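I need to temporarily enable root SSH with a key on a Fedora 40 workstation. The SSH client log confirms that the correct key was sent and accepted (copied below). The sshd debug log (also below) shows the same, but somehow ROOT LOGIN REFUSED FROM ... is still happening.

Things I have done:

- In /etc/ssh/sshd_config: PermitRootLogin yes + AllowUsers root ... DenyUsers|DenyGroups are not set in the same file.
- The root user is not locked (sudo passwd -S root), and also has a valid shell.
- Temporarily set sudo setenforce 0 to rule out SELinux.
- ls -l /root/.ssh/authorized_keys (and the parent directory) confirms correct permissions (600, 700) (StrictModes no is used anyway, just in case).
- /etc/security/access.conf shows no restrictions for root (all lines are commented out).
- No custom configuration added: cat /etc/pam.d/

Client log: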
ssh -v -t -o IdentitiesOnly=yes -o PreferredAuthentications=publickey [email protected]
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Will attempt key: /Users/.../.ssh/id_ed25519 ED25519 SHA256:4ZMC... explicit agent
debug1: Offering public key: /Users/.../.ssh/id_ed25519 ED25519...
debug1: Server accepts key: /Users/.../.ssh/id_ed25519 ED25519...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Server log:
Jul 25 08:37:05 n1 sshd[110058]: debug1: PAM: initializing for "root"
Jul 25 08:37:05 n1 sshd[110058]: debug1: PAM: setting PAM_RHOST to "192.168.1.23"
Jul 25 08:37:05 n1 sshd[110058]: debug1: PAM: setting PAM_TTY to "ssh"
Jul 25 08:37:05 n1 sshd[110058]: debug1: userauth-request for user root service ssh-connection method publickey [preauth]
Jul 25 08:37:05 n1 sshd[110058]: debug1: attempt 1 failures 0 [preauth]
Jul 25 08:37:05 n1 sshd[110058]: debug1: userauth_pubkey: publickey test pkalg ssh-ed25519 pkblob ED25519 SHA256:4ZMC4... [preauth]
Jul 25 08:37:05 n1 sshd[110058]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jul 25 08:37:05 n1 sshd[110058]: debug1: trying public key file /root/.ssh/authorized_keys
Jul 25 08:37:05 n1 sshd[110058]: debug1: fd 5 clearing O_NONBLOCK
Jul 25 08:37:05 n1 sshd[110058]: debug1: /root/.ssh/authorized_keys:1: matching key found: ED25519 SHA256:4ZMC4....
Jul 25 08:37:05 n1 sshd[110058]: debug1: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Jul 25 08:37:05 n1 sshd[110058]: Accepted key ED25519 SHA256:4ZMC4.... found at /root/.ssh/authorized_keys:1
Jul 25 08:37:05 n1 sshd[110058]: debug1: restore_uid: 0/0
Jul 25 08:37:05 n1 sshd[110058]: Postponed publickey for root from 192.168.1.23 port 50995 ssh2 [preauth]
Jul 25 08:37:05 n1 sshd[110058]: debug1: userauth-request for user root service ssh-connection method [email protected] [preauth]
Jul 25 08:37:05 n1 sshd[110058]: debug1: attempt 2 failures 0 [preauth]
Jul 25 08:37:05 n1 sshd[110058]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jul 25 08:37:05 n1 sshd[110058]: debug1: trying public key file /root/.ssh/authorized_keys
Jul 25 08:37:05 n1 sshd[110058]: debug1: fd 5 clearing O_NONBLOCK
Jul 25 08:37:05 n1 sshd[110058]: debug1: /root/.ssh/authorized_keys:1: matching key found: ED25519 SHA256:4ZMC4j....
Jul 25 08:37:05 n1 sshd[110058]: debug1: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Jul 25 08:37:05 n1 sshd[110058]: Accepted key ED25519 SHA256:4ZMC4jv... found at /root/.ssh/authorized_keys:1
Jul 25 08:37:05 n1 sshd[110058]: debug1: restore_uid: 0/0
Jul 25 08:37:05 n1 sshd[110058]: debug1: auth_activate_options: setting new authentication options
Jul 25 08:37:05 n1 sshd[110058]: ROOT LOGIN REFUSED FROM 192.168.1.23 port 50995
Jul 25 08:37:05 n1 sshd[110058]: Failed publickey for root from 192.168.1.23 port 50995 ssh2: ED25519 SHA256:4ZMC4jv....
Jul 25 08:37:05 n1 sshd[110058]: debug1: auth_activate_options: setting new authentication options [preauth]
Jul 25 08:37:05 n1 sshd[110058]: ROOT LOGIN REFUSED FROM 192.168.1.23 port 50995 [preauth]
Jul 25 08:37:05 n1 sshd[110058]: Connection closed by authenticating user root 192.168.1.23 port 50995 [preauth]
Also:
cat /etc/securetty
ssh
pts/0
pts/1
pts/2
pts/3
sudo sshd -T | grep -Ev '(#|^$)' | grep -Ei 'permit'
permitrootlogin no
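This shows that setting as still in effect despite some changes I made to the /etc/ssh/sshd_config file. After digging deeper, I found that the system I was working on had a /etc/ssh/sshd_config.d/*.conf file overriding this file, even though that file was meant to configure something different 🤦‍♂️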
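
The override described above can be located mechanically. The following script is an added example, not part of the original post: it walks sshd_config and its Include files in the order sshd reads them and reports which file:line supplies the effective value, since sshd uses the first value it obtains for each keyword. The function names and the sample tree are constructed for illustration, and lines after a Match line are skipped as a simplification.

```shell
#!/bin/sh
# scan_sshd_conf KEYWORD [MAIN] [BASE]
# Print every global-scope occurrence of KEYWORD as "file:line: text", in the
# order sshd reads it, following Include directives (globs sort lexically).
# Simplification: lines after a Match line in a file are conditional, so skipped.
scan_sshd_conf() (
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    file=${2:-/etc/ssh/sshd_config}; base=${3:-/etc/ssh}
    [ -r "$file" ] || exit 0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Split "Keyword value" / "Keyword=value" without expanding globs yet.
        set -f; set -- $(printf '%s' "$line" | tr '=' ' '); set +f
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $key in
            \#*) continue ;;
            match) break ;;
            include)
                shift
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for inc in $pat; do scan_sshd_conf "$kw" "$inc" "$base"; done
                done ;;
            "$kw") printf '%s:%s: %s\n' "$file" "$n" "$line" ;;
        esac
    done < "$file"
)

# sshd keeps the first value it obtains for a keyword; later ones are ignored.
effective_source() { scan_sshd_conf "$@" | head -n 1; }
shadowed() { scan_sshd_conf "$@" | tail -n +2; }

# Constructed sample tree (file names are made up) reproducing the post's layout.
make_demo_tree() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin yes\nAllowUsers root\n' \
        "$d" > "$d/sshd_config"
    printf '# unrelated drop-in\nX11Forwarding yes\nPermitRootLogin no\n' \
        > "$d/sshd_config.d/50-example.conf"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree) || exit 1
echo "effective: $(effective_source PermitRootLogin "$demo/sshd_config")"
echo "ignored:   $(shadowed PermitRootLogin "$demo/sshd_config")"
rm -rf "$demo"
```

On a real host, effective_source PermitRootLogin with no further arguments scans /etc/ssh/sshd_config; the result should agree with what sshd -T reports.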