SSH登录报pam_unix(sshd:auth): authentication failure的案例

 

修改一台Linux服务器（RHEL 6.6）的root密码后，然后使用ssh验证测试时，发现其提示“密码验证失败.请检查用户名和密码是否正确”，仔细核对，账号密码确实没有错误。但是检查日志/var/log/secure发现下面错误信息

 

Apr 28 15:22:56 mylnx2 passwd: pam_unix(passwd:chauthtok): password changed for root
Apr 28 15:25:24 mylnx2 sshd[3037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx  user=root
Apr 28 15:25:26 mylnx2 sshd[3037]: Failed password for root from 192.168.103.63 port 51422 ssh2
Apr 28 15:25:41 mylnx2 sshd[3037]: Failed password for root from 192.168.103.63 port 51422 ssh2
Apr 28 15:25:45 mylnx2 sshd[3039]: Received disconnect from 192.168.103.63: 13: The user canceled authentication.
Apr 28 15:25:45 mylnx2 sshd[3037]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxxx.xxx.xxx  user=root
Apr 28 15:26:24 mylnx2 sshd[3058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxx.xxx.xxx.com  user=root
Apr 28 15:26:27 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2
Apr 28 15:26:33 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2
Apr 28 15:26:42 mylnx2 sshd[3058]: Failed password for root from 192.168.103.63 port 51480 ssh2

 

因为当前我是通过JumpServer连接到这台服务器的，验证测试则是直接从我笔记本通过ssh连接测试，之前遇到过“Linux ssh突然连接不了的案例浅析”“，所以检查/etc/ssh/sshd_config设置是否允许我的笔记本ssh访问。发现配置没有错误。

 

然后又检查/etc/hosts.deny是否禁止这台机器访问，发现没有这种配置。

 

[root@mylnx2 log]# more /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
[root@mylnx2 log]# more /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers

 

实在是有点懵逼了，屡次尝试都没有找到root cause反而激起了我不服输的斗志，一定要搞清楚到底是什么原因，然后仔细一项一项检查，最后发现是因为/etc/ssh/sshd_config的PermitRootLogin选项为no禁止root账号登录，瞬间汗颜了！！！ 平时都是通过JumpServer登录，反而忘记了这台服务器禁止root登录。

 

关于PermitRootLogin，它表示是否允许 root 登录。它有下面几个选项：

            

    "yes"(默认) 表示允许。

  

    "no"表示禁止。

            

    "without-password"   表示禁止使用密码认证登录。只允许root用public key认证方式登录

            

    "forced-commands-only" 表示只有在指定了 command 选项的情况下才允许使用公钥认证登录。同时其它认证方法全部被禁止。这个值常用于做远程备份之类的事情

 

 

 

这篇博客“sshd_config 中 PermitRootLogin 的探讨”对这个参数做了详细深入的介绍，有兴趣移步学习了解：

 

参数类别	是否允许ssh登陆	登录方式	交互shell
yes	允许	没有限制	没有限制
without-password	允许	除密码以外	没有限制
forced-commands-only	允许	仅允许使用密钥	仅允许已授权的命令
no	不允许	N/A	N/A

 

 

参考资料：

 

https://blog.csdn.net/huigher/article/details/52972013