vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so

account required pam_unix.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so

#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

问题是因为配置了以下这些行导致的:
#password requisite pam_cracklib.so minlen=8 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 enforce_root debug
#password sufficient pam_unix.so remember=5 use_authtok debug
#password required pam_deny.so debug
将它们注释掉即可。然后还原为以下配置:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
(注意:nullok 允许空密码账户通过认证,如无此需要建议去掉。)

重置即可。

vim /etc/pam.d/login

#%PAM-1.0
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so

配置文件:
vim /etc/pam.d/sshd
#%PAM-1.0
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

即可恢复远程登录。注意:注释掉 pam_tally2 这一行后,登录失败锁定(deny=5、unlock_time=1800)不再生效;恢复访问后,应在保留一个已登录的 root 会话的前提下重新启用并测试。