL

# Command aliases
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum
Cmnd_Alias SERVICES = /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl restart
Cmnd_Alias PROCESSES = /usr/bin/kill, /usr/bin/killall, /usr/bin/top

%operators ALL = SOFTWARE, SERVICES, PROCESSES

# sudo logging
Defaults logfile=/var/log/sudo.log
Defaults log_year, log_host, syslog=local3

# Show the current user's sudo rights
$ sudo -l
Matching Defaults entries for user1 on rhel10:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", logfile=/var/log/sudo.log, log_year, log_host, syslog=local3

User user1 may run the following commands on rhel10:
    (ALL) ALL
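`sudo -l` shows one user's rights; a reviewer usually wants the opposite view, which rules in the file grant unrestricted root. The following added example (not code from the tutorial or from the sudo project) scans a sudoers-format file for `NOPASSWD: ALL` grants, for `ALL` command grants to anyone other than root or %wheel, and for a missing `logfile` Defaults. It assumes no backslash line continuations or `#include` directives and does not expand aliases, so an alias that resolves to ALL is not caught.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a minimal sudoers review
# that flags the grants most worth a second look. Assumptions: no backslash
# line continuations, no #include, aliases are not expanded.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blanks
        /^Defaults/ { if ($0 ~ /logfile=/) logfile = 1; next }  # remember logging
        /^(Cmnd|User|Host|Runas)_Alias/ { next }               # alias definitions
        {
            who = $1
            cmds = $0
            sub(/^[^=]*=/, "", cmds)                            # drop "who hosts="
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", cmds) # drop "(runas)"
            all = (cmds ~ /(^|[ ,:])ALL([ ,]|$)/)               # command list is ALL
            if (cmds ~ /NOPASSWD:/ && all)
                print "NOPASSWD-ALL " who
            else if (all && who != "root" && who != "%wheel")
                print "ROOT-EQUIVALENT " who
        }
        END { if (!logfile) print "NO-LOGFILE" }
    ' "$1"
}

# Constructed sample mirroring the grants shown above, without the logfile
# Defaults line, so that every check produces a finding.
demo_sudoers_audit() {
    file=$(mktemp)
    cat > "$file" <<'EOF'
Defaults !visiblepw
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
user1 ALL=(ALL) ALL
%developers ALL=(ALL) /usr/bin/systemctl, /usr/bin/dnf
user1 ALL=(ALL) NOPASSWD: ALL
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum
%operators ALL = SOFTWARE
EOF
    audit_sudoers "$file"
    rm -f "$file"
}
```

Run it against a copy of /etc/sudoers and the files under /etc/sudoers.d; each finding names the user or group spec, which is the line to reconsider under the "use sudo instead of root" recommendation.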

Part04-Session Security

4.1 Configure Session Timeouts

# Configure a bash idle timeout (seconds)
$ sudo tee -a /etc/profile << EOF
export TMOUT=300
readonly TMOUT
EOF

# Configure an SSH idle timeout
$ sudo tee -a /etc/ssh/sshd_config << EOF
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
$ sudo systemctl restart sshd

# Configure PAM session limits
$ sudo tee /etc/security/limits.conf << EOF
* hard maxlogins 5
* hard maxsyslogins 10
* soft nproc 1024
* hard nproc 2048
* soft nofile 1024
* hard nofile 4096
EOF

# Configure the login notice
$ sudo tee /etc/motd << 'EOF'
WARNING: Unauthorized access is prohibited.
All activities are monitored and logged.
EOF
$ sudo tee /etc/issue << 'EOF'
Authorized access only. All activities are logged.
EOF

# Configure the SSH login banner
$ sudo tee /etc/issue.net << 'EOF'
WARNING: Unauthorized access is prohibited.
All activities are monitored and logged.
EOF
$ sudo sed -i 's/#Banner.*/Banner \/etc\/issue.net/' /etc/ssh/sshd_config
$ sudo systemctl restart sshd

# View logged-in users
$ who
user1    pts/0        2026-04-04 02:15 (192.168.1.10)
root     pts/1        2026-04-04 02:16 (192.168.1.10)

# View login history
$ last | head -10
user1    pts/0        192.168.1.10     Fri Apr  4 02:15   still logged in
root     pts/1        192.168.1.10     Fri Apr  4 02:16   still logged in
reboot   system boot  5.14.0-284.11.1  Fri Apr  4 00:00   still running

# View failed logins
$ sudo lastb | head -10
user1    ssh:notty    192.168.1.10     Fri Apr  4 02:10 - 02:10  (00:00)
root     ssh:notty    192.168.1.10     Fri Apr  4 02:05 - 02:05  (00:00)

风哥's account security recommendations:
1. Use a strong password policy
2. Configure an account lockout policy
3. Review user accounts regularly
4. Use sudo instead of root
5. Monitor login activity

This article was compiled and published by 风哥教程 for study and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
