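Preface
On Linux, a user who cannot log in to the operating system is usually in one of these situations:
1. No login permission (a Baidu search turns up plenty on this)
2. The user's password has expired: Password expires
3. The user's account has expired: Account expires
4. The user account is locked
The first case is not covered here, since most readers are unlikely to run into it. What follows is only a rough overview; once your problem is solved, you may want to study the commands and their options in more depth.
I. User password expired
When the password has expired, the login attempt shows a prompt like this: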
[BEGIN] 2021/12/15 9:43:04
You are required to change your password immediately (password aged)
Last login: Tue Dec 14 18:48:36 CST 2021 on pts/0
Last failed login: Tue Dec 14 18:52:23 CST 2021 from 11.111.111.241 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Wed Dec 15 09:43:03 2021 from 11.111.111.101
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user cxl.
Changing password for cxl.
(current) UNIX password:
In this case you can simply change the password as prompted. To set the password to never expire:
[root@cxldb01 ~]# chage -M 99999 username
[root@cxldb01 ~]#
[root@cxldb01 ~]# chage -l username
Last password change : Dec 04, 2021
Password expires : never
Password inactive : never
Account expires : Jan 31, 2022
Minimum number of days between password change : 1
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
II. Account expired
The following command shows the account's aging information:
[root@cxldb01 ~]# chage -l username
Last password change : Dec 04, 2021 # date of the last password change
Password expires : Jan 31, 2022 # password expiry date
Password inactive : Jan 31, 2022
Account expires : Jan 31, 2022 # account expiry date
Minimum number of days between password change : 1
Maximum number of days between password change : 60 # number of days the password is valid
Number of days of warning before password expires : 7 # warning days before the password expires
If the account has expired, the expiry date can be changed with the following command:
[root@cxldb01 ~]# chage --help
Usage: chage [options] LOGIN
Options:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximum number of days before password
change to MAX_DAYS
-R, --root CHROOT_DIR directory to chroot into
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
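[root@cxldb01 ~]# chage -E "Jun 15, 2022" username
III. User account locked
Locking can happen at two levels: 1. the password is locked; 2. the account is locked out (message: the SSH server rejected the password)
Password lock
The passwd command or the usermod command can be used to lock, unlock and check the status of a given user account on Linux.
Lock: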
# passwd -l username
Locking password for user username.
passwd: Success
Check the status:
# passwd -S username
or
# passwd --status username
daygeek LK 2021-12-15 7 90 7 -1 (Password locked.)
or
# grep username /etc/shadow   # Note: two exclamation marks in front of the password hash mean it is locked
username:!!$6$FJv0iamG$pJvYvma/mnzMnDEoAxu5XeLEPF53woeK8oCZ3yxFYf6U8ivTSKoiFYip9oUSnfWbBHifNWpdmz605A8J16wjg/:18976:1:99999:7::19023:
Unlock:
# passwd -u username
Unlocking password for user username.
passwd: Success
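Password expiry, account expiry and the password lock can all be read from a single /etc/shadow entry. The function below is an added example, not part of the original post: it takes one shadow line plus today's date as days since 1970-01-01 and names what would block the login. The function name and status words are made up for the example, the hash in the sample is a constructed placeholder, and the password-inactive field is ignored.

```shell
#!/bin/sh
# Added example (not from the original post). /etc/shadow fields:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are day counts since 1970-01-01.

# shadow_status LINE TODAY -> prints why the login is blocked, or "ok"
# (shadow_status and its status words are hypothetical names for this example)
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        out = ""
        # passwd -l prefixes the hash with "!" ("!!" in the line shown above)
        if (substr($2, 1, 1) == "!") { out = out " password-locked" }
        if ($3 == "0") {
            # lastchg 0 means the password must be changed at next login
            out = out " password-change-forced"
        } else if ($3 != "" && $5 != "" && $3 + $5 < today) {
            # lastchg + maxdays has passed; with maxdays 99999 that is far in the future
            out = out " password-expired"
        }
        # field 8 is the account expiry date set by chage -E
        if ($8 != "" && today >= $8) { out = out " account-expired" }
        if (out == "") { out = " ok" }
        print substr(out, 2)
    }'
}

# Constructed sample: numeric fields as in the shadow line above, placeholder hash.
sample='username:!!$6$SALT$HASH:18976:1:99999:7::19023:'
today=$(( $(date +%s) / 86400 ))
echo "today ($today): $(shadow_status "$sample" "$today")"
echo "day 18980: $(shadow_status "$sample" 18980)"
```

On a real host, feed it the output of grep username /etc/shadow as root. A pam_tally2 lockout is counted outside /etc/shadow, so it does not show up here.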
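Account lockout
In many cases a security policy enforces checks on login authentication, for example locking the account after 5 wrong passwords. This is configured in /etc/pam.d/sshd; check whether it contains a pam_tally2.so deny= restriction.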
[root@cxldb01 ~]#
[root@cxldb01 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
auth required pam_tally2.so deny=5 onerr=fail lock_time=1 serialize
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# EXADATA ACCESS CONTROL via /etc/exadata/security/exadata-access.conf
account required pam_access.so accessfile=/etc/exadata/security/exadata-access.conf
account required pam_nologin.so
account include password-auth
account required pam_tally2.so
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
session required pam_limits.so
[root@cxldb01 ~]#
[root@cxldb01 ~]# pam_tally2 --user username --reset
Login Failures Latest failure From
username 37 12/15/21 10:44:53 11.111.111.101
[root@cxldb01 ~]#
Unlock command:
[root@cxldb01 ~]# pam_tally2 --user username --reset