我正在尝试使用 SSH 连接到本地网络上的服务器,并且希望能够以身份登录,storm但不能以身份登录root(出于明显的安全目的)。我将 .pub 密钥复制到.ssh/authorized_keys
有了这个 /etc/ssh/sshd_config :
PermitRootLogin no
[...]
Match Address 192.168.1.*,127.0.0.1
PermitRootLogin yes
我得到:
$ ssh root@ip
Enter passphrase for key 'PATH_OF_THE_KEY'
$ ssh storm@ip
Permission denied (publickey).
最后加上这一行新内容:
AllowUsers storm或者AllowUsers storm root
我得到:
$ ssh root@ip
Permission denied (publickey).
$ ssh storm@ip
Permission denied (publickey).
即使Match Address注释了阻止,它也会阻止我 root 和用户。有人能帮助我吗?
编辑:记录与 Storm 用户的每个失败连接
localhost sshd[698]: Invalid user storm from 192.168.1.11
localhost sshd[443]: input_userauth_request: invalid user storm [preauth]
localhost sshd[698]: Connection closed by 192.168.1.11 [preauth]
不允许使用密码:
PasswordAuthentication no
ssh -v root@ip并ssh -v storm@ip给出相同的输出AllowUsers storm:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.33 [192.168.1.33] port XXXX.
debug1: Connection established.
debug1: identity file /home/storm/.ssh/id_rsa type -1
debug1: identity file /home/storm/.ssh/id_rsa-cert type -1
debug1: identity file /home/storm/.ssh/id_dsa type -1
debug1: identity file /home/storm/.ssh/id_dsa-cert type -1
debug1: identity file /home/storm/.ssh/id_ecdsa type 3
debug1: identity file /home/storm/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/storm/.ssh/id_ed25519 type -1
debug1: identity file /home/storm/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1
debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA XX:XX:XX:XX:XX:XX:XX:XX
debug1: Host '[192.168.1.33]:XXXX' is known and matches the ECDSA host key.
debug1: Found key in /home/storm/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/storm/.ssh/id_rsa
debug1: Trying private key: /home/storm/.ssh/id_dsa
debug1: Offering ECDSA public key: /home/storm/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/storm/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
编辑2:
drwx------ 2 root root 4096 19 sept. 15:47 .ssh
-r-------- 1 root root 236 19 sept. 15:47 authorized_keys
编辑3:
工作中 !感谢布兰登泽维尔。我不明白每个用户(服务器端)都需要有自己的.ssh目录,这无疑是事后的逻辑。
但现在我可以以 Storm 身份登录(这就是我想要的),但不能再以直接 root 身份登录。
两者root都有storm其 .ssh 目录、authorized_keys文件,每个文件都有正确的所有者/权限和相同的公钥authorized_keys。 SSHD 配置文件始终与Match块一起。什么会阻止 root 访问?
答案1
.ssh它下面的所有内容都应该由用户拥有(在本例中为“storm”),并且只有用户应该拥有权限。chown -R storm ~storm/.ssh; chmod 700 ~storm/.ssh;chmod 600 ~storm/.ssh/authorized_keys应该可以解决问题。
如果你可以控制谁能够登录到控制台,你可以通过简单地禁用密码并只允许使用密钥登录 root 来摆脱Match块和指令:AllowUsers
PasswordAuthentication no
PermitRootLogin without-password
请务必在可以访问控制台的情况下进行测试。 。 。万一。
答案2
你的配置文件中的“PasswordAuthentication”怎么样?如果您修改了配置,请记住重新启动服务
一些链接:https://wiki.centos.org/HowTos/Network/SecuringSSH https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html
答案3
我也有同样的问题。检查后/etc/passwd我看到 myuser shell 配置设置为/bin:false
$ cat /etc/passwd
myuser:x:112:116::/media/sys:/bin/false
我必须纠正这个问题usermod myuser -s /bin/bash,之后我有:
$ cat /etc/passwd
myuser:x:112:116::/media/sys:/bin/bash
瞧,现在运行良好:)