我正在使用 Ubuntu 16.04.3 LTS 服务器。我有一个具有 sudo 权限的用户。当我尝试从当前用户切换到 root 用户时,它会要求我输入密码。我输入了正确的密码,但它拒绝我的密码。
username@server:/ sudo su
[sudo] password for username:
Sorry, try again.
[sudo] password for username:
Sorry, try again.
[sudo] password for username:
sudo: 3 incorrect password attempts
幸运的是,我打开了另一个终端窗口,我仍然以 root 身份登录。所以我尝试为我的用户重置密码。它说我已成功更新用户。
root@server:/# passwd username
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
所以我然后再次尝试该sudo su命令。它失败并显示相同的消息。
我为同一用户打开一个新的终端窗口并尝试,sudo su但相同的命令失败并显示相同的消息。
我也尝试解锁用户sudo usermod --expiredate -1 username。这也没有解决问题。
我还尝试授予用户“sudo”权限usermod -aG sudo username。用户仍然遇到这个问题。
我放弃了,只是创建了一个具有 sudo 权限的新用户并开始使用新用户。第二天,我开始与新用户遇到完全相同的问题。
该pwck命令列出了几个系统帐户和有关其主目录的消息,但没有列出其他内容。该grpck命令根本没有给出任何消息。
大约一个月前,我们最近添加了“pam”身份验证。
/etc/pam.d/sudo
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
/etc/pam.d/common-auth
auth required pam_tally2.so deny=5 unlock_time=600
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
/etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-session-noninteractive
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
# end of pam-auth-update config
感谢@telcoM 和@roaima,我发现 pam 身份验证模块是问题的原因。
root@server:/# pam_tally2
Login Failures Latest failure From
username 53 06/05/18 16:53:42 xxx.xxx.xxx.xxx
虽然我找到了问题的原因,但我不理解这种行为。也许我在 pam 模块中配置不正确。每次我输入sudo su(成功与否)时,都会将失败添加到pam_tally2.我不知道为什么成功输入正确的密码会增加失败尝试的次数,但事实确实如此。下面的例子。
pam_tally2
Login Failures Latest failure From
username 0 06/05/18 16:53:42 xxx.xxx.xxx.xxx
username@server:/ sudo su
[sudo] password for username:
root@server:/#
pam_tally2
Login Failures Latest failure From
username 1 06/05/18 16:54:03 xxx.xxx.xxx.xxx
使用sudo -s或sudo -i还会导致增加 中的故障pam_tally2。
答案1
您提到未经授权的外部用户不断尝试登录。如果这些不需要的远程登录尝试引用root您的用户帐户,则username可能意味着pam_tally2PAM 模块正在锁定其中一个或两个。
运行pam_tally2命令以查看导致失败的原因。 (您可能需要运行pam_tally2 --user=username --reset以重置username.
或者,此问题报告如果 /etc/ssh/sshd_config 文件中设置了“ChallengeResponseAuthentication yes”,pam_tally2 会将正确的密码计为失败的登录尝试可以更准确地描述您的情况。 (我仍在努力寻找解决方案的替代来源。)
顺便说一句,尽管 Canonical 做出了所有最好的(但错误的)努力,但您不应该需要将其用于sudo su任何用途。 (这就像说“给我根吗?好的谢谢。现在我是root了,我需要成为root".) 尝试sudo -s使用 root shell 或sudo -iroot 登录 shell。