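1. Fault category:
Abnormal Linux user login
2. Symptoms
One day the business side reported a fault: on a Linux host, root could log in normally, but the ordinary user appuser could not, and the login attempt reported a wrong password. Other ordinary users that were tested could log in normally.
3. Root cause analysis:
- Log in to the target host as root and open the user login log file /var/log/secure.
- Open a new window and log in with the account and password provided by the business side, while monitoring the log file.
- The log reports the errors below. For ease of analysis, a number has been added at the start of each log entry as a line number.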
[root@aiserver01 ~]# tail -f /var/log/secure
1 Nov 16 16:25:20 aiserver01 sshd[83500]: Failed password for appuser from 10.12.25.161 port 56142 ssh2
2 Nov 16 16:44:16 aiserver01 sshd[89236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.12.25.161 user=appuser
3 Nov 16 16:44:18 aiserver01 sshd[89236]: Failed password for appuser from 10.12.25.161 port 41498 ssh2
4 Nov 16 17:11:09 aiserver01 sshd[97280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.12.25.161 user=appuser
5 Nov 16 17:11:11 aiserver01 sshd[97280]: Failed password for appuser from 10.12.25.161 port 42614 ssh2
6 Nov 16 17:11:39 aiserver01 sshd[97280]: Connection closed by 10.12.25.161 port 42614 [preauth]
7 Nov 16 17:13:33 aiserver01 sshd[97506]: Accepted password for root from 10.12.80.33 port 64585 ssh2
8 Nov 16 17:13:33 aiserver01 sshd[97506]: pam_unix(sshd:session): session opened for user root by (uid=0)
9 Nov 16 17:13:37 aiserver01 su: pam_unix(su-l:session): session opened for user appuser by root(uid=0)
10 Nov 16 17:14:52 aiserver01 su: pam_unix(su-l:session): session closed for user appuser
11 Nov 16 17:15:11 aiserver01 sshd[98519]: pam_tally2(sshd:auth): user appuser (1001) tally 20720, deny 10
12 Nov 16 17:15:11 aiserver01 sshd[98519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.12.80.33 user=appuser
13 Nov 16 17:15:14 aiserver01 sshd[98519]: Failed password for appuser from 10.12.80.33 port 65490 ssh2
14 Nov 16 17:15:23 aiserver01 sshd[98519]: error: Received disconnect from 10.12.80.33 port 65490:13: The user canceled authentication. [preauth]
15 Nov 16 17:15:23 aiserver01 sshd[98519]: Disconnected from 10.12.80.33 port 65490 [preauth]
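- Lines 1-8 clearly point to a wrong-password problem; the keyword is Failed password for appuser.
- Reading further, the key entry is line 11, pam_tally2(sshd:auth): user appuser (1001) tally 20720, deny 10: the user's failed-login counter stands at 20720, and by default the account is locked after 10 wrong passwords.
At this point we can essentially conclude that there are two problems: the password is wrong, and the account is locked.
4. Solution:
- Change the user's password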
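The manual log reading above can be automated. The following is an added example, not part of the original write-up: it scans /var/log/secure-style lines, counts sshd password failures per user together with their source addresses, and flags accounts whose pam_tally2 counter exceeds the deny threshold. The function name `diagnose` is hypothetical; the sample lines are taken from the excerpt above (without the added line numbers) plus one constructed "invalid user" line.

```python
import re
from collections import defaultdict

# Sample input: lines from the excerpt above, last line constructed for illustration.
SAMPLE = """\
Nov 16 17:11:11 aiserver01 sshd[97280]: Failed password for appuser from 10.12.25.161 port 42614 ssh2
Nov 16 17:13:33 aiserver01 sshd[97506]: Accepted password for root from 10.12.80.33 port 64585 ssh2
Nov 16 17:15:11 aiserver01 sshd[98519]: pam_tally2(sshd:auth): user appuser (1001) tally 20720, deny 10
Nov 16 17:15:14 aiserver01 sshd[98519]: Failed password for appuser from 10.12.80.33 port 65490 ssh2
Nov 16 17:20:02 aiserver01 sshd[99001]: Failed password for invalid user test from 10.12.80.33 port 65500 ssh2
"""

# sshd password failure; "invalid user" is present when the account does not exist.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# pam_tally2 denial message: current counter and the configured deny threshold.
TALLY = re.compile(r"pam_tally2\(\S+\): user (\S+) \(\d+\) tally (\d+), deny (\d+)")

def diagnose(lines):
    """Return per-user failure count, source addresses, last tally/deny and lock state."""
    report = defaultdict(lambda: {"failed": 0, "sources": set(),
                                  "tally": None, "deny": None, "locked": False})
    for line in lines:
        m = FAILED.search(line)
        if m:
            entry = report[m.group(1)]
            entry["failed"] += 1
            entry["sources"].add(m.group(2))
            continue
        m = TALLY.search(line)
        if m:
            entry = report[m.group(1)]
            entry["tally"], entry["deny"] = int(m.group(2)), int(m.group(3))
            # pam_tally2 denies access once the tally exceeds the deny value.
            entry["locked"] = entry["tally"] > entry["deny"]
    return dict(report)

if __name__ == "__main__":
    for user, e in diagnose(SAMPLE.splitlines()).items():
        state = "LOCKED" if e["locked"] else "not locked"
        print(f"{user}: {e['failed']} failed, from {sorted(e['sources'])}, "
              f"tally={e['tally']} deny={e['deny']} -> {state}")
```

On a live host the same function can be fed the lines of /var/log/secure read as root.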
[root@z0rzpsap9069 ~]# passwd appuser
更改用户 appuser 的密码 。
新的 密码:
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
- Unlock the user
[root@z0rzpsap9069 ~]# pam_tally2 -u appuser -r
- Test login with the new password
Testing with the new password, login works normally.