SELinux - 脚本将 SSH 密钥上传到远程服务器但无法通过 SSH 连接

SELinux - 脚本将 SSH 密钥上传到远程服务器但无法通过 SSH 连接

我编写了这个脚本,它现在在未安装 SElinux 的系统上完美运行。

echo Enter server IP:
read server
scp /home/Zenoss/.ssh/authorized_keys random@$server:/home/random
sshpass -p randompassword  ssh -t  random@$server sudo -i 'useradd zenoss; sudo mkdir /home/zenoss/.ssh; sudo mv /home/random/authorized_keys /home/zenoss/.ssh/;
sudo chmod 700 /home/zenoss/.ssh;
sudo chmod 600 /home/zenoss/.ssh/authorized_keys;
sudo chown -R zenoss /home/zenoss/.ssh;
sudo chgrp -R zenoss /home/zenoss/.ssh;
exit'

因此,在没有 SELinux 的服务器上,脚本可以运行,然后 Zenoss 可以通过 SSH 登录到远程服务器并开始监控。但是在启用了 SELinux 的系统上,脚本可以运行,但 Zenoss 无法通过 SSH 连接到远程服务器,调试信息显示它没有看到已成功设置的 authorized_keys 文件。

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to ***** port 22.
debug1: Connection established.
debug1: identity file /home/zenoss/.ssh/id_rsa type 1
debug1: identity file /home/zenoss/.ssh/id_rsa-cert type -1
debug1: identity file /home/zenoss/.ssh/id_dsa type 2
debug1: identity file /home/zenoss/.ssh/id_dsa-cert type -1
debug1: identity file /home/zenoss/.ssh/id_ecdsa type -1
debug1: identity file /home/zenoss/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/zenoss/.ssh/id_ed25519 type -1
debug1: identity file /home/zenoss/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ***************
The authenticity of host '******' can't be established.
ECDSA key fingerprint is **************************
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '*******' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/zenoss/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /home/zenoss/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/zenoss/.ssh/id_ecdsa
debug1: Trying private key: /home/zenoss/.ssh/id_ed25519
debug1: Next authentication method: password
zenoss@****s password: 

有谁知道是什么原因造成的,以及我该如何解决它,禁用 SELinux 不是一个选择。

韩国

答案1

很可能是文件的上下文.ssh.ssh/authorized_keys误。请执行sudo restorecon -R -v /home/zenoss/.ssh并重试。

相关内容