有效的 root/用户密码在 EC2 上不起作用

tag-icon tag-icon sudo root authentication su amazon-ec2
有效的 root/用户密码在 EC2 上不起作用

使用更新后尝试输入任何帐户的密码时,身份验证失败。我的身份验证被破坏了,而其他一切都正常。

这些更新主要来自现有的 AWS 来源,但我也包含了一个外部来源。我想知道发生了什么,是否有办法修复它并可能回滚更改。

我仍然可以使用 ssh(通过 pem 文件)登录到我的 AWS EC2 实例,但这就是我所能做的。我无法使用旧密码通过 ssh root@ipaddress 登录。将其更改为安全凭证页面 -> 密码也没有帮助。我发现了一个类似的问题

我的/var/log/secure

sshd[1184]: Server listening on 0.0.0.0 port 22.
sshd[1184]: Server listening on :: port 22.
runuser: pam_unix(runuser:session): session opened for user mongod by (uid=0)
runuser: pam_unix(runuser:session): session closed for user mongod
sshd[1576]: Accepted publickey for ec2-user from xxx.xxx.xxx.xxx port xxxxx ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
sshd[1576]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
sudo: pam_unix(sudo:auth): authentication failure; logname=ec2-user uid=500 euid=0 tty=/dev/pts/0 ruser=ec2-user rhost=  user=ec2-user
sudo: ec2-user : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su -
su: pam_unix(su:auth): authentication failure; logname=ec2-user uid=500 euid=0 tty=pts/0 ruser=ec2-user rhost=  user=root
sudo: pam_unix(sudo:auth): authentication failure; logname=ec2-user uid=500 euid=0 tty=/dev/pts/0 ruser=ec2-user rhost=  user=ec2-user
sudo: ec2-user : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/ls
sshd[1184]: Received signal 15; terminating.
sshd[1576]: pam_unix(sshd:session): session closed for user c2-user

我的/etc/ssh/sshd_config

#   $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#
# Uncomment this if you want to use .local domain
# Host *.local
#   CheckHostIP no

Host *
    GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
    ForwardX11Trusted yes
# Send locale-related environment variables
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS
# Don't show actual hostnames in .ssh/known_hosts
    HashKnownHosts yes

调用ls -l /etc/passwd /etc/shadow /etc/sudoers结果如下:

-rw-r--r-- 1 root  root 1402 Oct  7 10:58 /etc/passwd
---------- 1 root  root  838 Oct  7 10:58 /etc/shadow
-r--r----- 1 root wheel 2299 Oct  7 10:58 /etc/sudoers

我的操作系统配置:

NAME="Amazon Linux AMI"
VERSION="2015.09"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2015.09"
PRETTY_NAME="Amazon Linux AMI 2015.09"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2015.09:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2015.09

命令aws ec2 get-password-data --instance-id XXXXXXXXXX结果(不确定是否适用于非 Windows 实例):

{
    "InstanceId": "XXXXXXXXXX", 
    "Timestamp": "2015-10-12T21:02:51.000Z", 
    "PasswordData": ""
}

答案1

最终,我通过启动一个新实例并从现有实例安装卷来恢复对 root 帐户的丢失访问权限。

sudo mount /dev/sdf /mnt/my-data

sudo vi /mnt/my-data/etc/ssh/sshd_config我改变了以下内容:

PermitRootLogin yes
#PermitRootLogin forced-commands-only

然后我将卷放回原始实例并通过 ssh 以 root 身份登录。

sudo ssh -i /key.pem [email protected]

以 root 身份登录时,我运行passwd username更改每个用户的密码。

相关内容