web-dev-qa-db-ja.com

LinuxユーザーのPAMに関する問題?

Rootの代わりに使用するようにユーザーを設定しました。ユーザー設定で遊び始めるまでは、うまく機能していました。これで、(rootを除く)すべてのユーザーが中断しました。 admin/rootグループに追加した後でも、他のユーザーとログイン(ssh)できません。これらのユーザーとftpすることはできません(vsftpdを使用)。

ユーザーを削除し、/ etc/shadowファイルのエントリをクリアしたため、ユーザーのパスワードを変更できませんでした。次のコマンドを使用して、ユーザーを再度追加しました。

useradd -d /path/to/home -s /path/to/Shell -g admin username

次に、パスワードを変更しました。それ以来、ユーザー(su-username)を切り替えてみたところ、/ var/log /auth.logに次のエントリが見つかりました。

Feb 15 09:37:55 myserve su[26682]: Successful su for username by root
Feb 15 09:37:55 myserve su[26682]: + /dev/pts/0 root:username
Feb 15 09:37:55 myserve su[26682]: pam_unix(su:session): session opened for user username by root(uid=0)
Feb 15 09:37:55 myserve su[26682]: pam_unix(su:session): session closed for user username

この問題はPAMの問題のようですが、PAMの管理方法がわかりません。そのユーザー名がロックアウトされた可能性があると思います。私は本当にそのユーザー名を使用したいのですが(新しいユーザー名を作成する必要はありません)、それが結局のところそうであれば、私はそれを行います。

別のユーザー名がありますが、これも使用できません。同じエラーがauth.logに表示されます

実際に確認したところ、root以外のユーザーは誰もシステムにログインできないことがわかりました。

更新:PAMの詳細を含める

/etc/pam.dのls-l

-rw-r--r-- 1 root root  197 2009-11-23 15:11 atd
-rw-r--r-- 1 root root  384 2011-02-21 00:10 chfn
-rw-r--r-- 1 root root   92 2011-02-21 00:10 chpasswd
-rw-r--r-- 1 root root  581 2011-02-21 00:10 chsh
-rw-r--r-- 1 root root 1208 2011-05-10 07:17 common-account
-rw-r--r-- 1 root root 1221 2011-05-10 07:17 common-auth
-rw-r--r-- 1 root root 1440 2011-05-10 07:17 common-password
-rw-r--r-- 1 root root 1156 2011-05-10 07:17 common-session
-rw-r--r-- 1 root root 1154 2011-05-10 07:17 common-session-noninteractive
-rw-r--r-- 1 root root  531 2011-01-05 10:23 cron
-rw-r--r-- 1 root root   81 2010-11-17 17:58 dovecot
-rw-r--r-- 1 root root 4585 2011-02-21 00:10 login
-rw-r--r-- 1 root root   92 2011-02-21 00:10 newusers
-rw-r--r-- 1 root root  520 2011-04-14 16:40 other
-rw-r--r-- 1 root root   92 2011-02-21 00:10 passwd
-rw-r--r-- 1 root root  145 2010-12-14 17:08 pop3
-rw-r--r-- 1 root root  168 2011-02-04 08:41 ppp
-rw-r--r-- 1 root root 1272 2010-04-07 02:50 sshd
-rw-r--r-- 1 root root 2305 2011-02-21 00:10 su
-rw-r--r-- 1 root root  119 2011-04-15 16:02 Sudo
-rw-r--r-- 1 root root   92 2013-01-19 22:51 vsftpd
-rw-r--r-- 1 root root  139 2013-01-19 22:33 vsftpd.bak

また、ユーザーをsshdおよびrootグループに追加しましたが、それでもそのユーザーとしてログインできません。ただし、エラーは変更されました。

Feb 15 14:11:51 myserve sshd[5433]: Accepted password for username from 81.56.236.66 port 56851 ssh2
Feb 15 14:11:51 myserve sshd[5433]: pam_unix(sshd:session): session opened for user username by (uid=0)
Feb 15 14:11:52 myserve sshd[5447]: Received disconnect from 81.56.236.66: 11: disconnected by user
Feb 15 14:11:52 myserve sshd[5433]: pam_unix(sshd:session): session closed for user username

Pam.d内のすべてのファイルの完全なコンテンツ

File: /etc/pam.d/atd
#
# The PAM configuration file for the at daemon
#

auth    required    pam_env.so
@include common-auth
@include common-account
@include common-session-noninteractive
session    required   pam_limits.so
File: /etc/pam.d/chfn
#
# The PAM configuration file for the Shadow `chfn' service
#

# This allows root to change user infomation without being
# prompted for a password
auth        sufficient  pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session


File: /etc/pam.d/chpasswd
# The PAM configuration file for the Shadow 'chpasswd' service
#

