Cannot log in after enabling the pam_faillock module

I am running Ubuntu 20.04 LTS. I enabled the pam_faillock module by adding the following two lines to /etc/pam.d/common-auth:

auth     [default=die]  pam_faillock.so authfail
auth     sufficient     pam_faillock.so authsucc

I added these lines below

auth  [success=2 default=ignore]  pam_unix.so nullok

and above

auth  [success=1 default=ignore]  pam_sss.so use_first_pass

My /etc/pam.d/common-auth is posted below, with my changes commented out.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]  pam_unix.so nullok
#auth    [default=die]               pam_faillock.so authfail
#auth    sufficient                  pam_faillock.so authsucc
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so 
auth    required  pam_faildelay.so delay=4000000
# end of pam-auth-update config

After adding those lines, I uncommented the following lines in /etc/security/faillock.conf:

audit
silent
deny = 3
fail_interval = 900
unlock_time = 0

After these changes I rebooted, and when I tried to log in after the reboot it told me the password was incorrect. (Yes, I have verified that it is not a bad password.) I am not the strongest in this area, and I am not sure what is causing this to happen.

Answer 1

I have uncommented your lines and put them where I believe they now belong. I also moved one or two other lines to fix the authentication flow.

# here are the per-package modules (the "Primary" block)
auth    [success=4 default=ignore]  pam_unix.so nullok
auth    [success=3 default=ignore]  pam_sss.so use_first_pass
auth    [default=die]               pam_faillock.so authfail
auth    required                    pam_faildelay.so delay=4000000
# here's the fallback if no module succeeds
auth    requisite                   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                    pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                    pam_cap.so 
auth    sufficient                  pam_faillock.so authsucc
# end of pam-auth-update config

Note that I also changed the first two auth lines: [success=N] tells PAM to skip N rules on success, so a success from pam_unix or pam_sss jumps to pam_permit, while a failure takes you through pam_faillock, pam_faildelay and pam_deny.

I can't test this because I don't have pam_faillock installed. So to test it, first open a root shell on the system and don't touch it except to change the PAM configuration file.

Using a second terminal session, try logging in, etc., and test whether it works.

If it doesn't, you will have the first session open and ready to revert your changes. Do not close that session until you are absolutely certain you have a working configuration.
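To make the jump arithmetic in the answer concrete, here is an added example (my own code, not part of the question or the answer) that parses an auth stack in pam.d(5) syntax and walks it with the control-flag semantics of required, requisite, sufficient, optional and [success=N default=...]. The module outcomes (pam_unix succeeds for a correct local password, pam_sss fails because the user is not an SSSD user, pam_deny always fails, pam_permit always succeeds) are assumptions passed in by the caller; the simulator only tracks where each outcome lands. Both stacks are the ones posted above, with the asker's commented lines uncommented.

```python
"""Simulate Linux-PAM auth-stack control flow (added example, not from the post).

Actions follow pam.d(5): ignore, ok, done, bad, die, and an integer N which is
'ok' plus a jump over the next N modules.  Module results are supplied by the
caller as assumptions; the simulator never runs real PAM modules.
"""
import re

# pam.d(5) equivalents of the simple keywords, reduced to success / default.
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_stack(text):
    """Return [(module, args, actions)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        control, module, args = m.groups()
        if control.startswith("["):
            pairs = dict(kv.split("=", 1) for kv in control[1:-1].split())
            default = pairs.get("default", "ignore")
            actions = {"success": pairs.get("success", default), "default": default}
        else:
            actions = SIMPLE[control]
        stack.append((module, args.split(), actions))
    return stack

def _outcome_key(outcomes, module, args):
    """Look up 'module firstarg' (e.g. 'pam_faillock.so authsucc'), else 'module'."""
    key = f"{module} {args[0]}" if args else module
    return key if key in outcomes else module

def run_stack(text, outcomes):
    """Walk the stack; return (final_result, trace of modules actually executed).

    final_result is 'ok' or 'bad'; a stack that never sets a result is 'bad',
    which is exactly why common-auth ends with a required pam_permit.
    """
    stack = parse_stack(text)
    state, trace, i = None, [], 0
    while i < len(stack):
        module, args, actions = stack[i]
        key = _outcome_key(outcomes, module, args)
        action = actions["success" if outcomes[key] else "default"]
        trace.append(key)
        i += 1
        if action == "ignore":
            continue
        if action == "bad":                      # first failure wins, keep going
            state = "bad"
        elif action == "die":                    # failure, stop immediately
            return "bad", trace
        elif action in ("ok", "done") or action.isdigit():
            if state != "bad":                   # 'ok' never overrides an earlier failure
                state = "ok"
            if action == "done":
                return state, trace
            if action.isdigit():                 # [success=N]: jump over N modules
                i += int(action)
        else:
            raise ValueError(f"unsupported action {action!r}")
    return state or "bad", trace

# The asker's common-auth with their faillock lines uncommented.
ASKER_STACK = """
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
auth    required                    pam_faildelay.so delay=4000000
"""

# The stack proposed in the answer.
ANSWER_STACK = """
auth    [success=4 default=ignore]  pam_unix.so nullok
auth    [success=3 default=ignore]  pam_sss.so use_first_pass
auth    [default=die]               pam_faillock.so authfail
auth    required                    pam_faildelay.so delay=4000000
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
auth    sufficient                  pam_faillock.so authsucc
"""

# Assumed module outcomes for a local (non-SSSD) user; constructed for this example.
LOCAL_GOOD_PASSWORD = {
    "pam_unix.so": True, "pam_sss.so": False, "pam_faillock.so authfail": False,
    "pam_faillock.so authsucc": True, "pam_deny.so": False, "pam_permit.so": True,
    "pam_cap.so": True, "pam_faildelay.so": True,
}
LOCAL_BAD_PASSWORD = dict(LOCAL_GOOD_PASSWORD, **{"pam_unix.so": False})

if __name__ == "__main__":
    for name, stack in (("asker", ASKER_STACK), ("answer", ANSWER_STACK)):
        for label, outcomes in (("good", LOCAL_GOOD_PASSWORD), ("bad", LOCAL_BAD_PASSWORD)):
            result, trace = run_stack(stack, outcomes)
            print(f"{name:6} {label} password -> {result}: {' -> '.join(trace)}")
```

Running it shows the asker's stack rejecting a correct local password: pam_unix succeeds and skips two rules, but because two faillock lines were inserted after it without raising N, the jump now lands on pam_sss instead of pam_permit, pam_sss fails for a local user, and the requisite pam_deny ends the stack with a failure. In the answer's stack the success=4 jump lands on pam_permit and pam_faillock authsucc clears the record, while a wrong password still reaches the [default=die] authfail line in both stacks.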
