pam_unix(sudo:auth):对话失败,auth 无法识别 [username] 的密码 [英] pam_unix(sudo:auth): conversation failed, auth could not identify password for [username]

查看:602
本文介绍了pam_unix(sudo:auth):对话失败,auth 无法识别 [username] 的密码的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用 ansible 来配置我的 Centos 7 生产集群.不幸的是,执行以下命令会导致 ansible Tieout 和 Linux 可插拔身份验证模块 (pam) 错误对话失败.

I'm using ansible to provision my Centos 7 produciton cluster. Unfortunately, execution of below command results with ansible Tiemout and Linux Pluggable Authentication Modules (pam) error conversation failed.

相同的 ansible 命令运行良好,可以在 vagrant 盒子外针对虚拟实验室执行.

The same ansible command works well, executed against virtual lab mad out of vagrant boxes.

$ ansible master_server -m yum -a 'name=vim state=installed' -b -K -u lukas -vvvv
123.123.123.123 | FAILED! => {
    "msg": "Timeout (7s) waiting for privilege escalation prompt: \u001b[?1h\u001b=\r\r"
}

SSHd 日志

# /var/log/secure
Aug 26 13:36:19 master_server sudo: pam_unix(sudo:auth): conversation failed
Aug 26 13:36:19 master_server sudo: pam_unix(sudo:auth): auth could not identify password for [lukas]

推荐答案

我发现了问题.结果是 PAM 的 auth 模块问题!让我描述一下我是如何找到解决方案的.

I've found the problem. It turned out to be PAM's auth module problem! Let me describe how I got to the solution.

我设置了我的机器进行调试 - 即我打开了四个终端窗口.

I set up my machine for debugging - that is I had four terminal windows opened.

  • 第一个终端(本地机器):在这里,我正在执行 ansible prduction_server -m yum -a 'name=vim state=installed' -b -K -u username
  • 第二个终端(生产服务器):在这里,我执行了 journalctl -f(系统范围的日志).
  • 第三个终端(生产服务器):在这里,我执行了 tail -f/var/log/secure(sshd 的日志).
  • 第四个终端(生产服务器):在这里,我正在编辑 vi/etc/pam.d/sudo 文件.
  • 1st terminal (local machine): Here, I was executing ansible prduction_server -m yum -a 'name=vim state=installed' -b -K -u username
  • 2nd terminal (production server): Here, I executed journalctl -f (system wide log).
  • 3rd terminal (production server): Here, I executed tail -f /var/log/secure (log for sshd).
  • 4th terminal (production server): Here, I was editing vi /etc/pam.d/sudo file.

每次,我从第一个终端执行命令时都会出现以下错误:

Every time, I executed command from 1st terminal I got this errors:

# ansible error - on local machine
Timeout (7s) waiting for privilege escalation prompt error.

# sshd error - on remote machine
pam_unix(sudo:auth): conversation failed
pam_unix(sudo:auth):  [username]

我向同事展示了我的整个设置,他告诉我错误与PAM"有关.坦率地说,这是我第一次听说 PAM.所以,我必须阅读这个 PAM 教程.我发现,该错误与位于 /etc/pam.d/sudo 模块中的 auth 接口有关.通过互联网挖掘,我偶然发现了这个带有 sufficient 控制标志的 pam_permit.so 模块,它解决了我的问题!

I showed my entire setup to my colleague, and he told me that the error had to do something with "PAM". Frankly, It was the first time that I've heard about PAM. So, I had to read this PAM Tutorial. I figured out, that error relates to auth interface located in /etc/pam.d/sudo module. Diging over the internet, I stambled upon this pam_permit.so module with sufficient controll flag, that fixed my problem!

基本上,我添加的是 auth enough pam_permit.so 行到 /etc/pam.d/sudo 文件.看看下面的例子.

Basically, what I added was auth sufficient pam_permit.so line to /etc/pam.d/sudo file. Look at the example below.

$ cat /etc/pam.d/sudo
#%PAM-1.0
# Fixing ssh "auth could not identify password for [username]"
auth       sufficient   pam_permit.so

# Below is original config
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

结论:

我花了 4 天时间才找到这个解决方案.我偶然发现了数十种对我不起作用的解决方案,从在 ansible 主机/配置文件中重复 sudo 密码"ldap 特定配置" 到从总是脾气暴躁的系统管理员那里获得建议!

Conclusion:

I spent 4 days to arrive to this solution. I stumbled upon over a dozens solutions that did not worked for me, starting from "duplicated sudo password in ansible hosts/config file", "ldap specific configuration" to getting advice from always grumpy system admins!

由于我不是 PAM 方面的专家,我不知道此修复程序是否会影响系统的其他方面,因此请小心盲目复制粘贴此代码!但是,如果您是 PAM 方面的专家,请与我们分享替代解决方案或意见.谢谢!

这篇关于pam_unix(sudo:auth):对话失败,auth 无法识别 [username] 的密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