PAM accepts any current password when changing an LDAP password

I have a CentOS 7.6 system that uses PAM to authenticate LDAP users. I managed to force LDAP users to change their password by setting shadowLastChange to 0, so they have to change their password.

But if I log in as that user, or log in at the greeter, it accepts any password at the "(current) UNIX password:" prompt. Of course, this prompt appears after the user's password has already been entered, which is natural when using su or a greeter.

Password: 
You are required to change your password immediately (root enforced)
need a new password
Changing password for test_user.
(current) UNIX password: <--------- anything you type here will be accepted
New password:

If I use ssh test_user@centos7server, I am still forced to change the password, but in that case the password is properly checked and a wrong password is not allowed.

You are required to change your password immediately (root enforced)
need a new password
Last login: Tue Sep  3 15:42:36 2019
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test_user.
Changing password for test_user.
(current) UNIX password: <---------- password is properly verified
passwd: Authentication token manipulation error

Note: a similar setup on a CentOS 6.10 system does not allow a wrong password, so it works properly there.

Here is my /etc/pam.d setup on the CentOS 7 machine:

/etc/pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so accessfile=/etc/security/access.netgroup.conf
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

/etc/pam.d/password-auth is identical to system-auth (above)

/etc/pam.d/sshd:

auth     required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

/etc/pam.d/login:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

/etc/pam.d/su:

auth     sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth    sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth    required pam_wheel.so use_uid
auth     substack system-auth
auth     include     postlogin
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password include     system-auth
session     include     system-auth
session     include     postlogin
session     optional pam_xauth.so

Any help would be greatly appreciated. Thanks
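As an added analysis aid (not code from the question or from any answer, and not a diagnosis of the cause), the script below parses pam.d rules, flattens include/substack the way PAM builds a chain for one module type, and lists which rules of the password stack run ahead of pam_ldap.so, which is what you check when reasoning about whether a `sufficient` module can end the stack before the LDAP module is consulted. The inline file contents are a constructed excerpt of the configs posted above, limited to the password type; password-auth is left out because it is stated to be identical to system-auth.

```python
import re

# Constructed excerpt of the question's pam.d files, password type only (su and login both include system-auth).
PAMD = {
    "su": "password include     system-auth\n",
    "login": "password   include      system-auth\n",
    "system-auth": (
        "password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=\n"
        "password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok\n"
        "password    sufficient    pam_ldap.so use_authtok\n"
        "password    required      pam_deny.so\n"
    ),
}
# '-' prefix (optional rule), type, control word or [action list], module, remaining args
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Parse pam.d lines into rule dicts, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable pam.d line: {raw!r}")
        dash, mtype, control, module, args = m.groups()
        rules.append({"type": mtype, "control": control, "module": module,
                      "args": args.split(), "optional": dash == "-"})
    return rules

def effective_stack(files, service, mtype, depth=0):
    """Flatten include/substack for one type (substack scoping of done/die is ignored here)."""
    if depth > 8:
        raise RecursionError(f"include loop under {service}")
    out = []
    for r in parse(files[service]):
        if r["type"] != mtype:
            continue
        if r["control"] in ("include", "substack"):
            out.extend(effective_stack(files, r["module"], mtype, depth + 1))
        else:
            out.append(r)
    return out

def modules_before(stack, target):
    """Rules ahead of `target`; a 'sufficient' one that succeeds ends the stack with success unless an earlier required rule failed."""
    names = [r["module"] for r in stack]
    return None if target not in names else [(r["module"], r["control"]) for r in stack[:names.index(target)]]
```

Call `modules_before(effective_stack(PAMD, "su", "password"), "pam_ldap.so")` to see the flattened order for the su service; feed your own /etc/pam.d contents into the dictionary to check other services.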