对于一个用户,我在尝试通过 SSH 连接到服务器时遇到错误。此用户的主目录位于 /opt,具有 .ssh 目录(权限:700)和包含公钥的 authorized_keys 文件。它与其他用户一起使用,这些用户的主目录位于 /home,使用我可以作为其他用户连接的相同 rsa 密钥。在 /var/log/secure 中我得到:
Apr 8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr 8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]
使用 ssh -vvv 最后几行是:
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
Authentication failed.
如果我使用相同的密钥以另一个用户身份连接到此服务器,则可以看到唯一的区别是主目录位于 /opt 而不是 /home。并且此用户的登录名中有一个下划线。您遇到过这种情况吗?
[编辑] 附加信息:
SELinux 已禁用
[root@myserver ~]# getenforce
Disabled
[myuser@myserver ~]$ ls -la /opt/myuser/
drwx------ 2 myuser myuser 80 Apr 8 14:46 .ssh
[myuser@myserver ~]# ls -l /opt/myuser/.ssh/authorized_keys
-rw------- 1 myuser myuser 1131 Apr 8 14:46 /opt/myuser/.ssh/authorized_keys
[root@myserver ~]# namei -l /opt/myuser/.ssh/authorized_keys
f: /opt/myuser/.ssh/authorized_keys
dr-xr-xr-x root root /
drwxr-xr-x root root opt
drwx------ myuser myuser myuser
drwx------ myuser myuser .ssh
-rw------- myuser myuser authorized_keys
[root@myserver ~]# grep -v ^# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
[root@myserver ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
LDAP 身份验证也已通过 sssd 启用。
答案1
假设已启用 LDAP 身份验证,但拒绝该特定用户的访问,则意味着该用户尚未被授予 LDAP 对该服务器的访问权限
/etc/sssd/sssd.conf
您可以检查允许的用户和允许群组然后将用户名添加为“allowed_users”的条目,或者添加到“allowed_groups”中提到的 LDAP 组中