SSH CA signed keys not working on some hosts

I have tried to set up CA-signed ssh user keys.

My setup works fine on most clients, but some clients seem to have a problem: key authentication fails and I am prompted for a password.

When I try to connect as the sftp user (one of the principals in the ssh key), the following shows up in the server ssh log

Failed publickey for sftp from 192.168.99.13 port 55830 ssh2: RSA-CERT SHA256:yYgNW3M5txAtXjj6jXnBVf6vI4NUnoNvfWPPtS4pewU ID debby (serial 0) CA RSA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI

Both the user key hash and the CA signing key hash appear to be correct. This works without problems on several other clients, including:

  • Arch Linux OpenSSH_9.3p2, OpenSSL 3.1.1 30 May 2023
  • Fedora Linux OpenSSH_8.8p1, OpenSSL 3.0.9 30 May 2023

The problematic clients are:

  • Debian OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
  • Ubuntu OpenSSH_9.0p1 Ubuntu-1ubuntu7.3, OpenSSL 3.0.5 5 Jul 2022

With the Debian client I even tried copying its ~/.ssh folder to my local machine to verify that it is correctly signed.

The connection succeeded. This is the only difference in the server ssh log:

debug1: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "debby" (serial 0) signed by RSA CA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI via /etc/ssh/ca_user_key.pub

I have made sure that the permissions and ownership of the ~/.ssh directory are the same.

Has anyone run into a similar problem, or does anyone have more troubleshooting tips?

Edit: this is the relevant part of the DEBUG3 log

debug1: trying public key file /home/sftp/.ssh/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug2: /home/sftp/.ssh/authorized_keys:1: check options: '@cert-authority *.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W+CXkdkhkgCEWHTekY/QF9To4Ls0UMukW0VURcnER465QoUbOFzsZ6wZ1TkxNv32M9kgrUaCOZayyylYr1asLKgGx8KQayCoTgay06b5NLG6kFw7+zE/uk7lS5AXPS2tdzO9qxb7agtGcr9nyrUqyqA0ux+Kox03RlciazXS2b0BLzDYfIAvKcCk2peaQsogh0JIZxXNF8eVJZ9LGKh6XbQqxw1uwjizlMCXwzVwL1Qo/sTsDbo67lrIdH5mjX2HapCFbMz31BTX0IjJ+qqpBwDS2ydH4zpyOmHmIqn3kOh1DgCfZFtXSYzCKERKx5R5n5KtJShvjh7w7LBuD7VDB8u85Us7OpUUM7Ie+JbAPlxfGJ0I
debug2: /home/sftp/.ssh/authorized_keys:1: advance: '*.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W+CXkdkhkgCEWHTekY/QF9To4Ls0UMukW0VURcnER465QoUbOFzsZ6wZ1TkxNv32M9kgrUaCOZayyylYr1asLKgGx8KQayCoTgay06b5NLG6kFw7+zE/uk7lS5AXPS2tdzO9qxb7agtGcr9nyrUqyqA0ux+Kox03RlciazXS2b0BLzDYfIAvKcCk2peaQsogh0JIZxXNF8eVJZ9LGKh6XbQqxw1uwjizlMCXwzVwL1Qo/sTsDbo67lrIdH5mjX2HapCFbMz31BTX0IjJ+qqpBwDS2ydH4zpyOmHmIqn3kOh1DgCfZFtXSYzCKERKx5R5n5KtJShvjh7w7LBuD7VDB8u85Us7OpUUM7Ie+JbAPlxfGJ0IkBMuS6yAY2WOOTntDNEP65
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1004/1004 (e=0/0)
debug1: trying public key file /home/sftp/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/sftp/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: RSA-CERT key is not allowed
Failed publickey for sftp from 192.168.99.13 port 58972 ssh2: RSA-CERT SHA256:yYgNW3M5txAtXjj6jXnBVf6vI4NUnoNvfWPPtS4pewU ID debby (serial 0) CA RSA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg [email protected] [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 0.757ms, delaying 6.094ms (requested 6.850ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug3: send packet: type 51 [preauth]

The problem seems to be this

mm_answer_keyallowed: publickey authentication test: RSA-CERT key is not allowed
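For anyone working through the same failure, the following is an added example, not part of the original question: a small Python decoder for the public half of an OpenSSH RSA user certificate (the `id_rsa-cert.pub` file the client presents). It reports the fields sshd evaluates before it logs an "Accepted certificate" or "Failed publickey ... RSA-CERT" line, and it computes the two fingerprints in the same form as the log and `ssh-keygen -lf` (SHA256 over the wire-format key blob, base64 without padding), so the `CA RSA SHA256:...` value in the failure line can be compared against the CA key a given client's certificate actually carries. The sample certificate at the bottom is constructed for offline use: the key ID "debby" and the principal "sftp" mirror the question, but the RSA moduli are arbitrary numbers and the signature is a zero-filled placeholder, so nothing is verified cryptographically.

```python
"""Decode an OpenSSH RSA user certificate (id_rsa-cert.pub) and report the
fields sshd checks: key ID, serial, principals, validity, CA fingerprint and
the algorithm the CA used to sign it. Layout follows OpenSSH PROTOCOL.certkeys."""
import base64
import hashlib
import struct
import time

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(x: int) -> bytes:
    """SSH wire 'mpint': two's complement; the spare byte keeps a value whose
    top bit is set (every RSA modulus) from being read back as negative."""
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


class Reader:
    """Sequential decoder for the wire types used in a certificate blob."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate blob")
        out, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return out

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big", signed=True)

    def done(self) -> bool:
        return self.pos >= len(self.data)


def fingerprint(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf` and the sshd log: SHA256 over the
    wire-format public key blob, base64 with the '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_rsa_cert(line: str) -> dict:
    """Parse one id_rsa-cert.pub line. The signature is decoded only to learn
    its algorithm; it is NOT verified here (that needs the CA key math)."""
    kind, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if kind.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError(f"not an {CERT_TYPE.decode()} certificate")
    r.string()                                  # nonce
    e, n = r.mpint(), r.mpint()                 # the user's RSA public key
    serial, cert_type = r.u64(), r.u32()        # type 1 = user, 2 = host
    key_id = r.string().decode()
    plist, principals = Reader(r.string()), []
    while not plist.done():
        principals.append(plist.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    for _ in range(3):                          # critical options, extensions, reserved
        r.string()
    ca_blob = r.string()                        # full wire blob of the CA public key
    sig_alg = Reader(r.string()).string().decode()
    # For RSA-CERT entries sshd logs the fingerprint of the *plain* user key,
    # so rebuild that blob instead of hashing the whole certificate.
    user_blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return {
        "key_id": key_id, "serial": serial,
        "type": "user" if cert_type == 1 else "host",
        "principals": principals,
        "valid_after": valid_after, "valid_before": valid_before,
        "user_key_fingerprint": fingerprint(user_blob),
        "ca_fingerprint": fingerprint(ca_blob),
        "signature_algorithm": sig_alg,
    }


def allowed_for(cert: dict, login_user: str, now=None) -> bool:
    """The checks sshd applies after the CA signature on the TrustedUserCAKeys
    path with no AuthorizedPrincipalsFile: a user certificate with a non-empty
    principal list containing the login name, and 'now' inside the validity window."""
    now = int(time.time()) if now is None else now
    return (cert["type"] == "user" and login_user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


def build_sample_cert() -> str:
    """CONSTRUCTED sample for offline use: exact wire layout, but the RSA
    moduli are arbitrary numbers and the signature bytes are a placeholder."""
    n, ca_n = (1 << 2047) | 0x1234567, (1 << 2047) | 0x89ABCDEF
    ca_blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(ca_n)
    body = (ssh_string(CERT_TYPE) + ssh_string(b"\x00" * 32)          # type, nonce
            + ssh_mpint(65537) + ssh_mpint(n)                           # user key e, n
            + struct.pack(">QI", 0, 1)                                  # serial 0, user cert
            + ssh_string(b"debby")                                      # key ID
            + ssh_string(ssh_string(b"debby") + ssh_string(b"sftp"))    # principals
            + struct.pack(">QQ", 0, 0xFFFFFFFFFFFFFFFF)                 # validity: forever
            + ssh_string(b"") * 3                                       # crit opts, exts, reserved
            + ssh_string(ca_blob)
            + ssh_string(ssh_string(b"rsa-sha2-512") + ssh_string(b"\x00" * 256)))
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} debby@sample"


if __name__ == "__main__":
    cert = parse_rsa_cert(build_sample_cert())
    for k, v in cert.items():
        print(f"{k:>22}: {v}")
    print("allowed for 'sftp':", allowed_for(cert, "sftp"))
```

To use it on a real client, pass the single line of `~/.ssh/id_rsa-cert.pub` to `parse_rsa_cert` (for example via `ssh-keygen -L -f` as a cross-check); `ca_fingerprint` should equal the `CA RSA SHA256:...` value in the sshd log and `ssh-keygen -lf /etc/ssh/ca_user_key.pub` on the server, `user_key_fingerprint` should equal the `RSA-CERT SHA256:...` value, and `signature_algorithm` shows whether the CA signed with `ssh-rsa` (SHA-1) or `rsa-sha2-256`/`rsa-sha2-512`, which matters on servers that no longer accept SHA-1 signatures.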
