1.修改配置/etc/ssh/sshd_config
#修改配置/etc/ssh/sshd_config
#开启ssh通过pam认证账户
vim /etc/ssh/sshd_config
#UsePAM no
UsePAM yes
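# Equivalent non-interactive edit. The original 's%UsePAM no%UsePAM yes%g' also
# rewrites the commented-out '#UsePAM no' into '#UsePAM yes', which is still a
# comment, so the effective setting may not change at all. Anchor on the
# directive itself (commented or not), keep a backup of the file, and add the
# line if the file has no UsePAM directive. Appending puts the line at the very
# end of the file: if sshd_config ends in a Match block, move it above that
# block, since UsePAM is not valid inside Match (sshd -t in step 5 reports it).
sed -i.bak -E 's%^#?UsePAM[[:space:]].*%UsePAM yes%' /etc/ssh/sshd_config
grep -qE '^UsePAM[[:space:]]+yes' /etc/ssh/sshd_config \
  || printf 'UsePAM yes\n' >> /etc/ssh/sshd_config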
2.修改配置文件/etc/pam.d/sshd,以确认调用pam认证文件
#修改配置文件/etc/pam.d/sshd,以确认调用pam认证文件
vim /etc/pam.d/sshd
#%PAM-1.0
# /etc/pam.d/sshd: the stack sshd consults once UsePAM yes is set (step 1).
# It pulls most of its rules in from password-auth (step 3); only the
# pam_mkhomedir line at the bottom is added by this note.
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# Added line: create the user's home directory after a successful login.
# NOTE(review): password-auth (included above) already lists
# 'session optional pam_oddjob_mkhomedir.so umask=0077', which needs the oddjobd
# service; pam_mkhomedir creates the directory in-process instead. Without a
# umask= argument it uses its default mask (0022), so the new home directory is
# world-readable — consider adding umask=0077 to match password-auth.
session required pam_mkhomedir.so
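# Equivalent non-interactive edit. Two changes from the plain 'echo >>':
#  - guard with grep so re-running this step does not stack duplicate
#    pam_mkhomedir lines in /etc/pam.d/sshd;
#  - pass umask=0077 so a home directory created at first login is private
#    (pam_mkhomedir's default mask is 0022, i.e. world-readable), matching the
#    umask password-auth already uses for pam_oddjob_mkhomedir in step 3.
grep -qE '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' /etc/pam.d/sshd \
  || printf 'session required pam_mkhomedir.so umask=0077\n' >> /etc/pam.d/sshd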
3.修改配置文件/etc/pam.d/password-auth
#修改配置文件/etc/pam.d/password-auth
vim /etc/pam.d/password-auth
#将文件中的pam_sss全部替换成pam_ldap
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): the two lines above are literal — the next authconfig run
# rewrites this file with pam_sss.so back in place. Either stop running
# authconfig on this host or make the sssd->ldap switch through it instead
# of by hand.
# Auth stack, read with the [default=1 ...] skips: accounts with uid < 1000 are
# checked against pam_unix only (the later requisite uid >= 1000 test stops
# them); accounts with uid >= 1000 try pam_unix when they exist locally and
# then fall through to pam_ldap. Both uid tests need the user to resolve via
# NSS, which is not covered on this page.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): nullok (here and on the pam_unix password line below) lets an
# account whose password field is empty log in without a password; drop it
# unless that is intended for this host.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# The commented line is the original sssd entry; step 3's sed swaps the module
# name in place, so pam_ldap takes the same position in the stack. pam_ldap
# authenticates by binding to the directory with the user's password, so the
# LDAP connection (configured outside this file, not shown here) should use TLS.
#auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# user_unknown=ignore: a user the directory does not know (e.g. a local one)
# is not rejected by this line; any other LDAP account failure is 'bad'.
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Creates missing home directories via the oddjobd service, with a private
# (0077) mask; the pam_mkhomedir line added to /etc/pam.d/sshd in step 2 is the
# in-process alternative.
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
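# Equivalent non-interactive edit. -i.bak keeps an untouched copy next to the
# file (sed -i alone has no undo), and the dot is escaped so only the literal
# module name matches. Note the header of this file: authconfig regenerates
# it, so the next authconfig run puts pam_sss.so back. Either stop running
# authconfig on this host or make the switch through it (it has --enableldap /
# --enableldapauth options) instead of by hand.
sed -i.bak 's%pam_sss\.so%pam_ldap.so%g' /etc/pam.d/password-auth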
4.修改/etc/pam.d/password-auth文件
#修改/etc/pam.d/password-auth文件
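# Keep an untouched copy of system-auth, and do not clobber it on a re-run
# (a second cp after the file has been edited would replace the pristine
# backup with the modified file).
[ -e /etc/pam.d/system-auth-bak ] || cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth-bak
# NOTE(review): the step title and this sed name password-auth, which step 3
# already converted (so this is a no-op), while the backup above is of
# system-auth. If system-auth is the file meant here, point the sed at it —
# but system-auth serves other login paths (console, su) and is not shown on
# this page, so confirm that before converting it.
sed -i 's%pam_sss\.so%pam_ldap.so%g' /etc/pam.d/password-auth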
5.重启sshd服务
#重启sshd服务
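# The title of this step says "restart sshd", but the original commands only
# started sssd. UsePAM (step 1) is read when sshd starts, so sshd has to be
# restarted for it to apply; the PAM stack edits (steps 2-4) are picked up on
# the next login without a restart. Check the config first so a typo does not
# leave the daemon down, and keep a second session open while doing it.
sshd -t && systemctl restart sshd
systemctl status sshd
# sssd backs pam_sss.so, which steps 3-4 replaced with pam_ldap.so, so it is
# not needed for the PAM stacks shown here. It may still be what NSS uses for
# user lookup (nsswitch.conf is not covered on this page), so the original
# lines are kept.
systemctl start sssd
systemctl status sssd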
6.验证SSH登录
#验证SSH登录
#ssh登录本机
[root@node1 ~] ssh testuser@172.21.35.243
#ssh远程登录
[root@node2 ~] ssh testuser@172.21.35.243
#登录成功,配置完毕
登录成功,配置完毕