基于 CentOS7 的 SSH rkt 容器:PAM 会话设置失败

tag-icon tag-icon ssh centos-7 pam
基于 CentOS7 的 SSH rkt 容器:PAM 会话设置失败

我无法登录到在基于 CentOS7 的 rkt 容器中运行的 SSH 主机,因为 PAM 会话设置从未完成 - 即使将日志记录设置为 DEBUG3,也没有错误消息 - 日志只是以 结尾,sshd[10]: debug3: PAM: opening session客户端导致Write failed: Broken pipe。 SSH 守护程序继续运行。

/etc/ssh/sshd_config

#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox     # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

/etc/pam.d/sshd

#%PAM-1.0
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session optional pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

服务器端日志:粘贴箱. 结尾是:

Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: Accepted publickey for root from 172.16.28.1 port 45040 ssh2: RSA dc:7b:dc:02:bd:87:0b:7a:ad:a0:71:78:e4:18:86:5
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Waiting for new keys
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 26
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_from_blob: 0x7eff5524bd40(138)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: mac_setup: setup [email protected]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Waiting for second key
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_from_blob: 0x7eff5524bd40(138)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: mac_setup: setup [email protected]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Getting compression state
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_get_keystate: Getting Network I/O buffers
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 122
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 123
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_do_pam_account entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 102 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_do_pam_account returning 1 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Sending new keys: 0x7eff55233ce0 0x7eff552382d0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_to_blob: converting 0x7eff55233ce0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_newkeys_to_blob: converting 0x7eff552382d0 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: New keys have been sent [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Sending compression state [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 26 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_send_keystate: Finished sending state [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_send entering: type 122 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive_expect entering: type 123 [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_request_receive entering [preauth]
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: monitor_read_log: child log fd closed
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_share_sync: Share sync
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: mm_share_sync: Share sync end
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: ssh_sandbox_parent_finish: finished
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: restore_uid: 0/0
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: SELinux support disabled
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug1: PAM: establishing credentials
Aug 14 09:55:06 rkt-1f29b259-f7a3-45a3-912a-58f401f8da79 sshd[10]: debug3: PAM: opening session

客户端日志:粘贴箱

如果我禁用 PAM(RHEL 和 CentOS 不支持,但只是为了测试),会话将由客户端建立并立即终止(我将在评论中发布 pastebin)。我也试过...

  • 注释掉 UsePrivilegeSeparation 沙箱
  • 在容器中禁用 SELinux(结果发现它显然没有安装在容器内)

没有明显的影响。有人知道是什么导致 PAM 表现如此糟糕,甚至没有错误消息吗?我在许多其他线程中看到 PAM 与 chroot 结合使用时出现问题,但仍然有明确的错误消息,这里看起来像是突然死亡......(sshd 仍在运行)

附言:有足够声誉的人可以创建一个 rkt 标签吗?谢谢

相关内容