PAM:远程用户密码验证失败

PAM:远程用户密码验证失败

我在 server1 上执行 `olcnectl module validate`，它会通过 ssh 连接到 server2，并以 olcne 用户身份（再经 sudo）执行一些命令。该命令失败，同时我在 server2 的 /var/log/secure 中看到一些与 PAM 相关的认证失败记录。请帮我看看可能是什么问题。

[root@server1~]#  olcnectl --api-server 127.0.0.1:8091 module validate --environment-name dev   --name dev


server2.com:8090 enountered error with crio.service for: crio.conf
  We trust you have received the usual lecture from the local System
  Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

  Password: (sudo asked for a password, but nothing could be entered in this non-interactive session and the command exited with an error)
  Password:

[root@server2 pam.d]# cat sudo
#%PAM-1.0
# /etc/pam.d/sudo on server2: every phase is delegated to the shared
# system-auth stack, so there is nothing sudo-specific to tune in this file;
# it looks like the distribution default (confirm against the package copy).
# NOTE(review): the /var/log/secure entries quoted on this page are all in the
# "sudo:auth" phase ("authentication failure", "conversation failed",
# "auth could not identify password") and carry an empty tty=. That is the
# signature of sudo asking for olcne's password inside a non-interactive ssh
# session where nothing can answer the prompt — the "Password:" text captured
# in the olcne-agent output is that same prompt. Check the sudoers rule that
# lets olcne run /etc/olcne/scripts/olcne-systemctl (e.g. whether it is
# NOPASSWD) before changing this PAM stack.
# NOTE(review): the server2 entries show uid=0 euid=0 with user=olcne, i.e. a
# sudo run by root that still authenticates as olcne; root normally bypasses
# sudo authentication, so confirm how the agent invokes sudo there.
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

cat ./system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Shared stack included by /etc/pam.d/sudo (and others). The reviewer notes
# below describe only what the listed lines and the logs on this page show.
auth        required      pam_env.so
# 2 s delay after a failed authentication (value is in microseconds).
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
# uid < 900 (system/local accounts): the test fails and default=1 skips the
# next line, so such accounts go straight to pam_unix.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 900 quiet
# user not in /etc/passwd: default=1 skips pam_unix for that user.
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): nullok accepts accounts with an empty password field; drop it
# unless such accounts are intended. The logged "conversation failed" /
# "auth could not identify password for [olcne]" comes from this module and
# indicates it never got a password from sudo's conversation — not that a
# wrong password was supplied.
auth        sufficient    pam_unix.so nullok try_first_pass
# local accounts (uid < 900) that reach this line failed pam_unix above:
# requisite denies them immediately.
auth        requisite     pam_succeed_if.so uid >= 900 quiet_success
# pam_sss answered "User not known to the underlying authentication module"
# for olcne in the logs, i.e. sssd does not know the account (presumably a
# local user — confirm with getent passwd olcne).
auth        sufficient    pam_sss.so forward_pass
# NOTE(review): on server1 the logs show pam_ldap failing with "error opening
# connection to nslcd"; where nslcd is not running this line only adds noise
# and an extra failure path. Verify whether server2 needs pam_ldap at all.
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# broken_shadow: ignore errors reading shadow data during the account check.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 900 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# NOTE(review): "md5" selects MD5 password hashes; sha512 is the usual current
# choice. Unrelated to the sudo failure, but worth fixing.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# leading "-": do not log an error if pam_systemd.so is not installed.
-session     optional      pam_systemd.so
# for the crond service, success=1 skips the pam_unix session line below
# (avoids per-job session log entries).
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so
[root@server2 pam.d]#

这是 server1 通过 ssh 在 server2 上执行的操作之一。下面是在 server2 上手动运行它，检查是否能成功：

[root@server2 pam.d]# sudo su olcne -c "sudo /etc/olcne/scripts/olcne-systemctl status crio.service"
● crio.service - Open Container Initiative Daemon
   Loaded: loaded (/usr/lib/systemd/system/crio.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/crio.service.d
           └─crio-proxy.conf
   Active: active (running) since Tue 2020-04-14 00:21:34 PDT; 2 days ago
     Docs: https://github.com/cri-o/cri-o
 Main PID: 24249 (crio)
   CGroup: /system.slice/crio.service
           └─24249 /usr/bin/crio

Apr 14 00:21:34 server2 systemd[1]: Starting Open Container Initiative Daemon...
Apr 14 00:21:34 server2 systemd[1]: Started Open Container Initiative Daemon.

==> /var/log/secure <==
Apr 17 06:03:39 server2 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=olcne
Apr 17 06:03:39 server2 sudo: pam_sss(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=olcne
Apr 17 06:03:39 server2 sudo: pam_sss(sudo:auth): received for user olcne: 10 (User not known to the underlying authentication module)

==> /var/log/messages <==
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] out: [{"error":"","States":[{"property":"containerd.service","user_action":"","state":"not enabled/not running","error":"","message":"","Command":"","returncode":0,"data":"","children":null},{"property":"crio.service","user_action":"","state":"enabled/running","error":"","message":"","Command":"","returncode":0,"data":"","children":[{"property":"crio.conf","user_action":"","state":"","error":"We trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these two things:\n\n\t#1) Respect the privacy of others.\n\t#2) Think before you type.\n\nPassword:\nPassword:","message":"","Command":"","returncode":65542,"data":"","children":null}]},{"property":"kubelet.service","user_action":"systemctl enable kubelet.service","state":"not enabled/not running","error":"","message":"","Command":"","returncode":0,"data":"","children":null}]}] , stdErr: [] , err: %!s(<nil>)
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] Gathering state on the agent running package
Apr 17 06:03:41 server2 automount[1712]: key "olcne" not found in map source(s).
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] out: [{"error":"","States":[{"property":"kubeadm","user_action":"","state":"not installed","error":"","message":"","Command":"","returncode":0,"data":"","children":null},{"property":"kubectl","user_action":"","state":"not installed","error":"","message":"","Command":"","returncode":0,"data":"","children":null},{"property":"kubelet","user_action":"","state":"not installed","error":"","message":"","Command":"","returncode":0,"data":"","children":null}]}] , stdErr: [] , err: %!s(<nil>)
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] Gathering state on the agent running container-images

==> /var/log/secure <==
Apr 17 06:03:41 server2 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=olcne
Apr 17 06:03:41 server2 sudo: pam_sss(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=olcne



Apr 17 06:03:12 server1 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Apr 17 06:03:12 server1 sudo: pam_ldap(sudo:session): error opening connection to nslcd: No such file or directory
Apr 17 06:03:12 server1 su: pam_unix(su:session): session opened for user olcne by root(uid=0)
Apr 17 06:03:12 server1 su: pam_ldap(su:session): error opening connection to nslcd: No such file or directory
Apr 17 06:03:12 server1 sudo: pam_unix(sudo:auth): conversation failed
Apr 17 06:03:12 server1 sudo: pam_unix(sudo:auth): auth could not identify password for [olcne]
Apr 17 06:03:12 server1 sudo: pam_sss(sudo:auth): authentication failure; logname= uid=1001 euid=0 tty= ruser=olcne rhost= user=olcne
Apr 17 06:03:12 server1 sudo: pam_sss(sudo:auth): received for user olcne: 10 (User not known to the underlying authentication module)
Apr 17 06:03:12 server1 sudo: pam_ldap(sudo:auth): failed to get password: Authentication failure
Apr 17 06:03:14 server1 su: pam_unix(su:session): session closed for user olcne
