我正在努力让 SSH 接受 AD 凭据。服务器详细信息
- CentOS 8
- 服务器已成功加入域
- Ran Realm 发现它返回了有关我们 AD 环境的正确信息
- 领域允许运行以允许特定用户
- SSH 配置文件已稍作修改。它主要只阻止 root 登录。
- 使用本地用户帐户通过 SSH 连接到服务器是可行的。
- 用户可以使用 id someuser 进行查找。我不需要附加 upn 后缀 (@ad.sample.com)。
行为
- 通过 SSH 登录时,它会提示输入用户名(提供 AD 用户名),然后提示输入密码(提供 AD 用户密码),提供密码后,SSH 会话立即终止。我可以看到通过 /var/log/secure 日志传入的请求,并且可以看到凭据正在被接受。一旦通过身份验证,会话就会立即关闭。我使用错误的用户凭据进行了测试,并且可以看到安全日志中报告了这一点,就像终端本身一样。
- 我还测试了尝试通过实际的服务器控制台登录,它最初似乎让我进入,然后立即引导我重新登录。
- SSH 调试中有趣的事情是 MOTD 是可见的。
- 当新用户尝试通过 SSH 登录时,会创建其主目录。
SSH 调试的部分输出
[email protected]'s password:
debug3: packet_send2: adding 48 (len 72 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to x.x.x.x ([x.x.x.x]:xx).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting
debug1: Entering interactive session.
debug1: client_input_global_request: rtype want_reply 0
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env HOSTNAME
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env HISTSIZE
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SSH_TTY
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env HISTCONTROL
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSOPEN
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Jun 9 some date from x.x.x.x
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
Connection to x.x.x.x closed.
Transferred: sent 2824, received 2420 bytes, in 0.1 seconds
Bytes per second: sent 24722.5, received 21185.7
debug1: Exit status 1
我们的 sssd.conf
[sssd]
domains = ad.sample.com
config_file_version = 2
services = nss, pam
[domain/ad.sample.com]
ad_domain = ad.sample.com
krb5_realm = AD.SAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
access_provider = simple
simple_allow_users = someuser
我已经检查了几篇关于设置此功能的帖子/博客,我认为我没有错过任何内容。我应该提到,我已尝试将 SSH 添加到 sssd.conf 文件的服务部分。这没有任何区别。
有谁知道我还可以检查什么?或者可能出了什么问题?
答案1
另一件要检查的事情是您的 access.conf 文件。您描述的某些行为可以通过设置来完成,以允许本地帐户但拒绝其他帐户,直到设置有效的组或用户。
答案2
我终于能够解决这个问题了。有一个主要问题:
- 我的 SSSD 配置缺少定义用户 shell 的值
我最初是通过以下帖子注意到这个问题的:SSH 调试中的错误突出显示
具体来说,SSH 调试中有以下行表明了问题
client_input_channel_req: channel 0 rtype exit-status reply 0
根据此链接,这表明无法为用户选择外壳。
我检查了我们的 AD,并填充了 loginShell 的属性,但系统似乎不接受这一点。我将以下行添加到我的 /etc/sssd/sssd.conf 文件中
override_shell = /bin/bash
shell_fallback = /bin/bash
添加这些后,我就能够使用 SSH 成功登录。
然后我遇到了另一个问题,即未创建用户主目录。有一个 AD 属性可以控制这一点,称为 unixHomeDirectory。我们不会为所有用户填充此内容,因此我还在 SSSD 配置中添加了主目录的覆盖。
override_homedir = /home/%u
SSSD 的最终配置如下所示:
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
override_shell = /bin/bash
shell_fallback = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
override_homedir = /home/%u
access_provider = simple
simple_allow_users = someuser