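I have set up SSH with Kerberos V5 single sign-on. When a user's password has expired, it returns 'Warning: password has expired.' and lets the user log in! I have also changed /etc/pam.d/password-auth so that pam_krb5.so comes above pam_unix.so:
Auth stack: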
auth requisite pam_krb5.so uid >= 500
#Google authentication configuration module
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth requisite pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 0 quiet
Account stack:
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so
Please suggest any changes that would prevent users with expired passwords from logging in.
Logs:
krb5kdc.log …
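An added example, not part of the original post: a simplified Python model of how Linux-PAM walks the account stack posted above, which shows which modules are actually consulted and what status the stack ends with. The return codes fed to `evaluate` are assumed inputs, not observations from the asker's system, and the model ignores includes/substacks and sshd's own handling of the result.

```python
KEYWORDS = {  # keyword -> bracket form, as documented in pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
ACCOUNT_STACK = """
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so
"""

def parse(text):  # PAM lines (with the type column) -> [(module, {retcode: action})]
    rules = []
    for line in text.strip().splitlines():
        rest = line.split(None, 1)[1]               # drop the "account" column
        if rest.startswith("["):
            control, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in control.split())
        else:
            keyword, rest = rest.split(None, 1)
            actions = KEYWORDS[keyword]
        rules.append((rest.split()[0], actions))
    return rules

def evaluate(rules, returns):
    """returns maps module -> assumed return code; unlisted modules return success."""
    impression, status, ran, skip = None, "success", [], 0
    for module, actions in rules:
        if skip:
            skip -= 1
            continue
        rc = returns.get(module, "success")
        ran.append(module)
        action = actions.get(rc, actions.get("default", "bad"))
        if action.isdigit():
            skip = int(action)                      # jump over the next N modules
        elif action in ("ok", "done"):
            if impression is None or (impression == "+" and status == "success"):
                impression, status = "+", rc
            if action == "done" and impression == "+":
                break                               # stack ends here with a positive result
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", rc        # first failure is the one remembered
            if action == "die":
                break
    return (status if impression else "perm_denied"), ran
```

In this model, when `pam_localuser.so` is assumed to succeed the stack stops at that `sufficient` line and `pam_krb5.so` is never consulted; when it is assumed to fail, an assumed `new_authtok_reqd` from `pam_krb5.so` becomes the result of the stack.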