当我使用密钥从我的机器(Arch Linux)通过 ssh 连接到远程机器(Fedora 服务器)时,它对一个用户(用户 1)有效,但对用户 2 无效。两个用户都使用相同的 ssh 密钥:用户 2 ssh 主文件夹中的密钥。(/home/user2/.ssh/id_rsa
使用正确的模式)。
在远程主机上,两个用户都有一个包含相同文件的主目录~/.ssh/authorized_keys
。
编辑
根据要求,一些配置文件:
在远程主机上:
/etc/ssh/sshd_config
Port XXXX
Allowusers user1 user2
PermitRootLogin without-password
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
$ journalctl -u sshd
Accepted publickey for user1 from XX.YY.XX.YY port XXXX ssh2: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 <-- when connecting as user1
Connection closed by authenticating user user2 XX:YY:XX:YY port XXX [preauth] <-- when connecting as user2
用户2(非工作)主目录:
ls -la /home/user2
drwx------. 2 user2 user 4.0K Jan 31 19:18 .ssh/
ls -la /home/user2/.ssh
-rw-------. 1 user2 user2 393 Jan 31 18:12 authorized_keys
服务器上已启用 Selinux(Fedora 的默认设置)。请注意,当服务器是新建时,user1 是默认现有用户,而 user2 是我自己添加的。
用户1(工作)
ls -Za /home/user1
unconfined_u:object_r:ssh_home_t:s0 .ssh/
ls -Za /home/user1/.ssh
unconfined_u:object_r:ssh_home_t:s0 ./ unconfined_u:object_r:user_home_dir_t:s0 ../ unconfined_u:object_r:ssh_home_t:s0 authorized_keys
用户2(非工作)
ls -Za /home/user2
unconfined_u:object_r:unlabeled_t:s0 .ssh/
ls -Za /home/user2/.ssh
unconfined_u:object_r:unlabeled_t:s0 ./ unconfined_u:object_r:user_home_dir_t:s0 ../ unconfined_u:object_r:unlabeled_t:s0 authorized_keys
差异:r:未标记对比r:ssh_home_
在本地盒子上:
user2@hortensia ➤➤ ~ % ls -al .ssh
-rw------- 1 user2 user2 1.8K Jan 16 18:19 id_rsa
-rw------- 1 user2 user2 396 Jan 16 18:19 id_rsa.pub
user2@hortensia ➤➤ ~ % ls -al
drwx------ 2 user2 user2 4.0K Feb 1 08:06 .ssh/
我不明白为什么 ssh 对用户 1 有效,而对用户 2 无效。在远程主机上,我停止了安全卫士和iptables,但什么也没改变。sshd_配置非常基础,有一行允许用户使用 user1 和 user2 并允许使用密钥进行连接。在详细模式下运行 ssh 时,我可以看到 user1 或 user2 连接时消息的差异。
用户1
$ ssh -vv -p XX [email protected]
....................
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 /home/user2/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2:input_userauth_pk_ok:SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4
debug1: Authentication succeeded (publickey).
Authenticated to XX.YY.XX.YY ([XX.YY.XX.YY]:XXXX).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Feb 1 07:08:04 2018 from XX.YY.XX.YY
[user1@dahlia ~]$
现在,当连接到用户2
$ ssh -vv -p XX [email protected]
...........
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 /home/user2/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
过了一天多的时间,我仍然无法修复此错误。感谢您的帮助/提示。
答案1
您的ls -l
输出显示,除了正常权限之外,还设置了 selinux 上下文:
ls -la /home/user2/.ssh
-rw-------. 1 user2 user2 393 Jan 31 18:12 authorized_keys
^ this dot indicates additional selinux contextes
您的ls -Z
输出显示目录和其中的文件的类型上下文.ssh
设置为unlabeled_t
:
ls -Za /home/user2/.ssh
unconfined_u:object_r:unlabeled_t:s0 ./
必须设置此上下文ssh_home_t
以便 sshd 可以使用它。
跑步
chcon -R -t ssh_home_t .ssh
在目录上递归设置上下文.ssh
。