@include common-password

File: /etc/pam.d/chsh
#
# The PAM configuration file for the Shadow `chsh' service
#

# This will not allow a user to change their Shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth       required   pam_shells.so

# This allows root to change user Shell without being
# prompted for a password
auth        sufficient  pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so 
# here's the fallback if no module succeeds
account requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
File: /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
File: /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password    [success=1 default=ignore]  pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
File: /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
# end of pam-auth-update config
File: /etc/pam.d/common-session-noninteractive
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
# end of pam-auth-update config
File: /etc/pam.d/cron
#
# The PAM configuration file for the cron daemon
#

@include common-auth

# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session       required   pam_env.so

# In addition, read system locale information
session       required   pam_env.so envfile=/etc/default/locale

@include common-account
@include common-session-noninteractive 
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session    required   pam_limits.so


File: /etc/pam.d/dovecot
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login Prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without out this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
File: /etc/pam.d/newusers
# The PAM configuration file for the Shadow 'newusers' service
#

@include common-password

File: /etc/pam.d/other
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron  specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used.  If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
# 

@include common-auth
@include common-account
@include common-password
@include common-session
File: /etc/pam.d/passwd
#
# The PAM configuration file for the Shadow `passwd' service
#

@include common-password

File: /etc/pam.d/pop3
# PAM configuration file for Courier POP3 daemon

@include common-auth
@include common-account
@include common-password
@include common-session

File: /etc/pam.d/ppp
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth    required    pam_nologin.so
@include common-auth
@include common-account
@include common-session
File: /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
File: /etc/pam.d/su
#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session


File: /etc/pam.d/Sudo
#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so
File: /etc/pam.d/vsftpd
auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so
File: /etc/pam.d/vsftpd.bak
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash 
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash 
2
tadywankenobi

短い答え:

コマンドが正しくありませんでした:

_useradd -d /path/to/home -s /path/to/Shell -g admin username
_

使用する

_useradd -d /home/username -s /bin/sh -g admin username
_

通常のユーザーを作成します。

Tadyはチャットにいくつかの情報を投稿しました:

tady:$:15750:0:99999:7 :::

squarepeg:$:15751:0:99999:7 :::それは/ etc/shadowです

および/ etc/passwd

tady:x:5001:5001 ::/var/www:/ bin/false

squarepeg:x:5003:109:square peg design:/ var/www:/ bin/false

/ bin/falseホームディレクトリが存在するので、ユーザーが使用したことがなくてもどこかに行くことができるように作成しました(それを見ると、所有者とグループはroot:rootです。これは問題になりますか?)/ var/www Shell彼らがログインするときに私が彼らに行きたいところです

「passwdファイルの形式はかなり標準的です。」

はい、そうです。そしてフォーマットはここで非公式に説明されています: Wikipedia:Passwd(file) ;または、より規範的な _man 5 passwd_ (ubuntuから)

例を確認してください。

_ jsmith:.......:/home/jsmith:/bin/sh
_

Wikiはそれを次のようにデコードします。

6番目のフィールドは、ユーザーのホームディレクトリへのパスです。 7番目のフィールドは、ユーザーがシステムにログインするたびに開始されるプログラムです。 ...これは通常、システムのコマンドラインインタープリター(シェル)の1つです。

したがって、jmsithにはホームディレクトリ_/home/jsmith_と有効なシェルであるシェルプログラム_/bin/sh_があります(すべての有効なシェルはファイル_/etc/shells_にリストされています)。 _man shells_を確認してください。

/ etc/shellsは、有効なログインシェルのフルパス名を含むテキストファイルです。

このファイルを参照して、ユーザーが通常のユーザーであるかどうかを確認するプログラムがあることに注意してください。例:ftpデーモンは、従来、このファイルに含まれていないシェルを持つユーザーへのアクセスを許可していません。

私のLinuxでは、_/bin/false_は有効なシェルとしてここにリストされていません。

Passwdの引用によると、tadyとsquarepegのホームディレクトリは_/var/www_で、_/bin/false_はシェルプログラムです。ログインすると、シェルが起動します。シェルの終了後、セッションは閉じられます。 _/bin/false_は、...短時間で終了する単純なUNIXプログラムです(チェック Wikipedia:False(Unix) または単にmain(){return 1;}と考えてください)。

Normal Shellは、ユーザー入力を読み取り、それを無限ループで実行する対話型プログラムです。コンピューターにsshを実行すると、シェルが開始されます。また、_/bin/false_シェルを使用しているユーザーにはftpを使用できません。

PS:誰かがsshを使用することを禁止したいが、vsftpdの使用を許可したい場合は、ハックがあります

2
osgx