文章目录
passwd: Have exhausted maximum number of retries for servic
场景说明
- 新建用户的时候,一般能用一个复杂密码修改一次,后面就修改失败了。
[root@paas-core01 ~]# echo 'xzhuaiweiedgewznjkxtXZ(^^)01' | passwd --stdin xz_tyng
Changing password for user xz_tyng.
passwd: all authentication tokens updated successfully.
[root@paas-core01 ~]#
[root@paas-core01 ~]# echo 'TyNgxzxzXXXJSBorale2' | passwd --stdin xz_tyng
Changing password for user xz_tyng.
passwd: Have exhausted maximum number of retries for service
[root@paas-core01 ~]#
[root@paas-core01 ~]# echo "TyNgxzxzXXXJSBorale2" | passwd --stdin xz_tyng
Changing password for user xz_tyng.
passwd: Have exhausted maximum number of retries for service
[root@paas-core01 ~]# echo root | passwd --stdin xz_tyng
Changing password for user xz_tyng.
passwd: Have exhausted maximum number of retries for service
[root@paas-core01 ~]#
- 网上说,可以用chpass来修改,我这依然也是不行滴。。。
[root@paas-core01 ~]# echo xz_tyng:xz_tyng | chpasswd
BAD PASSWORD: is too simple
BAD PASSWORD: is too simple
BAD PASSWORD: is too simple
chpasswd: (user xz_tyng) pam_chauthtok() failed, error:
Have exhausted maximum number of retries for service
chpasswd: (line 1, user xz_tyng) password not changed
[root@paas-core01 ~]# echo xz_tyng:root123 |chpasswd
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: it is too simplistic/systematic
chpasswd: (user xz_tyng) pam_chauthtok() failed, error:
Have exhausted maximum number of retries for service
chpasswd: (line 1, user xz_tyng) password not changed
[root@paas-core01 ~]#
问题解决
场景1
-
上面这种情况其实就是
/etc/pam.d/system-auth文件中做了限制【比如密码复杂度这样】,导致出现上面的情况,最简单的解决方法就是找一台正常的虚拟机,将/etc/pam.d/system-auth文件中的内容全部拷贝到当前问题虚拟机中的/etc/pam.d/system-auth配置文件中即可【但如果是生产环境不建议这么做,因为合规要求会修改/etc/pam.d/system-auth这个文件。】 -
另外一种情况,确定
/etc/passwd和/etc/shadown文件权限没问题,正常情况如下
如果有-i或-a,执行:chattr -i /etc/shadow这样将其删除。
[root@paas-core01 ~]# lsattr /etc/passwd /etc/shadow
--------------e----- /etc/passwd
--------------e----- /etc/shadow
[root@paas-core01 ~]#
确定没有多余权限,接着往下看
场景2 【万能方法】
- 首先,
/etc/pam.d/system-auth做过修改,一定要保证其要修改的用户密码足够复杂。 passwd: Have exhausted maximum number of retries for servic这个报错其实意思就是你当前设置的密码最近已经使用过,请重新设置。
万能解决方法,其实就是将我们设置过的密码给删了【删除该用户新建同样的效果】,再重新定义密码就行了。- 所有用户历史密码会记录到一个文件中
/etc/security/opasswd,把它清空,再重新设置密码,问题基本上都能得到解决
如我这将xz_tyng用户行信息删除【删除wq保存】,再重新修改密码,问题解决。
[root@paas-core01 ~]# cat /etc/security/opasswd
root:0:1:$6$vgdPSu0RskWF4aAu$kjSw4nhgzfxhg/LynRm2xEHb9YwfDYXv6f./64RNWaA6lmwmATGJ8apTvrMdO3n1yj7dt40Mc7Dh98woLrbbZ.
xz_tyng:5100:1:$6$eC9g3pG4mfaA5wyy$7dy0P.Sj2Ghtz2YenDBxmoIGW.QLYeXx0PFpjRBZl7zQLEBCpm4iUpcbUoIhklT2IRZsN2JhSSKarc7lIzgYY1
[root@paas-core01 ~]#
[root@paas-core01 ~]# echo 'xzhuaiweiedgewznjkxtTyNg(^^)1' |passwd --stdin xz_tyng
Changing password for user xz_tyng.
passwd: all authentication tokens updated successfully.
