LDAP 身份验证失败日志
LDAP authentication fail log
为什么日志显示 pam_unix(sshd:auth): 身份验证失败但登录正常?或者谁能告诉我如何解决这个问题。
Jun 27 09:46:31 [localhost] sshd[16341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=ope_fptsoft01
Jun 27 09:46:31 [localhost] sshd[16341]: Accepted password for ope_fptsoft01 from 192.168.56.1 port 55087 ssh2
Jun 27 09:46:31 [localhost] sshd[16341]: pam_unix(sshd:session): session opened for user ope_fptsoft01 by (uid=0)
我的系统授权:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so minimum_uid=1000
您的 PAM 堆栈配置列出了两个足以进行身份验证的不同模块:
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
因此,首先通过 pam_unix.so 尝试用户,但失败了,因为它可能是 LDAP 用户管理中的远程用户。因此,用户可能已通过 pam_ldap.so.
成功验证
通常会设置选项 try_first_pass
:
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
另请参阅:pam_unix(8)
我的解决方案是:
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so
为什么日志显示 pam_unix(sshd:auth): 身份验证失败但登录正常?或者谁能告诉我如何解决这个问题。
Jun 27 09:46:31 [localhost] sshd[16341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=ope_fptsoft01
Jun 27 09:46:31 [localhost] sshd[16341]: Accepted password for ope_fptsoft01 from 192.168.56.1 port 55087 ssh2
Jun 27 09:46:31 [localhost] sshd[16341]: pam_unix(sshd:session): session opened for user ope_fptsoft01 by (uid=0)
我的系统授权:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so minimum_uid=1000
您的 PAM 堆栈配置列出了两个足以进行身份验证的不同模块:
auth sufficient pam_unix.so
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
因此,首先通过 pam_unix.so 尝试用户,但失败了,因为它可能是 LDAP 用户管理中的远程用户。因此,用户可能已通过 pam_ldap.so.
成功验证通常会设置选项 try_first_pass
:
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
另请参阅:pam_unix(8)
我的解决方案是:
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so