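  • SSH login on Linux fails with "Permission denied, please try again."

    Problem description:

      This morning a colleague reported a problem: when logging in to a test machine over ssh with two accounts, both ordinary accounts, one account could log in and the other could not. I asked whether any changes had been made beforehand; the only thing mentioned was that the openssh version had been upgraded earlier, and nothing else had been done.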

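    Troubleshooting:

    I tried the following approaches:

    • 1. Logged in as another ordinary user first, then switched to the affected user with su; the switch worked.
    • 2. Modified AllowUsers in the sshd_config configuration file; that had no effect either.
    • 3. Ran ssh -vvv on the remote host to print debug information; that turned up nothing more useful.
    • 4. Tried commenting out everything in the login file under pam.d; that did not solve the problem either.
    • 5. Checked the account with passwd -S; the account status was normal.

    Final solution:

    1. Set the log level to DEBUG in sshd_config

    LogLevel DEBUG

    2. Restart the sshd service

    3. Log in remotely again and collect the logs; the following entries appear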

    Aug  1 12:32:03 4A-LF-w10 sshd[171843]: debug1: userauth-request for user oracle service ssh-connection method none [preauth]
    Aug  1 12:32:03 4A-LF-w10 sshd[171843]: debug1: attempt 0 failures 0 [preauth]
    Aug  1 12:32:03 4A-LF-w10 sshd[171843]: Account oracle has expired
    Aug  1 12:32:03 4A-LF-w10 sshd[171843]: debug1: userauth_send_banner: sent [preauth]
    Aug  1 12:32:03 4A-LF-w10 sshd[171515]: debug1: Forked child 171860.

    Note: the log above says the oracle account has expired. How can that be? Don't accounts never expire by default?

    4. Check the status of the oracle account

    [root@4A-LF-w10 ssh]# chage -l oracle
    Last password change					: Aug 01, 2018
    Password expires					: never
    Password inactive					: never
    Account expires						: Jan 20, 11761191   # What on earth? Isn't the default "never"? Why this value? The year shown is wrong as well.
    Minimum number of days between password change		: 6
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires	: 30

    5. Manually set the account expiration date to one month from now, then log in over ssh

    [root@4A-LF-w10 ssh]# chage -E "2018-09-01" oracle
    [root@4A-LF-w10 ssh]# chage -l oracle
    Last password change					: Aug 01, 2018
    Password expires					: never
    Password inactive					: never
    Account expires						: Sep 01, 2018
    Minimum number of days between password change		: 6
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires	: 30

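    Note: with the account expiration date set like this, login works. So that date was the cause. But what should I do if I want the account to never expire?

    6. Searching Bing for this timestamp turned up the following article.

    Article URL:

    https://bugzilla.redhat.com/show_bug.cgi?id=1183638

    Description: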

    Description of problem:
    
    Issue using chage command to remove Account expiration date. The year format in "Account expires" is wrong.
    
    Version-Release number of selected component (if applicable):
    
    shadow-utils-4.1.4.2-19.el6.x86_64       # I checked my version; it is exactly this one.
    
    How reproducible:
    This issue is reproducible with shadow-utils-4.1.4.2-19.el6.x86_64 package on RHEL-6.5 and RHEL-6.6.  # My operating system version matches as well.
    
    Steps to Reproduce:
    
    # chage -l friday
    Last password change                                    : Jan 19, 2015
    Password expires					: never
    Password inactive  					: never
    Account expires 					: never
    Minimum number of days between password change   	: 0
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires 	: 7
    
    # chage -E -1 friday
    
    Actual results:
    
    # chage -l friday
    Last password change					: Jan 19, 2015
    Password expires 					: never
    Password inactive					: never
    Account expires						: Jan 20, 11761191
    Minimum number of days between password change 		: 0
    Maximum number of days between password change 		: 99999
    Number of days of warning before password expires	: 7
    
    Expected results:
    
    # chage -l friday
    Last password change					: Jan 19, 2015
    Password expires 					: never
    Password inactive					: never
    Account expires						: never
    Minimum number of days between password change 		: 0
    Maximum number of days between password change 		: 99999
    Number of days of warning before password expires	: 7
    
    Additional info:
    
    I have noted the entry "-2" is added in 8th column of "/etc/shadow" file.
    
    # grep friday /etc/shadow
    friday:$6$dBs1aWNG$ahInXkaUiM20opsZCGuvjRcUedH3iGVG3Fv3LzfuhR.3qgHvBbgNyyFlhiT/HOo8XRC7ZieHkwCMTMUqHmZdA/:16454:0:99999:7::-2:
    
    The workaround for this is to manually edit the configuration file "/etc/shadow" and remove the entry "-2", it will reset the value for "Account expires" to default.

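    Note: according to the article above, setting an account to never expire with chage -E -1 hits a bug in shadow-utils on Red Hat 6.6, so the timestamp comes out wrong.

    7. To fix this, either set the account expiration date to, for example, 30 years from now, or edit the /etc/shadow file and remove the -2. After removing the -2: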

    [root@4A-LF-w10 tmp]# cat /etc/shadow | grep oracle
    oracle:$1$pWh44Lv.$NAdyWSH.ZcYzU6w1JmYVx1:17744:6:99999:30:::

    Before:
    oracle:$1$pWh44Lv.$NAdyWSH.ZcYzU6w1JmYVx1:17744:6:99999:30::-2:

    After the change, check the account expiration date:

    [root@4A-LF-w10 tmp]# chage -l oracle
    Last password change					: Aug 01, 2018
    Password expires					: never
    Password inactive					: never
    Account expires						: never
    Minimum number of days between password change		: 6
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires	: 30

    Note: ssh login now works as well.
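
The bad value sits in field 8 of /etc/shadow, where an empty field means the account never expires, so it can be found before anyone hits a failed login. The following is an added example, not part of the original post or the Bugzilla report: a shell function that flags entries whose expiry field is malformed, zero, or already in the past (the names audit_shadow_expiry and sample_shadow and the sample entries are constructed for illustration).

```shell
#!/bin/sh
# Added example: audit field 8 (account expiry, days since 1970-01-01)
# of shadow-format input read from stdin.

# Constructed sample entries; "*" stands in for the password hash.
sample_shadow() {
    cat <<'EOF'
alice:*:17744:0:99999:7:::
oracle:*:17744:6:99999:30::-2:
bob:*:17000:0:99999:7::17500:
carol:*:17744:0:99999:7::17775:
dave:*:17744:0:99999:7::0:
EOF
}

# Usage: audit_shadow_expiry [TODAY_IN_DAYS] < shadow-file
# Prints user:STATUS:value for every entry that needs attention.
audit_shadow_expiry() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF < 8             { next }   # not a complete shadow entry
        $8 == ""           { next }   # empty field: account never expires
        $8 !~ /^[0-9]+$/   { print $1 ":INVALID:" $8;   next }  # e.g. -2
        $8 + 0 == 0        { print $1 ":AMBIGUOUS:" $8; next }  # shadow(5) says to avoid 0
        $8 + 0 < today + 0 { print $1 ":EXPIRED:" $8 }          # date already in the past
    '
}

# 17744 is 2018-08-01, the day of the incident described above.
sample_shadow | audit_shadow_expiry 17744
```

On a real host, run it as root with `audit_shadow_expiry < /etc/shadow`; an INVALID line such as the -2 entry is a candidate for the manual fix in step 7.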

    Document created: 2018-08-01 13:35:56

  • Original article: https://www.cnblogs.com/chuanzhang053/p/9400732.html