SSH hanya berfungsi setelah kata sandi yang sengaja gagal

13

Jadi, saya mengalami masalah yang agak aneh. Saya memiliki server, yang ketika saya coba masuk SSH, segera menutup koneksi jika saya mengetikkan kata sandi yang benar pada upaya pertama. Namun, jika saya sengaja memasukkan kata sandi yang salah pada upaya pertama, dan kemudian memasukkan kata sandi yang benar pada permintaan kedua atau ketiga, itu berhasil mencatat saya ke komputer. Demikian pula, ketika saya mencoba menggunakan otentikasi kunci publik, saya mendapatkan koneksi tertutup langsung. Namun, jika saya memasukkan kata sandi yang salah untuk file kunci saya, diikuti oleh kata sandi yang salah lagi setelah kembali ke otentikasi kata sandi, saya dapat berhasil masuk selama saya memberikan kata sandi yang benar pada prompt kedua atau ketiga.

Mesin ini menjalankan Red Hat Enterprise Linux Server rilis 6.2 (Santiago), dan menggunakan LDAP dan PAM untuk otentikasi. Ada gagasan tentang di mana mulai debugging yang ini? Biarkan saya tahu file konfigurasi apa yang perlu saya sediakan dan saya akan senang melakukannya.

Inilah beberapa informasi debug. Blok kode berikut mewakili 3 skenario ini, secara berurutan: 1) Benar kata sandi kunci pribadi pada percobaan pertama, 2) lewati kunci pribadi, perbaiki kata sandi reguler pada percobaan pertama, 3) lewati kunci pribadi, sengaja masukkan kata sandi buruk, lalu masukkan masukkan yang bagus ... ini adalah satu-satunya skenario yang benar-benar membiarkan saya terhubung.

OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to [removed for privacy].
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/trevor/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/trevor/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/trevor/.ssh/id_rsa-cert type -1
debug1: identity file /home/trevor/.ssh/id_dsa type -1
debug1: identity file /home/trevor/.ssh/id_dsa-cert type -1
debug1: identity file /home/trevor/.ssh/id_ecdsa type -1
debug1: identity file /home/trevor/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 531/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA cb:1c:78:3f:f7:7d:8a:10:27:86:a3:12:0c:27:f4:19
debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:80
debug3: load_hostkeys: loaded 1 keys
debug1: Host '[removed]' is known and matches the RSA host key.
debug1: Found key in /home/trevor/.ssh/known_hosts:90
debug2: bits set: 541/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/trevor/.ssh/id_rsa (0x7f3a228127d0)
debug2: key: /home/trevor/.ssh/id_dsa ((nil))
debug2: key: /home/trevor/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/trevor/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17
debug3: sign_and_send_pubkey: RSA 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/trevor/.ssh/id_rsa': 
debug1: read PEM private key done: type RSA
Connection closed by [removed_ip]

Sekarang saya melewatkan kunci pribadi, dan menggunakan kata sandi pengguna yang benar pada percobaan pertama:

Enter passphrase for key '/home/trevor/.ssh/id_rsa': 
debug2: no passphrase given, try next key
debug1: Trying private key: /home/trevor/.ssh/id_dsa
debug3: no such identity: /home/trevor/.ssh/id_dsa
debug1: Trying private key: /home/trevor/.ssh/id_ecdsa
debug3: no such identity: /home/trevor/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[user]@[server]'s password: 
debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##])
debug2: we sent a password packet, wait for reply
Connection closed by [removed_ip]

Akhirnya saya melewatkan kunci pribadi, memasukkan kata sandi yang salah, dan kemudian memasukkan kata sandi yang benar pada percobaan ke-2, pendekatan ini akhirnya membuat saya

debug1: Next authentication method: password
[user]@[server]'s password: 
debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##])
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
[user]@[server]'s password: 
debug3: packet_send2: adding [##] (len [##] padlen [##] extra_pad [#])
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to [server] ([[server_ip]]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth  list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request auth-agent-req@openssh.com confirm 0
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_MULTIHEAD
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env LOGNAME
debug3: Ignored env WINDOWPATH
debug3: Ignored env GTK_MODULES
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env SHLVL
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env PATH
debug3: Ignored env USER
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env GTK_RC_FILES
debug3: Ignored env WINDOWID
debug3: Ignored env XCURSOR_SIZE
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env XDM_MANAGED
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DM_CONTROL
debug3: Ignored env _
debug3: Ignored env DISPLAY
debug3: Ignored env PWD
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env GS_LIB
debug3: Ignored env COLORFGBG
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env OLDPWD
debug3: Ignored env TERM
debug3: Ignored env PROFILEHOME
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env UBUNTU_MENUPROXY
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env MANDATORY_PATH
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env HOME
debug3: Ignored env SHELL
debug3: Ignored env GREP_OPTIONS
debug3: Ignored env GREP_COLOR
debug3: Ignored env PAGER
debug1: Sending env LC_CTYPE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LSCOLORS
debug3: Ignored env rvm_prefix
debug3: Ignored env rvm_path
debug3: Ignored env __array_start
debug3: Ignored env rvm_bin_path
debug3: Ignored env escape_flag
debug3: Ignored env _first
debug3: Ignored env _second
debug3: Ignored env rvm_version
debug3: Ignored env RUBY_VERSION
debug3: Ignored env GEM_HOME
debug3: Ignored env GEM_PATH
debug3: Ignored env MY_RUBY_HOME
debug3: Ignored env IRBRC
debug3: Ignored env rvm_alias_expanded
debug3: Ignored env rvm_docs_type
debug3: Ignored env rvm_gemstone_package_file
debug3: Ignored env rvm_gemstone_url
debug3: Ignored env rvm_niceness
debug3: Ignored env rvm_nightly_flag
debug3: Ignored env rvm_proxy
debug3: Ignored env rvm_quiet_flag
debug3: Ignored env rvm_ruby_file
debug3: Ignored env rvm_ruby_make
debug3: Ignored env rvm_ruby_make_install
debug3: Ignored env rvm_ruby_mode
debug3: Ignored env rvm_script_name
debug3: Ignored env rvm_sdk
debug3: Ignored env rvm_silent_flag
debug3: Ignored env rvm_wrapper_name
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: [DateTime removed] from [location removed]

Seperti yang Anda tahu dari kode debug, nama saya Trevor. Terima kasih untuk bantuannya! Biarkan saya tahu file konfigurasi pam apa yang perlu saya sertakan.

