这个问题跟sudo的版本有关,有人说在sudo 1.7.6p1之后已经OK了,谨以此文献给那些被百度搞得一头雾水而谷歌又被墙的同学。
我用的sudo是1.7.2p1版本,CentOS5.9,问题现象先描述一下:
使用pam_tally2模块来实现用户多次输入密码错误后锁住账号一段时间的需求,在/etc/pam.d/system-auth中增加pam_tally2的entry
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_tally2.so deny=5 onerr=fail no_magic_root unlock_time=10配置完成后先用login或者ssh的方式验证一下,当用户错误输入密码5次后,账户都会被锁住10秒钟;账户解锁后输入正确的密码,pam_tally2的计数器清零。
查看计数器的命令如下:
pam_tally2 --user=admin
显示结果如下:
[root@space-000c29c16417 pam.d]# pam_tally2 --user=admin Login Failures Latest failure From admin 2 04/10/14 11:21:16 /dev/pts/0
但是在使用sudo的时候发现计数器不能正常清零,只要执行sudo,计数器就一直累加,不清零,除非使用命令手工清零
pam_tally2 --user=admin --reset
锁定的行为也变得无章可循,执行几次后账户就会被锁住。
[admin@space-000c29c16417 root]$ sudo bash -c "echo aaa" [sudo] password for admin: Sorry, try again. [sudo] password for admin: Sorry, try again. [sudo] password for admin: Sorry, try again. [sudo] password for admin: aaa [admin@space-000c29c16417 root]$ sudo bash -c "echo aaa" [sudo] password for admin: Sorry, try again. Your account is locked. Maximum amount of failed attempts was reached. [sudo] password for admin:可以看到我在第四次的时候已经正确输入了密码,屏幕打印出“aaa",但是当我再次输入错误密码时,我的账号还是被锁住了。查看计数器失败次数已经超过5次
[root@space-000c29c16417 pam.d]# pam_tally2 --user=admin Login Failures Latest failure From admin 6 04/10/14 11:27:14 /dev/pts/0
https://bugzilla.redhat.com/show_bug.cgi?id=707660
解决办法是在system-auth配置文件的account段增加下面一行配置
account required pam_tally2.so这样可以让计数器在每次sudo输入正确密码后清零。pam_tally2的文档这样解释:
Account phase resets attempts counter if the user is not magic root.This phase can be used optionally for services which don‘t call pam_setcred(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules."
这个问题一个可能的原因是sudo模块在执行具体动作之前关闭了pam的session,没有正确调用pam_setcred(),导致返回失败的错误码,pam_tally2计数器累加。
Redhat关于pam_tally2计数器在每次sudo时都增加的bug,布布扣,bubuko.com
Redhat关于pam_tally2计数器在每次sudo时都增加的bug
原文:http://blog.csdn.net/napolunyishi/article/details/23375927