我修改了 /etc/pam.d/common-auth,使其在登录失败或登录成功时运行 bash 脚本,并且它适用于成功登录,但不适用于尝试 ssh 时失败的登录尝试。一旦我已经在服务器上并尝试使用 sudo,这两个脚本都会在身份验证失败和成功时运行。为什么 login-failed-notify.sh 在 ssh 登录尝试失败时不会执行?我在默认的 /etc/pam.d/common-auth 文件中添加了以下内容。
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth optional pam_exec.so seteuid /etc/ssh/failed-login-notify.sh
auth requisite pam_deny.so
auth optional pam_exec.so seteuid /etc/ssh/login-notify.sh
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
我的 bash 脚本没有逻辑,它们在运行时只是发送一个获取请求。
这是我的login-notify.sh,failed-login-notify.sh完全相同,但文本中显示失败。
#!/bin/sh
CURL='/usr/bin/curl'
RVMHTTP="http://192.168.1.100/update.php?ip=$PAM_HOST&server=192.168.1.101&status=success"
CURLARGS="-f -s -S -k"
raw="$($CURL $CURLARGS $RVMHTTP)"
这是 /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password