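Description: While remediating an SSH vulnerability on a project, OpenSSH was upgraded, after which logins were rejected once the username and password were entered (see the figure below). Reaching the operating system through out-of-band redirection showed the errors "PAM unable to dlopen" and "PAM adding faulty module" in the logs.
Investigation showed that upgrading the ssh rpm package modifies the /etc/pam.d/sshd file (see the figure below).
For comparison, the /etc/pam.d/sshd file on another server where login works normally is as follows: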
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
Solution:
Repair the /etc/pam.d/sshd file and restart the service.
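A check to run on /etc/pam.d/sshd before restarting sshd, so that a module PAM cannot dlopen is caught while a working session is still open. This is an added example, not part of the original post; the function name pam_missing_modules is hypothetical, and the module directories in the usage comment are an assumption for 64-bit RHEL-family systems.

```shell
#!/bin/sh
# Added example: report modules named in a PAM service file that do not exist
# on disk (the condition behind "PAM unable to dlopen").
# Usage (directories are an assumption, adjust for your distribution):
#   pam_missing_modules /etc/pam.d/sshd /usr/lib64/security /lib64/security
pam_missing_modules() {
    file=$1; shift
    status=0
    for mod in $(awk '
        { sub(/#.*/, "") }                  # drop comments and the #%PAM header
        NF < 3 { next }                     # blank or incomplete line
        $1 ~ /^-/ { next }                  # "-type": a missing module is tolerated
        $2 == "include" || $2 == "substack" { next }   # names a PAM file, not a .so
        {
            i = 3
            if ($2 ~ /^\[/) {               # [success=1 default=ignore] spans fields
                i = 2
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i <= NF) print $i
        }' "$file" | sort -u); do
        found=1
        case $mod in
            /*) if [ -e "$mod" ]; then found=0; fi ;;   # absolute module path
            *)  for dir in "$@"; do
                    if [ -e "$dir/$mod" ]; then found=0; break; fi
                done ;;
        esac
        if [ "$found" -ne 0 ]; then
            echo "MISSING: $mod"
            status=1
        fi
    done
    return $status
}

# Run directly when called with arguments: FILE MODULE_DIR [MODULE_DIR...]
if [ "$#" -gt 0 ]; then
    pam_missing_modules "$@"
fi
```

A non-zero return means at least one required module would fail to load; keep the existing session open until the file is repaired and a fresh login succeeds.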
From: https://www.cnblogs.com/HByang/p/17983869