我正在 Red Hat 8 中设置 LDAP 客户端。
设置配置文件后,我进行了 LDAP 用户测试并成功返回（注意返回的 uid 是 666，低于 RHEL 8 /etc/login.defs 默认的 UID_MIN=1000；下文 authselect 默认 PAM 栈中的 pam_usertype.so isregular 正是按这个阈值判断“普通用户”的）:
# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)
如果我运行 ldapsearch，它也能成功返回预期结果（注意：下面这条命令用 -x 做匿名绑定，并且 -h 加 -ZZ 走的是 389 端口上的 StartTLS，与 sssd.conf 中 ldaps:// 的传输路径并不相同，也没有验证任何用户密码；要验证 sssd 实际使用的认证路径，应以该用户的 DN 通过 ldaps:// 做绑定，例如 `ldapwhoami -x -H ldaps://ldap.example.com -D '<用户 DN>' -W`）:
# ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com
但是如果我尝试ssh
从另一台机器访问 Red Hat 8 机器,则会收到此错误:
# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
我尝试了几台不同的机器,使用了不同的用户帐户,得到了相同的结果。
这是我的设置:
/etc/sssd/sssd.conf
[domain/default]
# NOTE(review): sssd refuses to start unless this file is owned by root with
# mode 0600; check that first if 'systemctl status sssd' is unhappy.
# Certificate verification is mandatory -- keep 'demand'.  Because ldap_uri
# below is ldaps://, the session is TLS from the first byte, so leaving
# ldap_id_use_start_tls off is the correct (not a missing) setting.
ldap_tls_reqcert = demand
# No offline logins: every authentication is sent to the server.
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# No ldap_default_bind_dn is set, so identity lookups bind anonymously; the
# directory evidently allows that, since 'id myusername' resolves.
ldap_uri = ldaps://ldap.example.com/
ldap_id_use_start_tls = False
# Must contain the issuer of ldap.example.com's server certificate.  The
# lookup connection already validates (otherwise 'id' would not resolve), and
# the per-user authentication bind uses the same ldap_tls_* settings.
ldap_tls_cacert = /etc/sssd/ca-bundle.crt
# To see what pam_sss actually decides (or whether it is called at all),
# temporarily raise logging here and read /var/log/sssd/sssd_default.log:
# debug_level = 6
[sssd]
config_file_version = 2
# 'ssh' is the responder behind sss_ssh_authorizedkeys; it is not involved in
# password logins.
services = nss, pam, ssh
domains = default
[nss]
homedir_substring = /home
/etc/openldap/ldap.conf
# CA bundle for the command-line tools; should be the same bundle sssd trusts.
TLS_CACERT /etc/sssd/ca-bundle.crt
#BASE dc=example,dc=com
#URI ldap://ldap.example.com/
SASL_NOCANON on
# Default server for ldapsearch & co.  Note that 'ldapsearch -h host -ZZ'
# overrides this URI and uses StartTLS on the plain ldap:// port, so that test
# did not exercise the ldaps:// path sssd is configured with.
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
# NOTE(review): TLS_CACERTDIR expects a directory of hash-named CA
# certificates; /etc/sssd is the sssd configuration directory.  TLS_CACERT
# above already names the bundle, so this line looks redundant -- confirm it is
# intended.
TLS_CACERTDIR /etc/sssd
/etc/nsswitch.conf
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
# NOTE(review): authselect regenerates this file on every 'authselect select' /
# 'apply-changes', so hand edits are lost; the custom-profile approach in the
# answer keeps its own copy for that reason.
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
# passwd: db files
# shadow: db files
# group: db files
# In order of likelihood of use to accelerate lookup.
# Local shadow first.  The sss source is not expected to return a usable
# password hash, so pam_unix can never verify an LDAP user from here; that is
# why pam_unix failures for LDAP users in /var/log/secure are expected noise.
shadow: files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks: files dns
protocols: files
publickey: files
rpc: files
/etc/sysconfig/authconfig
# NOTE(review): legacy authconfig state file.  On RHEL 8 authconfig is only a
# compatibility wrapper over authselect; running it (and FORCELEGACY=yes, tried
# further down) may rewrite nsswitch.conf and the PAM files behind authselect's
# back.  Use one tool -- authselect -- and stop touching this file.
USELDAP=yes
USELDAPAUTH=yes
/etc/pam.d/password-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
# NOTE(review): this is the stock authselect "sssd" profile.  The
# [default=1 ignore=ignore success=ok] controls below are jumps: when the
# module does not succeed, the NEXT line is skipped.  pam_usertype.so isregular
# succeeds only for uids at or above UID_MIN from /etc/login.defs (1000 on
# RHEL 8).  The LDAP account in the question has uid 666, so for it the stack
# runs as: isregular fails -> skip pam_localuser -> pam_unix runs and fails
# (it has no password hash for an LDAP user) -> isregular fails again -> skip
# pam_sss -> pam_deny.  That matches /var/log/secure exactly: one pam_unix
# failure and no pam_sss line at all.  Fix the cause rather than the stack:
# give LDAP users uids >= 1000, or lower UID_MIN in /etc/login.defs to cover
# them (that also changes what useradd treats as a regular account).
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# Skip the next line (pam_localuser) unless the user is a regular account.
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
# Skip the next line (pam_unix) unless the user exists in /etc/passwd.
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# nullok: a local account with an empty password field may log in with an
# empty password.  sshd's default PermitEmptyPasswords no blocks that for ssh,
# but other services using this stack are not protected by it.
auth sufficient pam_unix.so nullok
# Skip the next line (pam_sss) unless the user is a regular account -- this is
# the jump that keeps a uid-666 LDAP user from ever reaching pam_sss.
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/system-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
# NOTE(review): identical to password-auth (both come from the authselect
# "sssd" profile).  Same consequence for the uid-666 LDAP user: each
# 'pam_usertype.so isregular' line fails for a uid below UID_MIN (1000 on
# RHEL 8) and its [default=1 ...] control skips the following line, so
# pam_localuser and pam_sss are both skipped and only pam_unix and pam_deny
# run.  sshd goes through password-auth, but console/su/sudo logins go through
# this file and would fail the same way.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# Skip pam_localuser unless the user is a regular (uid >= UID_MIN) account.
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
# Skip pam_unix unless the user exists in /etc/passwd.
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# nullok: local accounts with an empty password field may authenticate with an
# empty password; only sshd (PermitEmptyPasswords no) independently blocks that.
auth sufficient pam_unix.so nullok
# Skip pam_sss unless the user is a regular account.
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# NOTE(review): verify the effective configuration with 'sshd -T'; sshd uses the
# first value it finds for each keyword, so a duplicate earlier in the file or
# a Match block silently wins over what is written here.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
# NOTE(review): added while troubleshooting and unrelated to the failure (the
# log shows an ordinary user being rejected by PAM).  Revert to
# 'prohibit-password' (the OpenSSH default) or 'no': password logins as root
# are the first thing network brute-forcers try.
PermitRootLogin yes
# Only local files are consulted for keys.  If keys live in LDAP, add
# 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' and
# 'AuthorizedKeysCommandUser nobody' -- that is what the 'ssh' responder in
# sssd.conf is for.  Not needed for password logins.
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# With ChallengeResponseAuthentication off below, the PAM conversation (and so
# pam_sss) runs through the 'password' method; keep this 'yes' and UsePAM
# 'yes' for LDAP password logins.
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# GSSAPI options
# Nothing in the shown setup uses Kerberos; harmless, but one more enabled
# authentication method than is needed.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Required: without PAM sshd would never call pam_sss.
UsePAM yes
# Only needed if users run X clients over ssh; forwarding exposes the client's
# X display to this server, so leave it off otherwise.
X11Forwarding yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
# NOTE(review): on the OpenSSH 8.0 shipped with RHEL 8, CountMax 0 terminates
# the session after the first alive probe at 600 s whether or not the client
# answers (a hard idle timeout); OpenSSH 8.2 redefined 0 as 'never terminate'.
# Confirm which behaviour is intended before the next upgrade.
ClientAliveInterval 600
ClientAliveCountMax 0
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
/var/log/secure（注意：这里只有 pam_unix 的认证失败记录，没有任何 pam_sss 的日志行，说明 pam_sss 很可能根本没有被调用，而不是 LDAP 绑定失败；这与上面 PAM 栈中两处 pam_usertype.so isregular 对 uid=666 < UID_MIN(1000) 的用户失败、并通过 default=1 跳过紧随其后一行的行为完全一致）
Jan 28 08:35:39 opal sshd[206875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=myusername
Jan 28 08:35:40 opal sshd[206875]: Failed password for myusername from xxx.xxx.xxx.xxx port 60384 ssh2
尝试
我尝试了以下方法:
- 在 /etc/selinux/config 中禁用 SELinux
- 停止 iptables.service
  （审阅注：/var/log/secure 里已经出现 sshd 的 pam_unix 认证失败记录，说明连接已经到达 sshd 的 PAM 阶段，防火墙不是原因；SELinux 若有影响会在 /var/log/audit/audit.log 中留下 AVC 拒绝记录，应以此判断，临时验证用 setenforce 0 即可，不必改配置文件。排查结束后务必恢复 SELinux enforcing 并重新启动防火墙。）
- 在 Red Hat 8 的 /etc/ssh/sshd_config 中加入 PermitRootLogin yes 和 UsePAM yes
  （审阅注：UsePAM yes 是 sshd 调用 pam_sss 的前提，应保留；PermitRootLogin yes 与本问题无关，排查完成后应改回 no 或 prohibit-password。）
- 反复执行 authselect select sssd，然后重启 sssd.service
- 在 /etc/sysconfig/authconfig 中添加 FORCELEGACY=yes
  （审阅注：RHEL 8 上 authconfig 只是 authselect 的兼容包装，两者混用可能互相覆盖 nsswitch.conf 和 PAM 文件，建议只使用 authselect。）
问题
谁能帮我弄清楚为什么用户无法使用 SSH 登录到该服务器?
答案1
我最终找到了一个解决方案：基于 sssd 创建一个自定义的 authselect 配置文件，其中包含自定义的 password-auth、system-auth 和 nsswitch.conf 文件。
（审阅注：这个方案之所以有效，是因为自定义的 PAM 栈去掉了 authselect 默认 sssd 配置里的 pam_usertype.so isregular；该模块对 uid < UID_MIN(1000) 的用户返回失败，而 [default=1 ...] 控制会跳过紧随其后的一行，于是 uid=666 的 LDAP 用户永远到不了 pam_sss。改动更小的做法是给 LDAP 用户分配 >= 1000 的 uid，或在 /etc/login.defs 中下调 UID_MIN 以覆盖它们（这也会影响 useradd 对普通账号的判断），无需替换整个 PAM 栈。）
1. 根据 sssd 创建自定义配置文件
# Start from the stock sssd profile so the custom files can later be diffed
# against /usr/share/authselect/default/sssd/.
authselect create-profile user-profile -b sssd
2. 用以下内容覆盖 /etc/authselect/custom/user-profile/password-auth 和 /etc/authselect/custom/user-profile/system-auth：
# NOTE(review): this is essentially the pre-authselect (authconfig-era) stack.
# It works for the uid-666 user because there is no 'pam_usertype.so isregular'
# gate: pam_sss is reached as 'sufficient' before the uid >= 1000 check on the
# following line is ever evaluated.  Trade-offs versus the stock sssd profile:
# pam_unix is now tried for every user (expect one spurious pam_unix failure per
# LDAP login in /var/log/secure), and the session order below skips pam_unix's
# session handling for SSSD users (see comment there).  If the only problem was
# the uid range, raising the users' uids or lowering UID_MIN in
# /etc/login.defs is the smaller change.
auth required pam_env.so
# nullok: local accounts with an empty password field may authenticate with an
# empty password (sshd's PermitEmptyPasswords no blocks it for ssh only).
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so
# Only reached when both pam_unix and pam_sss declined; local accounts below
# uid 1000 are then refused here instead of at pam_deny.
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_sss.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# pam_sss is tried first; for a local user it returns 'user unknown' and the
# change falls through to pam_unix.
password sufficient pam_sss.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Creates a missing home directory on first login; umask 0077 keeps it private.
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# NOTE(review): 'sufficient' here means that when pam_sss succeeds the
# pam_unix session line below is not run for that user, so its
# "session opened/closed" syslog records will be missing for SSSD users.  The
# stock profile runs pam_unix as 'required' first and pam_sss as 'optional'
# after it; consider keeping that order for audit purposes.
session sufficient pam_sss.so
session required pam_unix.so
3. 用以下内容覆盖 /etc/authselect/custom/user-profile/nsswitch.conf：
# NOTE(review): authselect profile template.  The {exclude if "..."} markers
# are evaluated by authselect when the profile is selected with the named
# feature; databases not listed here (hosts, networks, ...) are taken from
# /etc/authselect/user-nsswitch.conf when /etc/nsswitch.conf is generated.
# Unlike the stock profile this puts 'files' before 'sss', so a local account
# wins on a name/uid clash with the directory.
passwd: files sss {exclude if "with-custom-passwd"}
# Keep shadow files-first: sss is not expected to return a usable hash anyway.
shadow: files sss
group: files sss {exclude if "with-custom-group"}
netmasks: files
networks: files
netgroup: files sss {exclude if "with-custom-netgroup"}
automount: files sss {exclude if "with-custom-automount"}
services: files sss {exclude if "with-custom-services"}
sudoers: files sss {exclude if "with-sudo"}
4. 选择新配置文件
# Generates /etc/nsswitch.conf and the /etc/pam.d files from the profile.  Add
# --force if authselect refuses because the current files were edited by hand;
# after any later change to the profile directory run 'authselect apply-changes'.
authselect select custom/user-profile
5. 重启 sssd
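# The command is systemctl (the original listing had a typo, "systemctrl").
systemctl restart sssd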