我已经阅读了很多解决这个问题的方法,但似乎没有一个适用于我所看到的。大多数关注目录权限,但在这种情况下似乎是正确的。TL;DR:两个具有相同主目录的 Centos7 服务器;sshd即使已启用,一个人也不允许公钥身份验证。
我有两台 centos7 服务器,我们称它们centos-a为centos-b. 主目录是通过 NFS 挂载的,因此.ssh两者之间的目录是相同的(下面对此进行确认)。我可以从 sshcentos-a到centos-a,但不能到centos-b。我可以从centos-btocentos-a和 to SSH centos-b。
| SSH 能力 | centos-a |
centos-b |
|---|---|---|
centos-a |
是的 | 不 |
centos-b |
是的 | 是的 |
[myuser@centos-a ~]$ ls -la ~/.ssh
total 16
drwx------. 1 myuser domain users 0 Jul 6 11:45 .
drwx------. 1 myuser domain users 0 Jul 7 13:44 ..
-rw-------. 1 myuser domain users 1212 Jul 6 12:02 authorized_keys
-rw-------. 1 myuser domain users 1675 Jul 6 11:45 id_rsa
-rw-r--r--. 1 myuser domain users 402 Jul 6 11:45 id_rsa.pub
-rw-r--r--. 1 myuser domain users 1119 Jul 6 17:49 known_hosts
[myuser@centos-a ~]$ md5sum ~/.ssh/*
65b4fdf2d59cee3ae45b8480454453ec /home/myuser/.ssh/authorized_keys
fa3e9fc5a8ff08787ff2ba8f979da24e /home/myuser/.ssh/id_rsa
dca36ab3ec342423c5eca588f2ad5678 /home/myuser/.ssh/id_rsa.pub
f67bc94bc7a30b9876e3027b24f893d8 /home/myuser/.ssh/known_hosts
[myuser@centos-a ~]$ ssh centos-a hostname
centos-a
[myuser@centos-a ~]$ ssh centos-b hostname
myuser@centos-b's password:
[myuser@centos-b ~]$ ls -la ~/.ssh
total 16
drwx------. 1 myser domain users 0 Jul 6 11:45 .
drwx------. 1 myser domain users 0 Jul 7 13:44 ..
-rw-------. 1 myser domain users 1212 Jul 6 12:02 authorized_keys
-rw-------. 1 myser domain users 1675 Jul 6 11:45 id_rsa
-rw-r--r--. 1 myser domain users 402 Jul 6 11:45 id_rsa.pub
-rw-r--r--. 1 myser domain users 1119 Jul 6 17:49 known_hosts
[myuser@centos-b ~]$ md5sum ~/.ssh/*
65b4fdf2d59cee3ae45b8480454453ec /home/myuser/.ssh/authorized_keys
fa3e9fc5a8ff08787ff2ba8f979da24e /home/myuser/.ssh/id_rsa
dca36ab3ec342423c5eca588f2ad5678 /home/myuser/.ssh/id_rsa.pub
f67bc94bc7a30b9876e3027b24f893d8 /home/myuser/.ssh/known_hosts
[myuser@centos-b ~]$ ssh centos-b hostname
centos-b
[myuser@centos-b ~]$ ssh centos-a hostname
centos-a
如上所示,.ssh 目录上的权限似乎是正确的(无论如何,两台机器之间的权限都是相同的)。
ssh -vvv在失败的 ssh 上显示:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
...
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
...
debug1: Host 'centos-b' is known and matches the ECDSA host key.
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1211402155)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1211402155)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug3: no such identity: /home/myuser/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
debug3: no such identity: /home/myuser/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/myuser/.ssh/id_ed25519
debug3: no such identity: /home/myuser/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
myuser@centos-b's password:
将此与我看到的从centos-bto 进行对比centos-a,这很有效:
...
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:nAO5pVOzqUQzEUSEBN37WKp6ADs9Sk4rfTRGmk0FHEY
debug3: sign_and_send_pubkey: RSA SHA256:nAO5pVOzqUQzEUSEBN37WKp6ADs9Sk4rfTRGmk0FHEY
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
我已启用 sshd 登录消息/etc/ssh/sshd_config并重新启动服务
# Logging
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
但是/var/log/secure或中没有其他有用的消息/var/log/messages。
有趣的是,ssh from centos-btocentos-b正在使用 gssapi 身份验证。如果我强制它使用 publickey 它会失败:
[myuser@centos-b ~]$ ssh -vvv -o PreferredAuthentications=publickey centos-b hostname
...
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
我看到/var/log/messages:
Jul 7 13:52:10 centos-b sshd[23266]: Connection closed by 192.168.1.100 port 48064 [preauth]
公钥已启用:
[root@centos-b ssh]# sshd -T | grep -i pub
pubkeyauthentication yes
pubkeyacceptedkeytypes [email protected],ecdsa-sha...
这sshd_config是一个股票 Centos7 ,并且在andsshd_config之间是相同的(通过在两台机器上通过管道传递以下命令来验证centos-acentos-bmd5sum
[root@centos-b ssh]# grep -v -e '^#' -e '^$' /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
对我所缺少的有什么建议吗?
一些额外的谷歌搜索向我透露,问题在于我配置的新系统上启用了 SELinux。在我的情况下,将其设置为 permissive 可以解决我的问题。
对于环境中需要 SELinux 的人来说,这可能不是正确的解决方案。永久更改涉及更新
/etc/selinux/config。