LXC 容器上的 FreeIPA 客户端 sshd 访问被拒绝

LXC 容器上的 FreeIPA 客户端 sshd 访问被拒绝

在 Proxmox 4.4 上,我安装了带有 FreeIPA 服务器的 Centos 7 VM:

ipa-server-install --idstart 10000 --setup-dns

我可以使用 IPA 用户并登录 Proxmox 上的其他虚拟机,但是当我尝试对 Centos 7 LXC 容器执行相同操作时出现错误:

May  6 13:15:50 aaaaaa sshd[424]: Authorized to user, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
May  6 13:15:50 aaaaaa sshd[424]: pam_sss(sshd:account): Access denied for user user: 4 (System error)
May  6 13:15:50 aaaaaa sshd[424]: fatal: Access denied for user user by PAM account configuration [preauth]

但:

[root@aaaaaa ~]# su - user
Creating home directory for user.
[user@aaaaaa ~]$

并且现在该服务器上有这样的用户/etc/passwd,所以它来自IPA。

[user@aaaaaa ~]$ id
uid=10001(user) gid=10000(admins) groups=10000(admins)
[user@aaaaaa ~]$ getent passwd user
user:*:10001:10000:Name Surename:/home/user:/bin/bash

另外,将该容器注册到 FreeIPA 服务器后,我无法以 root 用户身份登录该容器。

[root@aaaaaa ~]# kinit admin
Password for [email protected]:
[root@aaaaaa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_rirBgUU
Default principal: [email protected]

Valid starting       Expires              Service principal
05/06/2017 14:56:21  05/07/2017 14:56:19  krbtgt/[email protected]

因此,kerberos 可以工作,但我遇到的唯一问题是 ssh。我在 Proxmox 上进行了更改,/etc/subgid并且/etc/subuid(按照建议这里) 来获取更多 ID,但这是无奈之举。我的 IPA ID 范围不是很高,从 10000 开始,我可以su - user这样做,但事实并非如此。

我认为我检查了所有内容,包括删除 sssd db,但它并没有改变任何东西。

这是我的sssd.conf

[domain/homelab.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = homelab.local
id_provider = ipa
auth_provider = ipa
access_provider = permit
ipa_hostname = aaaaaa.homelab.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa.homelab.local
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = homelab.local
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

和我的system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

我的sshd_config文件:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation sandbox          # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

下面是我可以通过 ssh 连接到 LXC 容器的输出:

 ssh -vvv user@aaaaaa
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 aaaaaa
debug1: permanently_drop_suid: 10001
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 6 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6
debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8
debug3: load_hostkeys: loaded 4 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 4f:71:72:5c:46:e5:58:3b:cf:17:75:c9:52:35:38:e9
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6
debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8
debug3: load_hostkeys: loaded 4 keys
debug1: Host 'aaaaaa' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/id_rsa ((nil)),
debug2: key: /home/user/.ssh/id_dsa ((nil)),
debug2: key: /home/user/.ssh/id_ecdsa ((nil)),
debug2: key: /home/user/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by UNKNOWN

当然,服务器user不是我使用的真正登录名。

还有什么建议可以参考吗?我为此苦苦挣扎了好几天,却找不到任何解决办法。我希望这里有人能帮助我。

更新:

我犯了一个错误,写到我无法以 root 用户身份登录。我可以。但仍然无法以 IPA 的其他用户身份通过​​ ssh 登录。此外,当我无法以su - usersudo用户身份登录时,但在其他虚拟机上,来自 IPA 的该用户可以通过 运行任何命令sudo

更新2: 当我执行时,我在容器上发现它kinit user,然后klist我得到:

Ticket cache: KEYRING:persistent:0:0

但在 VM 上也是一样:

Ticket cache: KEYRING:persistent:10001:krb_ccache_K1JScvu

答案1

su - user通常可以避免实际身份验证,因为第一行/etc/pam.d/su包含auth sufficient pam_rootok.so短路根身份验证。因此 SSSD 根本不参与。

不要在容器内使用密钥环 ccache 存储,因为密钥环没有命名空间。default_ccache_name = KEYRING:persistent:%{uid}/etc/krb5.conf容器中删除。libkrb5 将默认使用FILE:...ccache /tmp

最后,当 SSSD 报告“系统错误”时,您应该使用故障排除指南将域部分的调试级别提高到 9,并分析容器中的日志。请参阅https://web.archive.org/web/20170102152322/https://fedorahosted.org/sssd/wiki/Troubleshooting了解详情。SSSD 项目最近已迁移至pagure.ioFedora Hosted 基础设施退役后,尚未重新生成其文档,因此链接到回溯机。

答案2

我认为我部分解决了这个问题。在@abbra 评论之后,我开始检查/var/log/sssd/文件夹中的所有日志,当我检查时selinux_child.log发现:

(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [unpack_buffer] (0x2000): username: user
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0400): performing selinux operations
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [get_seuser] (0x0020): Cannot create SELinux handle
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [set_seuser] (0x0020): Cannot init SELinux management
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): Cannot set SELinux login context.
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): selinux_child failed!

首先,我完全禁用了 Selinux,但这并不能解决我的问题。之后,在部分/etc/sssd/sssd.confdomain我输入了:selinux_provider=none。重新启动容器后,我可以通过 ssh 以 IPA 用户身份登录,也可以使用 sudo。我没有说明如何使用 SeLinux 并通过 ssh 登录容器,但目前我认为对我来说没问题。

更新:

krb5.conf也禁用了钥匙圈。

相关内容