我正在尝试让这个命令以用户 postgres 的身份工作(这样我就可以发送 wal 文件):
rsync -a /tmp/test postgres@server2:/tmp/test
但我收到了错误:
Permission denied (publickey).
我已经在 server1 上以 postgres 用户身份运行ssh-keygen
eval `ssh-agent`
并创建了 keygen并且我可以看到它是通过使用 发送的。ssh-add
/var/lib/postgresql/.ssh/id_rsa
id_rsa.pub
ssh -vvv postgres@server2
在 server2 上,我创建了/var/lib/postgresql/.ssh/authorized_keys
server1 的 id_rsa.pub 内容。它归 postgres 用户和组所有,chmod 为 600。该.ssh
目录也归 postgres 所有,chmod 为 700。
我可以从 server2 上的详细 sshd 日志中看到Failed publickey for postgres...
两台服务器上的 postgres 用户:postgres:x:106:114:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ssh -vvv postgres@server2
...
debug1: Found key in /var/lib/postgresql/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/postgresql/.ssh/id_rsa (0x7f468e434000)
debug2: key: /var/lib/postgresql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/postgresql/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/postgresql/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/postgresql/.ssh/id_dsa
debug3: no such identity: /var/lib/postgresql/.ssh/id_dsa
debug1: Trying private key: /var/lib/postgresql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/postgresql/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
server2 sshd_config(删除注释行)
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel VERBOSE
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
server2 身份验证日志
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Set /proc/self/oom_score_adj to 0
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Connection from 10.28.123.97 port 49377
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Failed publickey for postgres from 10.28.123.97 port 49377 ssh2
Jan 16 03:54:21 ip-10-28-26-251 sshd[7972]: Connection closed by 10.28.123.97 [preauth]
我遗漏了什么?我猜 sshd 没有查看 server2 上的 authorized_keys 文件
答案1
/etc/ssh/sshd_config
假设您的从属服务器允许密钥认证,则只有在设置了的情况下才需要更新AllowedUsers
,在这种情况下您需要确保postgres
在该列表中。
除此之外,只需ssh-keygen
(将私钥密码留空),然后~/.ssh/authorized_keys
向从属服务器添加目录/文件。 的主目录postgres
是/var/lib/postgresql
,但是如果您su
以postgres
用户身份执行这些操作,则只需使用~
,更不用说您无需执行chown
任何操作,因为postgres
将在主服务器上拥有生成的 ssh 密钥,并将postgres
在从属服务器上拥有创建的目录/文件。
确保在主服务器和从服务器上安全地设置文件权限:
# On master
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/known_hosts # this one won't exist until you SSH once
# On slave
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
答案2
您需要在sshd_config
server2 中输入以下内容:
AuthorizedKeysFile .ssh/authorized_keys
答案3
在系统范围内禁用 selinux 是一个糟糕的解决方案。
最好创建一个允许您执行所需特定操作的策略模块。
这是我在 RHEL6 中所做的:
我清除了审计日志,重新启动了 rsyslogd,并重复了该问题。
接下来,使用 audit2allow 查看人类可读的问题:
# audit2allow -w -a
type=AVC msg=audit(1438288591.000:8525): avc: denied { open } for pid=6063 comm="sshd" path="/var/lib/pgsql/.ssh/authorized_keys" dev="dm-0" ino=920234 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1438288591.000:8525): avc: denied { read } for pid=6063 comm="sshd" name="authorized_keys" dev="dm-0" ino=920234 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1438288591.000:8526): avc: denied { getattr } for pid=6063 comm="sshd" path="/var/lib/pgsql/.ssh/authorized_keys" dev="dm-0" ino=920234 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
确保没有发生额外的拒绝,并且这些都是特定于当前问题的,创建一个 selinux 模块以允许 sshd 读取、打开和 getattr postgres authorized_keys:
# audit2allow -a -M sshd_read_postgres_ssh_authorized_keys
现在安装生成的模块:
# semodule -i sshd_read_postgres_ssh_authorized_keys.pp
我将此模块复制到对等 postgres 服务器并在那里安装。我现在可以以 postgres 的身份在机器之间使用公钥身份验证进行 ssh 连接,并且我仍然处于 selinux 强制执行状态。
答案4
我发现 Gregory 的答案只对我有用,尽管它为我指明了正确的方向。我发现需要一些规则/策略,并且只能按特定顺序生成。
由于该ssh-copy-id
命令仅在另一端有密码时才有效,因此您需要scp
获取公钥并相应地调整用户和权限。这样就无需创建密码,并且一个可能的接入点保持关闭。
创建一个 postgres 用户密钥并允许它通过 ssh 进入自身,但如果您将该密钥携带到另一台服务器,它也可以工作。
# su postgres
$ cd
$ ssh-keygen # [enter....] *
$ cd .ssh/
$ cp id_rsa.pub authorized_keys
$ chmod 0600 authorized_keys
每个错误都需要在生成规则之前发生,因此在添加每个策略之后,只需在密码提示时输入即可再次尝试 ssh。
$ ssh [email protected]
为了简单起见,ssh 进入 self,但它仍然有效。出现错误后:
$ exit
# audit2allow -a -M sshd_open_postgres_ssh_authorized_keys
# semodule -i sshd_open_postgres_ssh_authorized_keys.pp
# su postgres
$ ssh [email protected]
$ exit
# audit2allow -a -M sshd_read_postgres_ssh_authorized_keys
# semodule -i sshd_read_postgres_ssh_authorized_keys.pp
# su postgres
$ ssh [email protected]
$ exit
# audit2allow -a -M sshd_getattr_postgres_ssh_authorized_keys
# semodule -i sshd_read_postgres_ssh_authorized_keys.pp
# su postgres
$ ssh [email protected]
这次应该可以
注意:'#' 表示 root,但使用 sudo,我这样写是为了方便,而不是为了表示最佳实践