Ubuntu 16 Sudo SU Incorrect Password Attempts


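I am using an Ubuntu 16.04.3 LTS server. I have a user with sudo privileges. When I try to switch from my current user to root, it asks for my password. I enter the correct password, but it rejects it.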

username@server:/ sudo su
[sudo] password for username:
Sorry, try again.
[sudo] password for username:
Sorry, try again.
[sudo] password for username:
sudo: 3 incorrect password attempts

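Fortunately, I had another terminal window open where I was still logged in as root. So I tried resetting the password for my user. It said the user was updated successfully.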

root@server:/# passwd username
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

I then tried the sudo su command again. It failed with the same message.

I opened a new terminal window as the same user and tried sudo su, but the command failed with the same message.

I also tried unlocking the user with sudo usermod --expiredate -1 username. That did not resolve the issue either.

I also tried granting the user the "sudo" group with usermod -aG sudo username. The user still had the problem.

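I gave up, simply created a new user with sudo privileges, and started using the new user. The next day, I started having exactly the same problem with the new user.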

The pwck command lists several system accounts and messages about their home directories, but nothing else. The grpck command gives no messages at all.

We recently added "pam" authentication, about a month ago.

/etc/pam.d/sudo

#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

/etc/pam.d/common-auth

auth    required        pam_tally2.so deny=5 unlock_time=600
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

/etc/pam.d/common-account

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

/etc/pam.d/common-session-noninteractive

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
# end of pam-auth-update config

Thanks to @telcoM and @roaima, I found that the pam authentication module was the cause of the problem.

root@server:/# pam_tally2
Login           Failures  Latest    failure     From
username           53    06/05/18   16:53:42    xxx.xxx.xxx.xxx

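Although I found the cause of the problem, I don't understand this behavior. Maybe I have something misconfigured in the pam module. Every time I type sudo su (successful or not), a failure is added to pam_tally2. I don't know why successfully entering the correct password increases the number of failed attempts, but it does. Example below.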

pam_tally2
Login           Failures  Latest    failure     From
username           0    06/05/18   16:53:42    xxx.xxx.xxx.xxx

username@server:/ sudo su
[sudo] password for username:
root@server:/#

pam_tally2
Login           Failures  Latest    failure     From
username           1    06/05/18   16:54:03    xxx.xxx.xxx.xxx

Using sudo -s or sudo -i also increases the failures in pam_tally2.

Answer 1

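You mentioned that unauthorized external users are constantly trying to log in. If those unwanted remote login attempts reference root or your username user account, it could mean the pam_tally2 PAM module is locking out one or both of them.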

Run the pam_tally2 command to see what is accounting for the failures. (You may need to run pam_tally2 --user=username --reset to reset username.)

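Alternatively, this issue report, "pam_tally2 counts a correct password as a failed login attempt if 'ChallengeResponseAuthentication yes' is set in the /etc/ssh/sshd_config file", may describe your situation more accurately. (I am still trying to find an alternative source for the solution.)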


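By the way, despite all of Canonical's best (but misguided) efforts, you should never need to use sudo su for anything. (It's like saying "Give me root? OK, thanks. Now that I'm root, I need to become root.") Try sudo -s for a root shell or sudo -i for a root login shell.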
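Added example, not part of the original question or answer: pam_tally2(8) documents that its auth phase increments the counter and that its account phase resets it, for services that do not call pam_setcred correctly. The common-account quoted in the question has no pam_tally2.so entry, so this script expands a service's @include chain and reports that mismatch. The function names, the abridged sample files and the extra account line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the effective lines of a PAM service file, following @include.
pam_expand() {  # usage: pam_expand DIR FILE
    [ -r "$1/$2" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '@include '*) pam_expand "$1" "${line#@include }" ;;
            '#'*|'')      ;;                      # skip comments and blanks
            *)            printf '%s\n' "$line" ;;
        esac
    done < "$1/$2"
}

# Exit status: 0 = auth counts and an account entry resets,
#              1 = auth counts but no account-phase pam_tally2.so,
#              2 = the service does not use pam_tally2 in auth.
tally_reset_status() {  # usage: tally_reset_status DIR SERVICE
    pam_expand "$1" "$2" | awk '
        $1 == "auth"    && /pam_tally2\.so/ { auth = 1 }
        $1 == "account" && /pam_tally2\.so/ { acct = 1 }
        END { if (!auth) exit 2; exit (acct ? 0 : 1) }'
}

# Constructed sample: abridged copies of the files quoted in the question.
make_sample() {  # usage: make_sample DIR
    mkdir -p "$1"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' '@include common-account' \
        '@include common-session-noninteractive' > "$1/sudo"
    printf '%s\n' 'auth required pam_tally2.so deny=5 unlock_time=600' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
        'auth requisite pam_deny.so' 'auth required pam_permit.so' \
        > "$1/common-auth"
    printf '%s\n' \
        'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so' \
        'account requisite pam_deny.so' 'account required pam_permit.so' \
        > "$1/common-account"
    printf '%s\n' 'session required pam_unix.so' \
        > "$1/common-session-noninteractive"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
rc=0; tally_reset_status "$demo_dir" sudo || rc=$?
echo "as quoted in the question: status $rc"
# Hypothetical variant: an account-phase pam_tally2.so entry is present.
echo 'account required pam_tally2.so' >> "$demo_dir/common-account"
rc=0; tally_reset_status "$demo_dir" sudo || rc=$?
echo "with account entry: status $rc"
rm -rf "$demo_dir"
```

To check a live system, run tally_reset_status /etc/pam.d sudo; the script only reads the files.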
