我在 Ubuntu 20.04 上的 sshd 配置遇到问题。
我的目标是拒绝密码验证,除了特定的 IP 地址/网络。我相信通过 config har 以前可以工作,但一段时间前就停止了(可能已经是几年前了)。
我的/etc/ssh/sshd_config非常标准(我删除了大多数注释行)
Include /etc/ssh/sshd_config.d/*.conf
# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG
UsePAM yesX11
Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
除了标准配置文件之外,我还从这个文件中包含了我的特定配置: /etc/ssh/sshd_config.d/myconfig.conf
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding yes
Match Address 192.168.1.2,192.168.1.10
PasswordAuthentication yes
192.168.1.2 是我的服务器的 IP,我主要从这里进行测试。我在 192.168.1.10 上还有一个 Windows 主机,我用它来测试。
最初我有一份较长的 IP 地址列表,需要匹配。但由于遇到了这个问题,我将其过滤为测试所需的基本 IP 地址,但仍然无法正常工作。
我进行了详细连接以从客户端的角度查看发生了什么:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.2 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.2 [192.168.1.2] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_rsa type 0
...
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.2:22 as 'myuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
...
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
...
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1
debug1: Host '192.168.1.2' is known and matches the RSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:18
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/myuser/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2
debug1: Will attempt key: /home/myuser/.ssh/id_dsa
...
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp2
[email protected]>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/myuser/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/myuser/.ssh/id_dsa
...
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
(我不得不删除一些我认为不相关的内容,因为我的输出在我的帖子中被标记为跨度)
我注意到客户端似乎收到只允许公钥身份验证的提示。尽管我连接的地址应该匹配,因此允许使用密码进行身份验证。
debug1: Authentications that can continue: publickey
我已经更改了我的特定配置文件,以确保它在启动时确实被读取和使用。所以我想我已经验证了它正在被使用。
/etc/ssh/sshd_config.d/myconfig.conf
有人能帮我解决这个问题吗?
答案1
对于每个关键字,将使用第一个获得的值。
在您的文件中,有一个无条件PasswordAuthentication no提供第一个值。后面的PasswordAuthentications 无关紧要。
移至您已有的区块PasswordAuthentication no之后。注意Match你需要Match All表示前一个区块已经结束,然后PasswordAuthentication no。
PasswordAuthentication no#删除此行 匹配地址 192.168.1.2,192.168.1.10 密码验证 是 全部匹配 密码验证否