我正在尝试为一小部分主机设置基于主机的身份验证。我认为我已经做好了一切准备:
- 将公钥复制到
/etc/ssh/ssh_known_hosts文件 - 将所有主机放入
/etc/shosts.equiv - 已
HostbasedAuthentication启用/etc/ssh/sshd_config/etc/ssh/ssh_config - 设置二进制文件的 UIID ,并在客户端的文件中
/usr/lib64/ssh/ssh-keysign设置。EnableSSHKeysign yes/etc/ssh/ssh_config
但是,它仍然不起作用。在调试模式下运行服务器,我得到以下输出:
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.3.128.10.
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: parse_server_config: config reprocess config len 137
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for kamil
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 45
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "kamil"
debug1: PAM: setting PAM_RHOST to "foo.bar.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user kamil service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
debug2: stripping trailing dot from chost foo.bar.com.
debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
debug1: userauth-request for user kamil service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser kamil chost foo.bar.com. pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x58c400
debug2: userauth_hostbased: chost foo.bar.com. resolvedname foo.bar.com ipaddr 10.3.128.10
debug2: stripping trailing dot from chost foo.bar.com.
debug2: auth_rhosts2: clientuser kamil hostname foo.bar.com ipaddr 10.3.128.10
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1031/1028 (e=0/0)
debug1: restore_uid: 0/0
Failed hostbased for kamil from 10.3.128.10 port 55105 ssh2
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
debug1: userauth-request for user kamil service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
问题的关键似乎是这一行:
debug3: mm_answer_keyallowed: key 0x58c400 is disallowed
有想法吗?
答案1
您是否已EnableSSHKeysign在客户端启用此功能?这是我使基于主机的身份验证正常工作所需的另一部分。
答案2
好吧,这是我的重大失误。我创建了/etc/shosts.equiv而不是/etc/ssh/shosts.equiv(参见我的问题第 2 点)。它在我的其他一些系统上起作用的原因是它们还保留了/etc/hosts.equiv同事以前工作留下的文件。
当正确的文件位于正确的位置时,事情会变得更好。我花了一些时间strace在服务器上查找它从哪些文件中读取了什么,最后才找到答案。
答案3
您是否在 Debian 上使用旧的主机密钥?openssh-blacklist 软件包可能会阻止使用受以下因素影响的密钥:臭名昭著的 SSL 漏洞。
如果是这种情况,请重新生成您的主机密钥。