After changing the root password on a Linux server (RHEL 6.6) and then testing it over ssh, I got the prompt "Password authentication failed. Please check that the username and password are correct." I double-checked: the account and password were definitely right. But looking at /var/log/secure showed the following errors:
Apr 28 15:22:56 mylnx2 passwd: pam_unix(passwd:chauthtok): password changed for root
Apr 28 15:25:24 mylnx2 sshd[3037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=root
Apr 28 15:25:26 mylnx2 sshd[3037]: Failed password for root from 192.168.103.63 port 51422 ssh2
Apr 28 15:25:41 mylnx2 sshd[3037]: Failed password for root from 192.168.103.63 port 51422 ssh2
Apr 28 15:25:45 mylnx2 sshd[3039]: Received disconnect from 192.168.103.63: 13: The user canceled authentication.
Apr 28 15:25:45 mylnx2 sshd[3037]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxxx.xxx.xxx user=root
Apr 28 15:26:24 mylnx2 sshd[3058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxx.xxx.xxx.com user=root
Apr 28 15:26:27 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2
Apr 28 15:26:33 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2
Apr 28 15:26:42 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2
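Before digging into configuration, it helps to know exactly what the log is saying: how many root password attempts were rejected, from which hosts, and whether a root password change preceded them. The script below is an added example, not code from the original post; it runs the same kind of triage over constructed /var/log/secure-style lines modelled on the entries above (the sample lines, the 10.0.0.x hosts and the "deploy" user are made up for this example).

```shell
#!/bin/sh
# Added example (not part of the original post): summarise rejected root
# password attempts from /var/log/secure-style lines.

# Constructed sample log, modelled on the entries shown in the post.
SAMPLE_SECURE_LOG='Apr 28 15:22:56 mylnx2 passwd: pam_unix(passwd:chauthtok): password changed for root
Apr 28 15:25:24 mylnx2 sshd[3037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.103.63 user=root
Apr 28 15:25:26 mylnx2 sshd[3037]: Failed password for root from 192.168.103.63 port 51422 ssh2
Apr 28 15:25:41 mylnx2 sshd[3037]: Failed password for root from 192.168.103.63 port 51422 ssh2
Apr 28 15:26:27 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2
Apr 28 15:26:50 mylnx2 sshd[3070]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2
Apr 28 15:27:01 mylnx2 sshd[3081]: Accepted publickey for deploy from 10.0.0.9 port 41000 ssh2'

# failed_root_logins: one "<count> <source host>" line per host, most
# frequent first, counting only sshd's "Failed password for root" messages
# (so "invalid user" lines and other accounts are not mixed in).
failed_root_logins() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for root from / {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
             }
             END { for (h in n) printf "%d %s\n", n[h], h }' |
        sort -rn
}

# failed_root_count: total number of rejected root password attempts.
failed_root_count() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for root from / { c++ }
             END { print c + 0 }'
}

# root_password_changed: 1 if the log records a root password change
# (the passwd/pam_unix chauthtok line the post starts with), else 0.
root_password_changed() {
    printf '%s\n' "$1" |
        awk '/passwd: pam_unix\(passwd:chauthtok\): password changed for root/ { f = 1 }
             END { print f + 0 }'
}

# Stand-alone run: print the summary for the constructed sample.
echo "root password changed: $(root_password_changed "$SAMPLE_SECURE_LOG")"
echo "rejected root password attempts: $(failed_root_count "$SAMPLE_SECURE_LOG")"
failed_root_logins "$SAMPLE_SECURE_LOG"
```

On a real host, feed the functions the output of `cat /var/log/secure` instead of the sample string. A single source host repeatedly failing immediately after a password change, with no "Accepted" line for root at all, is the pattern that points at policy (the server refusing root) rather than at a wrong password.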
Since I was connected to this server through JumpServer at the time, while the verification test was an ssh connection straight from my laptop, and I had run into the case described in "A brief analysis of a case where Linux ssh suddenly stopped connecting" before, I checked whether /etc/ssh/sshd_config was configured to allow ssh access from my laptop. The configuration was fine.
Next I checked whether /etc/hosts.deny blocked this machine, and found no such entry.
[root@mylnx2 log]# more /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
[root@mylnx2 log]# more /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
I was honestly a bit stumped. Repeated attempts had not turned up the root cause, which only made me more determined to find out exactly what was going on, so I went through everything item by item. In the end it turned out that the PermitRootLogin option in /etc/ssh/sshd_config was set to no, which forbids the root account from logging in. Instant embarrassment!!! I normally log in through JumpServer and had simply forgotten that root login was disabled on this server.
About PermitRootLogin: it controls whether root is allowed to log in. It takes the following values:
"yes" (the default): allowed.
"no": forbidden.
"without-password": password authentication is forbidden; root may only log in with public key authentication.
"forced-commands-only": public key authentication is allowed only when a command option has been specified for the key, and all other authentication methods are disabled. This value is commonly used for things like remote backups.
The blog post "A discussion of PermitRootLogin in sshd_config" covers this parameter in depth; if you are interested, head over there to read it:
| Value | ssh login allowed? | Login method | Interactive shell |
| --- | --- | --- | --- |
| yes | allowed | no restriction | no restriction |
| without-password | allowed | anything except password | no restriction |
| forced-commands-only | allowed | key only | only authorized commands |
| no | not allowed | N/A | N/A |
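The check that would have shortened the whole investigation is "what is the effective PermitRootLogin value, and can root therefore log in with a password at all?". The script below is an added example, not the post's code: it reads the global PermitRootLogin and PasswordAuthentication values out of a sshd_config text the way sshd does (keywords are case-insensitive, the first uncommented occurrence wins, and anything after the first Match line is conditional and ignored here), defaulting to yes when the keyword is absent as the post states. The three configuration excerpts are constructed for the example. It goes slightly beyond the page's four values by also treating prohibit-password (the newer spelling of without-password, introduced in OpenSSH 7.0) as "no password login".

```shell
#!/bin/sh
# Added example (not the post's own code): determine the effective
# PermitRootLogin value and whether a root password login can succeed.

# Constructed sshd_config excerpts for this example.
CFG_DENY='# sshd_config on the server from the post
Protocol 2
PermitRootLogin no
PasswordAuthentication yes'

CFG_DEFAULT='Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes'

CFG_KEYS_ONLY='permitrootlogin without-password
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes'

# sshd_global_option CONFIG KEYWORD DEFAULT
# Prints the global value of KEYWORD. sshd uses the FIRST non-comment
# occurrence; keywords are case-insensitive; lines after the first "Match"
# block only apply conditionally and are skipped. Absent => DEFAULT.
sshd_global_option() {
    printf '%s\n' "$1" |
        awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
            tolower($1) == "match" { exit }
            /^[ \t]*#/ || NF == 0 { next }
            tolower($1) == key && !found { print tolower($2); found = 1 }
            END { if (!found) print def }'
}

# permit_root_login: effective global PermitRootLogin ("yes" by default,
# as the post notes for this OpenSSH release).
permit_root_login() {
    sshd_global_option "$1" PermitRootLogin yes
}

# root_password_login_allowed: "yes" only if root may log in AND password
# authentication is permitted for root; "no" for no, without-password,
# prohibit-password and forced-commands-only.
root_password_login_allowed() {
    prl=$(permit_root_login "$1")
    pwa=$(sshd_global_option "$1" PasswordAuthentication yes)
    case "$prl" in
        yes) if [ "$pwa" = "yes" ]; then echo yes; else echo no; fi ;;
        *)   echo no ;;
    esac
}

# Stand-alone run over the constructed excerpts.
for name in CFG_DENY CFG_DEFAULT CFG_KEYS_ONLY; do
    eval "cfg=\$$name"
    echo "$name: PermitRootLogin=$(permit_root_login "$cfg") root password login=$(root_password_login_allowed "$cfg")"
done
```

On a live RHEL 6 host the authoritative answer comes from sshd itself: `sshd -T | grep -i permitrootlogin` prints the effective value after all includes and defaults are applied, which avoids reading the file by eye as the post had to.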
References:
https://blog.csdn.net/huigher/article/details/52972013