/etc/pam.d/system-auth我有 RHEL 5.5,并在文件中进行了以下更改:
auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally2.so
account required pam_unix.so nullok try_first_pass
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
但这并不像预期的那样工作。在几次登录失败后,我确实看到了消息account locked,但之后它仍然要求输入密码,即使我输入了正确的密码,它也会显示以下内容:
[student@server3 ~]$ su - testuser
Your account is locked. Maximum amount of failed attempts was reached.
Password:
su: incorrect password
但作为root用户我仍然可以登录到用户:
[root@server3 ~]# su - testuser
[testuser@server3 ~]$
这表明用户实际上并未被锁定。这难道不正确吗?我做错了什么?
答案1
没什么不对,这是预期的行为。作为 root,您可以绕过身份验证。
不是每个人都有 root 权限,希望如此...