AuthorizedKeysCommand 设置提示输入密码

AuthorizedKeysCommand 设置提示输入密码

问题:尽管我已经设置了授权密钥命令当我尝试从我的 Mac 登录时,密码验证已停止,但仍要求我输入密码:

操作系统:Rocky Linux 9.2

服务器上的 OpenSSH 版本:OpenSSH_8.7p1,OpenSSL 3.0.7 2022 年 11 月 1 日

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:g7nyjiJifRo58tqXivGLTyxst7KP207XMKj3mNS3z4z
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user/.ssh/id_xmss
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
([email protected]) Password:

这里是/etc/ssh/sshd_config


# General SSH settings
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Specify the protocol versions
Protocol 2

# HostKeys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication settings

# Disable root login
PermitRootLogin no

# Use public key authentication
PubkeyAuthentication yes

# Local file to check for public keys (optional, as we use AuthorizedKeysCommand)
#AuthorizedKeysFile .ssh/authorized_keys

# Use the script to fetch keys from GitLab repo
AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh %u
AuthorizedKeysCommandUser root

# ignore existing authorized_keys files by default
AuthorizedKeysFile /dev/null

# Disable password authentication as requested
PasswordAuthentication no

# Other settings for best practices
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
TCPKeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 33

# Subsystem for SFTP
Subsystem sftp /usr/libexec/openssh/sftp-server

以下是从 GitLab 获取公钥的脚本:


# Check for required username argument
if [[ -z "$1" ]]; then
  >&2 echo "Username required."
  exit 1
fi

# Environment variables for configuration
TOKEN="GitLab-access-token"
PROJECT_ID="123"
GITLAB_BASE_URL="https://gitlab.mygitlab.tld/api/v4/projects"
USERNAME="$1"

# Complete URL to the user's public key file
USER_KEY_URL="${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${USERNAME}%2Epub/raw?ref=main"

# Use curl with the token to fetch the public key from the URL
RESPONSE=$(curl --header "Private-Token: $TOKEN" --silent --fail --write-out "HTTPSTATUS:%{http_code}" "$USER_KEY_URL")

HTTP_STATUS=$(echo "$RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')

# Output only the SSH key to stdout
if [ "$HTTP_STATUS" == "200" ]; then
  echo "$RESPONSE" | sed -e 's/HTTPSTATUS:.*//g'
else
  >&2 echo "Failed to fetch keys with status code $HTTP_STATUS"
  exit 1
fi

如果我执行“journalctl-u sshd-n 50“:

Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: main: sshd: ssh-rsa algorithm is disabled
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: User user authorized keys /dev/null is not a regular file
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh user failed, status 1
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: Accepted keyboard-interactive/pam for user from 192.168.50.175 port 51277 ssh2
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: pam_unix(sshd:session): session opened for user user(uid=1001) by (uid=0)

我已经通过 cURL 手动测试了 Bash 脚本,它可以从 GitLab 存储库中很好地获取公钥,完全符合要求。我还手动执行了 Bash 脚本,输出包含用户的公钥,与我的 Mac 上的内容完全一样。需要说明的是,我正在从我的 Mac 上进行测试并使用 Mac 的公钥进行身份验证。

我无法禁用 PAM,因为我在日志中看到 Rocky Linux 不支持此功能。知道为什么 UNIX 用户仍然会出现此密码提示吗?PAM 会回退到密码吗?

我修改了 Bash 脚本以重定向文件中的错误/tmp/fetch_gitlab_keys.log

Wed Aug 16 03:46:12 AM EDT 2023 - Curl output: 000
Wed Aug 16 03:46:12 AM EDT 2023 - Failed to fetch keys with status code 000

该操作系统有 SELinux,但我已经将其禁用,因此没有任何区别。

相关内容