远程主机拒绝 ssh 权限

远程主机拒绝 ssh 权限

当我使用密钥从我的机器(Arch Linux)通过 ssh 连接到远程机器(Fedora 服务器)时,它对一个用户(用户 1)有效,但对用户 2 无效。两个用户都使用相同的 ssh 密钥:用户 2 ssh 主文件夹中的密钥。(/home/user2/.ssh/id_rsa使用正确的模式)。

在远程主机上,两个用户都有一个包含相同文件的主目录~/.ssh/authorized_keys

编辑

根据要求,一些配置文件:

在远程主机上

/etc/ssh/sshd_config

Port XXXX
Allowusers user1 user2
PermitRootLogin without-password
#PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
#HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

$ journalctl -u sshd
Accepted publickey for user1 from XX.YY.XX.YY port XXXX ssh2: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4  <-- when connecting as user1
Connection closed by authenticating user user2 XX:YY:XX:YY port XXX [preauth]  <-- when connecting as user2

用户2(非工作)主目录:

ls -la /home/user2
drwx------. 2 user2 user  4.0K Jan 31 19:18 .ssh/
 ls -la /home/user2/.ssh
-rw-------. 1 user2 user2   393 Jan 31 18:12 authorized_keys

服务器上已启用 Selinux(Fedora 的默认设置)。请注意,当服务器是新建时,user1 是默认现有用户,而 user2 是我自己添加的。

用户1(工作)

ls -Za /home/user1
 unconfined_u:object_r:ssh_home_t:s0 .ssh/ 
ls -Za /home/user1/.ssh
 unconfined_u:object_r:ssh_home_t:s0 ./  unconfined_u:object_r:user_home_dir_t:s0 ../       unconfined_u:object_r:ssh_home_t:s0 authorized_keys

用户2(非工作)

ls -Za /home/user2 
unconfined_u:object_r:unlabeled_t:s0 .ssh/
ls -Za /home/user2/.ssh
unconfined_u:object_r:unlabeled_t:s0 ./  unconfined_u:object_r:user_home_dir_t:s0 ../      unconfined_u:object_r:unlabeled_t:s0 authorized_keys

差异:r:未标记对比r:ssh_home_

在本地盒子上

user2@hortensia ➤➤ ~ % ls -al .ssh
-rw-------   1 user2 user2  1.8K Jan 16 18:19 id_rsa
-rw-------   1 user2 user2   396 Jan 16 18:19 id_rsa.pub
user2@hortensia ➤➤ ~ % ls -al
drwx------    2 user2 user2  4.0K Feb  1 08:06  .ssh/

我不明白为什么 ssh 对用户 1 有效,而对用户 2 无效。在远程主机上,我停止了安全卫士iptables,但什么也没改变。sshd_配置非常基础,有一行允许用户使用 user1 和 user2 并允许使用密钥进行连接。在详细模式下运行 ssh 时,我可以看到 user1 或 user2 连接时消息的差异。

用户1

 $ ssh -vv -p XX [email protected]
 ....................
 debug1: Next authentication method: publickey
 debug1: Offering public key: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 /home/user2/.ssh/id_rsa
 debug2: we sent a publickey packet, wait for reply
 debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
 debug2:input_userauth_pk_ok:SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4                                                                                                                                                                                                                                                                    
 debug1: Authentication succeeded (publickey).
 Authenticated to XX.YY.XX.YY ([XX.YY.XX.YY]:XXXX).
 debug1: channel 0: new [client-session]
 debug2: channel 0: send open
 debug1: Requesting [email protected]
 debug1: Entering interactive session.
 debug1: pledge: network
 debug1: client_input_global_request: rtype [email protected] want_reply 0
 debug2: channel_input_open_confirmation: channel 0: callback start
 debug2: fd 3 setting TCP_NODELAY
 debug2: client_session2_setup: id 0
 debug2: channel 0: request pty-req confirm 1
 debug2: channel 0: request shell confirm 1
 debug2: channel_input_open_confirmation: channel 0: callback done
 debug2: channel 0: open confirm rwindow 0 rmax 32768
 debug2: channel_input_status_confirm: type 99 id 0
 debug2: PTY allocation request accepted on channel 0
 debug2: channel 0: rcvd adjust 2097152
 debug2: channel_input_status_confirm: type 99 id 0
 debug2: shell request accepted on channel 0
 Last login: Thu Feb  1 07:08:04 2018 from XX.YY.XX.YY
 [user1@dahlia ~]$

现在,当连接到用户2

$ ssh -vv -p XX [email protected]
...........
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 /home/user2/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

过了一天多的时间,我仍然无法修复此错误。感谢您的帮助/提示。

答案1

您的ls -l输出显示,除了正常权限之外,还设置了 selinux 上下文:

ls -la /home/user2/.ssh
-rw-------. 1 user2 user2   393 Jan 31 18:12 authorized_keys
          ^ this dot indicates additional selinux contextes

您的ls -Z输出显示目录和其中的文件的类型上下文.ssh设置为unlabeled_t

ls -Za /home/user2/.ssh
unconfined_u:object_r:unlabeled_t:s0 ./

必须设置此上下文ssh_home_t以便 sshd 可以使用它。

跑步

chcon -R -t ssh_home_t .ssh

在目录上递归设置上下文.ssh

相关内容