我不明白发生了什么事。理论上,我在机器上为用户“user”生成了密钥对家庭桌面,并将公钥发送至myserver.example.com放到下面myserver:~user/.ssh/authorized_keys
,不用密码就可以登录了,没问题。
问题是奇怪的是,机器上的所有其他用户家庭桌面也可以登录user@myserver
,无需密码!您可能会认为该密钥只能在全局范围内访问homedesktop:/etc/ssh
,但事实并非如此(我删除了该目录并重试,仍然有效)。事实上,不仅仅是“myserver”,所有拥有“user”公钥的服务器都接受“homedesktop”上所有用户的无密码登录。从下面的 SSH 日志看起来好像密钥可能在内存中?我不明白发生了什么事以及如何防止其他用户使用此密钥!此外,homedesktop:~user/.ssh
具有正常权限,其他用户无法读取。
在此示例中,“otheruser”尝试以 user@myserver 身份登录,回家后他/她可以访问用户@home桌面密钥,哪个被接受?
otheruser@homedesktop:~$ rm -rf .ssh
otheruser@homedesktop:~$ ssh -vvv -p 15555 [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.example.com [123.234.123.234] port 15555.
debug1: Connection established.
debug1: SELinux support disabled
debug1: identity file /home/otheruser/.ssh/id_rsa type -1
debug1: identity file /home/otheruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_dsa type -1
debug1: identity file /home/otheruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa type -1
debug1: identity file /home/otheruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519 type -1
debug1: identity file /home/otheruser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [myserver.example.com]:15555
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f
debug3: put_host_port: [123.234.123.234]:15555
debug3: put_host_port: [myserver.example.com]:15555
debug1: checking without port identifier
The authenticity of host '[myserver.example.com]:15555 ([123.234.123.234]:15555)' can't be established.
ECDSA key fingerprint is 9d:ce:c8:e4:39:43:f5:3a:0b:11:0b:77:78:cd:63:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[myserver.example.com]:15555,[123.234.123.234]:15555' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: user@myserver (0x7fba1acf8000),
debug2: key: user@homedesktop (0x7fbaa1bbcf30),
debug2: key: /home/otheruser/.ssh/id_rsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_dsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ecdsa ((nil)),
debug2: key: /home/otheruser/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: user@myserver
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_VTNR
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env KDE_MULTIHEAD
debug1: Sending env LC_ADDRESS = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MONETARY = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env SELINUX_INIT
debug3: Ignored env SESSION
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KONSOLE_PROFILE_NAME
debug3: Ignored env GS_LIB
debug3: Ignored env GTK_RC_FILES
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env WINDOWID
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env UPSTART_SESSION
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env USER
debug1: Sending env LC_TELEPHONE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env QT_IM_MODULE
debug1: Sending env LC_IDENTIFICATION = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug3: Ignored env JOB
debug3: Ignored env XMODIFIERS
debug3: Ignored env KONSOLE_DBUS_WINDOW
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDM_LANG
debug3: Ignored env MANDATORY_PATH
debug1: Sending env LC_MEASUREMENT = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env GDMSESSION
debug3: Ignored env SESSIONTYPE
debug3: Ignored env HOME
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env UPSTART_INSTANCE
debug3: Ignored env PYTHONPATH
debug3: Ignored env LOGNAME
debug3: Ignored env UPSTART_EVENTS
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env LESSOPEN
debug3: Ignored env TEXTDOMAIN
debug3: Ignored env UPSTART_JOB
debug3: Ignored env INSTANCE
debug3: Ignored env DISPLAY
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PROFILEHOME
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env PAM_KWALLET_LOGIN
debug1: Sending env LC_TIME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LESSCLOSE
debug3: Ignored env TEXTDOMAINDIR
debug1: Sending env LC_NAME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to MYSERVER!!
Last login: Tue Nov 1 21:05:47 2016 from 111.222.111.222
user@myserver:~$
答案1
debug1: Offering DSA public key: user@homedesktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug3: sign_and_send_pubkey: DSA d2:43:29:a0:88:06:a1:d2:1d:7a:65:15:4f:f8:95:eb
debug1: Authentication succeeded (publickey).
Authenticated to myserver.example.com ([123.234.123.234]:15555).
表示密钥存储在您的会话中的ssh-agent
.ssh
在没有连接到您的情况下运行ssh-agent
将不允许您访问:
SSH_AUTH_SOCK="" ssh -vvv -p 15555 [email protected]
杀死代理也可以完成这项工作:(eval $(ssh-agent -k)
如果您不使用gnome-keyring
)。否则从 DE 重新登录将“刷新”密钥。