Linux user cannot log in, SSH server rejected the password although the password is correct: a complete guide to fixing login failures

Contents

  • Preface
  • 1. Password expired
  • 2. Account expired
  • 3. User account locked
    • Password lock
    • Account lock


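Preface

On Linux, a user who cannot log in to the operating system is almost always hitting one of these cases:
1. No login permission (plenty of material on this can be found by searching Baidu)
2. User password expired: Password expires
3. User account expired: Account expires
4. User account locked


The first case is not covered here, since most readers will not run into it. This article is only a brief overview; readers who are interested can study the related commands and their options in more depth once the problem is solved.

1. Password expired

When the user's password has expired, the login attempt shows the following prompt: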

[BEGIN] 2021/12/15 9:43:04
You are required to change your password immediately (password aged)
Last login: Tue Dec 14 18:48:36 CST 2021 on pts/0
Last failed login: Tue Dec 14 18:52:23 CST 2021 from 11.111.111.241 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Wed Dec 15 09:43:03 2021 from 11.111.111.101

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user cxl.
Changing password for cxl.
(current) UNIX password: 

At this point, simply change the password as prompted. To set the password to never expire:

[root@cxldb01 ~]# chage -M 99999 username
[root@cxldb01 ~]# 
[root@cxldb01 ~]# chage -l username
Last password change					: Dec 04, 2021
Password expires					: never
Password inactive					: never
Account expires						: Jan 31, 2022
Minimum number of days between password change		: 1
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

2. Account expired

The following command shows the account's aging information:

[root@cxldb01 ~]# chage -l username
Last password change					: Dec 04, 2021  # date of the last password change
Password expires					: Jan 31, 2022  # password expiration date
Password inactive					: Jan 31, 2022
Account expires						: Jan 31, 2022  # account expiration date
Minimum number of days between password change		: 1
Maximum number of days between password change		: 60  # number of days the password is valid
Number of days of warning before password expires	: 7  # warning days before the password expires

If the account has expired, the expiration date can be changed with the following command:

[root@cxldb01 ~]# chage --help

Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

[root@cxldb01 ~]# chage -E "Jun 15, 2022" username

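3. User account locked

Locking can happen at two levels: 1. the password is locked; 2. the account is locked (symptom: the SSH server rejects the password).

Password lock

The passwd command or the usermod command can be used to lock, unlock and check the status of a given user account on Linux.
Lock: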

# passwd -l username
Locking password for user username.
passwd: Success

Check the status:

# passwd -S username
# passwd --status username
daygeek LK 2021-12-15 7 90 7 -1 (Password locked.)
# grep username /etc/shadow    # note: two exclamation marks in front of the password hash mean it is locked
username:!!$6$FJv0iamG$pJvYvma/mnzMnDEoAxu5XeLEPF53woeK8oCZ3yxFYf6U8ivTSKoiFYip9oUSnfWbBHifNWpdmz605A8J16wjg/:18976:1:99999:7::19023:

Unlock:

# passwd -u username
Unlocking password for user username.
passwd: Success

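Account lock

In many cases a security policy enforces checks on login authentication, for example locking the account after 5 wrong passwords. This is configured in /etc/pam.d/sshd; check whether the file contains a pam_tally2.so deny= restriction.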

[root@cxldb01 ~]# 
[root@cxldb01 ~]# cat /etc/pam.d/sshd 
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       required     pam_tally2.so deny=5 onerr=fail lock_time=1 serialize
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
# EXADATA ACCESS CONTROL via /etc/exadata/security/exadata-access.conf
account    required    pam_access.so accessfile=/etc/exadata/security/exadata-access.conf
account    required     pam_nologin.so
account    include      password-auth
account    required     pam_tally2.so
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
session    required     pam_limits.so
[root@cxldb01 ~]# 
[root@cxldb01 ~]# pam_tally2 --user username --reset
Login           Failures Latest failure     From
username         37    12/15/21 10:44:53  11.111.111.101
[root@cxldb01 ~]# 

Unlock command:

[root@cxldb01 ~]# pam_tally2 --user username --reset
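
The causes from sections 1 to 3 can also be read directly from the account's /etc/shadow line and from the PAM service file. The script below is an added example, not part of the original article; the function names shadow_status and tally_deny_limit and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): offline triage of the causes above.
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are counted in days since 1970-01-01.

# shadow_status LINE TODAY -> prints the findings for one shadow line, or "ok"
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        out = ""
        # a hash that starts with "!" is locked (the article shows "!!" after passwd -l)
        if ($2 ~ /^!/) out = out " password_locked"
        # password expired: more than max days have passed since the last change
        if ($3 != "" && $5 != "" && $3 + $5 < today) out = out " password_expired"
        # account expired: the expire day (set with chage -E) has been reached
        if ($8 != "" && $8 + 0 <= today) out = out " account_expired"
        sub(/^ /, "", out)
        print (out == "" ? "ok" : out)
    }'
}

# tally_deny_limit: read a PAM service file on stdin, print the pam_tally2 deny= value
tally_deny_limit() {
    awk '$1 ~ /^-?auth$/ && /pam_tally2\.so/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i }
    }'
}

# Constructed sample data: field values follow the article, the hashes are placeholders.
TODAY=19030   # 2022-02-07, one week after the "Jan 31, 2022" account expiry (day 19023)
for line in \
    'username:!!$6$PLACEHOLDER:18976:1:99999:7::19023:' \
    'alice:$6$PLACEHOLDER:18900:1:60:7:::' \
    'bob:$6$PLACEHOLDER:19020:1:60:7:::'
do
    printf '%-10s %s\n' "${line%%:*}" "$(shadow_status "$line" "$TODAY")"
done
printf 'deny limit: %s\n' "$(printf '%s\n' \
    'auth required pam_tally2.so deny=5 onerr=fail lock_time=1 serialize' \
    'account required pam_tally2.so' | tally_deny_limit)"
```

On a live host, run as root and pass the real entry and the current day number, for example shadow_status "$(getent shadow username)" "$(( $(date +%s) / 86400 ))", and feed /etc/pam.d/sshd to tally_deny_limit on standard input.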
