Can't use public key authentication with the Win32 OpenSSH server


I have been using public key authentication for SSH on Linux for years, and now I am trying to get it working with the Win32 port on a Windows 2016 server. No success so far. I read the help file for sshd_config, which says to put the credentials in <user>/.ssh/authorized_keys, just like in a normal Linux setup. I also verified by looking at the ACL that it is readable only by the user and the Administrators group. In addition, I was prepared to put my client public key into %programdata%/ssh/administrators_authorized_keys, so I did that too. Still no luck. I looked in Event Viewer for any special sign of what was going on, but saw nothing in particular pointing at public key authentication. Just a bunch of ordinary hackers' login attempts.

You can see the client trying to offer my RSA key to the server, and the server accepting publickey as a login method:

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U /home/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8 myuser@ubuntu
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
debug1: Trying private key: /home/myuser/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive

You can see that it tried two keys, the default one 67hw/H... and the one used for GCE, cicl5t.... The server log on Windows shows that both were rejected:

sshd: Failed publickey for myuser from 77.88.92.5 port 57621 ssh2: RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U
sshd: Failed publickey for myuser from 77.88.92.5 port 57621 ssh2: RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8

The fingerprint is valid:

$  ssh-keygen -l -E sha256 -f ~/.ssh/id_rsa.pub
2048 SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U myuser@i9-ACME (RSA)

If you look at the server log dump at the bottom, you will see that it never tries to open the file .ssh/authorized_keys. Instead it only looks at \ProgramData\ssh\administrators_authorized_keys. Yet even though I added the key there, it still refuses to let me log in.

You can also see that I added it correctly on the Windows server side, since the fingerprints are identical:

PS C:\Users\myuser\.ssh> ssh-keygen -l -f .\authorized_keys
2048 SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U i9-ACME (RSA)

I also followed the instructions below for setting up the file, to avoid unnecessarily broad read permissions:

PS C:\Users\myuser\.ssh> icacls .\authorized_keys /inheritance:r
processed file: .\authorized_keys
Successfully processed 1 files; Failed processing 0 files

PS C:\Users\myuser\.ssh> icacls.exe .\authorized_keys
.\authorized_keys NT AUTHORITY\SYSTEM:(N)
                  BUILTIN\Administrators:(N)

Successfully processed 1 files; Failed processing 0 files

Still doesn't work. I also restarted the OpenSSH service after the changes.

Full server log from sshd -dd

Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 77.88.92.5 port 52794 on 10.166.0.3 port 22
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 5 setting O_NONBLOCK
debug2: Network child is on pid 1900
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug2: monitor_read: 6 used once, disabling now
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user myuser service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug2: parse_server_config: config reprocess config len 294
debug1: user myuser matched group list administrators at line 88
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for myuser [preauth]
debug2: input_userauth_request: try method none [preauth]
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user myuser service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user myuser querying public key rsa-sha2-512 AAAAB3NzaC1yc2EAAAADAQABAAABAQCtB10ag2fipH7Cnls3gZvl5eBJx0OvQaLu7hndL5sif3m4CTGmrN/MuP0lei0Rt23cBy5Ey2DqAjmizCAhdc3jSQm0pXisKG92Juo2HxiJw+eMUucoPhjbEy35sKKrru2//5uPpK5IEeVEve3bIXCAQUQgyOESmHBgXmKSCz0jQXEvcV8GxxkdXK7/UQVSe5wtxzPHOoP+yeRdNGfMdl1SeXwUCEXwexAn7YM8ZlISufuxXMInpBMrxVXLAih0ZG2WGD2BAJZcwXmMjLPPVP+bjHXnQkiqk5oDeP3ewPorrvxbOeOcqk0b1qrAQYSXHqXv6lENfWIceIz1EsZlRsIV [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for myuser from 77.88.92.5 port 52794 ssh2: RSA SHA256:67hw/H9QTbRYNl1n/xxhbB76lPm88yhyuVfIjxIWE1U
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
debug1: userauth-request for user myuser service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user myuser querying public key rsa-sha2-512 AAAAB3NzaC1yc2EAAAADAQABAAABAQDCaISFI0hCDMK5SIqIBlsboBQTBCoW98bvjUjoCDn9S4kXSOtVvwNeXc/Kb+9lXqKR8CbtYgOZySPqI+5VADdAIcfot2S65Fq5qOQ1IH7Uo29nzvhyjfRbckAs3gaTF6uzxEA0THqyAZ1oGIyK3vDI8W/Ofczi08oIYWpMmWA8dQNQuKRujloDuFElpjZEjbEyfkn/e7iSm1VxZ8aLEw7M3/BsJLmtwxa+tYyTAfKx63NRFbSWf873GLOyAKCnE5ls27ftlTjDJMISI3RZd1KMdyg+6KAwN7YsCTwJXarNXr9v2GcY8lrpC7dQ/lGK1nBsPa0kOSYKQzJ0LIDxfOan [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8 [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for myuser from 77.88.92.5 port 52794 ssh2: RSA SHA256:cicl5t/5mDmIocrkDopK2C6Rf9OvT7FhKAh9GEMPFd8
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
debug1: userauth-request for user myuser service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=myuser devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug2: auth2_challenge_start: devices  [preauth]     

Output from net user myuser

PS C:\Windows\system32> net user myuser
User name                    myuser
Full Name                    myuser
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/20/2019 9:13:31 AM
Password expires             Never
Password changeable          12/20/2019 9:13:31 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/6/2020 3:09:27 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

PS C:\Windows\system32>

Answer 1

Adding a third -d to sshd helped me discover the problem:

debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug3: Bad permissions. Try removing permissions for user: NT AUTHORITY\\Authenticated Users (S-1-5-11) on file C:/ProgramData/ssh/administrators_authorized_keys.
Authentication refused.
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed

  1. For some reason authorized_keys does not work for administrator users. No idea why.
  2. The key needs to be present in administrators_authorized_keys
  3. The same file restrictions that apply to authorized_keys also apply to administrators_authorized_keys

debug1 and debug2 did not show the problem, but debug3 did: it was my own user's permission to view the contents of administrators_authorized_keys that was messing everything up. After removing it, I could finally log in.

I have not yet found a source that explains administrators_authorized_keys... this question is the best one so far.
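As an added example (not part of the answer above), a PowerShell check that audits the ACL of administrators_authorized_keys the way sshd's debug3 message does, flagging any principal other than NT AUTHORITY\SYSTEM and BUILTIN\Administrators, together with the icacls repair. The file path is an assumption: the default %ProgramData%\ssh location that appears as __PROGRAMDATA__ in the log.

```powershell
# Added example, not from the post. sshd refuses to read administrators_authorized_keys
# when any principal beyond NT AUTHORITY\SYSTEM and BUILTIN\Administrators has access
# (e.g. Authenticated Users, S-1-5-11), logging "Bad permissions" only at debug3.
# Assumption: default Win32-OpenSSH path under %ProgramData%.
$KeysFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
$Allowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-AdminAuthorizedKeysAcl {
    param([string]$Path = $KeysFile)
    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    # Inherited ACEs from C:\ProgramData\ssh are the usual source of the extra principal
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'ACL still inherits from the parent folder (needs icacls /inheritance:r)'
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            # Report the SID too, since sshd prints it that way (e.g. S-1-5-11)
            $sid = '?'
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
            $findings += "extra ACE for $who ($sid): $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($findings.Count -eq 0); Findings = $findings }
}

function Repair-AdminAuthorizedKeysAcl {
    param([string]$Path = $KeysFile)
    # Drop inheritance and grant only the two principals sshd accepts. Inherited ACEs
    # (how Authenticated Users usually gets there) vanish; an explicit extra ACE would
    # still need "icacls <file> /remove <principal>".
    icacls.exe $Path /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
    Test-AdminAuthorizedKeysAcl -Path $Path
}

$result = Test-AdminAuthorizedKeysAcl
$result | Format-List
if (-not $result.Ok) {
    Write-Warning 'Administrator public key logins will fail until this ACL is fixed; run Repair-AdminAuthorizedKeysAcl from an elevated shell.'
}
```

Run Test-AdminAuthorizedKeysAcl after every edit of the file, since tools that rewrite it can re-apply inherited permissions.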
