远程主机拒绝 ssh 权限

当我使用密钥从我的机器（Arch Linux）通过 ssh 连接到远程机器（Fedora 服务器）时，它对一个用户（用户 1）有效，但对用户 2 无效。两个用户都使用相同的 ssh 密钥：用户 2 ssh 主文件夹中的密钥。（/home/user2/.ssh/id_rsa使用正确的模式）。

在远程主机上，两个用户都有一个包含相同文件的主目录~/.ssh/authorized_keys。

编辑

根据要求，一些配置文件：

在远程主机上：

/etc/ssh/sshd_config

Port XXXX
Allowusers user1 user2
PermitRootLogin without-password
#PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
#HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

$ journalctl -u sshd
Accepted publickey for user1 from XX.YY.XX.YY port XXXX ssh2: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4  <-- when connecting as user1
Connection closed by authenticating user user2 XX:YY:XX:YY port XXX [preauth]  <-- when connecting as user2

用户2（非工作）主目录：

ls -la /home/user2
drwx------. 2 user2 user  4.0K Jan 31 19:18 .ssh/
 ls -la /home/user2/.ssh
-rw-------. 1 user2 user2   393 Jan 31 18:12 authorized_keys

服务器上已启用 Selinux（Fedora 的默认设置）。请注意，当服务器是新建时，user1 是默认现有用户，而 user2 是我自己添加的。

用户1（工作）

ls -Za /home/user1
 unconfined_u:object_r:ssh_home_t:s0 .ssh/ 
ls -Za /home/user1/.ssh
 unconfined_u:object_r:ssh_home_t:s0 ./  unconfined_u:object_r:user_home_dir_t:s0 ../       unconfined_u:object_r:ssh_home_t:s0 authorized_keys

用户2（非工作）

ls -Za /home/user2 
unconfined_u:object_r:unlabeled_t:s0 .ssh/
ls -Za /home/user2/.ssh
unconfined_u:object_r:unlabeled_t:s0 ./  unconfined_u:object_r:user_home_dir_t:s0 ../      unconfined_u:object_r:unlabeled_t:s0 authorized_keys

差异：r:未标记对比r:ssh_home_

在本地盒子上：

user2@hortensia ➤➤ ~ % ls -al .ssh
-rw-------   1 user2 user2  1.8K Jan 16 18:19 id_rsa
-rw-------   1 user2 user2   396 Jan 16 18:19 id_rsa.pub
user2@hortensia ➤➤ ~ % ls -al
drwx------    2 user2 user2  4.0K Feb  1 08:06  .ssh/

我不明白为什么 ssh 对用户 1 有效，而对用户 2 无效。在远程主机上，我停止了安全卫士和iptables，但什么也没改变。sshd_配置非常基础，有一行允许用户使用 user1 和 user2 并允许使用密钥进行连接。在详细模式下运行 ssh 时，我可以看到 user1 或 user2 连接时消息的差异。

用户1

 $ ssh -vv -p XX [email protected]
 ....................
 debug1: Next authentication method: publickey
 debug1: Offering public key: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 /home/user2/.ssh/id_rsa
 debug2: we sent a publickey packet, wait for reply
 debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
 debug2:input_userauth_pk_ok:SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4                                                                                                                                                                                                                                                                    
 debug1: Authentication succeeded (publickey).
 Authenticated to XX.YY.XX.YY ([XX.YY.XX.YY]:XXXX).
 debug1: channel 0: new [client-session]
 debug2: channel 0: send open
 debug1: Requesting [email protected]
 debug1: Entering interactive session.
 debug1: pledge: network
 debug1: client_input_global_request: rtype [email protected] want_reply 0
 debug2: channel_input_open_confirmation: channel 0: callback start
 debug2: fd 3 setting TCP_NODELAY
 debug2: client_session2_setup: id 0
 debug2: channel 0: request pty-req confirm 1
 debug2: channel 0: request shell confirm 1
 debug2: channel_input_open_confirmation: channel 0: callback done
 debug2: channel 0: open confirm rwindow 0 rmax 32768
 debug2: channel_input_status_confirm: type 99 id 0
 debug2: PTY allocation request accepted on channel 0
 debug2: channel 0: rcvd adjust 2097152
 debug2: channel_input_status_confirm: type 99 id 0
 debug2: shell request accepted on channel 0
 Last login: Thu Feb  1 07:08:04 2018 from XX.YY.XX.YY
 [user1@dahlia ~]$

现在，当连接到用户2

$ ssh -vv -p XX [email protected]
...........
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:WT722lmf2CkXC8T6hGScDl+wZW71Ls3/U2W8FHh+vK4 /home/user2/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

过了一天多的时间，我仍然无法修复此错误。感谢您的帮助/提示。