Troubleshooting "Permission denied" on Local and Remote SSH Login on Linux

2021/09/10 CentOS
闷骚的程序员

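0x01 Symptoms

Remote SSH login fails while some services still work normally. Before the failure, software package dependencies were being installed.

Logging in locally fails with Permission denied.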


0x02 Resolution

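  1. Reboot into single-user mode
-   Reboot to the boot menu and press e
-   Find the linux16 line and change ro to rw init=/sysroot/bin/sh
-   After editing, press Ctrl+x to boot into single-user mode
# Change the root directory to /sysroot, so that /sysroot is treated as the root
chroot /sysroot
# Remount the root filesystem (/) read-write, then start interactive work in single-user mode.
mount -o rw,remount /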
  2. Check the logs and analyze them
less /var/log/secure
---
Sep 10 15:06:34 localhost login: PAM pam_parse: expecting return value; [...required/lib64/security/pam_limits.so]
Sep 10 15:06:34 localhost login: PAM (login) no module name supplied
Sep 10 15:06:37 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 10 15:06:37 localhost login: Permission denied
---

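Based on the log and on blog posts by more experienced engineers (see the references), the preliminary conclusion is that the local login failure is a PAM problem. The pam_parse message shows the control flag and the module path run together as a single token, required/lib64/security/pam_limits.so, which is why PAM then reports that no module name was supplied.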

  3. Modify the SSH configuration
# Set UsePAM to no
vi /etc/ssh/sshd_config
---
UsePAM no
---
  4. Modify the PAM login configuration
# Comment out the last line
vi /etc/pam.d/login
---
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
# session required/lib64/security/pam_limits.so
---
  5. Exit and reboot
exit
reboot
  6. Local login now works, but remote access over SSH still fails
[root@localhost ~]# systemctl start sshd
[root@localhost ~]# systemctl status sshd
[root@localhost ~]# journalctl -ex

---
/lib64/libkeyutils.so.1: version `KEYUTILS_1.5' not found
---
  7. Look for anomalies among the installed packages
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)

[root@localhost ~]# rpm -qa | grep el6
keyutils-libs-1.4-5.el6.x86_64

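An el6 package turns out to be installed on this el7 system. That is the cause of the error.

  8. Remove this rpm package and install the el7 package in its place.

Mount the optical drive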

[root@localhost ~]# mkdir -p /mnt/cdrom
[root@localhost ~]# mount -o ro /dev/sr0 /mnt/cdrom/
rpm -e --nodeps keyutils-libs-1.4-5.el6.x86_64
rpm -ivh /mnt/cdrom/Packages/keyutils-libs-1.5.8-3.el7.x86_64.rpm
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# systemctl status sshd

# Verification test: login succeeds
  9. Restore the configuration
[root@localhost ~]# vim /etc/ssh/sshd_config

---
UsePAM yes
---
# Uncomment the last line, with whitespace between the control flag (required) and the module path
[root@localhost ~]# vi /etc/pam.d/login

---
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
session    required     /lib64/security/pam_limits.so
---
  10. Reboot the server
[root@localhost ~]# reboot
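
A rule whose control flag and module path are run together is what pam_parse rejected in the log above, so linting the PAM files before the final reboot catches the same mistake. The script below is an added example, not part of the original post: pam_lint is a hypothetical helper name, the sample file is constructed, and it assumes one rule per line (no backslash continuations).

```shell
#!/bin/sh
# Added example: lint PAM rules of the form  [-]type control module-path [args]
# Assumption: one rule per line (backslash continuations are not handled).

pam_lint() {   # usage: pam_lint FILE... ; prints findings, returns 1 if any
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    {
        type = $1; sub(/^-/, "", type)            # a leading "-" is allowed
        if (type !~ /^(auth|account|password|session)$/) {
            report("unknown type \"" $1 "\""); next
        }
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)     # drop the type field
        if (rest ~ /^\[/) {                       # [value=action ...] control
            if (rest !~ /\]/) { report("unterminated [...] control"); next }
            sub(/^\[[^]]*\][ \t]*/, "", rest)
        } else {
            ctl = rest; sub(/[ \t].*$/, "", ctl)  # first token is the control
            if (ctl !~ /^(required|requisite|sufficient|optional|include|substack)$/) {
                report("invalid control \"" ctl "\""); next
            }
            sub(/^[^ \t]+[ \t]*/, "", rest)       # drop the control field
        }
        if (rest == "") report("no module name supplied")
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: two valid rules plus the broken rule from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
-session   optional     pam_ck_connector.so
session required/lib64/security/pam_limits.so
EOF
pam_lint "$sample" || echo "fix the lines above before rebooting"
rm -f "$sample"
```

From the rescue shell it can be pointed at the real files, for example pam_lint /etc/pam.d/login; a non-zero return means at least one rule was flagged.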

0x03 Problem Solved

References:

https://blog.csdn.net/rznice/article/details/108077790

https://blog.csdn.net/mayifan0/article/details/73293419/

https://blog.csdn.net/oFengYuan123456/article/details/85060676
