0x01 故障现象
远程SSH无法登录,部分服务正常,故障前在安装软件包依赖。
通过本地登录报错Permission denied
0x02 故障处置
- 重启进入单用户模式
- 重启进入选项启动菜单,按e
- 找到以 linux16 开头的那一行,将 ro 改为 rw init=/sysroot/bin/sh
- 修改完成后Ctrl+x 启动进入单用户模式
# 将根目录切换到 /sysroot(此时系统真正的根文件系统挂载在 /sysroot 下)
chroot /sysroot
#把根文件系统(/)以读写方式重新挂载,再开始单用户模式的交互操作。
mount -o rw,remount /
- 查看日志进行分析
less /var/log/secure
---
Sep 10 15:06:34 localhost login: PAM pam_parse: expecting return value; [...required/lib64/security/pam_limits.so]
Sep 10 15:06:34 localhost login: PAM (login) no module name supplied
Sep 10 15:06:37 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 10 15:06:37 localhost login: Permission denied
---
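根据日志分析及大佬的blog,初步判断本地无法登录为PAM问题:pam_parse 把“required/lib64/security/pam_limits.so”整体当作控制字段解析,随后报“no module name supplied”,说明 /etc/pam.d/login 中 required 与模块路径之间缺少空白。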
- 修改SSH配置
# 临时将 UsePAM 改为 no(关闭后 sshd 不再执行 PAM 的账户与会话检查,排障结束后必须改回 yes,见后文“还原配置”)
vi /etc/ssh/sshd_config
---
UsePAM no
---
- 修改PAM login配置
# 临时注释掉最后一行(即日志中报错的 pam_limits.so 那一行)
vi /etc/pam.d/login
---
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
# session required/lib64/security/pam_limits.so
---
- 退出重启
exit
reboot
- 可以本地登录了,但是依然无法SSH远程访问
[root@localhost ~]# systemctl start sshd
[root@localhost ~]# systemctl status sshd
[root@localhost ~]# journalctl -ex
---
/lib64/libkeyutils.so.1: version `KEYUTILS_1.5' not found
---
- 查看安装包中的异常项
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@localhost ~]# rpm -qa | grep el6
keyutils-libs-1.4-5.el6.x86_64
发现在 RHEL 7.5 上安装了 el6 的 keyutils-libs 1.4 包,结合上面的报错,它提供的 /lib64/libkeyutils.so.1 不含 KEYUTILS_1.5 版本符号,这就是导致 sshd 报错的原因。
- 需要卸载本rpm包,重新安装el7软件包。注意 --nodeps 会跳过依赖检查,卸载后依赖 libkeyutils 的程序(如 sshd)在重新安装前无法正常工作,因此卸载与安装两条命令应在同一会话中连续执行。
挂载光驱
[root@localhost ~]# mkdir -p /mnt/cdrom
[root@localhost ~]# mount -o ro /dev/sr0 /mnt/cdrom/
rpm -e --nodeps keyutils-libs-1.4-5.el6.x86_64
rpm -ivh /mnt/cdrom/Packages/keyutils-libs-1.5.8-3.el7.x86_64.rpm
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# systemctl status sshd
# 验证测试,成功登录
- 还原配置
[root@localhost ~]# vim /etc/ssh/sshd_config
---
UsePAM yes
---
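# 取消注释;注意下面最后一行中 required 与 /lib64/security/pam_limits.so 之间没有空白,这正是日志中 pam_parse 报错的写法,恢复时应写成 session required /lib64/security/pam_limits.so,否则很可能再次出现同样的报错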
[root@localhost ~]# vi /etc/pam.d/login
---
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
session required/lib64/security/pam_limits.so
---
- 重启服务器
[root@localhost ~]# reboot
0x03 问题解决
参考:
https://blog.csdn.net/rznice/article/details/108077790
https://blog.csdn.net/mayifan0/article/details/73293419/
https://blog.csdn.net/oFengYuan123456/article/details/85060676
文档信息
- 本文作者:Minggle
- 本文链接:https://mingsec.com/2021/09/10/Linux-login-Permission-denied/
- 版权声明:自由转载-非商用-非衍生-保持署名(创意共享3.0许可证)