vim /etc/pam.d/system-auth
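#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# NOTE(review): nullok (here and on the password line below) lets an account whose
# password field is empty authenticate without a password; drop it unless blank
# passwords are intended.
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so

account required pam_unix.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so

# NOTE(review): the three lines below are the added password policy, left disabled.
# With them commented out, the length/character-class rules and remember=5 password
# history are no longer applied. As positioned here they follow the stock stack, where
# "sufficient pam_unix.so" ends the stack on success, so they were presumably never
# evaluated as intended - confirm. To keep the policy, the usual approach is to set
# minlen/*credit on the existing pam_pwquality line and remember= on the existing
# pam_unix line rather than adding a second stack. "enforce_root" does not match the
# documented option name enforce_for_root - verify.
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Skip the next rule (pam_unix session) when the calling service is crond.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so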
~
因配置这些导致
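# NOTE(review): added password-policy lines, shown commented out (disabled); while they
# stay disabled, minlen/*credit complexity and remember=5 history are not enforced.
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug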
注释即可。还原配置
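# Stock password stack. The lines shown carry no minlen/*credit or remember= options,
# so complexity comes from pam_pwquality's own settings and no password history is kept.
# nullok on pam_unix permits accounts with an empty password field.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so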
重置即可。
vim /etc/pam.d/login
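#%PAM-1.0
# NOTE(review): with the pam_tally2 line commented out, the login service has no
# failed-attempt lockout. As written it locked an account for 1800 s after 5 failures,
# root included (even_deny_root). If an active lockout was what blocked access,
# clearing the counter (pam_tally2 --user <name> --reset) restores login without
# removing the control - confirm which applies before leaving this disabled.
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so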
配置文件:
vim /etc/pam.d/sshd
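#%PAM-1.0
# NOTE(review): with the pam_tally2 line commented out, SSH logins have no PAM
# failed-attempt lockout. As written it locked an account for 1800 s after 5 failures,
# root included (even_deny_root). If an active lockout was what blocked remote login,
# clearing the counter (pam_tally2 --user <name> --reset) restores access without
# removing the control - confirm which applies before leaving this disabled.
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth required pam_sepermit.so
# sshd takes its auth/account/password/session rules from password-auth, not
# system-auth; password-auth is not shown on this page.
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare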
即可恢复远程登录。