B:  公网地址





当A ssh 到2.2.2.2:3322端口的时候每次都是通过2.2.2.2来进行内外网转发的。而A 得到的know_hosts里面的key也是真是10.10.10.3的公钥。但是在A的know_hosts文件里10.10.10.3的公钥对应的IP却是2.2.2.2,而不是10.10.10.3。.所以会出现一个情况,当你以后ssh的22端口的时候会提示key出错了。












auth,account,password,session。每个部分又都有不同的方法,针对方法的使用也有不同的控制选项,一般有这些控制选项:required,requisite,sufficient,optional,include 这5种


具体内容man pam.d就都能看到,而很明显的,验证登录是通过auth这个部分来的。

this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service
based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant
user -- ’root’ login only on the console.

this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by
instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant
group membership or other privileges through its credential granting properties.

this module type is required for updating the authentication token associated with the user. Typically, there is one module for
each ’challenge/response’ based authentication (auth) type.

this module type is associated with doing things that need to be done for the user before/after they can be given service. Such
things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories,

The third field, control, indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. There
are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a
square-bracketed selection of value=action pairs.

For the simple (historical) syntax valid control values are:

failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this
service and type) have been invoked.

like required, however, in the case that such a module returns a failure, control is directly returned to the application. The
return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against
the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior
might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns
of exposing a sensitive password in a hostile environment.

success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module
has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that
this type has succeeded.

the success or failure of this module is only important if it is the only module in the stack associated with this service+type.

include all lines of given type from the configuration file specified as an argument to this control.

而所有的pam的方法都在/lib64/security/ 目录下,查询到登录验证是通过pam_tally2这个来进行的。通过man pam_tally2找到了很多对应的方法。因为之前查了很多网上的方法都是只针对普通用户的,不针对root用户的。root的方法跟普通的是不一样的。从这个来看以后还是得多看man帮助。



cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth       required     pam_tally2.so deny=3 onerr=fail no_magic_root even_deny_root unlock_time=120 root_unlock_time=120
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so