Accepted
Andreas Schuldei
Asked: 2020-09-25 01:57:41 +0800 CST

Why does ssh login as an AD user with a private key in an nfs4 /home succeed on the second attempt?

  • 772

I configured a current Debian (v10.5) server with samba, winbind, sssd, krb5 and nfs-common to authenticate against the AD in my domain and to mount its /home via nfs4.

On the client (Windows with PuTTY, ssh from Linux) I have my private key in my ssh agent and try to log in to the server. I only allow private-key login and have disabled password login.

Now, when I ssh to the server, the first time I am prompted for a password; I use my AD password and get in. Then I log out again. The second time I log in, my private key is used and I get in.

Why does this work? I only want ssh private-key login to work. If I understand nfsv4 correctly, sshd (and root) should not be able to read my home directory or my authorized keys, and I could understand it if private-key login failed. So in a way I am glad it works - I just don't understand why.

What do I have to do so that only private-key login works, even the first time?

Here is the verbose sshd debug output of my second login attempt:

Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: oom_adjust_restore
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: Set /proc/self/oom_score_adj to 0
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: inetd sockets after dupping: 3, 3
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: Connection from 10.21.1.74 port 44732 on 195.37.235.121 port 22
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: Client protocol version 2.0; client software version OpenSSH_7.9p1 Debian-10+deb10u2
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: fd 3 setting O_NONBLOCK
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: Network child is on pid 12687
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: preauth child monitor started
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: privsep user:group 105:65534 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: permanently_set_uid: 105/65534 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: send packet: type 20 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: receive packet: type 20 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: SSH2_MSG_KEXINIT received [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: local server KEXINIT proposal [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: compression ctos: none,[email protected] [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: compression stoc: none,[email protected] [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: languages ctos:  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: languages stoc:  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: first_kex_follows 0  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: reserved 0  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: peer client KEXINIT proposal [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: compression ctos: none,[email protected],zlib [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: compression stoc: none,[email protected],zlib [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: languages ctos:  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: languages stoc:  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: first_kex_follows 0  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: reserved 0  [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: receive packet: type 30 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_sshkey_sign entering [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 6 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 6
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_answer_sign
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_answer_sign: hostkey proof signature 0x56470fc89c70(100)
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 7
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: monitor_read: 6 used once, disabling now
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 7 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: send packet: type 31 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: send packet: type 21 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug2: set_newkeys: mode 1 [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: rekey after 134217728 blocks [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Sep 24 11:44:26 jmp-ei-01 sshd[12686]: debug3: send packet: type 7 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: receive packet: type 21 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: set_newkeys: mode 0 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: rekey after 134217728 blocks [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: KEX done [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: receive packet: type 5 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: send packet: type 6 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: receive packet: type 50 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: userauth-request for user schuldeia service ssh-connection method none [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: attempt 0 failures 0 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_getpwnamallow entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 8 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 8
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_pwnamallow
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: parse_server_config: config reprocess config len 272
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 9
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: monitor_read: 8 used once, disabling now
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: input_userauth_request: setting up authctxt for schuldeia [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_start_pam entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 100 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 100
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: PAM: initializing for "schuldeia"
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: PAM: setting PAM_RHOST to "10.21.1.74"
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: PAM: setting PAM_TTY to "ssh"
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: monitor_read: 100 used once, disabling now
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_inform_authserv entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 4 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: input_userauth_request: try method none [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: ensure_minimum_time_since: elapsed 6.083ms, delaying 2.229ms (requested 8.313ms) [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 4
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_authserv: service=ssh-connection, style=, role=
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: monitor_read: 4 used once, disabling now
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: send packet: type 51 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: receive packet: type 50 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: userauth-request for user schuldeia service ssh-connection method publickey [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: attempt 1 failures 0 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: input_userauth_request: try method publickey [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_key_allowed entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 22 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 23 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 22
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyallowed entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyallowed: key_from_blob: 0x56470fc9e5f0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: temporarily_use_uid: 50709/10004 (e=0/0)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: trying public key file /home/schuldeia/.ssh/authorized_keys
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: fd 9 clearing O_NONBLOCK
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: /home/schuldeia/.ssh/authorized_keys:2: matching key found: RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: /home/schuldeia/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: Accepted key RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE found at /home/schuldeia/.ssh/authorized_keys:2
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: restore_uid: 0/0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyallowed: publickey authentication test: RSA key is allowed
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 23
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: send packet: type 60 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: ensure_minimum_time_since: elapsed 3.132ms, delaying 5.181ms (requested 8.313ms) [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: Postponed publickey for schuldeia from 10.21.1.74 port 44732 ssh2 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: receive packet: type 50 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: userauth-request for user schuldeia service ssh-connection method publickey [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: attempt 2 failures 0 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: input_userauth_request: try method publickey [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: userauth_pubkey: have rsa-sha2-512 signature for RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_key_allowed entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 22 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 23 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 22
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyallowed entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyallowed: key_from_blob: 0x56470fca0f50
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: temporarily_use_uid: 50709/10004 (e=0/0)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: trying public key file /home/schuldeia/.ssh/authorized_keys
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: fd 9 clearing O_NONBLOCK
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: /home/schuldeia/.ssh/authorized_keys:2: matching key found: RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: /home/schuldeia/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: Accepted key RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE found at /home/schuldeia/.ssh/authorized_keys:2
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: restore_uid: 0/0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 23
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_sshkey_verify entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 24 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 25 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 24
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_keyverify: publickey 0x56470fc9e5f0 signature verified
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: auth_activate_options: setting new authentication options
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 25
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 102
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: do_pam_account: called
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 103
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: Accepted publickey for schuldeia from 10.21.1.74 port 44732 ssh2: RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: monitor_child_preauth: schuldeia has been authenticated by privileged process
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_get_keystate: Waiting for new keys
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 26
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_get_keystate: GOT new keys
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: auth_activate_options: setting new authentication options [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: userauth_pubkey: authenticated 1 pkalg rsa-sha2-512 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: ensure_minimum_time_since: elapsed 1.791ms, delaying 6.522ms (requested 8.313ms) [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_do_pam_account entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 102 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_do_pam_account returning 1 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: send packet: type 52 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 26 [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_send_keystate: Finished sending state [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: monitor_read_log: child log fd closed
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: ssh_sandbox_parent_finish: finished
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: PAM: establishing credentials
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: PAM: opening session
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: pam_unix(sshd:session): session opened for user schuldeia by (uid=0)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: PAM: sshpam_store_conv called with 1 messages
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: PAM: sshpam_store_conv called with 1 messages
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: User child is on pid 12692
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_receive entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: monitor_read: checking request 28
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_pty entering
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug2: session_new: allocate (allocated 0 max 10)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: session_unused: session id 0 unused
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: session_new: session 0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: SELinux support disabled
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_request_send entering: type 29
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: mm_answer_pty: tty /dev/pts/3 ptyfd 5
ssh nfs4 ssh-keys
  • 1 answer
  • 156 Views

1 answer

  • Voted
  1. Best Answer
    ZaZa
    2021-03-05T18:15:07+08:00

    Let's first look at how NFS with sec=sys handles this, and then we will see why NFS with sec=krb5* security fails. In this example we run an SSH server and an NFS server on two different machines.

    The SSH daemon normally runs as root on the SSH server. Assuming your NFS server is configured to squash root and your home directory is readable only by you, the SSH daemon running as root is not allowed to read the public key stored in your home directory. When the SSH server needs to check the public key, it spawns another process as the user you are trying to log in as, and that user then has permission to read the public key file. If the user holds the correct private key, they can log in.

    This approach works with NFS sec=sys because the client machine tells the NFS server who is connecting and the NFS server blindly trusts it.

    Now let's look at sec=krb5*. In this security model the NFS server requires the client to present a ticket that confirms its identity. Assume you have not yet logged in to the SSH server. As before, the root account cannot read the SSH public key. But unlike before, spawning a process as the correct user does not help, because that user has no NFS service ticket or TGT. This authentication method then fails, and the SSH daemon tries another authentication method, such as password.

    Now, after authenticating with a password, you have obtained a Kerberos TGT and probably an NFS service ticket as well. After you log out, my guess is that the credential cache remains valid on the SSH server. When you try to log in again, this time, once the SSH daemon spawns a process as the user, it is able to read the public key because it still has valid credentials for that user.

    Hope this helps!

    • 4
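As an added example (not part of the question or of ZaZa's answer), the following Python script extracts from an sshd `LogLevel DEBUG3` log like the one posted in the question the facts the answer relies on: the uid/gid sshd temporarily switches to before it reads `authorized_keys`, the file it tries, whether that read succeeds, and the final verdict. The excerpt of the successful second attempt is taken from the question's log; the first-attempt lines are constructed, since the question did not post them, and use the `Could not open authorized keys` message sshd prints when the file cannot be read. The verdict strings and the `PubkeySummary` structure are this example's own.

```python
"""Triage the public-key phase of an sshd debug log (LogLevel DEBUG3).

Added example, not code from the question or the answer. It pulls out of
the log which uid sshd switched to before reading authorized_keys, which
file it tried, whether it could open the file, and whether the key was
finally accepted. The FIRST_ATTEMPT lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Patterns for the lines the privileged sshd monitor writes while it checks
# the user's authorized_keys (OpenSSH 7.x debug output).
RE_USER = re.compile(r"userauth-request for user (\S+) service")
RE_UID = re.compile(r"temporarily_use_uid: (\d+)/(\d+)")
RE_TRY = re.compile(r"trying public key file (\S+)")
RE_OPEN_FAIL = re.compile(r"Could not open authorized keys '([^']+)': (.+)$")
RE_MATCH = re.compile(r"(\S+):(\d+): matching key found: (\S+ \S+)")
RE_NEXT = re.compile(r'next methods="([^"]+)"')
RE_PAM_ACCT = re.compile(r"pam_acct_mgmt = (\d+)")
RE_ACCEPT = re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+)")


@dataclass
class PubkeySummary:
    user: Optional[str] = None
    uid_gid: Optional[Tuple[int, int]] = None  # uid/gid sshd switched to
    key_files: List[str] = field(default_factory=list)
    open_errors: List[Tuple[str, str]] = field(default_factory=list)
    matches: List[Tuple[str, int, str]] = field(default_factory=list)
    offered_methods: List[str] = field(default_factory=list)
    pam_account_ok: Optional[bool] = None
    accepted: bool = False


def summarise(lines):
    """Walk the log once and collect the key-check facts in order."""
    s = PubkeySummary()
    for raw in lines:
        line = raw.rstrip()
        if m := RE_USER.search(line):
            s.user = s.user or m.group(1)
        elif m := RE_UID.search(line):
            s.uid_gid = (int(m.group(1)), int(m.group(2)))
        elif m := RE_TRY.search(line):
            s.key_files.append(m.group(1))
        elif m := RE_OPEN_FAIL.search(line):
            s.open_errors.append((m.group(1), m.group(2)))
        elif m := RE_MATCH.search(line):
            s.matches.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := RE_NEXT.search(line):
            s.offered_methods = m.group(1).split(",")
        elif m := RE_PAM_ACCT.search(line):
            s.pam_account_ok = m.group(1) == "0"
        elif RE_ACCEPT.search(line):
            s.accepted = True
    return s


def diagnose(s):
    """Map the summary onto the cases discussed in the question and answer."""
    if s.accepted:
        return "accepted"
    if s.open_errors:
        # The uid switch happened but the file still could not be read: on a
        # sec=krb5* home this is the missing-credential case the answer
        # describes; on sec=sys it is a plain permissions problem.
        return "authorized_keys unreadable"
    if not s.key_files:
        return "no publickey attempt"
    return "publickey rejected"


# Excerpt of the successful second attempt posted in the question.
SECOND_ATTEMPT = """\
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: userauth-request for user schuldeia service ssh-connection method none [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: temporarily_use_uid: 50709/10004 (e=0/0)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: trying public key file /home/schuldeia/.ssh/authorized_keys
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: /home/schuldeia/.ssh/authorized_keys:2: matching key found: RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug1: restore_uid: 0/0
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 24 11:44:27 jmp-ei-01 sshd[12686]: Accepted publickey for schuldeia from 10.21.1.74 port 44732 ssh2: RSA SHA256:5sI4OvJOs6+7RcD76iomtR6geCSBoZ5397jeWzNlspE
""".splitlines()

# Constructed lines for the first attempt (not posted in the question): the
# uid switch happens, but the Kerberos-protected home cannot be read yet.
FIRST_ATTEMPT = """\
Sep 24 11:30:02 jmp-ei-01 sshd[12001]: debug1: userauth-request for user schuldeia service ssh-connection method publickey [preauth]
Sep 24 11:30:02 jmp-ei-01 sshd[12001]: debug1: temporarily_use_uid: 50709/10004 (e=0/0)
Sep 24 11:30:02 jmp-ei-01 sshd[12001]: debug1: trying public key file /home/schuldeia/.ssh/authorized_keys
Sep 24 11:30:02 jmp-ei-01 sshd[12001]: debug1: Could not open authorized keys '/home/schuldeia/.ssh/authorized_keys': Permission denied
Sep 24 11:30:02 jmp-ei-01 sshd[12001]: debug1: restore_uid: 0/0
Sep 24 11:30:02 jmp-ei-01 sshd[12001]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
""".splitlines()


if __name__ == "__main__":
    for name, lines in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        s = summarise(lines)
        print(f"{name}: user={s.user} uid/gid={s.uid_gid} files={s.key_files} -> {diagnose(s)}")
```

Run against the full log from the question (for example `python3 triage.py < sshd-debug.log` after replacing the embedded sample with `sys.stdin`), the `temporarily_use_uid` line is the one to watch: it shows sshd dropping to the user's uid/gid exactly as the answer describes, and whether the read of `authorized_keys` that follows succeeds tells you whether that uid alone was enough (sec=sys) or whether a credential cache had to be present (sec=krb5*).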