[root@paas-core01 ~]#
ssh用普通用户登录输入密码正确但是登录时却提示被拒绝问题解决
报错说明与测试
-
首先,这是一个定制系统,用户提供的镜像我们创建的虚拟机。
-
我用工具通过普通用户登录,就会报错【和密码错误一样的情况】
-
测试
在虚拟机内部,能通过普通用户su切换到该用户,证明密码没问题。
[root@paas-core01 ~]# su - xz_tyng
Last login: Thu Feb 16 17:17:51 CST 2023 on pts/1
Last failed login: Thu Feb 16 17:29:27 CST 2023 from 4.5.201.126 on ssh:notty
There were 5 failed login attempts since the last successful login.
[xz_tyng@paas-core01 ~]$ su - xz_tyng
Password:
Last login: Thu Feb 16 17:29:30 CST 2023 on pts/1
Last failed login: Thu Feb 16 17:29:30 CST 2023 from 4.5.201.126 on ssh:notty
There was 1 failed login attempt since the last successful login.
[xz_tyng@paas-core01 ~]$
日志报错提示
- 查看日志
一个窗口执行tail -f /var/log/messages,新开一个窗口再次通过该用户登录。
[root@paas-core01 ~]# tail -f /var/log/messages
Feb 16 17:35:18 paas-core01 sshd[57466]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.183.225 user=xz_tyng
Feb 16 17:35:21 paas-core01 sshd[57466]: Failed password for invalid user xz_tyng from 1.2.183.225 port 62640 ssh2
Feb 16 17:35:30 paas-core01 sshd[57466]: error: Received disconnect from 1.2.183.225 port 62640:0: [preauth]
Feb 16 17:35:30 paas-core01 sshd[57466]: Disconnected from invalid user xz_tyng 1.2.183.225 port 62640 [preauth]
Feb 16 17:35:59 paas-core01 su[59454]: (to paas) paas on pts/1
Feb 16 17:35:59 paas-core01 su[59454]: pam_unix(su-l:session): session opened for user paas(uid=1000) by paas(uid=0)
Feb 16 17:36:06 paas-core01 su[59663]: (to xz_tyng) paas on pts/1
Feb 16 17:36:06 paas-core01 su[59663]: pam_unix(su-l:session): session opened for user xz_tyng(uid=5100) by paas(uid=1000)
Feb 16 17:37:10 paas-core01 su[59663]: pam_unix(su-l:session): session closed for user xz_tyng
Feb 16 17:37:11 paas-core01 su[59454]: pam_unix(su-l:session): session closed for user paas
Feb 16 17:37:34 paas-core01 sshd[63415]: User xz_tyng from 1.2.183.225 not allowed because not listed in AllowUsers
Feb 16 17:37:37 paas-core01 sshd[63415]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.183.225 user=xz_tyng
Feb 16 17:37:39 paas-core01 sshd[63415]: Failed password for invalid user xz_tyng from 1.2.183.225 port 59219 ssh2
Feb 16 17:37:51 paas-core01 sshd[63415]: error: Received disconnect from 1.2.183.225 port 59219:0: [preauth]
Feb 16 17:37:51 paas-core01 sshd[63415]: Disconnected from invalid user xz_tyng 1.2.183.225 port 59219 [preauth]
Feb 16 17:38:47 paas-core01 sshd[1058]: Accepted password for paas from 1.2.183.225 port 64970 ssh2
Feb 16 17:38:47 paas-core01 sshd[1058]: pam_unix(sshd:session): session opened for user paas(uid=1000) by (uid=0)
^C
[root@paas-core01 ~]#
-
日志中出现
Failed password for invalid user xz_tyng from 1.2.183.225 port 62640 ssh2
ssh登录有提示invalid user【无效用户】,无效用户,这不是扯犊子嘛,系统内都可以切,这用户怎么可能无效。 -
所以我们现在可以知道原因了,ssh登录有问题,那么肯定是ssh的配置文件中限制死了。
进入ssh配置文件/etc/ssh/sshd_config看看是否有AllowUsers【这个就是限制允许登录用户的行】
问题解决
- 好家伙,可以看到,这个镜像中定制了只允许:
paas和sftpuser用户登录,其他用户一律不能登录。
[root@paas-core01 ~]# cat /etc/ssh/sshd_config | grep AllowUser
AllowUsers paas sftpuser
[root@paas-core01 ~]#
- 解决方法很简单,在该行添加我们创建的普通用户,然后重启sshd服务就行了。
[root@paas-core01 ~]# cat /etc/ssh/sshd_config | grep AllowUser
AllowUsers paas sftpuser xz_tyng
[root@paas-core01 ~]#
[root@paas-core01 ~]# systemctl restart sshd
[root@paas-core01 ~]#