AskOverflow.Dev


Questions [public-key] (server)

LHMathies
Asked: 2021-10-05 12:51:29 +0800 CST

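Does using an SSH jump host count as a login?

  • 0

I have requested a service account from the AD people that will let me use a specific server as an SSH jump host (using ProxyJump), and of course I have set up an SSH private key for it. The jump host itself is running SSSD to authenticate users against AD.

However, I have been warned that the account will be purged if the AD LastLoginTimeStamp attribute on the service account gets too old. So the question is: will whatever the PAM modules that SSSD activates on behalf of SSHD do for a tunnel-only login (no user command) actually update that timestamp? Using LDAP to look up the user's groups is probably not enough, but what is? I can investigate on the Linux side to see what SSSD does, but I don't have easy access to the AD side to check whether the timestamp is updated.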

active-directory ssh public-key
  • 1 answer
  • 112 Views
AnotherCluelessGuy
Asked: 2021-05-21 09:40:59 +0800 CST

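SSH - Permission denied (publickey)

  • 1

This is another SSH question. It worked before updating to Fedora 33, but now it doesn't, which leads me to believe this is a client-side problem. Does anyone see anything in the logs that could provide a clue? Unfortunately, I am just a hobbyist, not an expert.

ssh -vvv log: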

ssh testuser@testserver -vvv
OpenSSH_8.4p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host testserver originally testserver
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host testserver originally testserver
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/test/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/test/.ssh/known_hosts2'
debug2: resolving "testserver" port 22
debug2: ssh_connect_direct
debug1: Connecting to testserver [111.111.111.111] port 22.
debug1: Connection established.
debug1: identity file /home/test/.ssh/id_rsa type -1
debug1: identity file /home/test/.ssh/id_rsa-cert type -1
debug1: identity file /home/test/.ssh/id_dsa type -1
debug1: identity file /home/test/.ssh/id_dsa-cert type -1
debug1: identity file /home/test/.ssh/id_ecdsa type -1
debug1: identity file /home/test/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/test/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/test/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/test/.ssh/id_ed25519 type -1
debug1: identity file /home/test/.ssh/id_ed25519-cert type -1
debug1: identity file /home/test/.ssh/id_ed25519_sk type -1
debug1: identity file /home/test/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/test/.ssh/id_xmss type -1
debug1: identity file /home/test/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u8
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u8 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to testserver:22 as 'testuser'
debug3: hostkeys_foreach: reading file "/home/test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from testserver
debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: [email protected] need=32 dh_need=32
debug1: kex: [email protected] need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:IM4bKknzoKNTV6xGlCYGhs0e0VwhgOhDIdQO7AmJeQQ
debug3: hostkeys_foreach: reading file "/home/test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from testserver
debug3: hostkeys_foreach: reading file "/home/test/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/test/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 111.111.111.111
debug1: Host 'testserver' is known and matches the ECDSA host key.
debug1: Found key in /home/test/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: testuser@testserver RSA SHA256:WWWWWWWWWWWWWWWWW agent
debug1: Will attempt key: /home/test/.ssh/id_rsa 
debug1: Will attempt key: /home/test/.ssh/id_dsa 
debug1: Will attempt key: /home/test/.ssh/id_ecdsa 
debug1: Will attempt key: /home/test/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/test/.ssh/id_ed25519 
debug1: Will attempt key: /home/test/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/test/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: testuser@testserver RSA SHA256:WWWWWWWWWWWWWWWWW agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/test/.ssh/id_rsa
debug3: no such identity: /home/test/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/test/.ssh/id_dsa
debug3: no such identity: /home/test/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/test/.ssh/id_ecdsa
debug3: no such identity: /home/test/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/test/.ssh/id_ecdsa_sk
debug3: no such identity: /home/test/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/test/.ssh/id_ed25519
debug3: no such identity: /home/test/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/test/.ssh/id_ed25519_sk
debug3: no such identity: /home/test/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/test/.ssh/id_xmss
debug3: no such identity: /home/test/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
testuser@testserver: Permission denied (publickey).

Pretty much the only server log entry that gives any hint:

testserver sshd[1111]: Connection closed by ip [preauth]

It is an old Debian machine, if that provides any clue.

ssh fedora public-key
  • 1 answer
  • 752 Views
Dave Everitt
Asked: 2021-03-15 09:27:16 +0800 CST

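For SSH-only access, do I leave `#PubkeyAuthentication yes` commented out in sshd_config, or uncomment it?

  • 0

Just set up a new Debian 10 server, uploaded my public SSH key, and haven't restarted sshd yet.

I can now log in without a password, so I am now making all the usually recommended edits in /etc/ssh/sshd_config: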

  • ChallengeResponseAuthentication no
  • usePAM no
  • PermitRootLogin no
  • PasswordAuthentication no

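But I am wondering whether leaving #PubkeyAuthentication yes commented out means "not set", i.e. some posts seem to indicate that I can still SSH in pw-free without explicitly uncommenting this line?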

debian ssh public-key
  • 1 answer
  • 2342 Views
lk7777
Asked: 2021-01-14 06:42:34 +0800 CST

Strongswan roadwarrior scenario with pubkey authentication problem

  • 0

Ubuntu 20.04 Strongswan 5.9.1 (built from source)

swanctl.conf

Android Strongswan app

I am using a self-signed CA and certificates.

roadwarr-ikev2-pubkey {
    version = 2
    #proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    proposals = aes256-sha1-modp1024,default
    rekey_time = 0s
    pools = primary-pool-ipv4
    fragmentation = yes
    dpd_delay = 30s
    local_addrs = %any
    # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
    local-1 {
        #auth = pubkey
        certs = Srv1SwanCert.der
        id = ub-srv-1
    }
    remote-1 {
        # defaults are fine.
        #auth = pubkey
        #id = androidLkP
        id = %any
    }
    children {
        roadwarr-ikev2-pubkey {
            # local_ts = 10.10.5.0/24
            local_ts = 0.0.0.0/0
            rekey_time = 0s
            dpd_action = clear
            # esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            esp_proposals = aes256-sha1-modp1024,default
        }
    }
}

This setup only works when the "Client identity" in the Android app is blank. As soon as I add a client ID, I get this:

15[CFG] selected peer config 'roadwarr-ikev2-pubkey'
15[IKE] no trusted RSA public key found for 'androidLkP'

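androidLkP is the CN in this particular certificate.

I have extracted a public key from the certificate using the pki command and put it into the /etc/swanctl/pubkey folder. My goal is to have separate configs for specific clients rather than using id = %any

The pubkey plugin is loaded.

What could be causing this problem?

Does it work with a self-signed CA, or does it need a real trusted CA?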

strongswan public-key
  • 1 answer
  • 454 Views
Mathieu
Asked: 2020-11-05 19:26:55 +0800 CST

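Cannot access my server: "Permission denied (publickey)".

  • 0

Hi, I created a key ring on my server B

I copied server B's public key into server A's authorized_keys file

My servers are on Ubuntu 20.04 LTS

When I try to transfer a directory from server A to server B, I get this error: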

ubuntu@server_B:~$ scp -r -p ubuntu@server_A:/home/ubuntu/www-example-com/ /home/ubuntu/www-example-com/
ubuntu@server_A: Permission denied (publickey).

Why do I get this error? How can I fix it?

ubuntu@server_B:~$ ls -l /home
total 20
drwx------  2 root   root   16384 Nov  5 01:14 lost+found
drwxr-xr-x 11 ubuntu ubuntu  4096 Nov  5 03:57 ubuntu



ubuntu@server_B:~$ ls -a -l /home/ubuntu
total 76
drwxr-xr-x 11 ubuntu ubuntu 4096 Nov  5 03:57 .
drwxr-xr-x  4 root   root   4096 Nov  5 01:04 ..
-rw-------  1 ubuntu ubuntu 4961 Nov  5 03:38 .bash_history
-rw-r--r--  1 ubuntu ubuntu  220 Feb 25  2020 .bash_logout
-rw-r--r--  1 ubuntu ubuntu 3771 Feb 25  2020 .bashrc
-rw-rw-r--  1 ubuntu ubuntu  241 Nov  5 01:28 bridge_log.txt
drwx------  3 ubuntu ubuntu 4096 Nov  5 01:24 .cache
drwxr-x---  3 ubuntu ubuntu 4096 Nov  5 01:24 .config
drwx------  4 ubuntu ubuntu 4096 Nov  5 01:28 .gnupg
drwxrwxr-x  3 ubuntu ubuntu 4096 Nov  5 03:57 .local
-rw-------  1 ubuntu ubuntu  409 Nov  5 03:50 .mysql_history
drwxr-xr-x  9 ubuntu ubuntu 4096 Nov  5 03:27 nginx-1.18.0
drwxrwxr-x  7 ubuntu ubuntu 4096 Nov  5 03:27 ngx_brotli
drwx------  3 ubuntu ubuntu 4096 Nov  5 01:24 .password-store
-rw-r--r--  1 ubuntu ubuntu  807 Feb 25  2020 .profile
drwx------  2 ubuntu ubuntu 4096 Nov  5 04:43 .ssh
-rw-r--r--  1 ubuntu ubuntu    0 Nov  5 01:07 .sudo_as_admin_successful
-rw-rw-r--  1 ubuntu ubuntu  204 Nov  5 03:33 .wget-hsts
drwxr-xr-x  2 ubuntu ubuntu 4096 Nov  5 04:00 www-example-com



ubuntu@server_B:~$ ls -l .ssh
total 16
-rw------- 1 ubuntu ubuntu  748 Nov  5 04:34 authorized_keys
-rw------- 1 ubuntu ubuntu 3434 Nov  5 04:32 id_rsa_dev-example-com
-rw-r--r-- 1 ubuntu ubuntu  748 Nov  5 04:32 id_rsa_dev-example-com.pub
-rw-r--r-- 1 ubuntu ubuntu  222 Nov  5 04:43 known_hosts

and

ubuntu@server_A ~ $ ls -l /home
total 20
drwx------  2 root   root   16384 Sep  7 17:10 lost+found
drwxr-xr-x 12 ubuntu ubuntu  4096 Nov  5 02:02 ubuntu



ubuntu@server_A ~ $ ls -a -l /home/ubuntu
total 148
drwxr-xr-x 12 ubuntu ubuntu  4096 Nov  5 02:02 .
drwxr-xr-x  4 root   root    4096 Sep  7 17:04 ..
-rw-------  1 ubuntu ubuntu 72711 Nov  5 02:02 .bash_history
-rw-r--r--  1 ubuntu ubuntu   220 Feb 25  2020 .bash_logout
-rw-r--r--  1 ubuntu ubuntu  4049 Sep  7 21:13 .bashrc
-rw-rw-r--  1 ubuntu ubuntu   258 Sep  7 17:20 bridge_log.txt
drwx------  4 ubuntu ubuntu  4096 Sep  7 17:50 .cache
drwxr-x---  4 ubuntu ubuntu  4096 Sep  7 17:50 .config
drwxrwxr-x  3 ubuntu ubuntu  4096 Sep  7 21:13 .drush
drwx------  4 ubuntu ubuntu  4096 Oct 27 16:15 .gnupg
drwxrwxr-x  3 ubuntu ubuntu  4096 Sep  7 17:50 .local
-rw-------  1 ubuntu ubuntu  3417 Sep 14 04:38 .mysql_history
drwxr-xr-x  9 ubuntu ubuntu  4096 Sep  7 17:38 nginx-1.18.0
drwxrwxr-x  7 ubuntu ubuntu  4096 Sep  7 17:38 ngx_brotli
drwx------  3 ubuntu ubuntu  4096 Sep  7 17:18 .password-store
-rw-r--r--  1 ubuntu ubuntu   807 Feb 25  2020 .profile
-rw-rw-r--  1 ubuntu ubuntu    66 Sep  7 21:15 .selected_editor
drwx------  2 ubuntu ubuntu  4096 Nov  5 04:42 .ssh
-rw-r--r--  1 ubuntu ubuntu     0 Sep  7 17:07 .sudo_as_admin_successful
-rw-rw-r--  1 ubuntu ubuntu   244 Nov  5 03:45 .wget-hsts
drwxr-xr-x  6 ubuntu ubuntu  4096 Nov  4 01:03 www-example-com



ubuntu@server_A ~ $ ls -l .ssh
total 4
-rw------- 1 ubuntu ubuntu 1496 Nov  5 04:33 authorized_keys

Server B (copy)

$ cat /home/ubuntu/.ssh/id_rsa_dev-example-com.pub

Server A (paste)

$ nano /home/ubuntu/.ssh/authorized_keys
$ sudo systemctl restart ssh
ubuntu security command-line-interface ssh public-key
  • 2 answers
  • 1112 Views
TitanShadow
Asked: 2020-09-05 10:43:51 +0800 CST

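Public key authentication not working on Windows 10 Pro

  • 1

I have been trying to configure OpenSSH for my Windows 10 Pro media server. I can log in fine with a password, but I am trying to set up public key authentication.

I have edited my sshd_config file to allow public key authentication. Both the client and the server are running ssh-agent. Since the account is an administrator account, I have copied and pasted my SSH public key from the client computer into the C:\ProgramData\ssh\administrators_authorized_keys file. Permissions on that file are set the same as the other key files in the directory, i.e. SYSTEM and Administrators both have full control, and no one else is listed.

I turned on debug logging, and when I try to connect with the public key I get this: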

debug1: userauth-request for user uther service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user uther matched group list administrators at line 84
debug1: userauth-request for user uther service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg ssh-rsa pkblob RSA SHA256:jcQNaVuxvH90SIh4zu8xduBqJaav1WFQJIov3hiFSFM [preauth]
debug1: trying public key file C:\\ProgramData\\ssh\\administrators_authorized_keys
Failed publickey for uther from 10.0.0.24 port 60432 ssh2: RSA SHA256:jcQNaVuxvH90SIh4zu8xduBqJaav1WFQJIov3hiFSFM
debug1: userauth-request for user uther service ssh-connection method keyboard-interactive [preauth]

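I can't figure out how to fix this. I used Remote Desktop to cut and paste the text from id_rsa.pub on the client into the administrators authorized keys file on the server. There don't seem to be any permission errors, and I can't figure out why it won't authenticate.

I would appreciate any help anyone can offer to get this working. It isn't critical, and SSH isn't exposed to the Internet, but some of the scripts I use would do better with public key authentication.

I should also note that I set up the server using my Microsoft account, and I have been wondering whether that has something to do with it, so I may try setting up a straight local account to see if that fixes it.

Edit: I tried to create a local user account, but I can't. Even when I try using the control userpasswords2 dialog, all the options for creating an account are disabled. I guess that must be because I have Windows 10 Pro rather than the higher, most expensive edition.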

windows ssh public-key
  • 2 answers
  • 4150 Views
Chacko Mathew
Asked: 2020-09-02 10:23:46 +0800 CST

I am having trouble configuring and running an openvpn server

  • 1

Server log

Options error: Unrecognized option or missing or extra parameter(s) in server.ovpn:4: cert (2.4.9) Use --help for more information.

Server config

server 192.168.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert serverport 1194
proto udp

Can anyone help solve this problem?

dev tun
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert serverVPN.crt
key serverVPN.key
dh dh1024.pem
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
client-to-client
log-append /var/log/openvpn
group daemon
daemon
verb 3.crt
key server.key
dh dh1024.pem
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
client-to-client
log-append /var/log/openvpn
group daemon
daemon
verb 3
openvpn rsa public-key
  • 2 answers
  • 60 Views
Alex Eastman
Asked: 2020-07-19 08:29:21 +0800 CST

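Local GitLab not accepting SSH key

  • 0

I looked at this post, but it seems to be written for OSX and/or Windows, and I'm not sure how to apply it to my situation:
GitLab Not Working With SSH-Keys

I set up my GitLab instance normally using Omnibus (the bash script that adds to gitlab.sources). I am running GitLab on a local server. The local server is using OpenSSH to allow connections from my host machine, and I have ports 80 and 8060 open to my local machine for connecting to the GitLab website. When GitLab is up, I can log in to the website, and I can create admin and user accounts.

I went to the settings under my user and added the public key for the key I generated, and I even reconfigured and restarted the GitLab instance, but every time I try to connect from my local machine via the terminal I get a Permission Denied (publickey) error.

I am not well versed in GitLab configuration (via gitlab.rb) or SSH configuration. The only things I can think of are wrong permissions on a file or directory, or GitLab not knowing where to look for / how to find the key I am using. Any help is greatly appreciated, and I am happy to provide any information I have left out!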

git gitlab public-key ssh-keys
  • 2 answers
  • 1011 Views
reign
Asked: 2020-04-19 08:01:51 +0800 CST

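openSSH: not disclosing the reason for permission denied

  • 0

I have set up public key authentication on my VPS and disabled password login. If anyone tries to connect to my VPS, it now says "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)".

I am not comfortable with other people knowing that I have set up public key authentication; I want the bad guys to know as little as possible about my secret hideout.

How do I stop openSSH from telling all my secrets?

Thanks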

ssh vps public-key
  • 1 answer
  • 46 Views
lsambo
Asked: 2020-03-17 04:07:07 +0800 CST

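Permission denied (publickey) - troubleshooting sshd pulling public keys from an LDAP server

  • 0

1. Problem summary:

Hello, recently in our infrastructure's production environment, new users have been unable to ssh into a Debian jump server. The jump server's SSH daemon retrieves SSH public keys from an LDAP server. We have verified the local sshd configuration, the sshd logs, and the presence of the public keys in LDAP, and we cannot fully understand what is preventing the users from logging in.

2. Details (configuration files):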

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for

Port 22

# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes


# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no


Match Address 172.20.1.*,10.*
    PasswordAuthentication yes


Match Group ldap-user
    AuthorizedKeysFile /dev/null
    AuthorizedKeysCommand /opt/ourcompanyname/scripts/ldap_keys.sh
    AuthorizedKeysCommandUser nobody

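The script that queries LDAP:

#!/bin/bash

# sshd runs this as AuthorizedKeysCommandUser (nobody); $1 is the login name.
if [ "$(whoami)" = nobody ]; then
  /usr/local/bin/ldap_ssh_keys -f /tmp/ssh_keys.log -b dc=prod,dc=ourcompany -u ldaps://ldap.prod.ourcompanydomain -l DEBUG "$1"
else
  echo "should be run as user nobody"
fi

3. What we tried (logs):

User attempting to connect to the server (client side)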

 myusername@laptophostname currentfoldr % ssh -vvv [email protected]
    OpenSSH_7.9p1, LibreSSL 2.7.3
    debug1: Reading configuration data /Users/myusername/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 48: Applying options for *
    debug2: resolving "jbox01.prod.ourcompanydomain" port 22
    debug2: ssh_connect_direct
    debug1: Connecting to jbox01.prod.ourcompanydomain [172.20.1.66] port 22.
    debug1: Connection established.
    debug1: identity file /Users/myusername/.ssh/id_rsa type 0
    debug1: identity file /Users/myusername/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_dsa type -1
    debug1: identity file /Users/myusername/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_ecdsa type -1
    debug1: identity file /Users/myusername/.ssh/id_ecdsa-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_ed25519 type -1
    debug1: identity file /Users/myusername/.ssh/id_ed25519-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_xmss type -1
    debug1: identity file /Users/myusername/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_7.9
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u6
    debug1: match: OpenSSH_7.4p1 Debian-10+deb9u6 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
    debug2: fd 5 setting O_NONBLOCK
    debug1: Authenticating to jbox01.prod.ourcompanydomain:22 as 'myusername'
    debug3: hostkeys_foreach: reading file "/Users/myusername/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /Users/myusername/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys from jbox01.prod.ourcompanydomain
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected]
    debug2: compression stoc: none,[email protected]
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:VKd849z2c6XlUO3p7GnZpwVIwtdhI6Gl+6EsTImYwLI
    debug3: hostkeys_foreach: reading file "/Users/myusername/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /Users/myusername/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys from jbox01.prod.ourcompanydomain
    debug3: hostkeys_foreach: reading file "/Users/myusername/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /Users/myusername/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys from 172.20.1.66
    debug1: Host 'jbox01.prod.ourcompanydomain' is known and matches the ECDSA host key.
    debug1: Found key in /Users/myusername/.ssh/known_hosts:1
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug1: Will attempt key: /Users/myusername/.ssh/id_rsa RSA SHA256:6pLYo9k0m0LK2E4Og69uAmu24SyTOX8FUX91/HDx1gk
    debug1: Will attempt key: /Users/myusername/.ssh/id_dsa 
    debug1: Will attempt key: /Users/myusername/.ssh/id_ecdsa 
    debug1: Will attempt key: /Users/myusername/.ssh/id_ed25519 
    debug1: Will attempt key: /Users/myusername/.ssh/id_xmss 
    debug2: pubkey_prepare: done
    debug3: send packet: type 5
    debug3: receive packet: type 7
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey
    debug3: start over, passed a different list publickey
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/myusername/.ssh/id_rsa RSA SHA256:6pLYo9k0m0LK2E4Og69uAmu24SyTOX8FUX91/HDx1gk
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /Users/myusername/.ssh/id_dsa
    debug3: no such identity: /Users/myusername/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: /Users/myusername/.ssh/id_ecdsa
    debug3: no such identity: /Users/myusername/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /Users/myusername/.ssh/id_ed25519
    debug3: no such identity: /Users/myusername/.ssh/id_ed25519: No such file or directory
    debug1: Trying private key: /Users/myusername/.ssh/id_xmss
    debug3: no such identity: /Users/myusername/.ssh/id_xmss: No such file or directory
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    [email protected]: Permission denied (publickey).
    myusername@mylaptopname:currentfoldername % ssh -vv [email protected] 
    OpenSSH_7.9p1, LibreSSL 2.7.3
    debug1: Reading configuration data /Users/myusername/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 48: Applying options for *
    debug2: resolving "jbox01.prod.ourcompanydomain" port 22
    debug2: ssh_connect_direct
    debug1: Connecting to jbox01.prod.ourcompanydomain [172.20.1.66] port 22.
    debug1: Connection established.
    debug1: identity file /Users/myusername/.ssh/id_rsa type 0
    debug1: identity file /Users/myusername/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_dsa type -1
    debug1: identity file /Users/myusername/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_ecdsa type -1
    debug1: identity file /Users/myusername/.ssh/id_ecdsa-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_ed25519 type -1
    debug1: identity file /Users/myusername/.ssh/id_ed25519-cert type -1
    debug1: identity file /Users/myusername/.ssh/id_xmss type -1
    debug1: identity file /Users/myusername/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_7.9
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u6
    debug1: match: OpenSSH_7.4p1 Debian-10+deb9u6 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
    debug2: fd 5 setting O_NONBLOCK
    debug1: Authenticating to jbox01.prod.ourcompanydomain:22 as 'myusername'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected]
    debug2: compression stoc: none,[email protected]
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:VKd849z2c6XlUO3p7GnZpwVIwtdhI6Gl+6EsTImYwLI
    debug1: Host 'jbox01.prod.ourcompanydomain' is known and matches the ECDSA host key.
    debug1: Found key in /Users/myusername/.ssh/known_hosts:1
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug1: Will attempt key: /Users/myusername/.ssh/id_rsa RSA SHA256:6pLYo9k0m0LK2E4Og69uAmu24SyTOX8FUX91/HDx1gk
    debug1: Will attempt key: /Users/myusername/.ssh/id_dsa 
    debug1: Will attempt key: /Users/myusername/.ssh/id_ecdsa 
    debug1: Will attempt key: /Users/myusername/.ssh/id_ed25519 
    debug1: Will attempt key: /Users/myusername/.ssh/id_xmss 
    debug2: pubkey_prepare: done
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    **debug1: Offering public key: /Users/myusername/.ssh/id_rsa RSA SHA256:6pLYo9k0m0LK2E4Og69uAmu24SyTOX8FUX91/HDx1gk
    debug2: we sent a publickey packet, wait for reply**
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /Users/myusername/.ssh/id_dsa
    debug1: Trying private key: /Users/myusername/.ssh/id_ecdsa
    debug1: Trying private key: /Users/myusername/.ssh/id_ed25519
    debug1: Trying private key: /Users/myusername/.ssh/id_xmss
    **debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    [email protected]: Permission denied (publickey).**

User attempting to connect to the server (server side):

    Mar 16 12:49:55 jbox01 sshd[26063]: Connection from 172.20.101.6 port 63442 on 172.20.1.66 port 22
    Mar 16 12:49:56 jbox01 sshd[26063]: Failed publickey for myusername from 172.20.101.6 port 63442 ssh2: RSA SHA256:6pLYo9k0m0LK2E4Og69uAmu24SyTOX8FUX91/HDx1gk

We also compared the SHA256 of the key stored in LDAP with the key the user offers to the server, and they match. Any suggestions on this?

debian ssh ldap openldap public-key
  • 2 answers
  • 615 Views
