Linux: SSH login fails for a user while su switching works (solution)

Source: Internet
Author: User
Tags: auth ftp login ssh


I. Symptoms

A colleague on the business side sent a mail: on one production host, SSH login with the correct username and password fails (it used to work), yet switching to the user from another account with "su - <user>" and entering the same password works normally. FTP login as that user also works normally.

Host system: SUSE Linux Enterprise Server (x86_64) SP1; the system is a little old.

Problem user: prestat; other users are unaffected.

II. Investigation

1. Checking with chage

First, try an SSH login with the prestat user and password: the failure matches the colleague's description. Then log in directly as root and use the chage command to check whether the user is locked because the password has expired (this step could actually be skipped, because FTP login and su both work, but it is worth a look to be safe).

    www.111cn.net:~ # chage -l prestat
    Minimum:        0
    Maximum:        99999
    Warning:        7
    Inactive:       -1
    Last Change:            Mar, 2015
    Password Expires:       Never
    Password Inactive:      Never
    Account Expires:        Never


Running chage on a normal user at the same time shows identical output.

Note: at this point you could also look at /etc/shadow to see whether the user really is locked, but that would jump ahead of the story; the steps below locate the root cause directly.

2. Checking the message log

Logged in as root, change to /var/log and run "tail -f messages" in one terminal to watch the log change, then use SCRT to attempt an SSH login as prestat again and watch what is logged at login time. This shows the following errors:

    www.111cn.net:/var/log # tail -20000 messages | grep deny
    Apr  9 16:54:37 www.111cn.net sshd[11911]: pam_tally(sshd:auth): user prestat (310) tally, deny 6
    Apr  9 17:01:11 www.111cn.net sshd[25582]: pam_tally(sshd:auth): user prestat (310) tally, deny 6


The log shows that the login attempt triggers pam_tally, the authentication module configured for sshd under /etc/pam.d, and the specific reason is that the user has exceeded the limit of 6 wrong password entries.

3. Checking the PAM configuration file

Looking at the PAM configuration file for the sshd service, a pam_tally policy is configured at line 11, as follows:

    www.111cn.net:/var/log # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth     include        common-auth
    auth     required       pam_nologin.so
    account  include        common-account
    password include        common-password
    session  include        common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README)
    #session  optional       pam_resmgr.so fake_ttyname
    auth     required       pam_tally.so deny=6
    account  required       pam_tally.so


The configuration at line 11 above is rather heavy-handed: after more than 6 wrong passwords the account is locked permanently, until someone removes the lock by hand (the security team colleague who wrote this configuration deserves some criticism). The restriction can instead be lifted automatically after a period of time; the configuration commonly seen on the Internet is:

    auth required pam_tally.so deny=3 unlock_time=300


This configuration means that after more than 3 failures the account is locked for 300 seconds, after which the restriction is lifted automatically.
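As an added example (not code from the original post), the following POSIX shell script performs the two checks above on constructed input: it counts pam_tally deny events per user from log lines in the format shown in the message log, and it classifies pam_tally.so auth rules as permanent (deny= without unlock_time, as on this host) or timed (with unlock_time). The hostname, PIDs, tally numbers and the PAM fragment are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks an admin can run
# after a pam_tally lockout: count deny events per user from the message
# log, and audit /etc/pam.d rules for lockouts that never expire.

# Constructed log excerpt in the pam_tally format shown in the article
# (hostname, PIDs and tally numbers are made up).
SAMPLE_LOG='Apr  9 16:54:37 host sshd[11911]: pam_tally(sshd:auth): user prestat (310) tally 7, deny 6
Apr  9 17:01:11 host sshd[25582]: pam_tally(sshd:auth): user prestat (310) tally 8, deny 6
Apr  9 17:05:02 host sshd[25601]: pam_tally(sshd:auth): user work (311) tally 7, deny 6'

# Constructed PAM fragment: the permanent rule from the article next to the
# timed variant it recommends.
SAMPLE_PAM='#%PAM-1.0
auth     include   common-auth
auth     required  pam_tally.so deny=6
auth     required  pam_tally.so deny=3 unlock_time=300
account  required  pam_tally.so'

# Count pam_tally deny events per user from log lines on stdin.
# Prints "<user> <count>" per line, sorted by user name.
deny_counts() {
    awk '/pam_tally\(/ && / deny / {
            u = ""
            for (i = 1; i <= NF; i++) if ($i == "user") u = $(i + 1)
            if (u != "") n[u]++
         }
         END { for (u in n) print u, n[u] }' | sort
}

# Classify every "auth ... pam_tally.so deny=N" rule read from stdin:
# "permanent deny=N" when no unlock_time is set (the lockout only ends
# with a manual reset), otherwise "timed deny=N unlock_time=S".
audit_pam_tally() {
    awk '$1 == "auth" && /pam_tally\.so/ {
            deny = ""; unlock = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^deny=/) deny = $i
                if ($i ~ /^unlock_time=/) unlock = $i
            }
            if (deny == "") next
            if (unlock == "") print "permanent " deny
            else print "timed " deny " " unlock
         }'
}

# Stand-alone run; on a real host pipe "grep pam_tally /var/log/messages"
# and "cat /etc/pam.d/sshd" into the two functions instead.
printf '%s\n' "$SAMPLE_LOG" | deny_counts
printf '%s\n' "$SAMPLE_PAM" | audit_pam_tally
```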

III. Solution
Now that the reason is known, looking at /etc/shadow you will find that the encrypted password string in the second field is preceded by an exclamation mark (!), which means the user is locked. The user can be unlocked as follows:

    www.111cn.net:/var/log # pam_tally --reset --user prestat
    // prestat (prestat) 310

or

    faillog -r

pam_tally keeps its failure counter in /var/log/faillog, which is why faillog can reset it; "faillog -r" with no user clears the counters of every user, while "faillog -r -u prestat" clears only this one.

Note: because this host runs a rather old system version it still uses the pam_tally module; many newer systems use the pam_tally2 module instead, where resetting the failure count is simpler:

    pam_tally2 -r -u <username>

Other useful commands:

View a user's recorded number of failed logins:

    pam_tally --user <username>

For example, to view the number of failed logins for the user work:

    pam_tally --user work

Clear a user's failed-login count:

    pam_tally --user <username> --reset

For example, to clear the failed-login count of the user work:

    pam_tally --user work --reset

More usage and information for this module can be found with "man pam_tally" or "man pam_tally2".
