Debian SSH authorized_keys 被忽略

Debian SSH authorized_keys 被忽略

我使用 authorized_keys 来限制用户可用的命令。~/.ssh 和文件的所有者是 root,并设置为

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

一切运行良好,直到我发现,在某个时候,用户现在可以再次使用所有命令。文件 authorized_keys 确实包含:

command="mysql -u arg1 -p arg2",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa public_key

我不知道我做错了什么,我也尝试了调试模式并检查了日志。但他只是允许所有命令。

用户登录应该仅使用密码,因此没有密钥系统。

调试日志:

Connection from XX.XX.XX.XXX port 26048
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
debug1: no match: PuTTY_Release_0.63
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: permanently_set_uid: 103/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user restricteduser service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "restricteduser"
debug1: PAM: setting PAM_RHOST to "XXX.XXXX.XXXXXXXX.XX"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user restricteduser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication accepted for restricteduser
debug1: do_pam_account: called
Accepted password for restricteduser from XX.XX.XX.XXX port 26048 ssh2
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: restricteduser has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 24137
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 2001/2001
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/11
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: server_input_channel_req: channel 0 request [email protected] reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req [email protected]

问候 ProcTrap

答案1

它并没有被特别忽略;客户只是不尝试公钥认证。请注意您的日志如何表明第一次也是唯一一次身份验证尝试使用了以下机制password

debug1: userauth-request for user restricteduser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication accepted for restricteduser
debug1: do_pam_account: called
Accepted password for restricteduser from XX.XX.XX.XXX port 26048 ssh2

并且当不使用公钥时,服务器没有任何东西可以与authorized_keys内容匹配......所以它根本不会触及该文件。

如果您想要强制使用,请在使用组authorized_keys时关闭该用户的密码验证。/etc/ssh/sshd_configMatch User ...

或者,设置强制命令对于该用户,再次/etc/ssh/sshd_config使用Match。(甚至有一个 CVS 的示例。)

相关内容