I. Symptoms
A colleague on the business side mailed to say that on one network host, SSH login for a user with the correct username and password was failing (it had worked before), while logging in as another user and running "su - <this user>" with the same password switched over normally. FTP logins with this user were also fine.
Host system: SUSE Linux Enterprise Server (x86_64) SP1, a somewhat old system.
Affected user: prestat. Other users were fine.
II. Investigation
1. Check with chage
First, an SSH login was attempted with the prestat user and password, and the result matched the colleague's description. Then, logged in directly as root, the chage command was used to see whether the user was locked because the password had expired. (This step can really be skipped, because FTP login and su switching worked, but to be on the safe side it was checked first.)
www.111cn.net:~ # chage -l prestat
Minimum:            0
Maximum:            99999
Warning:            7
Inactive:           -1
Last Change:        Mar, 2015
Password Expires:   never
Password Inactive:  never
Account Expires:    never
Running chage on a normal user at the same time showed the same output.
Note: one could also look at /etc/shadow at this point to see whether the user is really locked, but that is skipped here so as not to jump straight to the answer; the steps below locate the root cause directly.
2. Look at the messages log
Logged in as root, change to the /var/log directory, open a terminal and run "tail -f messages" to watch the log change, then log in again as prestat from SecureCRT and watch what the log records at login time. This showed the following error:
www.111cn.net:/var/log # tail -20000 messages | grep deny
Apr  9 16:54:37 www.111cn.net sshd[11911]: pam_tally(sshd:auth): user prestat (310) tally, deny 6
Apr  9 17:01:11 www.111cn.net sshd[25582]: pam_tally(sshd:auth): user prestat (310) tally, deny 6
This shows that when the user logs in, the pam.d stack for sshd triggers the pam_tally authentication module, and the specific reason for the refusal is that the user has exceeded the limit of 6 wrong password entries.
3. Look at the PAM file
Looking at the PAM configuration for the sshd service, a pam_tally policy was found on line 11, as follows:
www.111cn.net:/var/log # cat /etc/pam.d/sshd
#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional       pam_resmgr.so fake_ttyname
auth     required       pam_tally.so deny=6
account  required       pam_tally.so
The configuration on line 11 is rather heavy-handed: after more than 6 wrong passwords the account is locked forever unless someone clears it by hand. The colleague on the security team who set this up deserves some criticism for it. In fact you can have the restriction lifted automatically after a period of time; the configuration commonly seen online is:
auth required pam_tally.so deny=3 unlock_time=300
This means that after more than 3 failures the account is locked for 300 seconds, after which the limit is lifted automatically.
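As an added example (not code from the original post), the following POSIX shell script turns the manual grep above into a repeatable check: it reads the deny= threshold from the pam_tally line of the PAM file and lists the users whose logged tally has reached it. The log and PAM text inside it are constructed samples, and the "tally N, deny M" wording follows pam_tally's own log message format.

```shell
#!/bin/sh
# Added example, not from the original post: find users that pam_tally is
# refusing by comparing the tally in the log against the deny= threshold.
# Both functions take text as $1 so they can be tried without root; on a real
# host use e.g.  pam_locked_users "$(grep pam_tally /var/log/messages)" 6

# Constructed sample of pam_tally lines as sshd writes them to /var/log/messages
SAMPLE_LOG='Apr  9 16:54:37 www.111cn.net sshd[11911]: pam_tally(sshd:auth): user prestat (310) tally 7, deny 6
Apr  9 17:01:11 www.111cn.net sshd[25582]: pam_tally(sshd:auth): user prestat (310) tally 8, deny 6
Apr  9 17:05:02 www.111cn.net sshd[25601]: pam_tally(sshd:auth): user work (311) tally 2, deny 6'

# Constructed sample of the relevant /etc/pam.d/sshd lines
SAMPLE_PAM='auth     required       pam_tally.so deny=6
account  required       pam_tally.so'

# Print the deny= value from the first uncommented "auth ... pam_tally.so" line of $1.
pam_deny_limit() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*auth/ && /pam_tally\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^deny=[0-9]+$/) { sub("deny=", "", $i); print $i; exit }
        }'
}

# Print, sorted and one per line, every user in the log text $1 whose recorded
# tally is >= the threshold $2, i.e. the users pam_tally is currently refusing.
pam_locked_users() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /pam_tally/ && /tally [0-9]+, deny/ {
            user = ""; tally = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "user")  user = $(i + 1)
                if ($i == "tally") { t = $(i + 1); sub(",", "", t); tally = t + 0 }
            }
            if (user != "" && tally >= limit + 0) seen[user] = 1
        }
        END { for (u in seen) print u }' | sort
}

# Stand-alone usage: with the samples above this prints "prestat".
limit=$(pam_deny_limit "$SAMPLE_PAM")
pam_locked_users "$SAMPLE_LOG" "$limit"
```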
III. Fixing the problem
Having found the cause, look at /etc/shadow: the user's second field (the encrypted password string) is prefixed with an exclamation mark (!), which means the user is locked. Now that the reason is known, unlock the user as follows:
www.111cn.net:/var/log # pam_tally --reset --user prestat    (--user takes the username)
User prestat (310)
or
faillog -r
Note: because this host runs a fairly old system version it still uses the pam_tally module; many newer systems have moved to the pam_tally2 module, where the unlock/reset command is also simpler:
pam_tally2 -r -u <username>
Other uses:
View a user's logged failure count:
pam_tally --user <username>
For example, view the failure count for the user work:
pam_tally --user work
Clear a user's logged failure count:
pam_tally --user <username> --reset
For example, clear the failure count for the user work:
pam_tally --user work --reset
More usage and information for this module can be found with man pam_tally or man pam_tally2.