我想设置 SSH 以在用户现有密码过期时提示输入新密码,但目前它无法登录。我使用 Kerberos 作为身份验证后端。可以看到该用户的密码已过期:
kadmin: getprinc demo
...
Password expiration date: Tue Oct 27 22:25:09 MDT 2020
当我尝试从控制台、登录过程或通过 kinit 登录时,它会提示输入新密码:
root@host2:~# login demo
Password:
Password expired. You must change it now.
Enter new password:
root@host2:~# kinit -p demo
Password for [email protected]
Password expired. You must change it now.
Enter new password:
但是,如果我尝试通过 SSH 登录,就会出现错误:
user1@host1:~$ ssh demo@host2
demo@host2's password:
Permission denied, please try again.
demo@host2's password:
Permission denied, please try again.
demo@host2's password:
demo@host2: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
我可以在auth.log文件中看到它认为密码已过期:
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: receive packet: type 50 [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug1: userauth-request for user demo service ssh-connection method password [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug1: attempt 4 failures 3 [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug2: input_userauth_request: try method password [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_auth_password entering [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_request_send entering: type 12 [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_request_receive entering [preauth]
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_request_receive entering
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: monitor_read: checking request 12
Oct 28 17:41:09 blljmp02 sshd[10439]: debug1: temporarily_use_uid: 199999/199999 (e=0/0)
Oct 28 17:41:09 blljmp02 sshd[10439]: debug1: restore_uid: 0/0
Oct 28 17:41:09 blljmp02 sshd[10439]: debug1: Kerberos password authentication failed: Password has expired
Oct 28 17:41:09 blljmp02 sshd[10439]: debug1: krb5_cleanup_proc called
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_answer_authpassword: sending result 0
Oct 28 17:41:09 blljmp02 sshd[10439]: debug3: mm_request_send entering: type 13
Oct 28 17:41:09 blljmp02 sshd[10439]: Failed password for demo from 172.16.44.18 port 34012 ssh2
如何让 SSH 提示输入新密码?
我使用的是 Ubuntu 18.04。以下是我的 PAM 配置:
root@host2:~# cat /etc/pam.d/common-auth | egrep -v '(^#|^$)'
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
root@host2:~# cat /etc/pam.d/common-account | egrep -v '(^#|^$)'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
root@host2:~# cat /etc/pam.d/common-password | egrep -v '(^#|^$)'
password requisite pam_pwquality.so retry=3
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
root@host2:~# cat /etc/pam.d/common-session | egrep -v '(^#|^$)'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
答案1
我认为你的 SSH 声明不正确。应该是:
ssh user@DOMAIN@host而不是ssh user@host
截屏:我设法重现了您的错误,您可以看到,在我的第二次尝试(正确的方法)中,我能够以[email protected]密码已过期的域用户身份登录,并成功更改了密码。