Salt times out when using external authentication (PAM)

Time: 2016-06-06 21:18:52

Tags: python authentication salt-stack pam

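I am trying to use Salt (2015.8.10 Beryllium) with "external_auth" via PAM. My end goal is to use salt-api to authenticate requests from a salt-minion, which would allow that minion to request that its own key be accepted. As a first step, it is recommended that you first authenticate locally on the salt master using "salt -a pam". That is where I am stuck.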

The problem I am having is that trying to use pam causes the Salt request to time out:

[root@saltmaster ~]# salt -a pam 'box603.example.com' test.ping --log-level all
[DEBUG   ] Reading configuration from /etc/salt/master
...
[DEBUG   ] LazyLoaded pam.auth
username: user1
password: 
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear')
[TRACE   ] Inserted key into loop_instance_map id 18446604434624361104 for key ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear') and process 11045
[DEBUG   ] SaltReqTimeoutError, retrying. (1/3)
[DEBUG   ] SaltReqTimeoutError, retrying. (2/3)
[DEBUG   ] SaltReqTimeoutError, retrying. (3/3)
[DEBUG   ] LazyLoaded nested.output
[TRACE   ] data = Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.
Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.

The host in question, box603.example.com, is online and can be pinged when pam authentication is not used:

[root@saltmaster ~]# salt 'box603.example.com' test.ping
box603.example.com:
    True

My saltmaster:/etc/salt/master config file contains:

external_auth:
  pam:
    user1:
      - .*

And user1 is a valid user in /etc/passwd|shadow; it can be used over ssh, and I can use it.

The documentation indicates that when authenticating with pam and salt, the default is pam's login service. Here is my /etc/pam.d/login:

auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1

For what it's worth, the salt master is running Solaris 11. I often see posts about Salt issues asking for the salt --versions-report to be posted, so here it is:

Salt Version:
           Salt: 2015.8.10

Dependency Versions:
         Jinja2: 2.8
       M2Crypto: 0.24.0
           Mako: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
         Python: 2.7.11 (default, Mar 24 2016, 22:19:35)
           RAET: 0.6.5
        Tornado: 4.3
            ZMQ: 4.1.4
           cffi: 1.5.2
       cherrypy: 3.2.3
       dateutil: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: 1.5.1
        libgit2: Not Installed
        libnacl: 1.4.4
   msgpack-pure: Not Installed
 msgpack-python: 0.4.7
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: Not Installed
        timelib: Not Installed

System Versions:
           dist:   
        machine: i86pc
        release: 5.11

1 answer:

Answer 0: (score: 1)

At this time the Salt "external_auth" pam implementation is bound directly to the Linux pam binaries and will only work on Linux. Unfortunately, this means no Solaris.
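
A preflight check for the situation in the answer above, as an added example that is not part of the original post or of Salt's own code. It assumes the PAM auth module reaches libpam through ctypes; the function name, its parameters and the required-symbol list are hypothetical. It shows that a loadable libpam on a non-Linux master (as on Solaris here) is still reported as unusable, so the misconfiguration surfaces before it appears as a request timeout.

```python
import ctypes
import ctypes.util
import platform

# Symbols a ctypes-based PAM client needs (assumed set, not taken from the page).
REQUIRED_SYMBOLS = ("pam_start", "pam_authenticate", "pam_end")


def pam_preflight(system=None, find_library=ctypes.util.find_library,
                  loader=ctypes.CDLL):
    """Report whether this host can serve 'external_auth: pam'.

    The parameters are injectable (hypothetical names) so the check can be
    exercised without a real libpam on the machine running it.
    """
    system = system or platform.system()
    report = {"system": system, "libpam": None,
              "missing": list(REQUIRED_SYMBOLS), "usable": False, "reason": ""}

    path = find_library("pam")
    if path is None:
        report["reason"] = "libpam not found by the dynamic loader"
        return report
    report["libpam"] = path

    try:
        lib = loader(path)
    except OSError as exc:
        report["reason"] = "libpam failed to load: %s" % exc
        return report

    # hasattr() on a CDLL object performs the symbol lookup.
    report["missing"] = [s for s in REQUIRED_SYMBOLS if not hasattr(lib, s)]
    if report["missing"]:
        report["reason"] = "missing symbols: " + ", ".join(report["missing"])
    elif system != "Linux":
        # Per the answer: the implementation targets Linux PAM only, so a
        # libpam that loads elsewhere (SunOS here) is not sufficient.
        report["reason"] = "libpam loads, but eauth pam is Linux-only"
    else:
        report["usable"] = True
        report["reason"] = "ok"
    return report


if __name__ == "__main__":
    print("%(system)s: usable=%(usable)s (%(reason)s)" % pam_preflight())
```

Run it on the master as the same user the salt-master service runs as, since library search paths can differ between users.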