使用 ssh tectia 进行无密码 root 登录因策略被拒绝

tag-icon tag-icon ssh root
使用 ssh tectia 进行无密码 root 登录因策略被拒绝

我需要使用 ssh tectia 设置无密码 root 访问权限。我已完成以下操作:

  • 像往常一样通过 ssh-keygen 创建密钥对
  • 将私钥复制到*source_host*:/etc/opt/SSHtectia/keys/root。我还在那里创建了文件/etc/opt/SSHtectia/keys/root/identification并指定了私钥。
  • 将公钥复制到*target_host*:/etc/opt/SSHtectia/keys/root。我还在那里创建了文件/etc/opt/SSHtectia/keys/root/authorization并指定了公钥。

当尝试登录时,我看到密钥已被接受,但登录被拒绝

    Feb 25 11:52:42 targethost ssh-server-g3: 400 Connect, Policy name: connection, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 1002 Algorithm_negotiation_success, "kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ssh-rsa, cipher=aes128-cbc/aes128-cbc, mac=hmac-sha1/hmac-sha1, compression=none/none", Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 703 Auth_methods_available, Username: root, Auth methods: publickey, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 707 Publickey_auth_success, Username: root, Algorithm: publickey, "The user's public key matched the key (/etc/opt/SSHtectia/keys/root/authorized_11.pub, fingerprint xozel-pezer-sacok-vunud-horim-ropuc-milaf-nobip-setuc-zedar-boxex/bd7afcbc846e24252f8b29181f3940ac771f49b0) in the user's authorization file (/etc/opt/SSHtectia/keys/root/authorization)", Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 700 Auth_method_success, Username: root, Auth method: publickey, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 702 Auth_methods_completed, Username: root, Auth methods: publickey, Src IP: x.x.7.131, Src Port: 38158, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135 
    Feb 25 11:52:42 targethost ssh-server-g3: 410 Login_success, Username: root, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 420 Session_channel_open, Username: root, Error: Denied by policy, Command: shell, Sub ID: 0, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 421 Session_channel_close, Username: root, Sub ID: 0, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 412 Logout, Username: root, Reason: By application, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, "Connection discarded by broker, Remote Disconnect", Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 402 Disconnect, Reason: By application, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, "Connection discarded by broker, Remote Disconnect", Session-Id: 288135

ssh-broker-config.xml

ssh-服务器配置.xml

非root无密码登录工作正常。

答案1

从您收到的错误中:

Feb 25 11:52:42 targethost ssh-server-g3: 410 Login_success, Username: root, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135
Feb 25 11:52:42 targethost ssh-server-g3: 420 Session_channel_open, Username: root, Error: Denied by policy, Command: shell, Sub ID: 0, Session-Id: 288135

看起来身份验证有效,但是用户被拒绝 shell 或终端访问。

这是因为在管理员规则组中您有:terminal action="deny"

您需要将其更改terminal action为“允许”in the ssh-server-config.xml for规则组=“管理员”。

<rule group="admins" idle-timeout="0" print-motd="no">
      <environment allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*" />
      <terminal action="allow" />
      <subsystem type="sftp" action="allow" application="sft-server-g3" />
      <command action="allow" />
      <tunnel-agent action="deny" />
      <tunnel-x11 action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

正如所提到的ssh-server-config.xml 中的配置设置,当终端访问被拒绝时,用户将无法访问命令 shell。

限制终端访问

您可以限制终端访问,以便仅允许管理员组中的用户访问。要禁止其他所有人访问终端,请在 ssh-server-config.xml 文件中的服务块中进行以下设置:

<rule group="admin">
      <terminal action="allow" />
    ...
    </rule>

    <rule group="SFTP-users">
      <terminal action="deny" />
    ...
    </rule>

    <rule>
      <terminal action="deny" />
    ...
    </rule>

此设置还拒绝 X11 和代理转发,以及shell 命令 对于指定的组(除非某些命令被明确允许)。

用户将能够使用 SFTP 和 SSH Tectia 服务器配置中定义的其他子系统。任何其他“exec”和“shell”请求都将被拒绝。这包括使用公钥的强制命令和作为强制命令执行时更改的传统式密码。

相关内容