vim /etc/pam.d/system-auth
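#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): because authconfig regenerates this file, manual edits made
# here can be lost on its next run. Keep a backup and an open root session
# while editing; a broken stack can block every login that uses it.

# auth stack: load the environment, try local pam_unix credentials, else deny.
auth required pam_env.so
# NOTE(review): nullok lets pam_unix accept accounts whose password field is
# empty. Drop it unless password-less accounts are intended on this host.
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so

account required pam_unix.so

# password stack: pam_pwquality checks the new password (local users only,
# up to 3 prompts), then pam_unix stores it with the sha512 and shadow options.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so

# Custom password-policy lines, kept disabled (pam_cracklib complexity rules,
# pam_unix history of 5, debug logging). The page names them as the cause of
# the problem.
# NOTE(review): with these commented out, the minlen/credit rules and the
# remember=5 history are no longer enforced from this file. pam_pwquality
# limits presumably come from /etc/security/pwquality.conf; confirm they still
# meet the password policy.
# NOTE(review): the disabled pam_unix line carries no sha512/shadow options,
# unlike the active one above. Add them before ever re-enabling it.
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug

# session stack.
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# For the crond service, success=1 skips the next rule (the pam_unix session entry).
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so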

问题是因为配置了以下几行导致的:
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug
将其注释即可。还原配置:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so

重置即可。

vim /etc/pam.d/login

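#%PAM-1.0
# PAM stack for console logins (/etc/pam.d/login).
# NOTE(review): the failed-login lockout below (5 failures, 1800 s unlock,
# root included) is commented out, so this file no longer throttles password
# guessing on the console. onerr=fail makes authentication fail whenever the
# module itself errors, which may be what blocked logins; confirm, then
# restore a lockout policy once access is recovered. On releases that no longer
# ship pam_tally2, pam_faillock is the replacement.
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so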

配置文件:
vim /etc/pam.d/sshd
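#%PAM-1.0
# PAM stack for SSH logins (/etc/pam.d/sshd).
# NOTE(review): the failed-login lockout below (5 failures, 1800 s unlock,
# root included) is commented out, so remote password guessing is not
# throttled by this file. onerr=fail makes authentication fail whenever the
# module itself errors, which may be what blocked remote logins; confirm, then
# restore a lockout policy once access is recovered. On releases that no longer
# ship pam_tally2, pam_faillock is the replacement.
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth required pam_sepermit.so
# NOTE(review): sshd takes its auth/account/password/session rules from
# password-auth, not system-auth. Custom lines added to password-auth need
# the same review as those in system-auth; verify on the host.
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare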

即可恢复远程登录。