Per permintaan dalam komentar, inilah beberapa informasi log / debugging lainnya.

/ var / log / secure (nama pengguna saya adalah twhitney):

Oct  9 12:01:26 [server] sshd[25087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[removed]  user=twhitney
Oct  9 12:01:26 [server] sshd[25087]: pam_krb5[25087]: authentication fails for 'twhitney' (twhitney@[domain]): Authentication failure (Decrypt integrity check failed)
Oct  9 12:01:26 [server] sshd[25087]: pam_ldap: ldap_starttls_s: Operations error
Oct  9 12:01:28 [server] sshd[25087]: Failed password for twhitney from [server_ip] port 47541 ssh2
Oct  9 12:01:32 [server] sshd[25087]: Accepted password for twhitney from [server_ip] port 47541 ssh2
Oct  9 12:01:32 [server] sshd[25087]: pam_unix(sshd:session): session opened for user twhitney by (uid=0)

Petunjuk kunci di sini mungkin adalah "pam_ldap: ldap_starttls_s: Operations error", saya harus melakukan riset tentang itu.

Selanjutnya, adalah konfigurasi pam. Saya akan mulai dengan /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authok
password    required      pam_deny.so

session     required      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

Dan sekarang /etc/pam.d/password-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so

Terima kasih sekali lagi untuk segala cahaya yang bisa Anda lontarkan pada teka-teki saya!

ssh  ldap  authentication  openldap  pam 
pirus
sumber
2
melakukan ssh -vvv menjadi tuan rumah dan memberikan kami hasil (lakukan kedua kasus)
alexus
2
Anda juga harus memberikan konfigurasi pam.
hayalci
Untuk konfigurasi pam, apakah Anda hanya ingin semuanya ada di bawah /etc/pam.d/? Karena mereka banyak.
pyraz
Bisakah Anda mencari di / var / log / secure dan menunjukkan kepada kami informasi login yang relevan? Untuk konfigurasi pam, dapatkah Anda menunjukkan kepada kami sistem-auth dan password-auth untuk memulai?
vicfn
Hai semuanya, saya menambahkan beberapa informasi log / debug, beri tahu saya jika Anda dapat menjelaskan. Terima kasih lagi!
pyraz

Jawaban:

4

Tidak memiliki reputasi untuk menambahkan komentar, tetapi untuk men-debug masalah auth PAM yang Anda cari di sisi yang salah, Anda perlu melakukannya di sisi server.

Untuk melakukannya ssh ke server dan jalankan:

sshd -d -D -p 4000

Itu akan memulai daemon ssh pada port 4000 ( -p 4000) dengan debug diaktifkan ( -d), tanpa melepaskan dari konsol ( -D).

Kemudian coba lagi tetapi terhubung ke port 4000, di sisi server Anda akan melihat banyak output, ada kebenaran dari akar masalah Anda, bukan di sisi klien.

Jika Anda membutuhkan lebih banyak verbose, Anda dapat menambahkan beberapa -d, hingga tiga.

Jika Anda tidak dapat mengetahui dari output, tempel di sini agar kami dapat melihatnya.

Keberanian
sumber
1
Terima kasih Valor, itu saran yang bagus, dan trik yang bagus untuk debugging masalah sshd di masa depan. Itu mengkonfirmasi itu adalah masalah PAM, tapi sayangnya tidak memberikan terlalu banyak petunjuk
pyraz
3

Jadi saya menemukan solusinya, saya tidak tahu apakah itu yang terbaik, tetapi itu membuat saya SSH mencoba pertama. Caranya adalah dengan menyingkirkan semua yang ada password-authdi dalamnya /etc/pam.d/sshd, dan menggantikannya dengan yang system-authtermasuk. Jadi, /etc/pam.d/sshdfile terakhir saya terlihat seperti ini:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
#auth      include      password-auth
#account   required     pam_nologin.so
account    required     pam_access.so
account    include      system-auth
password   include      system-auth
#account   include      password-auth
#password  include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
#session   include      password-auth
session    include      system-auth

Seperti yang mungkin Anda tahu, saya sedikit baru di PAM. The system-authdan password-authfile yang termasuk di atas, dalam pertanyaan asli saya. Dapatkah seseorang menjelaskan kepada saya mengapa perubahan di atas memperbaiki? Saya melakukan perbaikan yang sama, mengganti semua include password-authpernyataan include system-auth, /etc/pam.d/crondkarena tidak mengizinkan siapa pun (termasuk root) menggunakan cron / crontab. Apa perbedaan antara konfigurasi ini? Apakah perubahan ini membahayakan keamanan saya?

Sekali lagi terima kasih atas semua bantuan dan sarannya.

pirus
sumber
Dengan menggunakan situs kami, Anda mengakui telah membaca dan memahami Kebijakan Cookie dan Kebijakan Privasi kami.
Licensed under cc by-sa 3.0 with attribution required.