Configure SSH to reject all authentication immediately but keep listening

I am trying to configure an SSH server so that it only allows a specific user access from a specific IP address. I have configured it as follows:

PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Match User ubuntu Address 192.168.0.58
    PubkeyAuthentication yes

I also deliberately removed the line in /etc/ssh/* that pulls in any other configuration from other folders, and emptied all the other configuration directories.

Expected behaviour: a client trying to connect from an IP not listed in the Match statement fails automatically, with no authentication method supported, since all of them are set to "no".

Actual behaviour: when connecting from an IP outside the Match statement, the client is still prompted for a password. Whether or not this password is correct, the user cannot get in. Using the correct SSH key does not get in either.

Edit: additional information:

  • Ubuntu OpenSSH_8.9p1
  • SSH client log
ssh ubuntu@192.168.0.58 -v
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to 192.168.0.58 [192.168.0.58] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\whs05/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\whs05/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.58:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7dEDHYt6C/gtbmNlBE3xp8YqvKIcP3b5Nz7JM9MzrWw
debug1: Host '192.168.0.58' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\whs05/.ssh/known_hosts:7
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\whs05/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\whs05/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\whs05/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\whs05/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\whs05/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected] (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\whs05/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\whs05/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\whs05/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\whs05/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\whs05/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
ubuntu@192.168.0.58's password:
debug1: Authentications that can continue:
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such file or directory
ubuntu@192.168.0.58's password:
debug1: Authentications that can continue:
  • Output of sudo sshd -T
port 22
addressfamily inet
listenaddress 0.0.0.0:22
usepam no
logingracetime 120
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin no
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication no
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes
gssapikeyexchange no
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
passwordauthentication no
kbdinteractiveauthentication no
printmotd no
printlastlog yes
x11forwarding yes
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
compression yes
gatewayports no
usedns no
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /run/sshd.pid
modulifile /etc/ssh/moduli
xauthlocation /usr/bin/xauth
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
banner none
forcecommand none
chrootdirectory none
trustedusercakeys none
revokedkeys none
securitykeyprovider internal
authorizedprincipalsfile none
versionaddendum none
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
hostbasedacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
loglevel DEBUG
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
acceptenv LANG
acceptenv LC_*
authenticationmethods any
subsystem sftp /usr/lib/openssh/sftp-server
maxstartups 10:30:100
persourcemaxstartups none
persourcenetblocksize 32:128
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no
pubkeyauthoptions none
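An added check, not part of the original question: `sudo sshd -T` on its own prints the effective configuration of the global section only, so it cannot show what the Match block does. `sshd -T -C user=...,addr=...` applies the Match directives for that connection first. The script below parses two such dumps and reports which userauth methods the server would advertise in each case; the dumps embedded here are constructed samples trimmed to the authentication keywords of the post's configuration, and the keyword-to-method mapping is a simplification.

```python
# Constructed sample: the authentication keywords from the post's
# `sudo sshd -T` output (global section, no Match block applied).
GLOBAL_DUMP = """\
usepam no
hostbasedauthentication no
pubkeyauthentication no
gssapiauthentication no
passwordauthentication no
kbdinteractiveauthentication no
authenticationmethods any
"""
# Constructed sample of what `sshd -T -C user=ubuntu,addr=192.168.0.58`
# is expected to print: the Match block applies, so pubkey flips to yes.
MATCH_DUMP = GLOBAL_DUMP.replace("pubkeyauthentication no",
                                 "pubkeyauthentication yes")
# sshd keyword -> method name the server advertises to the client in
# "Authentications that can continue". Simplified: ignores the
# UsePAM / keyboard-interactive coupling.
METHOD_KEYWORDS = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
    "kbdinteractiveauthentication": "keyboard-interactive",
    "hostbasedauthentication": "hostbased",
    "gssapiauthentication": "gssapi-with-mic",
}
def parse_sshd_dump(text):
    """Parse `sshd -T` output into {keyword: [values]}; keywords such as
    hostkey or acceptenv repeat, so every keyword maps to a list."""
    config = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            config.setdefault(key.lower(), []).append(value.strip())
    return config
def offered_methods(config):
    """Userauth methods the effective config leaves enabled."""
    return [method for keyword, method in METHOD_KEYWORDS.items()
            if config.get(keyword, ["no"])[0] == "yes"]
def compare_dumps(global_text, match_text):
    """(methods for unmatched clients, methods for matched connection, changed keywords)."""
    g, m = parse_sshd_dump(global_text), parse_sshd_dump(match_text)
    changed = sorted(k for k in g.keys() | m.keys() if g.get(k) != m.get(k))
    return offered_methods(g), offered_methods(m), changed
if __name__ == "__main__":
    # On the real server, replace the samples with:
    #   sudo sshd -T > global.txt
    #   sudo sshd -T -C user=ubuntu,addr=192.168.0.58 > match.txt
    before, after, changed = compare_dumps(GLOBAL_DUMP, MATCH_DUMP)
    print("unmatched clients:", before or "no methods offered")
    print("ubuntu@192.168.0.58:", after, "changed:", changed)
```

An empty list for unmatched clients is the server side of what the client log shows: "Authentications that can continue:" with nothing after it, so the password prompt comes from the client trying its own preferred methods, and the server rejects them all.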
