"Failed to start OpenBSD Secure Shell server" error after adding a user to the PAM section

When I add a user in the PAM section of sshd_config:

UsePAM yes
Match User employee_1
PasswordAuthentication yes

I can't restart the SSH service and get the following message (why? please help):

root@ip-xxxxxxx:/etc/ssh# systemctl status ssh

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-04-23 18:19:00 UTC; 19s ago
  Process: 895 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=0/SUCCESS)
  Process: 2183 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=255)
 Main PID: 895 (code=exited, status=0/SUCCESS)

Apr 23 18:19:00 ip-publicip systemd[1]: ssh.service: Control process exited, code=exited status=255
Apr 23 18:19:00 ip-publicip systemd[1]: ssh.service: Failed with result 'exit-code'.
Apr 23 18:19:00 ip-publicip systemd[1]: Failed to start OpenBSD Secure Shell server.
Apr 23 18:19:00 ip-publicip systemd[1]: ssh.service: Service hold-off time over, scheduling restart.
Apr 23 18:19:00 ip-publicip systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.
Apr 23 18:19:00 ip-publicip systemd[1]: Stopped OpenBSD Secure Shell server.
Apr 23 18:19:00 ip-publicip systemd[1]: ssh.service: Start request repeated too quickly.
Apr 23 18:19:00 ip-publicip systemd[1]: ssh.service: Failed with result 'exit-code'.
Apr 23 18:19:00 ip-publicip systemd[1]: Failed to start OpenBSD Secure Shell server.

Answer 1

There is actually no PAM "section" in the sshd_config file.

In the default file, UsePAM happens to be the last line, which is why you usually see a Match block right after it. The rules for Match blocks are described in man sshd_config:

     Match   Introduces a conditional block.  If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file,
             until either another Match line or the end of the file.  If a
             keyword appears in multiple Match blocks that are satisfied, only
             the first instance of the keyword is applied.

As we found out by running the server in debug mode with sshd -d, you have at least one more line after UsePAM in your sshd_config, and by placing your Match block in front of that line, sshd tries to apply it inside the block, which is not allowed (refer again to the Match section of the manual page for the subset of keywords that are permitted there):

/etc/ssh/sshd_config line 94: Directive 'PrintMotd' is not allowed within a Match block

The fix should be simple: just move your Match block to the real end of the file.
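Added example, not code from the question or the answer: a small POSIX shell script that rebuilds the layout from the question in a constructed sshd_config, reports the global-only directives that have landed after the Match line (the lines sshd -t trips over), and rewrites the file so the Match block sits at the true end. The GLOBAL_ONLY keyword set is an assumed subset of what sshd_config(5) forbids inside Match, used as a heuristic, not the manual's full list.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Detects global directives that
# follow a Match line and rewrites the file so Match blocks come last.
# GLOBAL_ONLY is an assumed subset of keywords that sshd_config(5) does not
# allow inside a Match block (heuristic, not the complete list).
GLOBAL_ONLY='^(UsePAM|PrintMotd|PrintLastLog|Port|ListenAddress|HostKey|Subsystem|ChallengeResponseAuthentication)$'

# Print "LINE: KEYWORD" for each global-only directive after a Match line;
# sshd reads such a line as part of the block and `sshd -t` exits non-zero.
# Exit status 1 when at least one was found, 0 when the file is clean.
sshd_find_misplaced() {
  awk -v re="$GLOBAL_ONLY" '
    /^[ \t]*Match([ \t]|$)/ { in_match = 1; next }
    in_match && $1 ~ re     { printf "%d: %s\n", NR, $1; found = 1 }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Keep global lines in place and append every Match block at the end. A block
# ends at the first global-only keyword after its Match line (heuristic: that
# line was meant to be global, exactly the situation in the question).
sshd_move_match_to_end() {
  awk -v re="$GLOBAL_ONLY" '
    /^[ \t]*Match([ \t]|$)/ { in_match = 1 }
    in_match && $1 ~ re     { in_match = 0 }
    in_match                { blocks = blocks $0 "\n"; next }
    { print }
    END { printf "%s", blocks }
  ' "$1"
}

# Constructed input: UsePAM is no longer last, PrintMotd trails the Match block.
tmp="${TMPDIR:-/tmp}/sshd_config.demo.$$"
cat > "$tmp" <<'EOF'
Port 22
UsePAM yes
Match User employee_1
PasswordAuthentication yes
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

sshd_find_misplaced "$tmp" || echo "global directives sit after Match; fixing"
sshd_move_match_to_end "$tmp" > "$tmp.fixed"
sshd_find_misplaced "$tmp.fixed" && echo "fixed config has no misplaced lines"
# Validate with the real parser when sshd is installed (it also needs host keys).
if command -v sshd >/dev/null 2>&1; then
  sshd -t -f "$tmp.fixed" || echo "sshd -t rejected $tmp.fixed"
fi
```

Run sshd -t before systemctl restart ssh on the real /etc/ssh/sshd_config; the ExecStartPre line in the status output above is exactly that check, so a file that passes it will not hit the restart loop.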
