我正在尝试使用 sshd 设置 Centos 7 机器网络,以根据 AWS 简单目录服务目录验证公钥。
目前,我有一堆 Centos 主机、一个 Windows Server 2008 实例和一个使用 Amazon Web Service (AWS) 简单目录服务的目录。Windows 框用于管理目录,Centos 框使用该目录来验证 SSH 会话。所有机器都已加入目录。
我已经验证我能够以本地用户和域用户的身份通过 SSH 进入 Centos 系统,并且使用简单的密码验证。同样,我能够以本地和域帐户的身份通过 RDP 进入 Windows 系统,并且使用简单的密码验证。
sshPublicKey
然而,可以说,AWS 在我的目录中设置的模式不包含任何带有开箱即用字段的类。
因此,我使用 Windows 上的 Active Directory 架构管理单元将以下属性添加到我的架构中:
Common Name: sshPublicKey
OOID: 1.3.6.1.4.1.24552.1.1.1.13
Syntax: IA5-String
Multi-valued: true
然后我创建了以下类:
Common Name: LDAP Public Key
OOID: 1.3.6.1.4.1.24552.500.1.1.2.0
Parent Class: top
Class Type: Auxiliary
Optional Attributes: sshPublicKey
然后,我使用 ADSI Snap-in 将用户公钥的内容添加到sshPublicKey
目录中其条目的字段中。
PasswordAuthentication no
在我的其中一台 Centos 机器上,我通过设置sshd 的配置文件禁用了密码验证。
然后,我尝试使用具有以下属性集的目录用户通过 ssh 进入该 Centos 框sshPublicKey
:
$ ssh -l [email protected] -i ~/.ssh/path.to.key.pub centos.box -vvv;
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/localuser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to centos.box [ip addy] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "~/.ssh/path.to.key.pub" as a RSA1 public key
debug1: identity file ~/.ssh/path.to.key.pub type 1
debug1: identity file ~/.ssh/path.to.key.pub type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLineNumber
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: found [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 116/256
debug2: bits set: 535/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA blah
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLine
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'centos.box' is known and matches the RSA host key.
debug1: Found key in /Users/localuser/.ssh/known_hosts:27
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/localuser/.ssh/path.to.key.pub (0x7fb3cb600000), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/localuser/.ssh/path.to.key.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
$
在 Centos 盒子上,我们得到:
$ sudo journalctl -felu sshd
....
Some Date centos.box sshd[a number]: Connection closed by 1.2.3.4 [preauth]
私钥的权限为600
;公钥的权限为644
我不确定如何检查目录服务主机上的服务器日志。
知道我做错了什么吗?
答案1
为了确保sshd
进行sssd
公钥认证,请在sshd
主机上执行以下操作:
将以下行添加到文件
[sssd]
的部分/etc/sssd/sssd.conf
:services = ssh, [ all the other services already listed there as well ]
这告诉sssd
它应该与 对话sshd
。
如果那里还没有部分,请添加文件的
[ssh]
空白部分:[ssh]
/etc/sssd/sssd.conf
[ssh]
这是所有对话服务必需的配置部分sssd
。
将以下行添加到文件
[domain/directory.server]
的部分/etc/sssd/sssd.conf
,其中directory.server
是目录服务主机的完全限定域名:ldap_user_ssh_public_key = sshPublicKey
这告诉您sssd
使用哪个属性来查找sshd
用户的公共 SSH 密钥。(使用的默认属性sssd
是ipaSshPubKey
,可以在ipaSshUser
和ipaSshHost
类的模式中找到。)
将以下行添加到您的
/etc/sshd/sshd_config
文件:AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody
这告诉以用户sshd
身份执行文件。 为尝试验证主机身份的用户获取授权密钥。/usr/bin/sss_ssh_authorizedkeys
nobody
/usr/bin/sss_ssh_authorizedkeys
sshd
将以下行添加到您的
/etc/sshd/ssh_config
文件:GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
这告诉sssd
将客户端的名称和公钥添加到/var/lib/sss/pubconf/known_hosts
并连接到客户端,使用可执行文件通过标准 I/O 管道传输所有通信/usr/bin/sss_ssh_knownhostsproxy
。
重新启动两个服务:
$ sudo systemctl reload sshd; $ sudo systemctl restart sshd; $ sudo systemctl restart sssd;