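VMs that cannot be logged in to from the dashboard but can be from a tool (CRT and the like): problem notes pending resolution, a workaround for "permission denied" when changing a password, and the paths of several tty1 configuration files.

Description

  • There is a batch of virtual machines that cannot be logged in to through the dashboard's underlying console, but can be logged in to with a tool. Quite a lot of modifications were made to them, I don't know what exactly was changed, and I don't dare to touch someone else's VMs carelessly...
    So far I have only found that the tty1 process is a bit different from the normal one. I am recording things below and will deal with it once I understand the logic...

Errors

Console login error 1

  • Whether the password is correct or not, the error below is shown
    [image]

Console login error 2

  • There are also cases where a wrong password gives the message above and the correct password gives the message below; either way, in the end it is impossible to log in to the system!!!

[image]

Tool login information

The login tool is CRT

Login log query

Every console login generates these log entries
tail -f /var/log/messages record

[image]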

May 20 15:10:19 ustc-xzjk-ccloud-1 systemd: getty@tty1.service has no holdoff time, scheduling restart.
May 20 15:10:19 ustc-xzjk-ccloud-1 systemd: Stopped Getty on tty1.
May 20 15:10:19 ustc-xzjk-ccloud-1 systemd: Started Getty on tty1.

vi edit command history

The modified configuration files are as follows

[root@ustc-xzjk-ccloud-1 ~]# history | grep vi | more
    2  vim  /etc/sysctl.conf
    5  vim  /etc/sysctl.conf
   12  vim /etc/sysconfig/ip6tables
   15  service iptables restart
   16  service iptables status
   17  service ip6tables status
   18  service ip6tables star
   19  service ip6tables status
   20  service ip6tables stop
   21  vim /etc/sysconfig/ip6tables
   22  service ip6tables status
   23  service ip6tables stop
   24  service ip6tables status
   25  service ip6tables stop
   26  service ip6tables status
   27  service iptables stop
   28  service ip6tables status
   29  service iptables status
   30  service ip6tables status
   31  service iptables status
   32  service iptables restart
   33  service iptables status
   34  service ip6tables status
   35  service ip6tables stop
   36  service ip6tables restart
   37  service ip6tables status
   38  service ip6tables stop
   39  service ip6tables status
   40  service iptables status
   41  service iptables stop
   42  service iptables status
   43  service iptables restart
   44  service iptables status
   45  service iptables stop
   46  service iptables status
   47  service iptables restart
   48  service ip6tables restart
   49  service iptables status
   50  service ip6tables status
   51  vim /etc/sysconfig/ip6tables
   52  service ip6tables status
   53  service ip6tables restart
   54  service ip6tables status
   55  vim /etc/sysconfig/ip6tables
   56  service ip6tables restart
   57  service ip6tables status
   58  service iptables status
   59  service iptables stop
   60  service iptables status
   61  service ip6tables status
   62  service ip6tables 
   63  service ip6tables reload
   64  service ip6tables stop
   65  service ip6tables status
   66  service iptables status
   67  service iptables stop
   68  service iptables status
   69  vim /etc/sysconfig/iptables
   70  service iptables reload
   71  service iptables restart
   72  service iptables reload
   73  service iptables status
   74  service iptables stop
   75  service iptables status
   76  service iptables start
   77  service iptables status
   78  service iptables start
   79  service iptables stop
   80  service iptables status
   82  vim  /etc/sysctl.conf
   89  vim docker-compose.yml 
   91  service iptables status
   92  service ip6tables status
   96  vim  /etc/sysctl.conf
   99  vim  /etc/sysctl.conf
  105  service docker restart
  109  service ip6tables status
  110  service iptables status
  111  vim  /etc/sysctl.conf
  114  service iptables status
  115  service iptables start
  116  service iptables status
  122  service docker restart
  125  service iptables status
  126  vim  /etc/sysctl.conf
  129  service iptables restart
  130  service iptables status
  133  service docker restart
  138  service iptables status
  139  service iptables reload
  140  service iptables status
  141  vim /etc/sysconfig/iptables
  142  service iptables status
  143  service ip6tables status
  145  service docker restart
  147  service iptables status
  155  vim harbor.yml 
  165  vim docker-compose.yml 
  166  vim harbor.yml 
  173  service iptables status
  175  service iptables stop
  176  service iptables status
  180  service iptables status
  181  service docker restart
  195  vim /etc/sysconfig/iptables
  196  vi /etc/sysconfig/iptables
  197  vim /etc/sysconfig/iptables
  198  vim /etc/hostname 
  200  vim /etc/hosts
  201  vi /etc/sysconfig/iptables 
  213  vim  /etc/ntp.conf
  229  service ntp start
  257  vim  /etc/shadow
  261  vi shadow
  264  vi shadow
  274  vim shadow
  278  vim shadow
  300  vi /etc/profile
  303  vi /etc/csh.cshrc
  313  vim /etc/ssh/sshd_config
  328  systemctl status sshd.service
  377  if [ $NFSSTATUS = 0 ]  ; then echo "NFS services online:$NFSSTATUS"; echo "Numbers in hosts.allow:$NFSAllowNo"; echo "NFS check result:true"; else      if [ $NFSAllowNo != 0 ]; then echo "NFS services online:$NFSSTATUS"; echo "Num
bers in hosts.allow:$NFSAllowNo"; echo "NFS check result:true"; else echo "NFS services online:$NFSSTATUS"; echo "Numbers in hosts.allow:$NFSAllowNo"; echo "NFS check result:false"; fi; fi;
  389  telnet_port=`cat /etc/services | grep -w "^telnet" | awk '{print $2}' | awk -F/ 'NR==1 {print $1}'`
  401  if [ x"$SSHSTATUS" != "x0" ]; then  if [[ `grep "^PermitRootLogin no" /etc/ssh/sshd_config|wc -l` != 0 ]];       then  grep "^PermitRootLogin no" /etc/ssh/sshd_config;             echo "This device does not permit root to ssh logi
n,check result:true";       else  echo "This device permits root  to ssh login,check result:false" ;       fi;  else  echo "The ssh service of device is not running,check result:true"; fi
  403  if [ x"$TELSTATUS" != "x0" ]; then  if ([ -f /etc/securetty ] && [ `grep -i "^pts" /etc/securetty|wc -l` = 0  ]);        then  echo "This device does not permit root to telnet login,check result:true";        else  echo "This devi
ce permits root to telnet login,check result:false";       fi;  else  echo "The telnet service of device is not running,check result:true" ; fi
  480  service iptables status
  484  service iptables status
  485  service iptables stop
  486  service iptables status
  517  cd backservice_usercenter/
  552  vim repositories.json 
  626  vim docker-compose.yml 
  627  service iptables stop
  628  service iptables status
  629  echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
  630  echo " Authorized users only. All activity may be monitored and reported " > /etc/issue.net
  631  echo " Authorized users only. All activity may be monitored and reported " > /etc/issue
  651  echo " Authorized users only. All activity may be monitored and reported " > /etc/issue.net
  656  echo " Authorized users only. All activity may be monitored and reported "   >/etc/sshbanner
  658  vi /etc/ssh/sshd_config
  662  vi /etc/login.defs
  669  vi /etc/profile
  670  vi /etc/csh.cshrc
  671  vi /etc/bashrc
  672  vi /etc/csh.login
  673  vi /root/.bashrc
  674  vi /root/.cshrc
  677  vi /etc/hosts.allow
  678  vi /etc/hosts.deny
  683  vi /etc/pam.d/system-auth
  691  vim /etc/hosts.deny 
  739  if [ $NFSSTATUS = 0 ]  ; then echo "NFS services online:$NFSSTATUS"; echo "Numbers in hosts.allow:$NFSAllowNo"; echo "NFS check result:true"; else      if [ $NFSAllowNo != 0 ]; then echo "NFS services online:$NFSSTATUS"; echo "Num
bers in hosts.allow:$NFSAllowNo"; echo "NFS check result:true"; else echo "NFS services online:$NFSSTATUS"; echo "Numbers in hosts.allow:$NFSAllowNo"; echo "NFS check result:false"; fi; fi;
  751  telnet_port=`cat /etc/services | grep -w "^telnet" | awk '{print $2}' | awk -F/ 'NR==1 {print $1}'`
  763  if [ x"$SSHSTATUS" != "x0" ]; then  if [[ `grep "^PermitRootLogin no" /etc/ssh/sshd_config|wc -l` != 0 ]];       then  grep "^PermitRootLogin no" /etc/ssh/sshd_config;             echo "This device does not permit root to ssh logi
n,check result:true";       else  echo "This device permits root  to ssh login,check result:false" ;       fi;  else  echo "The ssh service of device is not running,check result:true"; fi
  765  if [ x"$TELSTATUS" != "x0" ]; then  if ([ -f /etc/securetty ] && [ `grep -i "^pts" /etc/securetty|wc -l` = 0  ]);        then  echo "This device does not permit root to telnet login,check result:true";        else  echo "This devi
ce permits root to telnet login,check result:false";       fi;  else  echo "The telnet service of device is not running,check result:true" ; fi
  836  service iptables status
  838  vim /etc/sysconfig/iptables
  840  vi /etc/sysconfig/iptables
  841  service iptables status
  842  service iptables restart
  843  service iptables status
  844  service iptables stop
  845  service iptables status
  852  vi iptables
  855  service iptables status
  856  service iptables restart
  857  service iptables status
  859  vi iptables
  861  vi iptables
  863  vi iptables
  864  service iptables restart
  871  vi iptables
  872  service iptables status
  873  service iptables restart
  874  service iptables status
  875  vi iptables
  880  service iptables restart
  881  service iptables status
  883  vi iptables
  886  vi iptables
  888  vim iptables
  891  vim /etc/sysconfig/iptables
  893  vim /etc/docker/daemon.json 
  895  vim /etc/sysconfig/iptables
  909  service iptables status
  930  service iptalbes restart
  932  vi /etc/sysconfig/iptables
  933  service iptables restart
  939  vi iptables
  943  vi /etc/sysconfig/iptables
  949  service iptables status
  957  vi iptables
  960  vi /etc/pam.d/su
  981  vi /usr/bin/tty
  992  vi /etc/grub.conf 
  993  vi /etc/inittab 
  998  vi /etc/securetty
  999  vi /etc/grub.conf 
 1000  history | grep vi | more
[root@ustc-xzjk-ccloud-1 ~]# 

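tty1 process record [important]

  • I suspect this is what causes the console login failure [this host runs many docker containers; I don't know whether a container is occupying this tty1]
    • You can see that on the VM that cannot be logged in to through the console, the tty1 process is /sbin/agetty --noclear tty1 linux. I don't know what this means, and I can't replace it...
    • On a normal VM the tty1 process is -bash...
      [image]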

/etc/sysctl.conf

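  • The three lines below were all newly added
    I don't know what they are for [seems to enable IPv6? 1 is disable, 0 seems to be enable], but I commented them out and console login still did not work, so it should be unrelated.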
[root@ustc-xzjk-ccloud-1 ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
[root@ustc-xzjk-ccloud-1 ~]# 

/etc/pam.d/system-auth

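  • I briefly compared the configuration files and found that the following line was newly added: auth required pam_deny.so
    Translation: directly reject all login requests that do not satisfy any of the conditions above. required means that one failure makes the whole result a failure, except that the failure is only returned at the end
  • I commented out this line and tried the console login again; it did not solve the problem, so it should be unrelated [I did not restart any service after commenting it out; this does not seem to need a service restart]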
[root@ustc-xzjk-ccloud-1 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth    required     pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120
uth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# The line below was newly added
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so remember=5

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@ustc-xzjk-ccloud-1 ~]# 
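
An added example, not part of the original post: a shell/awk walk through the auth stack of the system-auth listing above, applying the required, requisite and sufficient rules to assumed module outcomes, which shows when the final pam_deny.so line is actually reached. `sample_auth`, `pam_eval` and the assumed outcomes are constructed for illustration; lines whose type field is not a PAM type (the listing has `uth`) are only reported, and how the real library handles them is not modelled.

```shell
#!/bin/sh
# Added example (not from the original post): walk one PAM stack and apply
# the required / requisite / sufficient rules to assumed module outcomes.

# Constructed sample: the auth lines from the system-auth listing above.
sample_auth() {
cat <<'EOF'
auth        required      pam_env.so
auth    required     pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120
uth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
EOF
}

# pam_eval TYPE "FAILING MODULES" < service-file
# Modules named in $2 are assumed to fail, all others to succeed
# (pam_deny.so always fails). [value=action] controls are not modelled.
pam_eval() {
    awk -v want="$1" -v failing="$2 pam_deny.so" '
    BEGIN { n = split(failing, f, " "); for (i = 1; i <= n; i++) bad[f[i]] = 1 }
    /^[ \t]*#/ || NF == 0 { next }
    {
        type = $1; sub(/^-/, "", type)      # leading "-": missing module is not logged
        if (type !~ /^(auth|account|password|session)$/) {
            printf "line %d: unknown type %s (left out)\n", NR, $1; next
        }
        if (type != want || $2 ~ /^\[/) next
        ok = !($3 in bad)
        printf "line %d: %-10s %-17s %s\n", NR, $2, $3, ok ? "ok" : "fail"
        # sufficient + success + no earlier required failure: stop with success
        if ($2 == "sufficient" && ok && !failed) { result = "success"; exit }
        # requisite + failure: stop with failure at once
        if ($2 == "requisite" && !ok)            { result = "failure"; exit }
        # required + failure: remember it, keep walking the stack
        if ($2 == "required" && !ok) failed = 1
    }
    END { if (result == "") result = failed ? "failure" : "success"
          print "result: " result }'
}

echo "== correct password";            sample_auth | pam_eval auth ""
echo "== wrong password, uid 0";       sample_auth | pam_eval auth "pam_unix.so pam_succeed_if.so"
echo "== wrong password, uid >= 1000"; sample_auth | pam_eval auth "pam_unix.so"
```

In this model the pam_deny.so line is evaluated only in the third case; with a correct password the stack ends at the sufficient pam_unix.so line.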

/etc/profile

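  • A script was run against this file and basically all of its content was changed; as for whether that has any impact, I have no way to verify.
    Below is the file content from a VM that cannot be logged in to.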
[root@ustc-xzjk-ccloud-1 ~]# cat -n /etc/profile
     1  # /etc/profile
     2
     3  # System wide environment and startup programs, for login setup
     4  # Functions and aliases go in /etc/bashrc
     5
     6  umask 027
     7
     8  # It's NOT a good idea to change this file unless you know what you
     9  # are doing. It's much better to create a custom.sh shell script in
    10  # /etc/profile.d/ to make custom changes to your environment, as this
    11  # will prevent the need for merging in future updates.
    12
    13  pathmunge () {
    14      case ":${PATH}:" in
    15          *:"$1":*)
    16              ;;
    17          *)
    18              if [ "$2" = "after" ] ; then
    19                  PATH=$PATH:$1
    20              else
    21                  PATH=$1:$PATH
    22              fi
    23      esac
    24  }
    25
    26
    27  if [ -x /usr/bin/id ]; then
    28      if [ -z "$EUID" ]; then
    29          # ksh workaround
    30          EUID=`/usr/bin/id -u`
    31          UID=`/usr/bin/id -ru`
    32      fi
    33      USER="`/usr/bin/id -un`"
    34      LOGNAME=$USER
    35      MAIL="/var/spool/mail/$USER"
    36  fi
    37
    38  # Path manipulation
    39  if [ "$EUID" = "0" ]; then
    40      pathmunge /usr/sbin
    41      pathmunge /usr/local/sbin
    42  else
    43      pathmunge /usr/local/sbin after
    44      pathmunge /usr/sbin after
    45  fi
    46
    47  HOSTNAME=`/usr/bin/hostname 2>/dev/null`
    48  HISTSIZE=1000
    49  if [ "$HISTCONTROL" = "ignorespace" ] ; then
    50      export HISTCONTROL=ignoreboth
    51  else
    52      export HISTCONTROL=ignoredups
    53  fi
    54
    55  export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
    56
    57  # By default, we want umask to get set. This sets it for login shell
    58  # Current threshold for system reserved uid/gids is 200
    59  # You could check uidgid reservation validity in
    60  # /usr/share/doc/setup-*/uidgid file
    61  if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    62      umask 027
    63  else
    64      umask 032
    65  fi
    66
    67  for i in /etc/profile.d/*.sh /etc/profile.d/sh.local ; do
    68      if [ -r "$i" ]; then
    69          if [ "${-#*i}" != "$-" ]; then 
    70              . "$i"
    71          else
    72              . "$i" >/dev/null
    73          fi
    74      fi
    75  done
    76
    77  TMOUT=180
    78  export TMOUT
    79
    80  unset i
    81  unset -f pathmunge
    82  export PATH=/home/tcloud/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

/etc/login.defs

  • I compared it; only some expiration settings were updated here, so there is no impact.
    [image]

/etc/csh.cshrc

umask generally concerns file permissions and should have nothing to do with user login.
[image]

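Several configuration files related to tty1

I compared them with the configuration of a VM that can be logged in to; these are all normal and nothing was changed.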

[root@ustc-xzjk-ccloud-1 ~]# cat /etc/grub.conf 
default=0
timeout=0


title CentOS Linux 7 (3.10.0-957.1.3.el7.x86_64)
        root (hd0)
        kernel /boot/vmlinuz-3.10.0-957.1.3.el7.x86_64 ro root=UUID=f856d385-fe64-4188-b4f8-51f6089b75e6 console=hvc0 LANG=en_US.UTF-8
        initrd /boot/initramfs-3.10.0-957.1.3.el7.x86_64.img
[root@ustc-xzjk-ccloud-1 ~]# 
[root@ustc-xzjk-ccloud-1 ~]# cat /etc/inittab 
# inittab is no longer used when using systemd.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
#
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To set a default target, run:
# systemctl set-default TARGET.target
#
[root@ustc-xzjk-ccloud-1 ~]# 
[root@ustc-xzjk-ccloud-1 ~]# cat /etc/securetty 
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
ttyS0
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttysclp0
sclp_line0
3270/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0
[root@ustc-xzjk-ccloud-1 ~]# 

Changing the password reports permission denied

  • The error is as follows. There are many methods online; I followed them all and none worked.
[root@ustc-xzjk-ccloud-1 ~]# passwd root
Changing password for user root.
passwd: Permission denied
[root@ustc-xzjk-ccloud-1 ~]# 
  • We can get around this error by using a different syntax to change the password
    echo user:newpasswd | chpasswd
[root@ustc-xzjk-ccloud-1 ~]# passwd root
Changing password for user root.
passwd: Permission denied
[root@ustc-xzjk-ccloud-1 ~]# 
[root@ustc-xzjk-ccloud-1 ~]# echo root:root | chpasswd 
[root@ustc-xzjk-ccloud-1 ~]# 

Reposted from blog.csdn.net/cuichongxin/article/details/124883684