我有一台 Centos-7.6 系统,使用 PAM 来验证 LDAP 用户。我设法通过将 shadowLastChange 设置为 0 来强制 LDAP 用户更改其密码,因此必须更改其密码。
但是如果我以该用户身份登录,或者在欢迎界面登录,它会在“当前(UNIX)密码:提示符”下接受任何密码。当然,这个提示符会出现后已经输入了用户密码,这在使用 su 或欢迎程序时很自然。
Password:
You are required to change your password immediately (root enforced)
need a new password
Changing password for test_user.
(current) UNIX password: <--------- anything you type here will be accepted
New password:
如果使用 ssh test_user@centos7server,我仍然被迫更改密码,但在这种情况下,密码经过正确检查,不允许使用错误的密码。
You are required to change your password immediately (root enforced)
need a new password
Last login: Tue Sep 3 15:42:36 2019
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test_user.
Changing password for test_user.
(current) UNIX password: <---------- password is properly verified
passwd: Authentication token manipulation error
注意:在 Centos-6.10 系统上使用类似的设置不允许错误密码,因此它可以正常工作。
这是我在 Centos-7 机器上的 /etc/pam.d 设置:
/etc/pam.d/系统身份验证:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
/etc/pam.d/password-auth 与 system-auth (上面的)相同
/etc/pam.d/sshd:
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
/etc/pam.d/登录:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
/etc/pam.d/su:
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
任何帮助都将不胜感激。谢谢