sshd rejects public key even though it matches in authorized_keys (authentication failure)


I've looked at similar posts, but none of them helped. Does anyone have an idea?


Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: matching key found: file /home/user/.ssh/authorized_keys, line 32 RSA SHA256:Pi4vjWY1TtjIPyP9Ot5opdnbDeB0BtasQ9jaKMQgu3Y
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: restore_uid: 0/0
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_answer_keyallowed: key 0x55e87e9ea3a0 is allowed
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 23
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_key_verify entering [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 24 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive_expect entering: type 25 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: monitor_read: checking request 24
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_answer_keyverify: key 0x55e87e9e9c70 signature verified
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 25
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive_expect entering: type 102
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: do_pam_account: called
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)

<- why does this fail?

Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 103
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: Failed publickey for user from 10.96.4.107 port 63266 ssh2: RSA SHA256:Pi4vjWY1TtjIPyP9Ot5opdnbDeB0BtasQ9jaKMQgu3Y
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_do_pam_account entering [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 102 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_do_pam_account returning 0 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: fatal: Access denied for user user by PAM account configuration [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: do_cleanup [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 124 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 122 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive_expect entering: type 123 [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering [preauth]
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: monitor_read: checking request 124
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: monitor_read: checking request 122
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_send entering: type 123
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: monitor_read_log: child log fd closed
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: mm_request_receive entering
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: do_cleanup
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: PAM: cleanup
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug3: PAM: sshpam_thread_cleanup entering
Nov 20 13:08:06 ip-10-160-153-99 sshd_server[10408]: debug1: Killing privsep child 10409


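Answer 1

This is not an authentication failure but an authorization failure. That is a completely separate set of checks: even though you have authenticated successfully, the server still considers you not allowed to log in for some other reason (for example a disallowed source address, missing group membership, a missing LDAP attribute, and so on).

Look at the modules in the account section of /etc/pam.d/sshd, as well as any included files. Usually the modules will also log all denials to syslog.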

Answer 2

I found the problem. The SSH process was missing from /etc/pam.d. After adding the entry, it worked.
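
The check both answers point to, as an added example that is not part of the original post or either answer: it lists the account rules PAM evaluates for a service and reports when the service has no file under /etc/pam.d. It assumes sshd's PAM service name is the daemon's program name (`sshd_server` in the log above) and that Linux-PAM falls back to the `other` service; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the PAM "account" rules that apply to a service,
# following include/substack/@include. Exit status 1 means the service has
# no file of its own, so Linux-PAM evaluates the fallback service "other".

_pam_walk() (                       # subshell body keeps variables per call
    dir=$1 file=$2 depth=$3
    if [ "$depth" -gt 8 ]; then echo "# include depth exceeded at $file"; exit 0; fi
    if [ ! -f "$dir/$file" ]; then echo "# missing include: $file"; exit 0; fi
    while read -r type control rest || [ -n "$type" ]; do
        case $type in
            ''|'#'*) continue ;;
            @include) _pam_walk "$dir" "$control" $((depth + 1)); continue ;;
        esac
        type=${type#-}              # "-account" only silences missing-module logs
        [ "$type" = account ] || continue
        case $control in
            include|substack) _pam_walk "$dir" "${rest%% *}" $((depth + 1)) ;;
            *) echo "${file}: account $control $rest" ;;
        esac
    done < "$dir/$file"
)

pam_account_stack() {               # usage: pam_account_stack SERVICE [PAM_DIR]
    svc=$1; dir=${2:-/etc/pam.d}
    if [ -f "$dir/$svc" ]; then
        _pam_walk "$dir" "$svc" 0
        return 0
    fi
    echo "# no $dir/$svc: PAM falls back to 'other'"
    _pam_walk "$dir" other 0
    return 1
}

# Constructed sample tree (not from the page): "sshd" has a service file,
# "sshd_server" does not, and "other" denies every account check.
make_sample_pam_dir() {
    d=$(mktemp -d)
    printf 'auth required pam_unix.so\n@include common-account\naccount required pam_access.so\n' > "$d/sshd"
    printf '# shared\naccount [success=1 default=ignore] pam_unix.so\naccount required pam_permit.so\n' > "$d/common-account"
    printf 'auth required pam_deny.so\naccount required pam_deny.so\n' > "$d/other"
    echo "$d"
}

sample=$(make_sample_pam_dir)
pam_account_stack sshd "$sample"
pam_account_stack sshd_server "$sample" || echo "=> sshd_server is governed by 'other'"
rm -rf "$sample"
```

On a live host, call `pam_account_stack` with the program name shown in the syslog tag and no second argument so that it reads /etc/pam.d.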
