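A user's password expired, and they reset it on the FreeIPA website. The user gets the error "channel 0: open failed: administratively prohibited: open failed stdio forwarding failed" and cannot get into the host. I have tried to unlock the user from the web portal and have flushed the user's cache in sss_cache. Nothing has changed other than the password. I cannot get past this error.
Here is the security log: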
Feb 26 09:15:36 xxxx-mng-bh-01 sshd[8665]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=a.b.c.d user=serverfault
Feb 26 09:15:36 xxxx-mng-bh-01 sshd[8665]: pam_sss(sshd:auth): received for user serverfault: 12 (Authentication token is no longer valid; new one required)
Feb 26 09:15:36 xxxx-mng-bh-01 sshd[8665]: Accepted password for serverfault from a.b.c.d port 63562 ssh2
Feb 26 09:15:37 xxxx-mng-bh-01 sshd[8665]: pam_unix(sshd:session): session opened for user serverfault by (uid=0)
Feb 26 09:15:37 xxxx-mng-bh-01 sshd[8665]: pam_unix(sshd:session): session closed for user serverfault
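Answer 1
This message (administratively prohibited) is issued by OpenSSH. There are two cases in which it can be issued from the server side:
- opening the port is not allowed in the sshd_config configuration (PermitOpen option)
- TCP forwarding is not allowed or is disabled in the sshd_config configuration (AllowTcpForwarding option, for example)
Either way, it has nothing to do with FreeIPA or password expiry.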
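
The two sshd_config options named in this answer can be checked against the server's effective configuration. The following is an added example, not part of the original answer: it evaluates output in the format of sshd -T against a forwarding target, and the sample configuration, addresses and function names are constructed for illustration.

```python
# Added example: judge sshd's effective config against a forwarding target.
# Constructed sample in the format printed by `sshd -T` (not from the page).
SAMPLE = """\
allowtcpforwarding local
permitopen 10.0.0.5:22 [2001:db8::10]:22 db.internal.example:*
"""


def parse_effective_config(text):
    """Parse 'keyword value ...' lines into {keyword: [values]}."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), []).extend(value.split())
    return cfg


def split_target(spec):
    """Split host:port or [IPv6]:port into (host, port)."""
    host, _, port = spec.rpartition(":")
    return host.strip("[]").lower(), port


def forwarding_verdict(cfg, host, port):
    """Return (allowed, reason) for a client-requested open to host:port."""
    # sshd_config(5) defaults: AllowTcpForwarding yes, PermitOpen any.
    mode = (cfg.get("allowtcpforwarding") or ["yes"])[0].lower()
    if mode not in ("yes", "all", "local"):
        return False, f"AllowTcpForwarding {mode}"
    rules = [r.lower() for r in cfg.get("permitopen", [])] or ["any"]
    if "any" in rules:
        return True, "PermitOpen any"
    if "none" in rules:
        return False, "PermitOpen none"
    for rule in rules:
        r_host, r_port = split_target(rule)
        # '*' is the only wildcard; sshd does no other pattern matching.
        if r_host in ("*", host.lower()) and r_port in ("*", str(port)):
            return True, f"PermitOpen {rule}"
    return False, "no PermitOpen entry matches"


if __name__ == "__main__":
    cfg = parse_effective_config(SAMPLE)
    for target in [("10.0.0.5", 22), ("10.0.0.6", 22), ("db.internal.example", 5432)]:
        print(target, forwarding_verdict(cfg, *target))
```

Feed it the output of sshd -T from the server; adding -C user=...,host=...,addr=... makes sshd apply any Match blocks that would override the global values for that connection.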