某局点交换机SSH登陆失败问题

现场SSH结合hwtacacs进行SSH登录，域的配置如下，由于认证服务器宕机，只能通过本地认证。

domain name hwtac

authentication login hwtacacs-scheme hwtac local

authorization login hwtacacs-scheme hwtac local

accounting login hwtacacs-scheme hwtac

新用户认证成功后，立即显示登录失败。

*Apr 14 15:48:34:218 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Get default work dir: flash:, return:0

%Apr 14 15:48:34:218 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/6/SSHS_CONNECT: -MDC=1; SSH user h3cadmin01 (IP: 198.18.10.74) connected to the server successfully.

%Apr 14 15:48:40:176 2021 GDMM-XYEG-1F-S12508R-SM-E101 LOGIN/5/LOGIN_FAILED: -MDC=1; h3cadmin01 failed to log in from 198.18.10.74.

*Apr 14 15:48:43:177 2201 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Received SIGCHLD.

*Apr 14 15:48:43:177 2201 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Received SIGCHLD.

*Apr 14 15:48:43:177 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: request exit-status confirm 0

*Apr 14 15:48:43:177 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Prepare packet[98].

*Apr 14 15:48:43:177 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Prepare packet[98].

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT:- MDC=1; Release channel 0

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT:- MDC=1; Release channel 0

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: write failed

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: write failed

Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: send EOW

Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: send EOW

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Prepare packet[98].

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: output state changed (open -> closed)

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: output state changed (open -> closed)

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(24)

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(24)

Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: read failed

Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: read failed

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: input state changed (open -> drain)

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: send EOF

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: send EOF

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Prepare packet[96].

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Prepare packet[96].

Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: input state changed (drain -> closed)

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: send SSH2_MSG_CHANNEL_CLOSE

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: send SSH2_MSG_CHANNEL_CLOSE

*Apr 14 15:48:43:178 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Prepare packet[97].

*Apr 14 15:48:43:190 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/MESSAGE: -MDC=1; Received packet type 97.

*Apr 14 15:48:43:190 2021 GDMM-XYEG-1F-S12508R-SM-E101 SSHS/7/EVENT: -MDC=1; Channel 0: received SSH2_MSG_CHANNEL_CLOSE

SSH用户登录如果不带域名，那么会选择缺省域 hwtac进行认证；domain hwtac配置了认证、授权选择先尝试进行tacacs认证授权，tacacs服务器不可达，才会选择local进行认证授权，计费配置了只走tacacs计费；现网环境中tacacs服务器不可达，所以SSH用户认证、授权最终通过本地认证、授权，但是计费只选择了tacacs，所以计费失败。针对login类型用户，如果计费失败会影响上线。而对于lan-access、Portal，计费失败不会影响用户上线。

在domain中增加计费local参数后即可认证成功。