Salt times out when using external authentication (PAM)

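I am trying to use Salt (2015.8.10 Beryllium) with "external_auth" via PAM. My ultimate goal is to use salt-api to authenticate requests from a salt-minion, which would allow that minion to call for its own key to be accepted. As a first step, it is recommended that you first authenticate locally on the salt master using "salt -a pam". This is where I am stuck.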

The problem I am running into is that trying to use pam causes the Salt request to time out:

[root@saltmaster ~]# salt -a pam 'box603.example.com' test.ping --log-level all
[DEBUG   ] Reading configuration from /etc/salt/master
...
[DEBUG   ] LazyLoaded pam.auth
username: user1
password: 
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear')
[TRACE   ] Inserted key into loop_instance_map id 18446604434624361104 for key ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear') and process 11045
[DEBUG   ] SaltReqTimeoutError, retrying. (1/3)
[DEBUG   ] SaltReqTimeoutError, retrying. (2/3)
[DEBUG   ] SaltReqTimeoutError, retrying. (3/3)
[DEBUG   ] LazyLoaded nested.output
[TRACE   ] data = Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.
Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.

The host in question, box603.example.com, is online and can be pinged when pam authentication is not used:

[root@saltmaster ~]# salt 'box603.example.com' test.ping
box603.example.com:
    True

My saltmaster:/etc/salt/master configuration file contains:

external_auth:
  pam:
    user1:
      - .*

And user1 is a valid user in /etc/passwd|shadow; it can be used over ssh and I can su to it.

The documentation states that when authenticating with pam, Salt uses pam's login service by default. Here is my /etc/pam.d/login:

auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1

For what it's worth, the salt master is running Solaris 11. I often see posts about Salt problems asking people to post the output of salt --versions-report, so here it is:

Salt Version:
           Salt: 2015.8.10

Dependency Versions:
         Jinja2: 2.8
       M2Crypto: 0.24.0
           Mako: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
         Python: 2.7.11 (default, Mar 24 2016, 22:19:35)
           RAET: 0.6.5
        Tornado: 4.3
            ZMQ: 4.1.4
           cffi: 1.5.2
       cherrypy: 3.2.3
       dateutil: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: 1.5.1
        libgit2: Not Installed
        libnacl: 1.4.4
   msgpack-pure: Not Installed
 msgpack-python: 0.4.7
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: Not Installed
        timelib: Not Installed

System Versions:
           dist:   
        machine: i86pc
        release: 5.11

At this time, Salt's "external_auth" pam implementation is tied directly to the Linux pam binaries and only works on Linux. Unfortunately, this means no Solaris.