vim /etc/pam.d/system-auth
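#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# NOTE(review): the header above means hand edits to this file, including
# the commented-out lines further down, can be overwritten the next time
# authconfig runs. Confirm which file the system actually reads and apply
# the policy through authconfig or a file it does not regenerate.
auth required pam_env.so
# NOTE(review): nullok lets an account whose password field is empty
# authenticate without a password. Audit for empty password fields before
# relying on this stack, and drop nullok if no such account is intended.
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so

account required pam_unix.so

# Active password-change stack: pam_pwquality checks the new password,
# pam_unix stores it (sha512, shadow file), pam_deny rejects otherwise.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so

# Hardening lines the page disables to recover login. While they stay
# commented out, the minlen/credit complexity rule and the remember=5
# password history are not enforced.
# NOTE(review): enforce_root does not match the documented option name
# enforce_for_root; an unrecognised option is normally logged and ignored,
# so root was probably never covered by this rule. Verify in the auth log.
# NOTE(review): the pam_unix line here omits the sha512 and shadow options
# that the active pam_unix password line carries.
# NOTE(review): as listed, these lines follow the active stack, where a
# successful "sufficient pam_unix.so" returns before they are evaluated.
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so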
因配置以下这些行导致:
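# Hardening lines identified on the page as the cause; shown commented out.
# Negative credit values are minimum counts: lcredit=-2 and ucredit=-2
# require two lowercase and two uppercase characters, dcredit=-1 and
# ocredit=-1 require one digit and one other character.
# NOTE(review): commenting these out removes that complexity rule and the
# remember=5 password history. The same policy can be set on the existing
# pam_pwquality line (minlen, lcredit, ucredit, dcredit, ocredit and
# enforce_for_root are pam_pwquality options) and by adding remember=5 to
# the existing pam_unix password line, instead of a second stack.
# NOTE(review): enforce_root does not match the documented option name
# enforce_for_root; verify how the module treated it.
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug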
注释即可。还原配置:
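# Restored password-change stack as given on the page.
# NOTE(review): this stack sets no minlen/credit values and no password
# history, so only pam_pwquality's configured defaults apply.
# NOTE(review): nullok on the pam_unix line accepts an empty current
# password; drop it if no account is meant to have an empty password field.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so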
重置即可。
vim /etc/pam.d/login
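#%PAM-1.0
# Failed-login lockout, disabled on the page: deny=5 locks an account after
# five counted attempts, unlock_time=1800 releases it after 30 minutes,
# even_deny_root applies the lock to root, onerr=fail denies on module error.
# NOTE(review): with this line commented out, console logins have no
# lockout against password guessing. Likely cause of the original trouble
# (verify): no matching "account required pam_tally2.so" line is listed,
# and pam_tally2 documents the account phase as the place the counter is
# reset for services that do not reset it otherwise. Without it the count
# can keep growing across successful logins until the account locks.
# "pam_tally2 --user NAME --reset" clears a locked counter.
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so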
配置文件:
vim /etc/pam.d/sshd
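#%PAM-1.0
# Failed-login lockout for SSH, disabled on the page: deny=5 locks after
# five counted attempts, unlock_time=1800 releases after 30 minutes,
# even_deny_root also locks root, onerr=fail denies on module error.
# NOTE(review): leaving this commented out restores remote login but also
# removes lockout on the network-facing service, so password guessing over
# SSH is no longer rate-limited by PAM. If lockout is reinstated, pair the
# auth line with "account required pam_tally2.so" so the counter is reset
# on successful login (pam_tally2 documents the account phase for services
# that do not reset it otherwise), and decide deliberately whether
# even_deny_root is wanted, since it lets failed attempts lock root out.
# "pam_tally2 --user NAME --reset" clears a locked counter.
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare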
即可恢复远程登录。