I have an LDAP server running on CentOS 7. id, getent passwd and the users work. But 'ssh' fails. From /var/log/secure it looks as if authentication succeeded, but pam doesn't like something else. I'm not sure how to narrow down where the problem is.
In /var/log/secure:
May 11 16:33:40 localhost sshd[45055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)
May 11 16:33:40 localhost sshd[45055]: Failed password for user1 from ldapserver.abc.com port 55185 ssh2
May 11 16:33:40 localhost sshd[45055]: fatal: Access denied for user user1 by PAM account configuration [preauth]
/etc/sssd/sssd.conf:
[sssd]
services = nss,pam,autofs,ssh
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,newsnsdc,nscd
[domain/default]
enumerate = False
ldap_tls_reqcert = never
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=abc,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_uri = ldaps://ldapserver.abc.com:636
ldap_id_use_start_tls = False
ldap_default_bind_dn = uid=nssproxy,ou=users,dc=abc,dc=com
ldap_chpass_uri = ldaps://ldapserver.abc.com:636
ldap_default_authtok_type = password
ldap_default_authtok = 12345
debug_level = 4
[pam]
debug_level = 4
[sudo]
[autofs]
[ssh]
debug_level = 9
[pac]
[ifp]
/etc/pam.d/password-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Best answer: sssd does not support authentication over an unencrypted channel
This line from the man page should be posted as the answer in its own right.
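As an added example (not code from the question or the answer), this is the narrowing-down the asker was missing: group the PAM lines of /var/log/secure by sshd PID to see which PAM stage rejected a login (auth success followed by an account-stage denial means the password was right and the problem is in access control or the sssd domain itself), and scan sssd.conf for a domain whose LDAP channel is not certificate-validated TLS, the condition the man-page line in the answer is about. The log sample is constructed from the question's output and the function names are mine.

```python
import re
from collections import defaultdict

# Matches the PAM lines sshd writes to /var/log/secure, e.g. "pam_sss(sshd:account): Access denied ...".
PAM_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<mod>pam_\w+)\(sshd:(?P<stage>\w+)\): "
                    r"(?P<res>authentication success|authentication failure|Access denied)")
USER_RE = re.compile(r"(?:user=|for user )(?P<user>[^\s:]+)")
# Constructed sample modelled on the log in the question (not the real log).
SAMPLE_LOG = """\
May 11 16:33:40 localhost sshd[45055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)
May 11 16:33:40 localhost sshd[45055]: fatal: Access denied for user user1 by PAM account configuration [preauth]
May 11 16:35:02 localhost sshd[45102]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user2
"""

def triage_secure_log(text):
    """Group PAM events by sshd PID and say which PAM stage rejected each login attempt."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            u = USER_RE.search(line)
            events[m["pid"]].append((m["stage"], m["mod"], m["res"], u["user"] if u else "?"))
    report = {}
    for pid, evs in events.items():
        auth_ok = any(s == "auth" and r == "authentication success" for s, _, r, _ in evs)
        denied = [mod for s, mod, r, _ in evs if s == "account" and r == "Access denied"]
        # auth OK but account denied: the password was right, so look at access_provider / the sssd domain log
        verdict = (f"account stage denied by {denied[0]}" if auth_ok and denied
                   else "auth stage passed" if auth_ok else "auth stage failed")
        report[pid] = (evs[0][3], verdict)
    return report

def ldap_channel_findings(conf_text):
    """Flag [domain/*] sections whose LDAP channel is not certificate-validated TLS."""
    section, cfg = None, defaultdict(dict)
    for line in (l.strip() for l in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            k, v = (p.strip() for p in line.split("=", 1))
            cfg[section][k.lower()] = v
    findings = []
    for sec, kv in cfg.items():
        if sec.startswith("domain/") and kv.get("ldap_uri", "").startswith("ldap://"):
            findings.append((sec, "plain ldap:// URI: sssd auth needs the server to accept StartTLS"))
        if sec.startswith("domain/") and kv.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append((sec, "ldap_tls_reqcert=never: server certificate is not validated"))
    return findings
```

Run against the question's files, triage_secure_log points at pam_sss in the account stage for PID 45055, and ldap_channel_findings reports only the reqcert=never finding for the ldaps:// domain.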