I have a FreeBSD VPS with 2 jails, each set up with ezjail (which I now know is basically deprecated, but I didn't know that at the time).
$ jls
JID IP Address Hostname Path
1 172.16.1.1 wwwserver /usr/jails/wwwserver
2 172.16.1.2 wwwgit /usr/jails/wwwgit
Both the host and the jails are running 12.2-RELEASE-p2.
I have key-based ssh login enabled in each jail as well as on the host. This works fine for the host and for wwwserver, but not for wwwgit. For that jail I get the following log:
debug1: Reading configuration data /Users/chris/.ssh/config
debug1: /Users/chris/.ssh/config line 3: Applying options for *
debug1: /Users/chris/.ssh/config line 22: Applying options for waitstaff_git
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug2: resolve_canonicalize: hostname {censored-ip-address} is address
debug2: ssh_connect_direct
debug1: Connecting to {censored-ip-address} [{censored-ip-address}] port 22.
debug1: Connection established.
debug1: identity file /Users/chris/.ssh/id_ed25519_chrisdeluca_git type 3
debug1: identity file /Users/chris/.ssh/id_ed25519_chrisdeluca_git-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9 FreeBSD-20200214
debug1: match: OpenSSH_7.9 FreeBSD-20200214 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to {censored-ip-address}:22 as 'git'
debug3: hostkeys_foreach: reading file "/Users/chris/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/chris/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys from {censored-ip-address}
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nhwOgcMl+Z+47Qu1VHAnjGnSbIdnjqMV60XQ9ilsCrI
debug3: hostkeys_foreach: reading file "/Users/chris/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/chris/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys from {censored-ip-address}
debug1: Host '{censored-ip-address}' is known and matches the ECDSA host key.
debug1: Found key in /Users/chris/.ssh/known_hosts:7
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/chris/.ssh/id_ed25519_chrisdeluca_git ED25519 SHA256:xUYB2rlHSwtkA515PXWHC3dN8XQkcG2dbXJg1SPikxM explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/chris/.ssh/id_ed25519_chrisdeluca_git ED25519 SHA256:xUYB2rlHSwtkA515PXWHC3dN8XQkcG2dbXJg1SPikxM explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password for git@waitstaff:
At first I thought it might be my permissions, but I can confirm that I have uploaded the public key to the git user's .ssh/authorized_keys file, and the permissions are correct:
drwx------ 2 git git 512 Dec 29 22:07 .ssh
-rw------- 1 git git 109 Dec 29 22:13 authorized_keys
The SSH config itself is almost identical between the host and the jails.
Host:
$ grep -E -v '^$|^#' /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin without-password
wwwserver:
$ sudo jexec wwwserver grep -E -v '^$|^#' /etc/ssh/sshd_config
Port 2222
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
git:
$ sudo jexec wwwgit grep -E -v '^$|^#' /etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/sftp-server
I also have a local ssh config file that might be helpful. Here are the relevant parts.
IdentitiesOnly yes
Host *
    AddKeysToAgent yes
    UseKeychain yes
...
# Freebsd host
Host waitstaff
    Hostname {censored-ip-address}
    Port 22
    IdentityFile ~/.ssh/id_ed25519_waitstaff
    User freebsd
# wwwserver jail
Host waitstaff_deploy
    Hostname {censored-ip-address}
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_waitstaff_deploy
    User chris
# wwwgit jail
Host waitstaff_git
    Hostname {censored-ip-address}
    IdentityFile ~/.ssh/id_ed25519_chrisdeluca_git
    User git
I don't know what's going wrong. Any help would be greatly appreciated. Thanks in advance!
Edit: in case it's relevant, I changed the home directory of the git user (the user I'm trying to log in as) to /git.
Answer 1
I'd suggest checking the OpenSSH version. I recently ran into an error like this after upgrading the client's OpenSSH version to 8.8. https://www.openssh.com/releasenotes.html
Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
Answer 2
This may be because the permissions on the home directory of the user you're trying to log in as are not accepted by the ssh server. Can you post those permissions?
If you want to keep the existing permissions, you can change sshd_config to include the following, which overrides the permission check:
StrictModes no
The explanation of StrictModes from man sshd_config:
StrictModes
Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is yes. Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.
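Rather than switching StrictModes off, it is safer to find the component sshd objects to. The script below is an added example (not from the question or either answer) that approximates the StrictModes check from the sshd_config text above: every path component from authorized_keys up to and including the home directory must be owned by the user (or root) and must not be group- or world-writable. Run inside the jail as `strictmodes_check git /git`; the `make_fixture` helper only builds a constructed throwaway home directory for trying it out.

```shell
#!/bin/sh
# Print "owner octalmode" for a path; tries GNU stat, then BSD/FreeBSD stat.
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_component USER PATH -> 0 if sshd would accept it, 1 otherwise
check_component() {
    _user=$1 _path=$2
    _om=$(owner_and_mode "$_path") || return 1
    set -- $_om
    _owner=$1 _mode=$2
    if [ "$_owner" != "$_user" ] && [ "$_owner" != root ]; then
        echo "bad ownership: $_path is owned by $_owner, not $_user" >&2
        return 1
    fi
    # 022 = group-write | other-write; either bit makes sshd reject the path.
    if [ $(( 0$_mode & 022 )) -ne 0 ]; then
        echo "bad mode: $_path is mode $_mode (group/world writable)" >&2
        return 1
    fi
}

# strictmodes_check USER HOME -> 0 if the whole chain passes, 1 otherwise
strictmodes_check() {
    _u=$1 _home=${2%/} _rc=0
    _p=$_home/.ssh/authorized_keys
    [ -f "$_p" ] || { echo "no authorized_keys at $_p" >&2; return 1; }
    while :; do
        check_component "$_u" "$_p" || _rc=1
        [ "$_p" = "$_home" ] && break
        [ "$_p" = / ] && break      # safety stop if HOME was outside the chain
        _p=$(dirname "$_p")
    done
    [ "$_rc" -eq 0 ] && echo "StrictModes checks pass for $_u ($_home)"
    return "$_rc"
}

# make_fixture SSH_MODE HOME_MODE -> prints a constructed temporary home dir
# (demo input only; real use points strictmodes_check at the user's home).
make_fixture() {
    _d=$(mktemp -d)/home
    mkdir -p "$_d/.ssh" && : > "$_d/.ssh/authorized_keys"
    chmod "$2" "$_d" && chmod "$1" "$_d/.ssh"
    chmod 600 "$_d/.ssh/authorized_keys"
    echo "$_d"
}
```

A failing component is reported on stderr, so the fix is to chown or chmod that one path rather than disabling the check for every user.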