Ubuntu 16 Sud SU SU 密碼錯誤嘗試
我正在使用 Ubuntu 16.04.3 LTS 伺服器。我有一個擁有 sudo 權限的使用者。當我嘗試從目前使用者切換到 root 時,它會詢問我的密碼。我輸入了正確的密碼,但它拒絕了我的密碼。
username@server:/ sudo su [sudo] password for username: Sorry, try again. [sudo] password for username: Sorry, try again. [sudo] password for username: sudo: 3 incorrect password attempts幸運的是,我打開了另一個終端視窗,我仍然以 root 身份登錄。所以我試圖為我的使用者重置密碼。它說我已成功更新使用者。
root@server:/# passwd username Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully所以我然後再次嘗試該
sudo su命令。它失敗並顯示相同的消息。我為同一個使用者打開一個新的終端視窗並嘗試
sudo su相同的命令失敗並顯示相同的消息。我也嘗試解鎖使用者
sudo usermod --expiredate -1 username。這也沒有解決問題。我還嘗試授予使用者“sudo”權限
usermod -aG sudo username。使用者仍然有問題。我放棄了,只是創建了一個具有 sudo 權限的新使用者並開始使用新使用者。第二天,我開始遇到與新使用者完全相同的問題。
該
pwck命令列出了幾個系統帳戶和有關其主目錄的消息,但沒有其他內容。該grpck命令根本沒有給出任何消息。大約一個月前,我們最近添加了“pam”身份驗證。
/etc/pam.d/sudo
#%PAM-1.0 session required pam_env.so readenv=1 user_readenv=0 session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 @include common-auth @include common-account @include common-session-noninteractive/etc/pam.d/common-auth
auth required pam_tally2.so deny=5 unlock_time=600 # here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_cap.so # end of pam-auth-update config/etc/pam.d/common-account
# here are the per-package modules (the "Primary" block) account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config/etc/pam.d/common-session-noninteractive
# here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so # here's the fallback if no module succeeds session requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around session required pam_permit.so # The pam_umask module will set the umask according to the system default in # /etc/login.defs and user settings, solving the problem of different # umask settings with different shells, display managers, remote sessions etc. # See "man pam_umask". session optional pam_umask.so # and here are more per-package modules (the "Additional" block) session required pam_unix.so # end of pam-auth-update config感謝@telcoM 和@roaima,我發現pam 身份驗證模組是問題的根源。
root@server:/# pam_tally2 Login Failures Latest failure From username 53 06/05/18 16:53:42 xxx.xxx.xxx.xxx雖然我找到了問題的原因,但我不理解這種行為。也許我在 pam 模組中配置不正確。每次我鍵入
sudo su(成功與否)時,都會將失敗添加到pam_tally2. 我不知道為什麼成功輸入正確的密碼會增加失敗嘗試,但確實如此。下面的例子。pam_tally2 Login Failures Latest failure From username 0 06/05/18 16:53:42 xxx.xxx.xxx.xxx username@server:/ sudo su [sudo] password for username: root@server:/# pam_tally2 Login Failures Latest failure From username 1 06/05/18 16:54:03 xxx.xxx.xxx.xxx使用
sudo -sorsudo -i還會導致pam_tally2.
您提到未經授權的外部使用者不斷嘗試登錄。如果這些不需要的遠端登錄嘗試引用
root或您的username使用者帳戶,則可能意味著pam_tally2PAM 模組正在鎖定其中一個或兩個。執行
pam_tally2命令以查看導致故障的原因。(您可能需要執行pam_tally2 --user=username --reset以重置username.或者,此問題報告如果在 /etc/ssh/sshd_config 文件中設置了“ChallengeResponseAuthentication yes”,則 pam_tally2 將正確的密碼計為失敗的登錄嘗試,這可能更準確地描述了您的場景。(我仍在努力尋找解決方案的替代來源。)
順便說一句,儘管 Canonical 做出了所有最好的(但錯誤的)努力,但您永遠不需要使用
sudo su任何東西。(這就像說“給我root?好的,謝謝。現在我是root,我需要成為root ”。)嘗試sudo -s使用root shell 或sudo -iroot 登錄shell。