Troubleshooting a root user getting "permission denied" both locally and over SSH

One day a teacher reported that node 6 in the server room could not be logged into. My first thought was that I had forgotten to add the node to the firewall IP whitelist when I configured it, but the node turned out to be in the whitelist, and the password had not been changed. Connecting from his computer, the terminal briefly displayed the Last login information, which means the connection to the node had actually succeeded, and then reported "connection closed".

Since everything is in one building, a network problem was unlikely, so I went to the server room to troubleshoot. After connecting to the node through the KVM console, we found the screen full of output that looked like device debugging messages; the machine was completely stuck and ignored keyboard interrupts, so we had to force a power-off. After the reboot, strange things started to happen.

After entering the root username and password, the shell gave the following message:

(The login failure message is not reproduced here.)

The password was clearly not the problem, because the Last login information had been displayed, which shows the password was accepted; yet the root login was rejected locally. That was a little scary, and my first thought was that the machine had been hacked. A quick web search turned up answers that were almost all about SSH logins being rejected; none covered a local login being rejected. Some articles suggest logging in as an ordinary user instead, but this node had no other users, so that could not be tried.

To repair anything, I first needed a way into the system, so I tried single-user mode (how to enter it is described at https://blog.51cto.com/hqq0000/2177280 ), and it worked! First sigh of relief: at worst the data could be exported and the system reinstalled, instead of pulling every hard drive out of the cluster.

In single-user mode I changed the password, which made no difference. I then suspected bash, because "permission denied" usually appears when executing a file you lack permission for; if the permissions on /bin/bash had been maliciously changed, a similar error might be reported. But ls -l showed nothing wrong with bash.

Then I remembered that login failures are logged, so I looked at /var/log/secure and found the following records at the end (log excerpt not reproduced):

The login failures seemed to be related to PAM. Linux PAM (Pluggable Authentication Modules) is a dynamically loaded authentication framework, and it is entirely capable of blocking our logins. I noticed that the last few lines mentioned nofile; isn't that the Linux parameter that limits the maximum number of open files? So I adjusted it (see https://www.iteye.com/blog/jameswxx-2096461 , which has a good summary), but that did not solve the problem.

Continuing through the log, I found a line like this (not reproduced here); it said the login was refused because the user's UID did not meet the requirement of being 1000 or above.

Indeed, every user on node 6 has a UID below 1000. Following the solution at https://help.aliyun.com/knowledge_detail/41491.html?spm=a2c6h.13066369.0.0.2edd1479unyVgh , I edited the file under /etc/pam.d and commented out the relevant statement in system-auth.

But after a restart it still did not work! The original system-auth configuration had been restored automatically after the reboot, so the manual change had no effect. (On CentOS/RHEL, /etc/pam.d/system-auth is normally a symlink to system-auth-ac, which authconfig regenerates; anything that re-runs authconfig will overwrite edits to that file.)

So I changed approach: since logins by users with UID < 1000 are banned, can I use a user with UID > 1000? Still in single-user mode, I ran adduser to create an ordinary user, passwd to set its password, and added it to the root group so that it could use sudo, then rebooted and logged in... (Note that membership in the root group does not by itself grant sudo; on CentOS/RHEL, sudo rights normally come from the wheel group via /etc/sudoers.)

...Still no...

Is there really no way to bypass PAM? Then I remembered that the SSH daemon configuration (/etc/ssh/sshd_config) has a PAM-related parameter, UsePAM. I opened it, and sure enough it was set to yes. I changed it to no and went back upstairs to try the SSH connection.

Both the ordinary user and root logged in successfully! Problem solved, for now.
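The checks this investigation worked through by hand (PAM denials in /var/log/secure, the uid gate in /etc/pam.d/system-auth, and the UsePAM keyword in sshd_config) can be scripted. The block below is an added example, not code from the original post or the linked articles; the log lines, PAM file and sshd_config it runs on are constructed samples in the formats those files use, since the post's own screenshots are not reproduced. The "node6" hostname, PIDs and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three places the
# troubleshooting above ended up looking at. Sample inputs are constructed.

# pam_uid_gate_denials LOG
# Print "service user requirement" for every pam_succeed_if denial in a secure
# log. The pattern follows the message pam_succeed_if logs when a test fails.
pam_uid_gate_denials() {
    sed -nE 's/.*pam_succeed_if\(([^:]+):[a-z]+\): requirement "([^"]*)" not met by user "([^"]*)".*/\1 \3 \2/p' "$1"
}

# pam_limit_errors LOG
# Count pam_limits "Could not set limit" messages (the nofile lines noticed above).
pam_limit_errors() {
    grep -c "pam_limits(.*Could not set limit" "$1" || true
}

# pam_uid_gates PAMFILE
# Print the active (uncommented) pam_succeed_if lines that test the uid, with
# line numbers. These are the lines the Aliyun article says to comment out.
pam_uid_gates() {
    grep -nE '^[[:space:]]*[^#[:space:]].*pam_succeed_if\.so.*uid' "$1" || true
}

# sshd_usepam SSHD_CONFIG
# Print the effective UsePAM value: sshd uses the FIRST occurrence of a keyword
# (later duplicates are ignored), keywords are case-insensitive, and the
# built-in default when the keyword is absent is "no".
sshd_usepam() {
    v=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-no}"
}

# ---- constructed sample inputs (hostname, PIDs and times are made up) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/secure" <<'EOF'
Sep 30 10:12:01 node6 sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 30 10:12:01 node6 sshd[2211]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted
Sep 30 10:12:03 node6 sshd[2215]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 30 10:15:40 node6 login: pam_succeed_if(login:auth): requirement "uid >= 1000" not met by user "root"
EOF

cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth       requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF

cat > "$tmp/sshd_config" <<'EOF'
#UsePAM no
UsePAM yes
UsePAM no
EOF

echo "== pam_succeed_if denials (service user requirement)"
pam_uid_gate_denials "$tmp/secure"
echo "== pam_limits errors: $(pam_limit_errors "$tmp/secure")"
echo "== active uid gates in system-auth (line:text)"
pam_uid_gates "$tmp/system-auth"
echo "== effective UsePAM: $(sshd_usepam "$tmp/sshd_config")"
```

On a real node, point the functions at /var/log/secure, /etc/pam.d/system-auth (and system-auth-ac, since the symlink target is what gets regenerated) and /etc/ssh/sshd_config. The sample log includes a denial from the login service as well as from sshd to make the point that the same uid gate applies to console logins; setting UsePAM no only removes sshd from that path.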

Summary

After this investigation, PAM was finally identified as the culprit; someone familiar with PAM would have located the problem much faster. So far only remote root login has been restored; why root is still denied locally remains unanswered. One thing worth knowing: UsePAM no affects only sshd, which then skips the PAM auth, account and session stacks entirely. That is why it bypassed the uid check for SSH but cannot help a console login, which goes through /etc/pam.d/login and the same system-auth include. It also means sshd sessions no longer get whatever those stacks provided (pam_limits, for example), so this is a workaround rather than a fix.

On the other hand, Linux sets PAM up this way for reasons of its own: allowing remote root login carries a real security risk. Administrators should only allow ordinary users to log in remotely, and then use su to switch users or sudo to run commands.

Source: www.cnblogs.com/qjfoidnh/p/11616561.html