无密码的 SSH 无法与用户 postgres 一起使用

无密码的 SSH 无法与用户 postgres 一起使用

我尝试手动将公钥添加到 authorized_keys 和 authorized_keys2。我还仔细检查了 .ssh (700) 和 authorized_keys (644) 的权限。我可以使用另一个用户(服务器用户)在同一台机器上无需密码登录。

以下是 ssh -vvv 的输出:

ssh postgres@java7 -vvv
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to java7 [192.168.120.28] port 22.
debug1: Connection established.
debug1: identity file /home/informix/.ssh/identity type -1
debug3: Not a RSA1 key file /home/informix/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/informix/.ssh/id_rsa type 1
debug1: identity file /home/informix/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 118/256
debug2: bits set: 497/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 86
debug3: check_host_in_hostfile: filename /home/informix/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 82
debug1: Host 'java7' is known and matches the RSA host key.
debug1: Found key in /home/informix/.ssh/known_hosts:86
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/informix/.ssh/id_rsa (0x555560bb41c0)
debug2: key: /home/informix/.ssh/identity ((nil))
debug2: key: /home/informix/.ssh/id_rsa (0x555560bae620)
debug2: key: /home/informix/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.120.28.
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/informix/.ssh/identity
debug3: no such identity: /home/informix/.ssh/identity
debug1: Offering public key: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/informix/.ssh/id_dsa
debug3: no such identity: /home/informix/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
postgres@java7's password: 

编辑:

This is an excerpt of what the ssh server on a different port says:
debug1: PAM: initializing for "postgres"
debug1: PAM: setting PAM_RHOST to "192.168.120.97"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user postgres service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4
Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee
debug1: restore_uid: 0/0
Postponed publickey for postgres from 192.168.120.97 port 45341 ssh2
debug1: userauth-request for user postgres service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: trying public key file /var/lib/pgsql/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /var/lib/pgsql/.ssh/authorized_keys, line 4
Found matching RSA key: f5:79:bb:f0:df:57:a3:ee:83:cc:33:a5:1b:b2:5d:ee
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for postgres from 192.168.120.97 port 45341 ssh2
debug1: monitor_child_preauth: postgres has been authenticated by privileged process
debug1: temporarily_use_uid: 26/26 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support enabled
debug1: PAM: establishing credentials
PAM: pam_open_session(): Authentication failure
User child is on pid 10198
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 26/26
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
debug1: session_pty_req: session 0 alloc /dev/pts/5
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 10199
debug1: session_exit_message: session 0 channel 0 pid 10199
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/5
debug1: session_pty_cleanup: session 0 release /dev/pts/5
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 192.168.120.97
debug1: do_cleanup
Transferred: sent 2296, received 2416 bytes
Closing connection to 192.168.120.97 port 45341
debug1: PAM: cleanup
debug1: PAM: deleting credentials

运行另一个 ssh 服务器时为 /var/log/secure.log

Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): conversation failed
Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
Apr  4 16:52:31 java7 sshd[10774]: pam_selinux(sshd:session): Unable to get valid context for postgres
Apr  4 16:52:31 java7 sshd[10774]: pam_unix(sshd:session): session opened for user postgres by (uid=0)

答案1

我发现在这种情况下最好的办法是在调试模式下运行 SSH 守护程序。如果您在计算机上有 root 访问权限,则可以运行:

# /usr/sbin/sshd -d -p 2222

然后你可以使用:

# ssh -p 2222 postgres@java7

并查看服务器拒绝密钥的原因。

答案2

您可以在现有的 ssh 服务器上打开调试日志。在文件 /etc/ssh/sshd_config 中更改, LogLevel DEBUG3 如果登录失败的原因是 Could not open authorized keys '/var/lib/pgsql/.ssh/authorized_keys': Permission denied并且对 authorized_keys 的访问权限似乎正常,那么此命令将有所帮助

restorecon -FRvv /var/lib/pgsql/.ssh/

解释

答案3

'postgres' 是通过安装 PostreSQL 服务器生成的用户吗?如果是这样,大多数自动生成的用户都无法“登录”;它们仅用于需要文件权限的守护进程。

答案4

确保您的 selinux 设置正确。

我将 selinux 改为宽容并且它可以工作或者您必须将 .ssh 添加到 selinux 角色。

相关内容