在 Archlinux 机器上,我尝试为用户设置基于密码的身份验证。应将用户登录 shell 设置为 git-shell,以便在帐户被盗用的情况下不允许执行命令。
我的 sshd_config 只针对这一个 git 用户有一条规则,该规则似乎有效,因为当我将登录 shell 设置为 bash 时,我可以使用该用户登录。但是,当将 shell 设置为 git-shell 时,我无法登录。我不确定 shell 和密码验证实际上是如何关联的。需要说明的是:我没有使用 ChallengeResponseAuthentication,而是使用 Authentication。
当在启用 git-shell 的情况下尝试登录时,用户端出现以下错误:
myuser@myhosts's password:
Permission denied, please try again.
在服务器端,当使用 -d 标志启动 sshd 时,我得到以下信息:
debug1: user myuser matched 'User myuser' at line 135
debug1: PAM: initializing for "myuser"
debug1: PAM: setting PAM_RHOST to <homeip>
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user myuser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication failed for myuser: Authentication failure
Failed password for myuser from <homeip> port 57470 ssh2
使用 bash 作为 shell 的成功尝试如下所示:
debug1: user myuser matched 'User myuser' at line 135
debug1: PAM: initializing for "myuser"
debug1: PAM: setting PAM_RHOST to "<homeip>"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user myuser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication accepted for myuser
debug1: do_pam_account: called
Accepted password for myuser from <homeip> port 57499 ssh2
你知道为什么会发生这种情况以及如何解决它吗?简单的方法是为实际使用的机器设置一个密钥,但令我恼火的是,我无法让它工作。
编辑,用DEBUG3输出:
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user myuser service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for myuser: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 13
Failed password for myuser from <homeip> port 52928 ssh2
debug3: mm_auth_password: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug3: send packet: type 51 [preauth]
答案1
事实证明,这个问题的存在是因为 中没有 git-shell /etc/shells。由于我在显示警告时用 root 更改了用户 shell(使用chsh指定的用户名),因此可以首先将 shell 更改为 git-shell。
我不完全确定为什么基于密钥的登录仍然可行但现在一切正常!
通常,/etc/shells这只是允许的登录 shell 的列表,但显然并非在每种情况下都会进行检查。