Então, eu estou tendo um problema bastante estranho. Eu tenho um servidor que, quando tento fazer o SSH, fecha imediatamente a conexão se eu digitar a senha correta na primeira tentativa. No entanto, se eu propositalmente digitar uma senha errada na primeira tentativa e depois digitar uma senha correta no segundo ou terceiro prompt, ela me registrará com êxito no computador. Da mesma forma, quando tento usar a autenticação de chave pública, obtenho uma conexão fechada imediata. Se, no entanto, eu digitar uma senha incorreta para o meu arquivo de chave, seguido por outra senha incorreta, uma vez que ele reverter para a autenticação de senha, posso efetuar login com êxito, desde que forneça a senha correta no segundo ou terceiro prompt.
A máquina está executando o Red Hat Enterprise Linux Server versão 6.2 (Santiago) e está usando LDAP e PAM para autenticação. Alguma idéia de onde começar a depurar este? Deixe-me saber quais arquivos de configuração eu preciso fornecer e ficarei feliz em fazê-lo.
Aqui estão algumas informações de depuração. Os seguintes blocos de código representam esses três cenários, em ordem: 1) Corrija a senha da chave privada na primeira tentativa, 2) ignore a chave privada, corrija a senha normal na primeira tentativa, 3) ignore a chave privada, insira intencionalmente a senha incorreta e, em seguida, entre o bom ... esse é o único cenário que realmente me permite conectar.
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to [removed for privacy].
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/trevor/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/trevor/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/trevor/.ssh/id_rsa-cert type -1
debug1: identity file /home/trevor/.ssh/id_dsa type -1
debug1: identity file /home/trevor/.ssh/id_dsa-cert type -1
debug1: identity file /home/trevor/.ssh/id_ecdsa type -1
debug1: identity file /home/trevor/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 531/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA cb:1c:78:3f:f7:7d:8a:10:27:86:a3:12:0c:27:f4:19
debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:90
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "[removed]" from file "/home/trevor/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/trevor/.ssh/known_hosts:80
debug3: load_hostkeys: loaded 1 keys
debug1: Host '[removed]' is known and matches the RSA host key.
debug1: Found key in /home/trevor/.ssh/known_hosts:90
debug2: bits set: 541/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/trevor/.ssh/id_rsa (0x7f3a228127d0)
debug2: key: /home/trevor/.ssh/id_dsa ((nil))
debug2: key: /home/trevor/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/trevor/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17
debug3: sign_and_send_pubkey: RSA 9c:b0:15:a4:92:9c:a5:31:8b:00:ea:f6:cb:e1:96:17
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/trevor/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
Connection closed by [removed_ip]
Agora pulo a chave privada e uso a senha de usuário correta na primeira tentativa:
Enter passphrase for key '/home/trevor/.ssh/id_rsa':
debug2: no passphrase given, try next key
debug1: Trying private key: /home/trevor/.ssh/id_dsa
debug3: no such identity: /home/trevor/.ssh/id_dsa
debug1: Trying private key: /home/trevor/.ssh/id_ecdsa
debug3: no such identity: /home/trevor/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[user]@[server]'s password:
debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##])
debug2: we sent a password packet, wait for reply
Connection closed by [removed_ip]
Por fim, pulo a chave privada, insiro uma senha incorreta e, em seguida, insiro a senha correta na 2ª tentativa, essa abordagem finalmente me permite s
debug1: Next authentication method: password
[user]@[server]'s password:
debug3: packet_send2: adding [##] (len [##] padlen [#] extra_pad [##])
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
[user]@[server]'s password:
debug3: packet_send2: adding [##] (len [##] padlen [##] extra_pad [#])
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to [server] ([[server_ip]]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request [email protected] confirm 0
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env LANGUAGE
debug3: Ignored env KDE_MULTIHEAD
debug3: Ignored env KDE_SESSION_VERSION
debug3: Ignored env KONSOLE_DBUS_SERVICE
debug3: Ignored env LOGNAME
debug3: Ignored env WINDOWPATH
debug3: Ignored env GTK_MODULES
debug3: Ignored env GTK2_RC_FILES
debug3: Ignored env KDE_FULL_SESSION
debug3: Ignored env SHLVL
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env PATH
debug3: Ignored env USER
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env GTK_RC_FILES
debug3: Ignored env WINDOWID
debug3: Ignored env XCURSOR_SIZE
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env XDM_MANAGED
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DM_CONTROL
debug3: Ignored env _
debug3: Ignored env DISPLAY
