![在 Solaris 中,如何验证设置为 /sbin/nologin 的帐户的用户密码?](https://linux22.com/image/736203/%E5%9C%A8%20Solaris%20%E4%B8%AD%EF%BC%8C%E5%A6%82%E4%BD%95%E9%AA%8C%E8%AF%81%E8%AE%BE%E7%BD%AE%E4%B8%BA%20%2Fsbin%2Fnologin%20%E7%9A%84%E5%B8%90%E6%88%B7%E7%9A%84%E7%94%A8%E6%88%B7%E5%AF%86%E7%A0%81%EF%BC%9F.png)
我有一个帐户,仅用于从 WebSphere 应用服务器进行远程调用以访问 DB2 数据库中的表。该帐户设置为 /sbin/nologin,因此我无法登录该帐户来验证密码。我该如何验证密码?
答案1
我最熟悉的是 Linux,但我思考对于这两种操作系统来说,shell 的效果/sbin/nologin
是相似的,而且只会变得明显后密码验证成功,并且即使没有管理员权限,您仍然可以区分密码是否正确。
当您尝试使用 SSH 会话登录并输入错误的密码时,您会收到一条权限被拒绝的消息和一条要求您重试的新密码提示,但输入正确的密码后,您将不会看到新密码提示,但会话将立即关闭(在我的 Linux 主机上,会显示一条消息,提示该帐户当前不可用)。
$ ssh serverfault@localhost
serverfault@localhost's password: ***incorrect password***
Permission denied, please try again.
serverfault@localhost's password: ***incorrect password***
Permission denied, please try again.
ssh serverfault@localhost
serverfault@localhost's password: ***correct password***
Last failed login: Tue Apr 9 08:32:14 CEST 2019 from localhost on ssh:notty
There were 2 failed login attempts since the last successful login.
This account is currently not available.
Connection to localhost closed.
$ su - serverfault
Password: ***incorrect password***
su: Authentication failure
$ su - serverfault
Password:
Last failed login: Tue Apr 9 08:32:14 CEST 2019 from localhost on ssh:notty
There were 2 failed login attempts since the last successful login.
This account is currently not available.
答案2
您知道散列密码。如果您有特权用户,您可以直接在 /etc/shadow 中检查和设置密码。这是一种黑客行为,但这就是 Ansible 在 Solaris 上自动更改密码所做的事情。
Ansible 剧本提示输入密码并确保用户存在该密码:
---
- name: https://serverfault.com/questions/962070/in-solaris-how-can-i-verify-a-user-password-for-an-account-that-is-set-as-sbin
hosts: solaris
vars:
service_user: "app"
vars_prompt:
- name: "ServiceUserPasswordHash"
prompt: "Enter password for user {{service_user}} "
private: True
encrypt: "sha256_crypt"
salt: "{{ 65534 | random(seed=service_user) | string }}"
tasks:
- name: Create service user
become: True
user:
name: "{{service_user}}"
comment: "Service account"
password: "{{ServiceUserPasswordHash}}"
update_password: "always"
shell: "/bin/false"
我在 OpenIndiana 20181023 上找不到 nologin shell。/bin/false 有效,但它不会为用户打印任何内容。
我从用户名中植入的盐。不是很随机,但每次运行时都不会改变。
如果您不希望提示输入密码,而是从某个秘密存储中查找密码,请使用 password_hash 过滤器而不是 vars_prompt 确定哈希值。