为什么日志显示pam_unix(sshd:auth):身份验证失败,但登录正常?或有人可以告诉我该如何解决。
Jun 27 09:46:31 [localhost] sshd[16341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=ope_fptsoft01
Jun 27 09:46:31 [localhost] sshd[16341]: Accepted password for ope_fptsoft01 from 192.168.56.1 port 55087 ssh2
Jun 27 09:46:31 [localhost] sshd[16341]: pam_unix(sshd:session): session opened for user ope_fptsoft01 by (uid=0)
我的系统身份验证:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so minimum_uid=1000
答案 0 :(得分:0)
您的PAM堆栈配置列出了两个足以用于身份验证的模块:
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
因此,首先通过 pam_unix.so 尝试用户,该用户失败,因为它很可能是LDAP用户管理中的远程用户。因此,该用户可能已通过 pam_ldap.so 成功认证。
通常会设置选项try_first_pass:
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
另请参阅:pam_unix(8)
答案 1 :(得分:0)
我的解决方法是:
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so