主目录权限阻止 Ubuntu Server 14.10 上的 ssh 密钥认证

主目录权限阻止 Ubuntu Server 14.10 上的 ssh 密钥认证

我有一台装有 SSH 服务器的 ubuntu server 14.10,并且我的 System76 darter 笔记本电脑运行 Debian Sid,密码验证工作正常。我想切换到 rsa-key 验证。

在本地系统上,我生成了密钥,将公钥放在服务器上,然后编辑 /etc/ssh/sshd_config 以允许密钥认证,然后重新启动服务。当我尝试通过 ssh 进入服务器时,系统提示我输入密码。我停止了服务,然后以调试模式重新启动了 sshd:

sudo /usr/sbin/sshd -d

然后我尝试登录,并收到以下消息(由于过度偏执,我用#删除了大量内容,但我认为它们并不相关):

debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port ##### on 192.168.1.###.
Server listening on 192.168.1.### port #####.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.### port 34258 on 192.168.1.### port #####
debug1: Client protocol version 2.0; client software version OpenSSH_6.7p1 Debian-3
debug1: match: OpenSSH_6.7p1 Debian-3 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: permanently_set_uid: 107/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr [email protected] none [preauth]
debug1: kex: server->client aes128-ctr [email protected] none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user surfrock66 service ssh-connection method non [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "surfrock66"
debug1: PAM: setting PAM_RHOST to "sr66-darter.######.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user surfrock66 service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/surfrock66/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /home/surfrock66
debug1: restore_uid: 0/0
Failed publickey for surfrock66 from 192.168.1.### port 34258 ssh2: RSA ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
Connection closed by 192.168.1.### [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 14705

具体来说,我看到了 Authentication refused: bad ownership or modes for directory /home/surfrock66

我进行了大量研究,发现 .ssh 目录及其下文件的权限存在问题,但我从未听说过与主目录权限有关的问题。我怀疑这与 sshd 启动时所用的用户没有访问我的主目录的权限有关。以下是相关权限:

surfrock66@sr66-blade:~$ ls -as1l /home/
total 12
4 drwxr-xr-x  3 root       root       4096 Sep  8  2013 .
4 drwxr-xr-x 22 root       root       4096 Dec 11 07:47 ..
4 drwxrwxrwx 54 surfrock66 surfrock66 4096 Dec 28 12:30 surfrock66

surfrock66@sr66-blade:~$ ls -as1l /home/surfrock66/ | grep .ssh
4 drwx------    2 surfrock66 surfrock66  4096 Dec 28 12:04 .ssh

surfrock66@sr66-blade:~$ ls -as1l /home/surfrock66/.ssh/
total 28
4 drwx------  2 surfrock66 surfrock66 4096 Dec 28 12:04 .
4 drwxrwxrwx 54 surfrock66 surfrock66 4096 Dec 28 12:30 ..
4 -rw-r--r--  1 surfrock66 surfrock66  404 Dec 28 12:04 authorized_keys
4 -rw-------  1 surfrock66 surfrock66 1679 Nov 12  2012 id_rsa
4 -rw-r--r--  1 surfrock66 surfrock66  403 Nov 12  2012 id_rsa.pub
4 -rw-------  1 surfrock66 surfrock66 3964 Nov 10 19:51 known_hosts
4 -rw-------  1 surfrock66 surfrock66 3078 Dec 10  2013 known_hosts.old

如果有帮助,这里是服务器运行和登录失败期间 /var/log/auth.log 的输出:

Dec 28 14:32:30 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/sbin/sshd -d
Dec 28 14:32:30 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type RSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #0 type 1 RSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type DSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #1 type 2 DSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: key_parse_private2: missing begin marker
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: read PEM private key done: type ECDSA
Dec 28 14:32:32 sr66-blade sshd[27862]: debug1: private host key: #2 type 3 ECDSA
Dec 28 14:32:35 sr66-blade sudo: pam_unix(sudo:session): session closed for user root
Dec 28 14:32:44 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/bin/tail -n /var/log/auth.log
Dec 28 14:32:44 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)
Dec 28 14:32:44 sr66-blade sudo: pam_unix(sudo:session): session closed for user root
Dec 28 14:32:48 sr66-blade sudo: surfrock66 : TTY=pts/3 ; PWD=/home/surfrock66 ; USER=root ; COMMAND=/usr/bin/tail -n 100 /var/log/auth.log
Dec 28 14:32:48 sr66-blade sudo: pam_unix(sudo:session): session opened for user root by surfrock66(uid=0)

这是 /etc/ssh/sshd_config

surfrock66@sr66-blade:~$ cat /etc/ssh/sshd_config 
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port #####
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.1.###
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no 
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

为了完整起见,这是 /etc/ssh/ssh_config

surfrock66@sr66-blade:~$ cat /etc/ssh/ssh_config 

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
#   RhostsRSAAuthentication no
    RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

任何帮助/想法都将不胜感激!

答案1

在这里找到答案:https://unix.stackexchange.com/questions/37164/ssh-and-home-directory-permissions

事实证明,/home/surfrock66 不能是 777(它本来就不应该是 777)。现在它是 750,并且运行正常。

相关内容