我正在 Red Hat 8 中设置 LDAP 客户端。
设置配置文件后,我做了一个 LDAP 用户测试,它成功返回:
# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)
如果我运行ldapsearch
它,它会成功返回预期的结果:
# ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com
但是,如果我尝试ssh
从另一台机器访问 Red Hat 8 机器,则会收到以下错误:
# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
我用不同的用户帐户尝试了几台不同的机器,并得到了相同的结果。
这是我的设置:
/etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = demand
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com/
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/sssd/ca-bundle.crt
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default
[nss]
homedir_substring = /home
/etc/openldap/ldap.conf
TLS_CACERT /etc/sssd/ca-bundle.crt
#BASE dc=example,dc=com
#URI ldap://ldap.example.com/
SASL_NOCANON on
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/sssd
/etc/nsswitch.conf
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
# passwd: db files
# shadow: db files
# group: db files
# In order of likelihood of use to accelerate lookup.
shadow: files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks: files dns
protocols: files
publickey: files
rpc: files
/etc/sysconfig/authconfig
USELDAP=yes
USELDAPAUTH=yes
/etc/pam.d/password-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/system-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
X11Forwarding yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
ClientAliveInterval 600
ClientAliveCountMax 0
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
/var/log/安全
Jan 28 08:35:39 opal sshd[206875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=myusername
Jan 28 08:35:40 opal sshd[206875]: Failed password for myusername from xxx.xxx.xxx.xxx port 60384 ssh2
尝试
我尝试了以下方法:
- 在中禁用 selinux
/etc/selinux/config
- 停止 iptables.service
- 添加
PermitRootLogin yes
和UsePAM yes
到 Red Hat 8/etc/ssh/sshd_conf
文件 - 反复尝试
authselect select sssd
,然后重启sssd.service - 加入
FORCELEGACY=yes
_/etc/sysconfig/authconfig
问题
谁能帮我弄清楚为什么用户不能使用 SSH 登录到这个服务器?
我终于找到了一个解决方案,通过使用 custom 、和files创建自定义
authselect
配置文件。password-auth
system-auth
nsswitch.conf
1. 基于 sssd 创建自定义配置文件
2.覆盖
/etc/authselect/custom/user-profile/password-auth
并/etc/authselect/custom/user-profile/system-auth
使用以下设置/etc/authselect/custom/user-profile/nsswitch.conf
3.用以下设置覆盖4.选择新的个人资料
5.重启sssd