debug3: Ignored env PWD
debug3: Ignored env XCURSOR_THEME
debug3: Ignored env GS_LIB
debug3: Ignored env COLORFGBG
debug3: Ignored env KDE_SESSION_UID
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env OLDPWD
debug3: Ignored env TERM
debug3: Ignored env PROFILEHOME
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env UBUNTU_MENUPROXY
debug3: Ignored env QT_PLUGIN_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env KONSOLE_DBUS_SESSION
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env MANDATORY_PATH
debug3: Ignored env SHELL_SESSION_ID
debug3: Ignored env HOME
debug3: Ignored env SHELL
debug3: Ignored env GREP_OPTIONS
debug3: Ignored env GREP_COLOR
debug3: Ignored env PAGER
debug1: Sending env LC_CTYPE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env LSCOLORS
debug3: Ignored env rvm_prefix
debug3: Ignored env rvm_path
debug3: Ignored env __array_start
debug3: Ignored env rvm_bin_path
debug3: Ignored env escape_flag
debug3: Ignored env _first
debug3: Ignored env _second
debug3: Ignored env rvm_version
debug3: Ignored env RUBY_VERSION
debug3: Ignored env GEM_HOME
debug3: Ignored env GEM_PATH
debug3: Ignored env MY_RUBY_HOME
debug3: Ignored env IRBRC
debug3: Ignored env rvm_alias_expanded
debug3: Ignored env rvm_docs_type
debug3: Ignored env rvm_gemstone_package_file
debug3: Ignored env rvm_gemstone_url
debug3: Ignored env rvm_niceness
debug3: Ignored env rvm_nightly_flag
debug3: Ignored env rvm_proxy
debug3: Ignored env rvm_quiet_flag
debug3: Ignored env rvm_ruby_file
debug3: Ignored env rvm_ruby_make
debug3: Ignored env rvm_ruby_make_install
debug3: Ignored env rvm_ruby_mode
debug3: Ignored env rvm_script_name
debug3: Ignored env rvm_sdk
debug3: Ignored env rvm_silent_flag
debug3: Ignored env rvm_wrapper_name
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: [DateTime removed] from [location removed]
Como você pode ver pelo código de depuração, meu nome é Trevor. Obrigado pela ajuda! Deixe-me saber quais arquivos de configuração do pam eu preciso incluir.
Por solicitações nos comentários, aqui estão mais algumas informações de log / depuração.
/ var / log / secure (meu nome de usuário é twhitney):
Oct 9 12:01:26 [server] sshd[25087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[removed] user=twhitney
Oct 9 12:01:26 [server] sshd[25087]: pam_krb5[25087]: authentication fails for 'twhitney' (twhitney@[domain]): Authentication failure (Decrypt integrity check failed)
Oct 9 12:01:26 [server] sshd[25087]: pam_ldap: ldap_starttls_s: Operations error
Oct 9 12:01:28 [server] sshd[25087]: Failed password for twhitney from [server_ip] port 47541 ssh2
Oct 9 12:01:32 [server] sshd[25087]: Accepted password for twhitney from [server_ip] port 47541 ssh2
Oct 9 12:01:32 [server] sshd[25087]: pam_unix(sshd:session): session opened for user twhitney by (uid=0)
A principal pista aqui é provavelmente "pam_ldap: ldap_starttls_s: Erro de operações", vou ter que fazer alguma pesquisa sobre isso.
A seguir, estão as configurações do pam. Vou começar com /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authok
password required pam_deny.so
session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
E agora /etc/pam.d/password-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0027
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so
Mais uma vez obrigado por qualquer luz que você possa lançar sobre o meu enigma!
/etc/pam.d/
? Porque há muitos deles.Respostas:
Não tem reputação para adicionar comentários, mas para depurar os problemas de autenticação do PAM que você procura do lado errado, é necessário fazer isso no lado do servidor.
Para fazer isso, ssh no servidor e execute:
Isso iniciará um daemon ssh na porta 4000 (
-p 4000
) com a depuração ativada (-d
), sem desanexar do console (-D
).Em seguida, tente novamente, mas conecte-se à porta 4000. No lado do servidor, você verá muitas saídas; há a verdade da raiz do seu problema, não do lado do cliente.
Se você precisar de mais detalhes, poderá adicionar vários
-d
, até três.Se você não conseguir descobrir a partir da saída, cole-a aqui para que possamos vê-lo.
fonte
Então, encontrei uma solução, não sei se é a melhor, mas ela me permite fazer o SSH na primeira tentativa. O truque era se livrar de todas as
password-auth
inclusões/etc/pam.d/sshd
e substituí-las porsystem-auth
inclusões. Então, meu/etc/pam.d/sshd
arquivo final fica assim:Como você provavelmente pode perceber, sou um pouco novo no PAM. Os arquivos
system-auth
epassword-auth
estão incluídos acima, na minha pergunta original. Alguém pode me explicar por que as alterações acima corrigem as coisas? Fiz a mesma correção, substituindo todas asinclude password-auth
instruções porinclude system-auth
,/etc/pam.d/crond
pois não estava permitindo que ninguém (incluindo o root) usasse cron / crontab. Qual a diferença entre essas configurações? Essas alterações comprometeram minha segurança de alguma forma?Obrigado novamente por toda a ajuda e sugestões.
fonte